The comprehensive cybersecurity legislation currently in development in the Senate aims to bring high-level government attention to the serious problem of cybersecurity by giving one White House official oversight of critical network infrastructure.
Yet the proposal in the draft legislation to give the national cybersecurity adviser the ability to disconnect federal or "critical" networks under threat of cyberattack may create more uncertainties than solutions, at least initially, cybersecurity experts warn.
Determining which networks are "critical" would be the first step to achieving security. A summary of the draft bill obtained by CNET News acknowledges the large swath of critical infrastructure that resides in the private sector-- banking, utilities, auto traffic control, and telecommunications.
Those networks all have different risk tolerances and means of mitigating risk--giving one person authority to disconnect any of them from the Internet would require a strong understanding of an overwhelming number of different systems.
"The irony is people keep on asking for somebody in charge who has this God's-eye view of what's going on in a purposefully decentralized system," said Bob Giesler, vice president for cyber programs at Science Applications International Corporation (SAIC). "This permeates the whole (cybersecurity) debate, which is what can the government do for us. I think you'll find at the end of Melissa Hathaway's 60-day (cybersecurity) review that industry will come back and say the best thing they can do is is share the data so we can be better risk managers," rather than manage risk themselves.
In February, President Obama selected former Booz Allen consultant Melissa Hathaway, who also worked for the director of national intelligence in the Bush administration, to conduct a review of federal cybersecurity activities.
Cutting off critical networks could have any number of impacts on consumers, depending on what services were disconnected, said Liesyl Franz, vice president for information security and global public policy at the trade organization TechAmerica. For instance, banks may stop distributing money through ATMs, government agencies may not be able to distribute services like food stamps or drivers' licenses, or financial institutions could stop trading.
However, "the best case scenario in this situation doesn't mean just (disconnecting networks) without collaboration," Franz said.
"The owners and operators themselves would be in a better position to say when they should disconnect networks," she said. "I would bet none of them would say the government should do it."
Rather than simply having an authoritative figure dictate when a network should shut down, she said, it would make more sense to establish a series of steps the public and private sectors could enact together in the face of a threat, based on the threat level.
Determining what threats merit significant action would be another challenge, given that networks of all kinds constantly face cyberattacks.
"Everybody is under attack, at some level, all the time," said Marjory Blumenthal, associate provost for academic affairs at Georgetown University and the founding executive director of the Computer Science and Telecommunications Board. Blumenthal was part of a commission that produced a report last year to advise the president on cybersecurity issues. … Read more