The Internet is abuzz today with the reports by Declan McCullagh that the newest version of The Cybersecurity Act of 2009 has been getting some edits by Senator Jay Rockefeller (D-WV). Although the full edits have not been released, the reports so far continue to talk about how this bill, if passed, could result in sweeping changes in how IT professionals do their job.
The provision would require the licensing of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision, like many provisions in this bill, are very vague. In simple terms, for any IT security task the Feds say impacts critical infrastructure (not defined), this bill could give the Feds the power to control that task. Some have wondered if this is a way to enforce a cyber state of emergency – order licensed professionals to turn over controls to the Feds when an emergency is declared.
I am a member of InfraGard. As InfraGard members, we are told that the Feds consider all the following critical infrastructure: communications, financial services, health care, agriculture, transportation, education, utilities, energy, and first responders.
As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:
The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, reported that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.
For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals whether they are qualified to do their job, and how to do their job. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chutzpah.
Laws regulating IT security professionals at the state level have already passed in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.
In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigators’ lobby. That bill, as introduced, would have required that certain IT professionals buy, and be certified by the vendors of, select commercial software packages. That bill passed a State Senate committee, and was only stopped by the determined and focused efforts of IT security professionals in Northern Nevada. It appears that only among regulators, and those wishing to limit competition, is there a groundswell of support for the government to license IT professionals.
In Data Security Podcast Episode 48, we talked with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift by the Feds to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern is that the bill is without any specifics of where the powers begin and end. For example, the bill gives the Federal Government the authority to determine which systems stay online and which go offline, in the event of an undefined cyber threat.
Earlier this year, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (“NCSC”). He said that his job was being stripped of staff and funding. What about this bill did Rod Beckström know, and when did he know it? As we reported on the Podcast a few weeks ago, Melissa E. Hathaway, the White House’s Senior Cybersecurity Official, also resigned.