So if it is within the CEO's capabilities to determine and verify a compromise within their own systems, and also to shut them down, which is, I suspect, the way it works now, why pass a law that would interject the Commerce Department and the President into the equation, expanding the powers that each now have?
Because that isn’t the way it works now. There are two fundamental issues that prevent it from working that way - both are addressed in the bill. The first is that private companies are not obliged to shut down their network once compromised and some CEOs, recognising the massive impact on profitability, will avoid it at all costs. The second is also related to profitability: some companies see data security as an additional and largely unwanted cost, they cut their IT security staff to the bone and cut corners when it comes to security. What you end up with is a position where a CEO isn’t obliged to shut the network down and hasn’t got the staff to tell him it’s the best long-term option.
Example: The CEO determines and verifies that a compromise of their system has occurred. They then notify the Commerce Department, who then in turn notifies the President, who declares a compromise and then calls back the CEO and orders him to shut down the system? It sounds quite convoluted to me.
Convoluted is what you get when you start adding checks and balances, Denise.
The reality is that if this bill comes into force the good companies who recognise the risk and the required action probably won’t need to be told to shut down the network. The bill just ensures that they’re more likely to do it. Remember when I said that IT people like to cover their arse? Well, that’s true of CEOs as well: if they take the decision to shut down the network and lose twenty million off their stock price, the shareholders will hang them from the nearest lamppost if it turns out they made the wrong decision. If the CEO can cover his arse by passing the buck and the responsibility over to the government he’s more likely to make a call; at present he may be swayed by the consequences of getting it wrong.
Then there are the bad companies, those that at present pay only lip service to data security. At present they probably won’t even know they’ve been compromised; in that scenario their internet provider might be the one reporting suspicious packets, or another company that’s being affected by the compromised system might report it. Under the new bill they’ll be forced to bring their standards up to a minimum where they would at least know they’ve been compromised, and if they don’t cut their own network the bill gives the government the option to overturn their decision.
If I were to be falsely accused and killed by the authorities, of course my family would have grounds for legal action. But I would still be dead, and the damage could not be undone.
That’s true, Denise, but the family would receive financial recompense in lieu of the loss; it wouldn’t undo the damage but it would prove the illegitimacy of the action. They call those payments “damages” for that exact reason.
The CEO of a company could quite legally refuse an order by the President to shut down his network as long as the network can be proved not to be compromised.
The legal term they’d offer in defence is “the exception that proves the rule”.
A lot of people get confused about what that means in legal terms, which isn’t surprising because it’s taken on so many additional meanings in common usage, so it might be worthwhile if I give you another analogy to make the point.
If you go to a restaurant that has a sign out front that says “Children eat free on Sunday” you’d have a very strong legal case if you went there on Sunday and were charged for your two-year-old’s meal. The sign is pretty clear, right? If, however, you went to the restaurant on Monday you’d have no legal right to get free food for your toddler. Your argument might be that the restaurant doesn’t have a rule that specifies that they don’t supply free food on Monday, but the exception inherent in the inclusion of the word “Sunday” proves that such a rule exists.
“Children eat free on Sunday”
The sign infers that on any day other than Sunday food is not free.
The sign might just as well read “Children don’t eat free on Monday, Tuesday, Wednesday, Thursday, Friday and Saturday” because the exception inherent in the original sign proves that such a rule exists.
So let’s look at that section of the bill again:
The President -
may declare a cybersecurity emergency and
order the limitation or shutdown of Internet traffic
to and from any compromised Federal government
or United States critical infrastructure information
system or network;
Let’s stick that on a sign above Obama’s desk:
The president can order the shutdown of any compromised network.
The exception that proves the rule is the word COMPROMISED. Here’s the rule it proves:
The president can NOT order the shutdown of an uncompromised network.
We could hang that sign next to the first if you like - but there isn’t really any need - the exception in the first sign already proves that the rule exists.
Hope that helps, Denise.