-- potentially "cripple privacy and security in one fell swoop" through one provision (alone) empowering the Commerce Secretary to "have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access...."
In other words, the Commerce Department will be empowered to access "all relevant data" - without privacy safeguards or judicial review. As a result, constitutionally protected privacy protections will be lost - ones guaranteed under the Electronic Communications Privacy Act, the Privacy Protection Act, and financial privacy regulations.
Another provision mandates a feasibility study for an identity management and authentication program that would sidestep "appropriate civil liberties and privacy protections."
At issue is what role the federal government should play in cybersecurity. How much power should it have? Can it dismiss constitutional protections, and what, in fact, can enhance cybersecurity without endangering our freedoms?
S. 773 and 778, as now written, "make matters worse by weakening existing privacy safeguards (without) address(ing) the real problems of security."
Months later, S. 773 was secretly redrafted, but from what's known, the redraft leaves it mostly unchanged. Like the original version, it gives the president carte blanche power "to decide which networks and systems, private or public, count as 'critical infrastructure information systems or networks,'" according to the EFF's Richard Esguerra. Both versions of the bill also let him shut down the Internet.
The original one states:
"The President....may order the disconnection of any Federal Government or United States critical infrastructure information systems or network in the interest of national security."
The new bill says:
"The President....in the event of an immediate threat (may) declare a cybersecurity emergency; and may, if the President finds it necessary for the national defense and security, and in coordination with relevant industry sectors, direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure information system or network."
In other words, he can shut down the Internet and leave privacy, authority, and security effectiveness unresolved. According to EFF's senior staff attorney, Lee Tien:
"The language has changed but it doesn't contain any real additional limits. It simply switches the more direct and obvious language they had originally to the more ambiguous (version). The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administration process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."
"there is vague language about mapping federal and private networks; there is an unexplained scheme to certify cybersecurity professionals at the federal level; and the mandated implementation of a 'cybersecurity strategy' before the completion of a legal review that could protect against inadvertent privacy violations or inefficiency."
In late February, Director of National Intelligence, Admiral Dennis Blair, told the House Intelligence Committee that the NSA, not DHS, should be in charge of cybersecurity even though it has a "trust handicap" to overcome because of its illegal spying:
"I think there is a great deal of distrust of the National Security Agency and the intelligence community in general playing a role outside of the very narrowly circumscribed role because of some of the history of the FISA issue in years past...." So Blair asked the committee's leadership to find a way to instill public confidence.