Let’s kill the kill-switch debate
Hysteria over presidential power to turn off the Internet is politics, not cybersecurity
Let’s all get a grip on ourselves and forget about the supposed “kill switch” in the cybersecurity legislation introduced last month by Sen. Joseph Lieberman (I-Conn.) and look at the reality instead.
There has been a lot of outrage expressed in recent weeks, much of it by unquestioning bloggers, about national emergency provisions that would empower the president to turn off the Internet — whatever that means. From what I can see, there is no such provision in the bill. And there doesn’t need to be. The president of the United States, as commander in chief of the armed forces and the executive in charge in any emergency, already has broad powers that could be construed to allow control of vital resources without any help from Sen. Lieberman or his bill.
The present concerns have more to do with politics and business than with cybersecurity and the sanctity of the Internet.
President has had ‘kill switch’ for communications since 1934
DHS would be cyber power center under Lieberman/Collins proposal
Present cybersecurity strategies call for the National Security Agency to protect military and intelligence IT systems, puts the Homeland Security Department in charge of securing the .gov domain, and depends on the private sector to defend its resources. They are all supposed to cooperate, but just how is not spelled out, and what we have now is a fragmented and largely dysfunctional system.
The Protecting Cyberspace as a National Asset Act of 2010, S. 3480, would amend the Homeland Security Act to create a comprehensive framework for cybersecurity, putting DHS in charge of the security of the nation’s critical infrastructure, including the Internet. It creates an office and director of cyberspace policy that would require all agencies and companies controlling critical infrastructure to have emergency response plans that would be activated during a “national cyber emergency.”
The bill defines such an emergency as, “an actual or imminent action by any individual or entity to exploit a cyber vulnerability in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure.” Once the president declares such an emergency, the director would order implementation of the response plans and “develop and coordinate emergency measures or actions necessary to preserve the reliable operation and mitigate or remediate the consequences of the potential disruption,” and to address the exploited vulnerabilities.
This is supposed to be accomplished with the “least disruptive means feasible,” but it does give the president and director a lot of leeway.
Overall, however, if Lieberman and Congress wanted to give the president authority to shut down or control the Internet, this is a pretty clumsy way to do it. First of all, extending an emergency beyond the 30-day limit would require renewing the declaration every 30 days. Secondly, the bill gives deference to the private sector in its response plans and security measures, making it difficult for the government to effectively impose broad restrictions. Thirdly, the director during an emergency must consult with the secretary of Defense and the directors of NSA and the National Institute of Standards and Technology, as well as any other agencies involved.
There is little doubt that these provisions could be abused, but to describe as a kill switch systematic measures intended to respond to serious threats is hyperbole, to say the least. It is hard to imagine any type of meaningful defensive system, physical or logical, that would not be liable to abuse.
I am not sure that the Lieberman bill is the best blueprint for a defensive system for cyberspace, but the bill should be debated on it real merits and not with politically motivated arguments or scare tactics used by an industry lobbying against any type of regulation.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.