In an effort to prove the axiom that no good deed goes unpunished, lawmakers are now looking to potentially impose onerous and costly new rules on the private-sector companies that built and operate the vast majority of the nation’s critical Internet infrastructure. And as we expressed in a recent Reuters article, draft cybersecurity legislation could block a vital aspect of the governmental process: a right to a day in court.
Based on two (1, 2) previous cybersecurity bills, a draft bill that has been circulating around town backed by Senate Majority Leader Harry Reid would give the White House sweeping new powers over companies that operate “covered critical infrastructure” (CCI). Under the bill, the Secretary of Homeland Security could force companies that operate CCI to pay for expensive new operational requirements and upgrades.
People often think of critical infrastructure as power plants, dams, and public safety communication networks. On the Internet, modems, routers and other specific network equipment could be designated as CCI. But this bill is written broadly, so that the Administration could even designate online services—such as e-mail and cloud computing services—that use the Internet but are not themselves network infrastructure.
All businesses want to keep Americans safe and protect infrastructure that supports the American economy. But any businesses whose systems are designated as CCI by the Secretary of Homeland Security face expensive upgrades and operational requirements.
What happens if a company (or an industry) wants to challenge its CCI designation? Typically, what makes America work is that we can question authority and even challenge our government in court when we think it’s wrong. But this legislation explicitly denies businesses their right to challenge a CCI designation in court.
(4) Final appeal.—A final decision in any appeal under this subsection shall be a final agency action that shall not be subject to judicial review except as part of an enforcement action under section 306(b)(7). [emphasis added]
This part of the bill has to be amended to allow judicial appeals to make it fair for the businesses that will pay for it.
And when courts do review a designation, they should scrutinize whether the Secretary rightly applied–not just “considered”–the specific risk factors in the legislation. The current draft has a low bar for the government, requiring the Secretary to merely consider certain risk factors–and lets the Secretary add other factors, too.
In the event of a major cyber incident, companies should be leading the way in developing a fix, not standing by and waiting for the government to issue orders.
The companies that operate critical Internet infrastructure are not part of the cyber security problem; they are the key to the solution. Rather than punishing these pillars of the security community, lawmakers should be looking for innovative ways to support their efforts.
The high-tech industry has been a strong supporter of government’s renewed focus on cyber security. But we want to avoid the situation where government gains the power to issue expansive, unchecked edicts without the right to a day in court.