An In-depth Analysis of Lieberman’s Cybersecurity Bill 2011: Giving Birth to Big Brother
“Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders.”
After reading the revamped Cyber Security Bill 2011 sponsored by Joe Lieberman (co-sponsored by Senators Rockefeller*, Snowe, Collins, Lieberman & Carper) , shock and anger quickly set in. While the nation has been watching endless news stories about our congressmen quibbling over a measly two trillion dollars, Senator Lieberman has been silently slipping the most treacherous, deceitful & manipulative bill ever created through the Senate. When Lieberman, chairman of the Senate Committee on Homeland Security and Governmental Affairs (SCHSGA), first proposed the earlier version of the bill (Protecting Cyberspace as a National Asset Act of 2010, S.3480), critics slammed him and it for being too broad in scope and for including a ‘kill switch’ for the Internet- so reminiscent of Hosni Mubarak’s during the Egyptian uprising. Lieberman blithely brushed criticism aside, rejected the idea of a ‘kill switch’ and claimed that the bill actually restricted the current rights & powers of the President under Reagan’s 12472 – Assignment of National Security and Emergency Preparedness Telecommunications Functions Executive Order (an update to the Communications Act of 1934). According to Lieberman’s interpretation of this Act, the President may close “any facility or station for wire communication,” effectively allowing him to ‘shut down’ the Internet if necessary. No authority of the kind exists for one single reason: the Internet is not simply facilities or stations for wire communication and the interpretation of it being so is completely ridiculous. It also belies the necessity of this bill to begin with. However, in one thing he is correct: there is no ‘kill switch’. Just complete and total control of the entire world. That’s all. This may bring chuckles, but read on.
The 2010 bill stalled in both the House & the Senate and was left to flounder until recently. The new Cyber Security Bill 2011 (irononically referred to as the Internet Freedom Act) has been amended and re-introduced to the Senate Floor, after passing through Lieberman’s SCHSGA Committee. Evaluation of this bill is absolutely necessary for all United States Citizens and all U.S. based companies, both large & small. The breadth & depth of this bill is simply staggering. “Preposterous” would not be ill-applied. Not only will it produce the biggest bureaucracy heretofore known to man, but it will also usher in ‘Big Brother’ once & for all. This bill represents the biggest take-over of private industry by the U.S.A. government (or any government) in the history of our country. The possible & probable misuse of the power within this bill range anywhere from electronic spying on U.S. Citizens & companies to strong-arm tactics to force companies out of business if they fail to comply with government orders. In the wrong hands, the powers & intended actions of this bill could deny food, water, and any other supply to U.S. citizens. If ever there could be a ‘mark of the beast’, this would be the way to implement it.
“He causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name.” Revelation 13:16-17
The following article will outline the scope, intent, the resulting Office of Cyberspace Policy Department, the authority of the department, the implications of the bill, the private sector response to the bill and final conclusions. Letters from America’s leading software, hardware companies that have vehemently protested this bill (and the strong armed response from Lieberman) are also included. *A special note concerning Senator Rockefeller & his connection to news ownership will appear at the end of the article. Contact information (simple, fast & straightforward) for each State’s Senators & Representatives is listed. Every citizen who values their civil rights must protest this bill’s passage.
I. Scope of the Bill:
The scope of this new legislation encompasses the regulatory control of all the hardware & software owned & operated by the Federal, State & City governments. It also includes whatever private & public companies the Director of Office of Cyberspace Policy Department deems ‘important’ to the cyber security of the United States. As this bill doesn’t call for the full implementation of a robust, federally owned & operated communication network, this would encompass any and all computers, servers, hard lines, satellites, telephone companies, software & databases that it uses to pass its information. In addition, the scope of this bill requires the entire supply chain of components that supply these ‘critical’ entities to come ‘into compliance’ with standards developed by this new agency (think Pentium chips made in China). This would literally mean the entire Internet, all suppliers of the Internet and potentially, everything linked to it. The Internet is defined as such:
the Internet is vital to almost every facet of
2 the daily lives of the people of the United States,
3 from the water we drink to the power we use to the
4 ways we communicate;
5 (2) in the modern world, the Internet is essen
6 tial to the free flow of ideas and information
(3) CYBERSPACE.—The term ‘‘cyberspace’’
20 means the interdependent network of information in21
frastructure, and includes the Internet, tele22
communications networks, computer systems, and
23 embedded processors and controllers in critical in24
It is extremely difficult to imagine how the Internet and a potential cyber attack could do irreparable damage to our entire water supply, but more on that later. Remarkably, this bill also includes International assets. The United States Homeland Security Department will now be extending its mandates across the globe to any and all communications facilities that ‘affect’ our Internet. It will now ‘work’ with foreign governments to ‘encourage’ them to implement American security software and procedures to fortify American interests. As the argument could be made that if you control all American communications assets, then you control the world’s communications assets, this bill is absurd in its ambition.
II. Intent of Bill:
The stated intent of the bill is to protect the Internet from a crippling cyber attack, but doesn’t seem to notice the complete contradiction it presents as it frames the need for such a bill. It begins by attempting to smooth worries of an Internet ‘kill switch’ by stating that, due to the extreme flexibility and decentralized nature of the Internet, the Internet can never be technically ‘shut down’. It then proceeds to cite the ability of cyber terrorists to ‘take down’ the United States by killing or crippling our Internet capability!
“the Internet has developed into a robust
14 network within the United States, with thousands of
15 providers, making it technically impossible to shut
16 down the Internet;”
“it is vital that the Internet, and the access
8 of the people of the United States to the Internet,
9 be protected to ensure the reliability of the critical
10 services that rely upon this network and the avail
11 ability of the information and communications that
12 travel over this network;”
“cyber attacks are a real and evolving threat
23 to the information infrastructure and economy of the
It also, ironically enough, includes the following provision:
“LIMITATION.—Notwithstanding any provision of
21 this Act, an amendment made by this Act, or section 706
22 of the Communications Act of 1934 (47 U.S.C. 606), ne23 ther the President, the Director of the National Center
24 for Cybersecurity and Communications, or any officer or
employee of the United States Government shall have the
2 authority to shut down the Internet.”
The disingenuousness of the bill is established by these statements. The Internet either can not be ‘shut down’ by an individual (a cyber terrorist or the POTUS) and therefore the implication that our entire water supply could be decimated needs to be re-evaluated (and the need for this new agency goes away) OR the Internet can be shut down by one person (cyber terrorist) and leaves open the possibility that the POTUS could do so with the provisions set forth in this bill (which is tyranny). As the bill is premised on both options, one must conclude either 1) The bill (& Lieberman) is lying about its intent & ability to shut down/control the Internet or 2) the bill (and the proposed Cyber Agency) is unnecessary because the Internet can not be shut down or controlled by any individual in the first place.
III. Organizational Impacts of Bill:
The bill calls for the creation of a new Office of Cyberspace Policy Department that answers to the Department of Homeland Security which, in turn, answers only to the President. As the scope of mission assigned to the Director of this new department includes both national & international private/public companies, the power to influence the private sector by one man (and by extension, by the President of the United States) will be unprecedented in human history. While this bill delineates incredible width & depth to the authorities of this new organization, the limits are only vaguely hinted at. While the bill enjoys using the word, “voluntary’ & ‘cooperation with private entities’ and ‘concurrence’, it gives itself coercion tactics that are reminiscent of the Gestapo or the U.S.S.R. These friendly terms are used sparingly and vaguely to such a point that they are meaningless. One must look to the punitive authorities given in order to decide whether private participation will be voluntary.
The size of a department that can accomplish the stated goals of this bill would have to be enormous. The number of IT professionals, private business oversight supervisors, legal advisors & attorneys, report analysts, the software & hardware to support them, the budgeting personnel, the administrative staff, the human resources personnel, the physical space to house the personnel, the salaries & the benefits to mention only a few requirements will be colossal. To put this into perspective: to define, develop & implement one version of one new software/hardware/architectural system for one telecommunications company can take upwards of three years, 300 million dollars and a team of about 300-400 people. As this agency seeks to implement new ‘security standards’ across all these companies at least once every year, this equates to at least one new software & hardware revision at least once a year across thousands (tens of thousands?) of ‘entities’. As each of these revisions must be monitored to determine compliance, federal employees must actively supervise & manage each of these projects. As there are thousands of companies that will fall under the discretion of this new agency, tens of thousands of people, at least, will be needed to even attempt to accomplish the mission statement of this new organization.
This bill also seeks to establish control of standards of the entire supply chain for the ‘critical’ federal & private entities. ‘Supply chain’ refers to all the components (think Pentium Chips made in China) needed to support all those computers, satellites, hard disks, databases, software, intranets, Internet and now, ‘clouds’ of functionality. Oh, just think of the amount of work it will be to ensure that all those items fall into compliance! Allow me to once again bring this into perspective. My father has worked in the nuclear engineering field for his entire career. He & a partner are attempting to replace one, tiny part of the nuclear facility. It will improve the plant’s capacity, life and safety by 300%. However, in order to bring this one device into compliance with the Nuclear Regulatory Agency (mind you, this is one agency in charge of one, very specialized industry), it has taken over a year and with prohibitive cost. Receiving compliance certification is the only way to prove compliance- and this is another year to wait. Needless to say, this one new part may never come into existence. All these things will need to be done in order to ‘secure’ the supply chain.
Simply imagining the complexity gives me nightmares. At some point, I have to laugh at the magnitude of the undertaking. However, my laughter is quelled when I wonder how much the voting senators will understand before they vote!
IV. Authority of the Bill
1) This bill gives the Director of the new Cyberspace Policy Department & the USA President massive authority over the private sector. The Director & President can order any company it deems relevant to participating in the creation of new standards, protocols, and technology development.
8 National Cybersecurity Advisory Council, the
9 head of appropriate sector-specific agencies, and
10 any private sector entity determined appro11
priate by the Director, risk-based assessments
12 of national information infrastructure and in13
formation infrastructure located outside the
14 United States the disruption of which could re15
sult in national or regional catastrophic damage
16 in the United States, on a sector-by-sector
17 basis, with respect to acts of terrorism, natural
18 disasters, and other large-scale disruptions or
19 financial harm, which shall identify and
20 prioritize risks to the national information in21
frastructure and information infrastructure lo22
cated outside the United States the disruption
23 of which could result in national or regional
24 catastrophic damage in the United States, in..
2) This bill gives this Director & President to force any company it deems relevant to implement the new standards, procedures & protocols- at its own expense, thus adding a crippling blow to the company’s ability to compete worldwide, In addition, each of these companies will be forced to submit reports every year to this powerful new entity.
‘‘(1) IN GENERAL.—Not later than 6 months
11 after the date on which the Director promulgates
12 regulations under section 248(b), and every year
13 thereafter, each owner or operator of covered critical
14 infrastructure shall certify in writing to the Director
15 whether the owner or operator has developed and
16 implemented, or is implementing, security measures
17 approved by the Director under section 248 and any
18 applicable emergency measures or actions required
19 under section 249 for any cyber risks and national
20 cyber emergencies.
3) This bill gives the Director & President the right to simply take over all company resources to implement the new standards, procedures & protocols if the company refuses to comply. Imagine the Gestapo, armed with IT Professionals, marching into IBM and simply taking over the company if it won’t comply. That is the authority given in this bill.
21 ‘‘(2) FAILURE TO COMPLY.—If an owner or op22
erator of covered critical infrastructure fails to sub23
mit a certification in accordance with paragraph (1),
24 or if the certification indicates the owner or operator
25 is not in compliance, the Director may issue an
order requiring the owner or operator to submit pro2
posed security measures under section 248 or com3
ply with specific emergency measures or actions
4 under section 249.
IN GENERAL.—Consistent with the factors
7 described in paragraph (3), the Director may per8
form an evaluation of the information infrastructure
9 of any specific system or asset constituting covered
10 critical infrastructure to assess the validity of a cer11
tification of compliance submitted under subsection
‘‘(2) DOCUMENT REVIEW AND INSPECTION.—
14 An evaluation performed under paragraph (1) may
16 ‘‘(A) a review of all documentation sub17
mitted to justify an annual certification of com18
pliance submitted under subsection (a)(1); and
19 ‘‘(B) a physical or electronic inspection of
20 relevant information infrastructure to which the
21 security measures required under section 248 or
22 the emergency measures or actions required
23 under section 249 apply.
24 ‘‘(24 ‘‘(3) EVALUATION SELECTION FACTORS.—In
25 determining whether sufficient risk exists to justify
1 an evaluation under this subsection, the Director
2 shall consider—
3 ‘‘(A) the specific cyber risks affecting or
4 potentially affecting the information infrastruc5
ture of the specific system or asset constituting
6 covered critical infrastructure;
7 ‘‘(B) any reliable intelligence or other in8
formation indicating a cyber risk or credible na9
tional cyber emergency to the information infra10
structure of the specific system or asset consti11
tuting covered critical infrastructure;
12 ‘‘(C) actual knowledge or reasonable sus13
picion that the certification of compliance sub14
mitted by a specific owner or operator of cov15
ered critical infrastructure is false or otherwise
17 ‘‘(D) a request by a specific owner or oper18
ator of covered critical infrastructure for such
19 an evaluation; and
20 ‘‘(E) such other risk-based factors as iden21
tified by the Director.
22 ‘‘(4) SECTOR-SPECIFIC AGENCIES.—To carry
23 out the risk-based evaluation authorized under this
24 subsection, the Director may use the resources of a
25 sector-specific agency with responsibility for the cov-
1 ered critical infrastructure or any Federal agency
2 that is not a sector-specific agency with responsibil3
ities for regulating the covered critical infrastructure
4 with the concurrence of the head of the agency.
For those unaccustomed to this type of language, the passages say: 1) if a company doesn’t comply, the Director can order them to do so. 2)If they still do not comply, then the Director can send someone, forcibly, into a company and force them to hand over their software/ hardware documents for review. 3) They can then use the company’s employees, computers, software & hardware to force the technical changes demanded by the Director- without the consent of the company owners. 4) that only the heads of Federal ‘agencies’ will have the ability to ‘concur’ or not. Note that the private sector is not given this choice. No limitations on this ability are listed.
4) This bill gives the Director & President the ability to leverage unspecified amounts of monetary fines should any company that it deems relevant not comply with its new mandates. As this amount could be anything, it is nothing more than a strong-arm tactic to threaten rebelling companies with financial destruction if it will not come into compliance.
5) This bill gives the new agency the power to sift through all the data on the Internet in order to deem it ‘relevant’ for protection. The problem is that it needs to ‘know’ what that data is before it can be sifted. Knowing what the data is, is called spying. The personal information about every citizen will now be available, in the name of cyber security (very dubiously carried out by the slowest ‘company’ on earth), to Big Brother. The possibilities for shady spying, espionage, civilian repression and corporate punishment are endless. There are no limits in this bill concerning additional functionality that can be added during this sifting activity. For example, while sifting your personal information, software could be added to look for the existence of personal blogs, group affiliations, or contacts or even words & phrases that the government has labeled ‘cyber terrorism’. You could be entered into a database ‘list’ and sent to another agency for ‘monitoring’ as this bill also allows for the passage of personal information to other security agencies. As ‘cyber terrorism’ is not defined in this bill to any level of specificity, anyone could make this list for any reason. And only two men get to decide the criteria: The President & the Director. No oversight is required by any other legal entity.
6) This bill gives this department the ability to define what ‘appropriate’ civil liberties’ are. By not including a stronger statement protecting ALL civil rights of USA citizens, the door is open to complete abuse of our rights- all in the name of cyber terrorism. While the introduction of the Bill states that this bill must not interfere with First Amendment rights:
(5) although the United States must ensure the
18 security of the Nation and its critical infrastructure,
19 the actions of the Government must not encroach on
20 rights guaranteed by the First Amendment to the
21 Constitution of the United States;
it goes on to state actions that are in complete contradiction. Just one example of this type of language can be found here:
‘‘(T)(i) conduct, in consultation with the
‘‘(AA) in coordination with the Director of
18 the Office of Cyberspace Policy and the heads
19 of relevant Federal agencies, develop and imple20
ment an identity management strategy for
21 cyberspace, which shall include, at a minimum,
22 research and development goals, an analysis of
23 appropriate protections for privacy and civil lib24
erties, and mechanisms to develop and dissemi25
nate best practices and standards relating to
identity management, including usability and
2 transparency; and
3 ‘‘(BB) perform such other duties as the
4 Secretary may direct relating to the security
5 and resiliency of the information and commu6
nications infrastructure of the United States.
(7) The President of the United States may declare a national cyber emergency for 30 days without any consultation from Congress. The only thing he need do is notify all the federal & private agencies that there has been a declaration and what he considers it to be. He and/or the Director of the Cyber Agency may extend this ’emergency’ action for 90 days without consulting Congress or the American people.
‘‘SEC. 249. NATIONAL CYBER EMERGENCIES.
16 ‘‘(a) DECLARATION.—
17 ‘‘(1) IN GENERAL.—The President may issue a
18 declaration of a national cyber emergency to covered
19 critical infrastructure if there is an ongoing or immi20
nent action by any individual or entity to exploit a
21 cyber risk in a manner that disrupts, attempts to
22 disrupt, or poses a significant risk of disruption to
23 the operation of the information infrastructure es24
sential to the reliable operation of covered critical in25
frastructure. Any declaration under this section shall
specify the covered critical infrastructure subject to
2 the national cyber emergency.
Any emergency measure or
20 action developed under this section shall cease to
21 have effect not later than 30 days after the date on
22 which the President issued the declaration of a na23
tional cyber emergency, unless—
24 ‘‘(A) the Director details in writing why
25 the emergency measure or action remains nec-
1 essary to address the identified national cyber
2 emergency; and
‘‘(B) the President issues a written order
4 or directive reaffirming the national cyber
5 emergency, the continuing nature of the na6
tional cyber emergency, or the need to continue
7 the adoption of the emergency measure or ac8
9 ‘‘(2) EXTENSIONS.—An emergency measure or
10 action extended in accordance with paragraph (1)
12 ‘‘(A) remain in effect for not more than 30
13 days after the date on which the emergency
14 measure or action was to cease to have effect;
16 ‘‘(B) unless a joint resolution described in
17 subsection (f)(1) is enacted, be extended for not
18 more than 3 additional 30-day periods, if the
19 requirements of paragraph (1) and subsection
20 (d) are met.
V. Implications of Bill:
1) USA technology Will Lose its Competitive Edge.
As technology morphs, literally, everyday into something new, the ability of this new monstrosity to ‘keep up’ will be impossible. If this bill has regulatory rights, the ability to define software/hardware standards or methodology over any of these (and future) communication companies, its ponderous weight & restrictions will pull every single communications company underwater with it. New communication technology will cease to exist in the private sector. Communications innovation will be dependent on the bureaucracy of this pendulous government agency. As no government is beholden to stock owners or a board of directors, all incentives to stay lean & mean will be removed. All new communication technology now and in the future will have to wait until this enormous bureaucracy catches up. America will become a backwater nation instead of the communication giant it is today.
2) This Agency Will Fail to Secure the Internet, Will Waste 100s of Trillions of Dollars But May Usher In Big Brother Instead.
As this new bill is attempting to coordinate its tele-communications with EVERY company (there will be thousands, if not tens of thousands) that has legal ownership of ANY database, software or hardware (up to and including satellites!) that affects ‘critical’ government communications, the task is 1) not feasibly possible and 2) will need endless resources 3) will waste trillions of dollars and result in failure all the same. This equates to the full take over of technology by the United States government for one reason only: the only way that it can ensure that all these companies comply with its new mandates is to gain management, oversight and punitive authority over them. That is a take over. Big Brother, in all its ugly glory, will be given birth, but the Agency, due to its size & scope will fail to be technologically ‘ahead’ of the smaller, leaner & faster cyber terrorists it aims to thwart. Think: Bill Gates in his garage vs. Comcast. Who can program something in less time?
3) Widespread Political Corruption is Inevitable
The incredible power over the private sector that this bill with give to one man (the Director of the new Cyberspace Policy Department) leaves open the door to massive corruption. As the financial burden of defining, developing & implementing all the software & hardware demands (not to mention the yearly auditing & reporting requirements) from this new department will fall 100% on the private/public companies, there will be a massive resistance to comply. The doors to bribery from multi-billion dollar companies will be wide open. The power that is given to the President of the United States of America over each & every one of these powerful & wealthy companies will lead to corrupt elections and election campaign contributions.
4) Civil Rights Will Disappear & Tyranny Will Result
The power of any coordinated and centralized group of wealthy industry magnates and the most powerful politicians on earth will lead to a complete subversion of the American citizen. Owning and controlling all the information in the United States of America (think Google, Yahoo, Comcast, Bing, etc) is, literally, 100% power over the entire world & its resources. The possibilities for abuse are too dangerous to contemplate. In corrupt hands, this power could be used to rule the world. It does not belong to any one man, one President, department, or nation.
If ever a true partnership between communication giants & political giants were ever to exist, the results would be complete annihilation of every citizen’s civil rights. No company in the world would willingly do what this bill demands of them unless the owners of the companies were hugely rewarded in some way. The only kind of reward that can be offered to large companies & their major stock owners is a guarantees of huge profits either by eliminating competition through regulatory burdens on them or by the monopoly of lucrative government contracts. This can only mean complete corruption of both the private & political cultures. Absolutely nothing would be sacred. Considering that this bill gives every bit of data into the hands of the government, the personal information of private citizens (everything from your shopping habits, to your email accounts to your political blogs) could be used to suppress & control the population- if the government ever considers you to be a ‘threat’ to national security, that is. It has never been an American trait to trust the government with this level of private information.
VI. Government Protections (of itself) in the Bill
1) No USA citizen or company may sue the government for any violations of privacy or for any disruption of communication- even when doing so may result in:
“damages for losses for physical and emo7
tional pain, suffering, inconvenience, physical
8 impairment, mental anguish, disfigurement, loss
9 of enjoyment of life, loss of society and compan10
ionship, loss of consortium, hedonic damages,
11 injury to reputation, and any other nonpecu12
2) Only provable financial loss (almost impossible to gauge) or death that stems from their actions (other than the financial losses to any company they deem ‘critical’ to their security).
3) This bill also prevents anyone from suing the companies that are forced to participate in these actions. The result is that if a complete disruption of communication for 90 days prevents you from knowing your mother had a heart attack & died- resulting in her burial without you, tough luck for you. Everyone is immune. The only exception is if you can prove death occurred by a shut down of communications. Limitations on the amount you can sue for are also included.
VII. Private market response to the bill:
Three major companies (IBM, CISCO, Oracle) have already balked at this level of government intrusion into their businesses. They have submitted a joint letter refuting the ability & the wisdom of the government to attempt cyber security by this take over of private communications companies. They cite the decline of U.S. technology as inevitable & the ironic consequence that we may need to purchase better technology oversees as a result of this bill. In addition, they claim their legal proprietary & trademark rights over their intellectual property as reasons that the government may not have access to their internal information & processes. They propose another solution in their letter, which is ignored completely by Lieberman’s response letter.
Dear Senators Lieberman and Collins:
Securing our nation’s information infrastructure is not only important to the millions of users and
businesses who depend on it for commerce, information and entertainment; it’s also a matter of
vital national security. Like our government, the innovative companies who develop and deploy
the information technology that comprise the Internet and private networks that are part of this
critical infrastructure take this very seriously. Preventing malicious attacks and protecting the
data on these networks requires constant vigilance and is demanded by our customers who
manage the global financial system, the power grid, communications networks, healthcare
systems, and our national defense.
S. 3480, the Lieberman-Collins-Carper Protecting Cyberspace as a National Asset Act, is
intended to protect Federal systems and critical infrastructure from cyber attack. As such, it
gives new resources and power to the Department of Homeland Security over government
procurement and seeks to create a new regulatory, monitoring, response, and remediation role for
the DHS for both government networks and private, commercial networks. While well
intentioned, it ultimately puts U.S. critical infrastructure at increased risk by threatening the
intellectual property of American companies that create the IT that operates the vast majority of
U.S. government and private-sector critical networks and systems. The unintended result may be
a weakening of the domestic software and hardware industry to an extent that could, ironically,
leave the U.S.mor e dependent upon foreign suppliers for their critical IT systems.
Section 253. Specifically, Section 253 mandates that the Secretary of Homeland Security (in
consultation with “the Director of Cyberspace Policy, The Secretary of Commerce, the Secretary
of State, the Director of National Intelligence, the Administrator of General Services, the
Administrator for Federal Procurement Policy, agency CIO’s, agency Chief Acquisition officers,
Chief Financial Officers and the private sector”) develop and implement a “supply chain risk
management strategy” to protect Federal information infrastructure. This “strategy” would then
be applied to the governments procurement system and in effect, regulate the information
•All software and hardware companies who do business with the government, essentially
the majority of the technology industry, would have to change their development
processes, internal procedures, designs and products to comply with the “strategy.” This
directly contradicts the President’s proclamation in May 2009 as part of his cybersecurity
strategy: “So let me be very clear. My administration will not dictate security standards
for private companies. On the contrary, we will collaborate with industry to find
technology solutions that ensure our security and promote prosperity.”
•All products purchased by the government would also have to meet standards approved
by NIST – hampering the ability of the government to gain access to new technology that
hasn’t yet been vetted by government regulators.
•This would set the barrier to entry for the government market at a prohibitive level for
small businesses that would have to meet new requirements to adhere to the new
•Although the bill appears to exempt the DoD and national security systems from its
requirements, as a practical matter it does not because technology products are developed
through a single development process and sold globally.
•The new unbounded, government-wide procurement and testing requirements instituted
by DHS would undermine international standards, including the accepted U.S. and
international standard, the output-based Common Criteria (“CC”), which is intended to
provide product assurance globally, prevent the balkanization of technology, and prevent
foreign governments from demanding access to sensitive, proprietary technical
information. The CC is already used to certify products for use in U.S. national security
systems, and creating a whole new process – as Sec 253 seems likely to do – both
undermines the CC, and sends a signal to other governments that non-standard,
unbounded demands are acceptable. Access to this information by foreign governments
could be used to create domestic competitors to U.S. firms or create other non-trivial
A better approach would be to require technology companies that do business with the Federal
government to adhere to the Common Criteria where appropriate for product assurance (ensuring
the product itself exhibits security), and with regard to any specific unit of production, adhere to
an internationally accepted standard for ‘chain-of-custody’ supply chain requirements which are
disclosed by the vendor, and audited pursuant to international standards. Additionally, Common
Criteria should be reviewed and improved upon, so as to improve its weaknesses without losing
its strengths. These programs would embrace current and insipient international standards for
supply chain and software assurance. This would preserve innovation and diversity in the
marketplace protecting core intellectual property. Lastly, the expertise in this area does not
currently reside in the DHS, the agency granted regulatory authority under the bill.
It’s also not clear whether giving significant new regulatory authority to the Department of
Homeland Security is the right approach. In December the President appointed a new White
House Cybersecurity Coordinator, Howard Schmidt. The Lieberman-Collins-Carper legislation
appears to circumvent the Cybersecurity Coordinator’s authority before the office has been given
an opportunity to succeed.
Section 242. Another troubling provision in the bill as introduced is Section 242, which creates a
“National Center for Cyber security and Communications” operated within DHS which would be
required to “assist in the identification, remediation, and mitigation of vulnerabilities to the
Federal information infrastructure and the national information infrastructure” including
“dynamic, comprehensive, and continuous situational awareness of the security status of the
national information infrastructure.” There is no existing authority for the Federal government to
have “continuous situational awareness” of the security status of private networks and this would
be impossible to achieve without the deployment of government monitoring devices on private
networks, which would also provide access to private personal and commercial data on those
networks. Establishing this capability contravenes a commitment made by President Obama in
his announcement of the appointment of a new White House Cybersecurity Coordinator: “Our
pursuit of cybersecurity will not – I repeat, will not include – monitoring private sector networks
or Internet traffic.”
Section 248(b). Finally, under Section 248(b), the new DHS Cyber Director is mandated to
issue regulations putting under Federal control the IT and network infrastructure of any private
sector company or entity the Secretary deems important enough to be a “covered critical
infrastructure” entity. This authority extends to any U.S. company determined by the Secretary
to be critical, and the regulatory power is apparently unbounded.
We appreciate your attention to these important concerns and look forward to working with you
to develop a more robust and secure information infrastructure.
Cisco Systems, Inc.
VIII. Lieberman’s Response & Inaccuracies to IBM, Oracle, & Cisco Systems
Lieberman responded harshly with the following letter:
Dear Mr. Chambers, Mr. Palmisano, and Mr. Ellison:
On June 24, 2010, your companies wrote to us concerning the Protecting Cyberspace as a National Asset Act, S. 3480. We introduced this bill on June 10, and it was favorably reported out of the Homeland Security and Governmental Affairs Committee on June 24 by a unanimous voice vote. This legislation is informed by years of oversight by this Committee and is the result of more than a year of drafting. Our staff spent considerable time working with industry representatives – including representatives from your companies – and the bill, as reported, addresses many of the concerns your companies raised during that time.
We hope that the information provided below will address some of the concerns and misconceptions you have about the bill and its scope.
Section 253. In your letter, you state that developing and implementing a supply chain risk management strategy for federal information technology procurement would “in effect, regulate the information technology sector.” This statement is simply not supported by the text of the bill. (1)
As an initial matter, requiring a strategy on supply chain security for federal information technology procurements – which will be developed in consultation with numerous agencies, councils, and the private sector – would not regulate the information technology sector writ large (1). Rather, this section directs the Federal Acquisition Regulatory Council (FAR Council) to use its existing authority over federal government procurements to implement the strategy, in much the same way as efforts already under way at the Department of Defense and Department of Homeland Security (DHS) as part of Initiative 11 of the Comprehensive National Cybersecurity Initiative (CNCI).
Homeland Security Presidential Directive-23 explained the need for supply chain risk management for government information technology procurements:
Globalization of the commercial information and communications technology marketplace provides increased opportunities for those intent on harming the United States by penetrating the supply chain to gain unauthorized access to data, alter data, or interrupt communications. Risks stemming from both the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems and services. Managing this risk will require a greater awareness of the threats, vulnerabilities, and consequences associated with acquisition decisions; the development and employment of tools and resources to technically and operationally mitigate risk across the lifecycle of products (from design through retirement); the development of new acquisition policies and practices that reflect the complex global marketplace; and partnership with industry to develop and adopt supply chain and risk management standards and best practices.”
We agree with this assessment, which is why section 253 creates a responsible, flexible, and comprehensive approach, in partnership with industry (2), to ensure that we have greater security built into critical federal networks and systems. We also believe that developing a single, unified, approach to this problem will be less burdensome for industry (3) than myriad agency policies developed ad hoc.
Moreover, to ensure that this section does not place an unnecessary burden on industry, the bill requires the strategy “to the maximum extent practicable (4), promote the ability of federal agencies to procure authentic commercial off the shelf information and communications technology products and services from a diverse pool of suppliers.” This is further echoed in the requirement in subsection (d) that the strategy “be consistent with the preferences for the acquisition of commercial items under section 2377 of title 10, United States Code, and section 314B of the Federal Property and Administrative Services Act of 1949 (41 U.S.C. 264b).” On numerous occasions, your companies have expressed the belief that industry is taking sufficient steps to protect its supply chain and guarantee software assurance. Thus, the strategy should be consistent with the internal practices of most IT companies that do business with the federal government.
Your letter also raises concerns that Section 253 would require “all purchases by the government . . . to meet standards approved by NIST.” But this requirement is not new; the National Institute of Standards and Technology (NIST) has had responsibility for some time in “develop[ing] standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency.” Only recently has the federal government began to leverage NIST’s unique relationship with the private sector to help develop interoperable standards that will allow both vendors and agencies to come together and define what “secure” really means. In fact, in July 2007, OMB issued a memorandum to require information technology providers to use the Secure Content Automated Protocol – a technology-neutral, interoperable standard developed by NIST – to certify that their products would not unintentionally alter network security configurations. As such, your concern seems directed at current law and practice – not this provision, which supports NIST’s important, ongoing work in this area.
Your letter also expresses concern that Section 253 will undermine the Common Criteria and suggests that instead the “Common Criteria should be reviewed and improved upon, so as to improve its weaknesses without losing its strengths.” But your objections, again, are not supported by the text, as section 253 both incorporates international standards and provides a mechanism for recommending improvements where the standards are deficient. Section 253 explicitly requires that the strategy place particular emphasis on “the use of internationally-recognized standards and standards developed by the private sector and develop[ment of] a process, with the NIST, to make recommendations for improvements of the standards.” Indeed, this provision was based largely on language recommended by your representatives.
Your letter also asserts that “the expertise in this area does not currently reside at DHS, the agency granted regulatory authority under the bill.” First, as we noted above, the strategy is not regulatory in nature (5), as any change to existing procurement regulations will be done by the FAR Council using existing notice and comment procedures. Second, the statement reflects a misreading of the bill – the strategy is not a DHS product; rather, it will be the result of a broad inter-agency effort, as well as a partnership with the private sector, that will be led, but not dictated, by DHS (2).
Third, and more fundamentally, the responsibility for protecting the American people from a large-scale domestic attack – in any form – is at the heart of DHS’s mission (6). It has responsibility for securing our nation’s critical infrastructure, and for protecting the government’s “dot-gov” domain. Quite simply, no other agency is as well-positioned as DHS to lead the cooperative effort set forth by Section 253. Any effort to secure our civilian government systems and our critical cyber infrastructure must leverage the mission and resources of DHS – doing otherwise would waste taxpayer resources on duplicative efforts at other agencies and exacerbate coordination challenges. DHS is already the department within the federal government building partnerships with the private sector (2) to secure our critical infrastructure and key resources, and Section 253 builds on that responsibility and capability.
Lastly, this section of the letter expressed concern that our bill would “circumvent” the authority of the National Security Staff’s Cybersecurity Coordinator. We appreciate your expression of support for the concept of an overall federal coordinator for cybersecurity, and assure you that nothing in our bill will undermine the authority of such an office Instead, it would ensure that the Director has sufficient authority to set strategy and policy, oversee its implementation, and resolve inter-agency disputes, including in the development of the strategy that Section 253 would mandate. Our bill would also ensure that the Congress and the public (including industry) have full insight into the activities of the White House office.
Section 242. Our legislation, as your letter notes, creates a National Center for Cybersecurity and Communications (NCCC) within the DHS to elevate our nation’s focus on the security of civilian government systems and vulnerable private sector networks, especially those that are most critical to our nation’s welfare. The NCCC will serve as a partner with the private sector, relying on voluntary information sharing programs (2) to gain a better understanding of the risk our nation faces from cyber threats. Your letter is correct that the responsibility of the NCCC would include “assist[ing] in the identification, remediation, and mitigation of vulnerabilities to . . . the national information infrastructure.”
Among other ways, the NCCC would do so by promoting (2) risk-based best practices established under Section 247 of the new law – best practices developed in consultation with the private sector and based to the maximum extent possible on existing private sector standards. The NCCC – at the request of the private sector – would be available to provide voluntary technical assistance. The programs our bill would establish at the NCCC would form the foundation for a collaborative relationship with the private sector – a relationship built on trust (2) and interaction versus overly burdensome top-down regulatory mandates.
By working in partnership and voluntarily sharing information with the private sector (2), the NCCC will have a better understanding of the threats and vulnerabilities our nation faces in cyberspace, “situational awareness” of our nation’s cybersecurity posture. In your remarks on the NCCC’s responsibility to develop this “situational awareness,” your letter asserts, incorrectly, that the bill would lead to the “deployment of government monitoring devices on private networks.”
It is extremely misleading to argue that our legislation would grant the NCCC any authority to monitor or compel the production of information from the private sector (7). Indeed, the legislation expressly states – in numerous places – that it would grant no authority to the federal government to conduct surveillance on private networks(8) or compel the production of information. Indeed, in the very section (Sec. 242(f)(1)(C)) cited in your letter regarding “dynamic, comprehensive, and continuous situational awareness of the security status of . . . the national information infrastructure,” our legislation makes clear that the NCCC’s analysis will be based on “sharing and integrating classified and unclassified information (7) . . . on a routine and continuous basis” with several federal cyber operations centers and the private sector (7). Moreover, as it relates to the private sector, that section explicitly states that information will be shared with the NCCC from “any non-Federal entity, including, where appropriate, information sharing and analysis centers, identified by the Director(14), with the concurrence of the owner or operator of that entity and consistent with applicable law(9).” (Emphasis added). Indeed, our legislation carefully distinguishes between the “situational awareness” required under Section 242(f)(1)(C) and the “automated and continuous monitoring” that would be required for federal networks under Title III. It is simply incongruous to interpret section 242, as your letter does, as an authorization to deploy “government monitoring devices on private networks.”
Section 248(b). The assertion in your letter that the regulatory authority in Section 248(b) is “apparently unbounded” is equally without merit. Quite to the contrary, our bill specifies that only those systems or assets whose disruption would cause a national or regional catastrophe (10) could be subject to the bill’s mandatory risk-based security performance requirements. To qualify as a national or regional catastrophe, the disruption of the system or asset would have to cause:
• mass casualties with an extraordinary number of fatalities;
• severe economic consequences;
• mass evacuations of prolonged duration; or
• severe degradation of national security capabilities, including intelligence and defense functions. (10)
Thus, the bill sets up a process that clearly defines – and limits – the systems and assets that the Secretary of Homeland Security can identify as covered critical infrastructure.
Owners/operators who believe their systems and assets were erroneously identified as covered critical infrastructure will have an opportunity to appeal their coverage through administrative procedures (11). This will help ensure that only our nation’s most critical systems or assets are covered by the risk-based security performance requirements in Section 248. Thus, we do not believe that the scope of covered critical infrastructure is overly broad, and it is simply wrong to claim that the reach of the section is “unbounded.” In devising its regulatory structure, our bill appropriately seeks to protect against the most catastrophic risks to our country.
In implementing risk-based security performance requirements, the legislation also builds in flexibility for the owners and operators of covered critical infrastructure. The risk-based security performance requirements applicable to covered critical infrastructure would be developed in collaboration with the private sector and sector-specific agencies. These performance requirements would be targeted only at cyber risks to specific systems or assets that “if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.”(12) Moreover, owners and operators would have the ability to choose (13) the security measures that are right for their own systems and networks – so long as they meet the minimum performance requirements applicable to these high-risk systems and assets. In addition to this flexibility, the legislation would provide important incentives for complying with the risk-based security performance requirements – liability limitations for specified civil actions.
Your input on this important legislation is important to our Committee, and both our staff and yours have invested considerable time in this process. While we find the mischaracterizations of our bill in your letter inaccurate and disappointing, we welcome further discussion and hope that we can engage in a constructive dialogue going forward.
Joseph I. Lieberman Susan M. Collins
Chairman Ranking Member
Thomas R. Carper
Chairman, Subcommittee on Federal Financial Management,
Government Information, Federal Services, and
Inaccuracies in Lieberman’s letter:
(1) As demonstrated in this article, regulating the entire supply chain does, in fact, encompass a huge sector of the technology industry. Lieberman’s denial is false and manipulative.
(2) Considering the ability of this Agency to coerce participation of all ‘required’ entities, words like ‘cooperative’, ‘voluntary’, ‘collaborative’ or ‘partnership’ absurd.
(3) The idea that centralization in systems development across America and the world contradicts the incredible success of supposedly ‘ad hoc’ development that has driven the technology market since Bill Gates tinkered in his garage. This statement alone, disqualifies Lieberman from making any statements about the technology sector whatsoever.
(4) Note that the wording here allows for the new Cyber Agency to develop whatever it wants as long as it is ‘not pragmatic’ to buy ‘off the shelf’. This puts the new Cyber Agency into direct competition with the private sector. In addition, these words also imply that if the desired system is not available ‘off the shelf’ and the Cyber Agency is unable to develop the required system, then the private sector must create it. The language here is complete nonsense and manipulation.
(5) This is patently false. The bill states, in no uncertain language, that this Agency is not only able to define regulatory standards for security compliance, but is also able to leverage punitive measures on non-compliant companies. The punitive measures have already been quoted. The regulatory aspect (pls. note that the business partner may only consult) is as follows:
14 the Director, in consultation with the head of
15 the sector-specific agency with responsibility for
16 the covered critical infrastructure and the head
17 of any Federal agency that is not a sector-spe18
cific agency with responsibilities for regulating
19 the covered critical infrastructure, determine to
20 be appropriate and necessary to protect public
21 health and safety, critical infrastructure, or na22
tional and economic security.
(6) This is a complete reach for Lieberman. He attempts to say, as part of the bill, the follow logic:
If A + B = C
A= any attack on domestic soil
B=the attack is considered large-scale
C=Homeland Security has complete & total jurisdiction of any and all resources necessary to ‘protect’ against that attack.
And D + E = F
D= The Internet covers every aspect of American life!- Even water!
E= The Internet is in danger of being severely damaged by Cyber Terrorists!
F= Cyber Terrorists can severely damage every facet of American Life- Even Water!
And F=A+B, Then C=F
Cyber Terrorism qualifies as a large-scale, domestic attack and therefore, Homeland Security has complete jurisdiction over all activities & resources needed to prevent it.
If D, then E
E= We need a huge agency to set standards for current & future communications both within USA borders and without.
The chain of logic is flimsy at best.
(7) The second two statements contradict the first statement. They simply re-iterate the companies’ point. Private companies will be forced to allow the new Cyber Agency to monitor private data (classified & unclassified) on a continuous basis.
(9) This is a complete falsehood. The bill states that only the heads of FEDERAL agencies will be able to give any kind of permission for access to their data and/or systems. No such authority exists for the private companies deemed ‘critical’ to the Director of this new agency. They will all be forced to give access to their data. The phrase used in this statement is completely misleading. The actual paragraph of the bill from which this phrase is sourced deals with who the Director of the new Cyber Agency will share already gleaned data with. It gives the Director the freedom to share all gleaned data (from any private company) with all listed federal agencies AND with any other private information (as long as the originating company agrees with this SHARING of their data with another private company).
(1) IN GENERAL.—The Director shall—
22 ‘‘(C) provide dynamic, comprehensive, and
23 continuous situational awareness of the security
24 status of the Federal information infrastruc25
ture, national information infrastructure, infor-
1 mation infrastructure that is owned, operated,
2 controlled, or licensed for use by, or on behalf
3 of, the Department of Defense, a military de4
partment, or another element of the intelligence
5 community, and information infrastructure lo6
cated outside the United States the disruption
7 of which could result in national or regional
8 catastrophic damage in the United States by
9 sharing and integrating classified and unclassi10
fied information, including information relating
11 to threats, vulnerabilities, traffic, trends, inci12
dents, and other anomalous activities affecting
13 the infrastructure or systems, on a routine and
14 continuous basis with—
…(list of Federal Agencies)
4 ‘‘(vii) any non-Federal entity, includ5
ing, where appropriate, information shar6
ing and analysis centers, identified by the
7 Director, with the concurrence of the
8 owner or operator of that entity and con9
sistent with applicable law;
Reference IV. Authority of the Bill to decide if private companies will be participating ‘voluntarily’ in the new regulations being set forth by this new Cyber Agency. Consider, also, the following type of language in the bill. Please note the consistent use of the word ‘shall’:
1 ‘‘SEC. 252. SECTOR-SPECIFIC AGENCIES.
2 ‘‘(a) IN GENERAL.—The head of each sector-specific
3 agency and the head of any Federal agency that is not
4 a sector-specific agency with responsibilities for regulating
5 covered critical infrastructure shall coordinate with the
6 Director on any activities of the sector-specific agency or
7 Federal agency that relate to the efforts of the agency re8
garding security or resiliency of the national information
9 infrastructure, including critical infrastructure and cov10
ered critical infrastructure, within or under the super11
vision of the agency.
(8) This also a falsehood. It states this limitation UNLESS it 1) relates to an ‘incident’ and/or Big Brother deems it necessary. This allows the government to take information that it never had the right to have in the first place, evaluate it against the Patriot Act (or any other act listed) and determine if it qualifies as ‘important for U.S. security’. Pls. note that if the Patriot Act ever decided to interpret a ‘enemy combatant’ as someone who ‘threatened’ Obama, then uppity bloggers could make the list. If they make the Patriot Act’s definition of a ‘enemy combatant’, then this will qualify the Cyber Agency to glean information about him through surveillance. This is called ‘slippery’ language.
‘‘(D) intercept a wire, oral, or electronic
2 communication (as those terms are defined in
3 section 2510 of title 18, United States Code),
4 access a stored electronic or wire communica5
tion, install or use a pen register or trap and
6 trace device, or conduct electronic surveillance
7 (as defined in section 101 of the Foreign Intel8
ligence Surveillance Act of 1978 (50 U.S.C.
9 1801)) relating to an incident, unless otherwise
10 authorized under chapter 119, chapter 121, or
11 chapter 206 of title 18, United States Code, or
12 the Foreign Intelligence Surveillance Act of
13 1978 (50 U.S.C. 1801 et seq.).
(10) These words do not exist in the bill. Instead, it is defined as:
‘‘(17) the term ‘national cyber emergency’
22 means an actual or imminent action by any indi23
vidual or entity to exploit a cyber risk in a manner
24 that disrupts, attempts to disrupt, or poses a signifi25
cant risk of disruption to the operation of the infor-
1 mation infrastructure essential to the reliable oper2
ation of covered critical infrastructure;
This is considerably different from Lieberman’s letter in that it opens the authority to a much broader definition.
11) Pls. note that a private company may only appeal. They may not refuse to participate. Everything is under the decision of one Director- and the President.
(12) This is exactly the kind of vague language, that could mean almost anything, that riddles this bill.
(13) Note the generosity of the new Cyber Agency: if the private company who is being forced to implement new standards (at their own expense) doesn’t want to use the technical solutions of the Agency, they can develop their own- as long as THE DIRECTOR approves it.
IX. Final Conclusions
Asked on CNN’s “State of the Union” Sunday whether he was trying to “seize
control or shut down” the Internet, Lieberman answered “no way” and added that
“the government should never take over the Internet.”
Lieberman said the Internet was “constantly being probed by other countries
for weaknesses and that “we need the capacity for the president to say to an
Internet service provider, ‘We’ve got to disconnect the American Internet from
all traffic coming in from this country.’”
- It would be cheaper, faster and safer/better for America if our government secured its own critical communications by simply installing & maintaining its own, proprietary systems between government agencies. They should not use the Internet at all to communicate. The reach to control every aspect of American life (in the name of a potential cyber attack on America) will create a monster that can not and will not be controlled. It is better to trust in the self-interest of software & hardware producing companies to add internet security than to give up our freedoms to a repressive government.
- This bill is written in such language that almost any technology could fall under it.
- Civil protection language is written so vaguely as to offer no protection at all.
- Senator Lieberman lied in his letter. At the very best, he misleads.
- There only two conclusions about Senator Lieberman (and all supporters of this bill) one can make after reading this bill: either Senator Lieberman is completely incompetent in his information gathering skills concerning the impact such a bill would have on the world, or he is an evil man in collusion with evil people with completely evil intentions. On a personal note: I always assume a person knows exactly what they are doing.
Contact Your Senator & Representative Today, Before This Passes:
If you wish, you can simply modify, copy & paste the following statement into your Senators & Representative’s email:
My husband & I adamantly oppose any Cybersecurity & Internet Freedom Act (proposed either by Democrats or Republicans in either the House or the Senate) that allows for the creation of yet another Federal agency. We also oppose any legislation that gives any agency in the federal government any authority over any private sector entity in its attempt to secure its own Intranet. We feel strongly that the only authority the federal government has over any kind of internet is limited to its own, proprietary intranet, software & hardware. The federal government may not, at any time, have any mandate authority over any sector of the technology industry- or anything that uses the Internet at large- in the name of Cyberspace security or Internet freedom. We feel that to give you this authority is to give up our civil liberties. We also feel that these kinds of bills represent the full takeover of the private technology sector (and even beyond). We trust in the self interest of these private companies to provide the best Internet Security possible for us and do not need the federal government to get involved. We are fine the way things are. We demand that the federal government secure your own Intranet in any way you see fit, but leave the Internet alone.
X. Special Notes Concerning Senator Rockefeller & the Ownership of All American Media Outlets
Senator David Rockefeller is a major player in the news ownership cartel in that he is the single largest individual shareholder of the JP Morgan Chase Bank, bank, holding 1.7% of its shares, which is one of the ‘purchasing vehicles’ used by six incredibly rich & powerful families and/or groups that currently owns all American news, movie production studios, magazines and other media. Senator Rockefeller is also leading the charge against Rupert Murdoch in what appears to be a power play for more (controlling?) voting shares in Murdoch’s News Corporation empire (note: the six groups own a large share of News Corp, but it maintains a semblance of autonomy thus far). Rockefeller is also deeply immersed in the Council on Foreign Relations, (CFR) and the Bilderberg Group. He also created the Trilateral Commission (TC). All of these organizations have come under attack from all corners of America due to their belief in the erasure of National boundaries into what they call a New World Order, Open Societies and/or New International Order (see my ‘Is it Ineptitude or is President Obama Smart Like a Fox? article).
As Sen. Rockefeller has demonstrated him to be an elitist of the highest order, it is simply no shock to see him backing this bill so strenuously. The power given over to a few elite hands will be the completion of his life’s work.