A bill introduced in the Senate on April 1, 2009, the Cybersecurity Act of 2009, seems to expand the federal government's control and power over any private-sector entity that is deemed part of the nation's critical information infrastructure.
CNet and others are reporting this bill would give authority to the President, or the President's designees, to classify and control private business.
A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
The bill in its current form calls for the creation of a certification program, and a law that makes it illegal for any individual to engage in business in the US, or to be employed in the US, as a provider of cybersecurity services "to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."
SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
It also states:
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
(3) shall designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration under paragraph (2);
The problem with this bill, in the opinion of many, is its lack of definition. "Cybersecurity" isn't defined; here are the pertinent definitions.
CYBER- The term ‘cyber’ means--
(A) any process, program, or protocol relating to the use of the Internet or an intranet, automatic data processing or transmission, or telecommunication via the Internet or an intranet; and
(B) any matter relating to, or involving the use of, computers or computer networks.
FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS- The term ‘Federal Government and United States critical infrastructure information systems and networks’ includes--
(A) Federal Government information systems and networks; and
(B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.
In my opinion, very sweeping, too vague and disturbing. Essentially, any computer or network the government deems critical can be controlled and shut down. And anyone providing the undefined service of "cybersecurity" at any entity, public or private, that is deemed critical, must be licensed by the federal government.