The rapid migration by U.S. government agencies to cloud-based architectures is producing radical, and potentially beneficial, changes to these agencies' management structures. Costs are coming down, and as some agencies are just now realizing, security and resiliency could be going up. But the very concept of cloud infrastructure is something that legislators have yet to become familiar with.
So another long-debated piece of cybersecurity legislation will enter the next round of what has become an annual event: As The Hill reports this morning, Sen. Joe Lieberman's (I - Conn.) cybersecurity bill is likely to make another appearance this week in the Homeland Security Committee which he chairs.
Sen. Lieberman made the announcement last week that he intends to bring his bill to a floor vote. That may be a feat in itself, since previous efforts to push the legislation never got it past Lieberman's own committee.
How Red Is "Red Alert?"
At issue is the viability of language that would give an executive branch office the authority to take control of the management of any system where critical government data and services are maintained, in the event of a so-called "cyber emergency." Such language may have made better sense in the mainframe era, but in the cloud era where services are widely distributed and also replicated, the power to commandeer compute power may be too broad.
The bill which Lieberman hopes to put to a floor vote has yet to be re-introduced (which says enough about the likelihood of immediate passage right there). When last we left the legislation in May 2011, it called for the creation of a National Center for Cybersecurity and Communications (perhaps abbreviated N3C), at whose head would be a Director and a Chief Information Security Officer.
Sensibly enough, those individuals would be tasked with ensuring that government agencies take whatever steps are deemed necessary to eliminate or mitigate risks. In a genuine effort to be clear about the matter, the 2011 version of the Lieberman bill defined "risk" with a big, bold stroke: "The term 'cyber risk' means any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure."
Or to summarize, a risk is anything that poses a risk. In the event of credible intelligence that someone is attempting to exploit a risk, the 2011 bill would have given the President the authority to declare a "cyber emergency." As Lieberman found himself having to do several times last year, he defended this power of declaration as something less than pulling some kind of Internet "kill switch." "We would never sign on to legislation that authorized the President, or anyone else, to shut down the Internet," the senator stated last February. "Emergency or no, the exercise of such broad authority would be an affront to our Constitution."
But then what is a cyber emergency, short of something similar to the Homeland Security Dept. raising the "terror alert" level from "yellow" to "orange?" The 2011 bill would have required the operators of so-called "covered critical infrastructure" to take appropriate, pre-designated response measures. As the bill put it, "develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure."
Can Government Take Over Without Taking Over?
It would have to be the "least disruptive means feasible," the bill went on, and it specifically prohibited any government agency's ability to seize or commandeer servers that belong to this infrastructure. But what are we talking about, anyway? The bill took a very broad approach to what constitutes "covered infrastructure," defining it essentially as any component whose failure or disruption would lead to "national or regional catastrophic effects."
So if any reintroduced legislation significantly resembled last year's version, then conceivably in the event of significant risk of attack, which the old bill defined as something that's risky, any data center where government data is housed, including privately run centers, may find themselves answerable to government authorities who take charge of administering the responses. This may yet be questionable, especially in light of how much government agencies have learned just in the past two years alone through the implementation of cloud architectures in the private sector. From a standpoint of merit alone, there might be considerable weight to the argument of making government agencies stand aside in the event of a cyber emergency.
What may concern private data centers which provide services to government agencies is the extent to which this legislation would force them to give up the driver's seat, particularly at times when their expertise could be used most. That there should be a government information security authority in charge of policy, makes sense; whether that authority should extend its hand to the management of response procedures remains open to debate.