Old 12-11-2010, 03:07 PM  
brandonstills
Confirmed User
Join Date: Dec 2007
Location: Chatsworth, CA
Posts: 1,964
Cybersecurity bill allows gov't to dictate how you run your servers

http://news.cnet.com/8301-13578_3-20023464-38.html

The bill would allow gov't to control how you run your servers. If you don't comply you will be fined.

I'm sure they will require some proprietary security software that only one company will have a monopoly on. And I'm sure the company will be chosen based on campaign contributions, and probably feature a hidden backdoor.

"All your database are belong to me."

Quote:
Section 224 of HSCPIPA hands DHS explicit legal "authorities for securing private sector" computers. A cybersecurity chief to be appointed by Napolitano would be given the power to "establish and enforce" cybersecurity requirements.

HSCPIPA's process works like this: DHS draws up a list of regulated "critical" companies by evaluating the likelihood of a "cyberincident," existing vulnerabilities, and the consequences of an attack. DHS is supposed to consult with the NSA, other federal agencies, and the private sector to the "maximum extent practicable," but the other groups don't get a veto over the final list.

Any "system or asset" that is a "component of the national information infrastructure"--read broadly, that could be any major Web site or provider--is fair game for DHS regulation. Companies can appeal if they don't want to be on the "critical" list, but it means asking DHS to reconsider its original decision (no neutral party considers the appeal).

"With a little bit of imagination, you can pretty much pull anything into that," says Lauren Weinstein of People for Internet Responsibility. "Does Google represent critical infrastructure now? It's hard to see how any major Internet service or property could be assured of the fact that it would not be covered."

Once the list is complete, DHS has the authority to require those regulated tech companies to "comply with the requirements" that it has levied. Those requirements include presenting "cybersecurity plans" to the agency, which has the power to "approve or disapprove" each of them. DHS "may conduct announced or unannounced audits and inspections" to ensure "compliance."

"In the case of noncompliance," the legislation says, DHS "may levy civil penalties, not to exceed $100,000 per day, for each instance of noncompliance."

Harper, from the Cato Institute, says that private firms already have the right incentives on cybersecurity. HSCPIPA imposes "a layer of bureaucracy that seeks to replicate the incentive structure that technology firms already face," he says.