Thursday, February 03, 2011

Senators Refute Claims Cyber Security Bill Is An Internet Kill Switch

Critics speaking out in opposition to the new Cyberspace as a National Asset Act, also dubbed by myself and many others the "Internet Kill Switch Bill" have forced a rebuttal by backers of the proposal Senators Joseph Lieberman, Susan Collins and Tom Carper. The trio issued a statement this week condemning the actions in Egypt and refuting claims that the proposed legislation would give our president the same power over the internet the Egypt president so callously wielded.
“The steps the Mubarak government took last week to shut down Internet communications in Egypt were, and are, totally wrong.  His actions were clearly designed to limit internal criticisms of his government.  Our cybersecurity legislation is intended to protect the U.S. from external cyber attacks. Yet, some have suggested that our legislation would empower the President to deny U.S. citizens access to the Internet. Nothing could be further from the truth. We would never sign on to legislation that authorized the President, or anyone else, to shut down the Internet. Emergency or no, the exercise of such broad authority would be an affront to our Constitution."

"Our bill already contains protections to prevent the President from denying Americans access to the Internet - even as it provides ample authority to ensure that those most critical services that rely on the Internet are protected. And, even though experts question whether anyone can technically ‘shut down’ the Internet in the United States, we will ensure that any legislation that moves in this Congress contains explicit language prohibiting the President from doing what President Mubarak did."
The statement draws on five points of interest:
  1. That the bill is precise and targeted and only applies to our most critical infrastructure
  2. The legislation specifically says the President can only invoke the emergency authorities “if there is an ongoing or imminent” attack that would “cause national or regional catastrophic effects” by the disruption of the nation’s most critical infrastructure.
  3. Any measures ordered by the President must be “the least disruptive means feasible.”
  4. The President must notify Congress, and the emergency measures cannot be continued beyond 120 days without congressional approval.
  5. The legislation expressly forbids any action that would violate the First Amendment and also prohibits limiting internet traffic, emails, and other forms of communication (except those between critical infrastructure providers) unless no other action would prevent a regional or national catastrophe. 
Being an out spoken detractor of this bill and having studied its many forms I do have to say that the new legislation is a bit more focused and not as broad as it's previous incarnations. However, the Senators are still missing several key points and there are still several areas that are very open to interpretation.

For starters I didn't see anywhere that it expressly states the President can only enact the law for 120 days. Not that that really matters, our economy would go to hell in less time than that. Reports suggest that the recent blackout cost Egypt's economy about $90 million, or $18 million per day, comprising 3% to 4% of the country's economic output. The US government would clearly lose more than that on a daily basis and that could led to a catastrophic decline in our economy over the short term. Figure that over an extended period of 120 days and you are talking serious long term ramifications.

The wording of the bill and what networks might be impacted under the 'most critical infrastructure' is still very vague. There are some new guidelines added that were never there before but they still fail to pinpoint what networks would and wouldn't been shutdown.

The situations in which the president can invoke the emergency authority aren't nearly as cut and dried as the Senators statement seem to make it. There are 4 other instances, threat or potential threat to - national security, the economy, the disruption of the reliable operation of covered critical infrastructure and one very very vague criteria:

(E) other risk-based security factors that the Director, in consultation with the head of the sector-specific agency that is the first-party regulatory agency with responsibility for the covered critical infrastructure concerned, determines to be appropriate and necessary to protect public health and safety, critical infrastructure, national security, or economic security.
The last contention just simply makes no sense at all. If you think you are under 'cyber attack' or there is a threat from a serious worm, botnet or virus of some sort that is so threatening that you need to cut the lines of communication to major networks then clearly you are going to cut email services and limit internet traffic which is the way most of the infections get it. Either the Senators don't get that or they think we are just stupid enough to buy there arguments.

Language of the bill aside I see several other areas that bother me.

First is the creation of a new government body. We already have several agencies, many of which the legislation would draw on for support, that are up and running now that could and do handle cyber security threats. Why do we need to funnel millions of dollars to the creation of yet another agency?

Second is the feasibility of such a law and the ability of the agencies to react in a serious time of crisis. Clearly there will have to be a contingency plan in place, which the bill calls for new regulations to govern the 'critical infrastructure'. There is still really no clear guidelines how and what networks could be cut off. If there is a 'perceived' threat who decides what gets cut off and when? Are we going to have a bunch of analysts sitting around waiting to make a decision then calling the president who then has final say? If so we already lost as a well organized attack would probably have already gotten in.

The full bill can be found here H.R. 174: Homeland Security Cyber and Physical Infrastructure Protection Act of 2011. I strongly suggest everyone read the bill for themselves and draw their own conclusions. I for one still do not like the wording of the bill and think it potentially hands over too much control to our government.

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you