The blogosphere is all atwitter over the Lieberman-Collins cybersecurity bill and its alleged Internet kill switch. Lots of people are still taking the whole idea of an Internet kill switch seriously. Worse, they think that's what the Lieberman-Collins bill proposes.
So let me say it again, this time with exegesis:
The claim that the bill contains a kill switch is, well, a bunch of bull switch.
The epithet "Internet kill switch" was first coined to describe (to attack, really) a much different bill proposed by a different committee. Maybe that bill justified the term.
But Lieberman's bill doesn't. It is a lot more limited and careful in responding to a serious threat -- the possibility that another nation might use our increasingly networked infrastructure to disrupt phone, banking, and power service in large parts of the country. Since those services are in private hands, the government needs some legislative authority to respond to such an attack. (We don't usually ask private companies to respond to military attacks on their own.)
So what authority does the bill propose to give the government? To cut to the chase, it doesn't grant authority over "the Internet." It gives the President the power to order certain critical infrastructure owners to protect themselves in a coordinated way. Here's a more detailed breakdown of who's covered. (My apologies, but this is a little complicated.)
- First, to be covered, an asset must be part of the critical infrastructure, which is defined under existing law as systems and assets "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." That is pretty carefully focused on things like nuclear power plants and the New York Stock Exchange, not the Internet at large.
- Second, under section 241, even assets that arguably fit this definition are not covered unless they are identified on a list prepared by DHS (as far as I know, the list has not been made public, because we don't want to give adversaries a handy list of the best targets).
- Third, the authority only applies to a portion of that list, specifically to IT systems that support (or are themselves) critical infrastructure.
Okay; it doesn't cover the whole Internet. But at least it's a "kill switch" for the networks it covers, right?
Nope, not that, either. In an emergency, section 249 of the bill lets the government order owners of critical infrastructure to do two things:
- First, the government can tell them to implement their own emergency response plans, which are required by a different section (248) of the bill.
- Second, the government can "develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences" of an attack. And in developing these measures, the government must choose "the least disruptive means feasible."
In short, if you think that a cyberattack is possible, and I've devoted big chunks of this website to explaining why an attack is highly likely, then this bill simply gives the President the minimum authority he'll need to assure protection for our most important assets -- like phones, banks, power.
Then why is the blogosphere, right and left, full of fulmination about the kill switch? This post is long enough already, so I'll just say that I think it's a combination of privacy ideologues who automatically condemn new government authorities, even necessary ones, and anti-regulatory business interests -- what I call the privacy-industrial complex. If you want to know more, it's a theme I develop at length in Skating on Stilts.