Legislation is now passing through the U.S. Senate that could give the president unprecedented powers over the Internet, including the ability to ‘shut down’ portions of it when a cybersecurity emergency is declared. The bill was introduced at the beginning of the month, but concerns have since been raised over its vague wording.
At issue is Section 18(2) of the Cybersecurity Act of 2009, which reads as follows:
“The president … may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.”
At face value, the legislation, introduced by West Virginia Senator Jay Rockefeller, seems aimed at protecting sensitive government data and infrastructure, such as electrical grids and the like. Rockefeller makes his case by presenting a litany of findings indicating how vulnerable we are to cyber threats. Among them are Congressional studies that found an attack on a major financial institution could severely impact the economy, and attacks on systems controlling our power grid could “have the potential to disrupt services for hours or weeks.”
However, the bill offers no definition for what may be considered “United States critical infrastructure.” Could this mean entire fiber-optic pipes? Access to certain servers? The entire Internet, if the attack is really severe? Nobody seems to know. If made law, this vagueness could be used to justify just about any move to restrict Internet traffic within the country, as long as there is a perceived “threat.”
The Center for Democracy and Technology said the bill would give the government unprecedented and unacceptable control over the Internet. “The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy,” president and CEO Leslie Harris said.
Electronic Frontier Foundation civil liberties director Jessica Granick seems equally alarmed by the legislation’s tone. “Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government,” she said.
President Obama is not yet publicly supporting the bill, although the Administration’s defense agenda does include protection from digital threats. Also, Obama said in July 2008 that he would declare Internet infrastructure a “strategic asset” and appoint a cyber advisor. While there may be no connection between the two, there are similarities in their proposals.
But is there really a need for such legislation? Government Accountability Office reviews have found that the government’s security problems include “insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs,” according to security expert Bruce Schneier.
If that’s the case, such federalization of Internet infrastructure may not be necessary at all. Schneier suggested that cybersecurity threats shouldn’t be dealt with as a government or military problem, because they are a universal problem. “All networks, military, government, civilian and commercial, use the same computers, the same networking hardware, the same Internet protocols and the same software packages. We all are the targets of the same attack tools and tactics,” he argued. “We’ve all got the same problems, so solutions must be shared.”