Wired magazine reported today that a new bill from Joe Lieberman and Susan Collins, currently in draft form, would give the government broad powers to take over responsibility for civilian networks in case of an “imminent cyber threat.”
It’s commendable that legislators are thinking about private networks while making contingency plans for a massive cyber attack. Protecting government IT systems isn’t enough — the vast majority of the country’s infrastructure in this area lies in private hands.
From the Wired report:
“These emergency measures are supposed to remain in place for no more than 30 days. But they can be extended indefinitely, a month at a time.
The DHS cybersecurity director has to ensure that the emergency measures ‘represent the least disruptive means feasible’ and that ‘the privacy and civil liberties of United States persons are protected,’ according to the bill.”
This bill does raise all sorts of thorny questions, though. How specific are the guidelines to determine when an attack is critical enough to justify the government taking control over the assets of a private company? Can the DHS cybersecurity director do this unilaterally? And why is the government more capable than private industry in defending against a cyber attack? I’m sure the good people at Google and Microsoft have spent an hour or two pondering these issues and would have some expertise to lend.
I haven’t seen the bill’s full text, so perhaps some of these issues are addressed, but it’s evident from ongoing events in the Gulf of Mexico that the government is not always the best-equipped party to handle a crisis (although private industry isn’t exactly covering itself in glory, I suppose). It’ll be interesting to see the reaction from the private sector if and when this legislation goes forward.