EFF’s Richard Esguerra says that CNET got it right when Declan McCullagh described concerns about the Cybersecurity Act:
In April, we voiced serious concerns about the Cybersecurity Act of 2009, a bill by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME), that sought to give the federal government unprecedented power over the Internet. For months, the bill has been redrafted behind closed doors and has recently been circulated, but by all accounts, the changes are cosmetic and it’s sadly more of the same.
Like the original bill, the new version appears to give the President carte blanche to decide which networks and systems, private or public, count as “critical infrastructure information systems or networks.” And alongside that authority, there still appears to be murky language that would permit the President to shut down the Internet. Note the troubling provision in the original bill, which said:
The President […] may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;
The new bill says:
The President […] in the event of an immediate threat […] may declare a cybersecurity emergency; and may, if the President finds it necessary for the national defense and security, and in coordination with relevant industry sectors, direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure information system or network;
In other words, they appear to have packaged Presidential authority to shut down the Internet and other private networks behind a ribbon of red tape, and the words “national response.”
In addition, a CNET article by Declan McCullagh indicates that many of the early concerns about privacy, authority, and security effectiveness have gone unsolved: there is vague language about mapping federal and private networks; there is an unexplained scheme to certify cybersecurity professionals at the federal level; and the mandated implementation of a “cybersecurity strategy” before the completion of a legal review that could protect against inadvertent privacy violations or inefficiency.