The Senate is currently debating a key piece of cybersecurity legislation which could change the way American tech firms operate. It is impossible to understate the need for the proposed Cybersecurity Act of 2012--the United States, in the midst of a historic surge in online crime and espionage, has decided to act to reduce the problem. However, critics argue that the Cybersecurity Act is wasteful and threatens privacy. As currently written, the Cybersecurity Act could lead to massively increased costs for American tech and Internet firms.
The Cybersecurity Act dramatically increases the Department of Homeland Security's (DHS) role in combating cybercrime. Responsibility for commercial and civilian online security would be explicitly placed under DHS's supervision; responsibility currently lies with a host of federal, state, and local law enforcement and intelligence agencies. A new National Center for Cybersecurity and Communications (NCCC) would be established within DHS, and would be headed up by a Senate-confirmed presidential appointee. Information sharing between government agencies would be streamlined. And the DHS will be responsible for establishing federally mandated “cybersecurity performance requirements” for critical Internet infrastructure.
The latest aspect of this bill has especially rankled critics. The DHS, once it decides what constitutes “critical internet infrastructure”--as the bill does not give an explicit definition--will lay down security requirements for the owners and operators of relevant services. Owners and operators will be required, at their own expense, to alter their Internet security choices in accordance with government requirements. This will be an extremely pricy proposition for hardware providers, Internet infrastructure providers, and web giants like Google, Facebook, and Amazon.
As currently written, the bill merely defines “critical Internet infrastructure” as anything “whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life.” This is a broad definition that gives Homeland Security a huge mandate for overseeing Internet security standards by American tech firms.
A bipartisan group of Senators, led by John McCain (R-AZ), has argued that the Cybersecurity Act will lead to federally mandated Internet security requirements for private firms. Meeting federal benchmarks for online security will lead, ironically, to reduced security for critical Internet infrastructure providers. Rather than being able to introduce innovative responses to new threats, critical infrastructure providers will be tied to federal benchmarks from 2012 for at least the next five years.
Government cybercrime and cyberespionage protection is currently covered by the Federal Information Security Management Act of 2002. This 10-year-old bill does not cover aspects of modern security culture such as smartphones and spearphishing.
On the one hand, a new cybersecurity bill is a much needed thing. However, the current version of the bill clocks in at over 200 pages. Rather than being restricted to protecting the government from cyberattacks (a worthy goal), the bill was intentionally written in ambiguous and confusing language that could hypothetically lead to many American firms falling under its mandate. The Department of Homeland Security has not been known for cutting costs down, for providing clear regulatory definitions, or for working effectively with the private sector. Fast Company just reported on the awful mess of Homeland Security's social media surveillance program.
While McCain is upset about the potential for increased government regulation and increased expenses for tech firms, he's mostly angry that the bill doesn't increase the NSA's spying powers. In a statement submitted to the Senate Homeland Security and Governmental Affairs Committee, McCain stated his wish for U.S. Cyber Command and the NSA to oversee cybersecurity, rather than DHS. McCain's statement explicitly stated that part of his vision was for the NSA to engage in real-time monitoring of Internet traffic in order to prevent cyberattacks.
It is important to note that the Cybersecurity Bill is still in its infancy and that the bill's contents will change markedly before passing. An earlier version of the bill inadvertently fueled fears of a government Internet kill switch thanks to sloppy writing. Meanwhile, the House of Representatives is pushing through a similar cybersecurity bill.
However, whatever form the government's final cybercrime legislation takes, we know two things. Tech and Internet firms will see increased security costs thanks to stricter regulation, and the government's power to spy on the Internet will likely increase.
[Image: Flickr user Harald Groven]