Based on two (1, 2) previous cyber security bills, a draft bill that has been circulating around town backed by Senate Majority Leader Harry Reid would give the White House sweeping new powers over companies that operate “covered critical infrastructure” or (CCI). And more than that, the bill would eliminate a vital aspect of the governmental process: a right to a day in court.
People often think of critical infrastructure as power plants, dams, and public safety communication networks. On the Internet, modems, routers and other specific network equipment could be designated as CCI. But this bill is written broadly, so that the Administration could even designate online services—such as e-mail and cloud computing services—that use the Internet but are not themselves network infrastructure.
All businesses want to keep Americans safe and protect infrastructure that supports the American economy. But what happens if a company (or an industry) wants to challenge their CCI designation? Typically, what makes America work is that we can question authority and even challenge our government in court when we think it’s wrong. But this legislation explicitly denies businesses their right to challenge a CCI designation in court.
(4) Final appeal.—A final decision in any appeal under this subsection shall be a final agency action that shall not be subject to judicial review except as part of an enforcement action under section 306(b)(7). [emphasis added]
This part of the bill has to be amended to allow judicial appeals to make it fair for the businesses that will pay for it.
And when courts do review a designation, they should scrutinize whether the Secretary rightly applied–not just “considered”–the specific risk factors in the legislation. The current draft has a low bar for the government, requiring the Secretary to merely consider certain risk factors–and lets the Secretary add other factors, too.
In the event of a major cyber incident, companies should be leading the way in developing a fix, not standing by and waiting for the government to issue orders.
The companies that operate critical Internet infrastructure are not part of the cyber security problem, they are the key to the solution. Rather than punishing these pillars of the security community, lawmakers should be looking for innovative ways to support their efforts.
The high-tech industry has been a strong supporter of government’s renewed focus on cyber security. But we want to avoid the situation where government gains the power to issue expansive, unchecked edicts without the right to a day in court.