So while there is no kill switch in the bill, it would establish two federal bodies to develop and enforce security standards for critical infrastructure systems, and it would clarify the government’s power in the event of a cyber emergency to give mandatory orders to the private operators of critical infrastructure systems.
It would, further, give the National Institute of Standards and Technology the ability, in conjunction with the private sector, to create security standards, which would then be imposed on federal agencies and private operators of critical infrastructure systems. This introduces the potential for mission creep.
Moreover, it is not yet known what those standards would be. Would they permit deep-packet sniffing, other methods of surveillance, or back doors? Who would have final say about the standards and their implementation and enforcement? Does the government possess the expertise to take on this task? If not, how will the relevant agencies acquire that expertise before the standards are developed?
When it comes to improving the online security environment in this country, everyone has work to do, including the federal government. Keeping up with patches and updates, regularly changing user names and passwords on critical systems, and choosing unique, complex passwords are just a few of the habits of good security that should be widespread but aren’t. Some parts of this bill—like section 301, which calls for withholding bonuses from senior agency officials whose agencies aren’t up to snuff—may be good steps toward implementing a functional and habitual security environment at the federal level. Other parts clearly need more consideration and debate.
That the information-security environment in this country and around the world needs work is clear. Whether this is the bill that is needed, or even whether the federal government should have a role in regulating private-sector information security, is less so.
Jonathan Zittrain is a professor of law and of computer science at Harvard University and cofounder of its Berkman Center for Internet & Society; Molly Sauter is a research assistant at the Berkman Center. Updates will appear at www.jz.org.