The blogosphere is all atwitter over the Lieberman-Collins cybersecurity bill and its alleged Internet kill switch. Lots of people are still taking the whole idea of an Internet kill switch seriously. Worse, they think that's what the Lieberman-Collins bill proposes.
So let me say it again, this time with exegesis:
The claim that the bill contains a kill switch is, well, a bunch of bull switch.
The epithet "Internet kill switch" was first coined to describe (to attack, really) a much different bill proposed by a different committee. Maybe that bill justified the term.
But Lieberman's bill doesn't. It is a lot more limited and careful in responding to a serious threat -- the possibility that another nation might use our increasingly networked infrastructure to disrupt phone, banking, and power service in large parts of the country. Since those services are in private hands, the government needs some legislative authority to respond to such an attack. (We don't usually ask private companies to respond to military attacks on their own.)
So what authority does the bill propose to give the government? To cut to the chase, it doesn't grant authority over "the Internet." It gives the President the power to order certain critical infrastructure owners to protect themselves in a coordinated way. Here's a more detailed breakdown of who's covered. (My apologies, but this is a little complicated.)
- First, to be covered, an asset must be part of the critical infrastructure, which is defined under existing law as systems and assets "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." That is pretty carefully focused on things like nuclear power plants and the New York Stock Exchange, not the Internet at large.
- Second, under section 241, even assets that arguably fit this definition are not covered unless they are identified on a list prepared by DHS (as far as I know, the list has not been made public, because we don't want to give adversaries a handy list of the best targets).
- Third, the authority only applies to a portion of that list, specifically to IT systems that support (or are themselves) critical infrastructure.
Okay; it doesn't cover the whole Internet. But at least it's a "kill switch" for the networks it covers, right?
Nope, not that, either. In an emergency, section 249 of the bill lets the government order owners of critical infrastructure to do two things:
- First, the government can tell them to implement their own emergency response plans, which are required by a different section (248) of the bill.
- Second, the government can "develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences" of an attack. And in developing these measures, the government must choose the "least disruptive means feasible."
In short, if you think that a cyberattack is possible, and I've devoted big chunks of this website to explaining why an attack is highly likely, then this bill simply gives the President the minimum authority he'll need to assure protection for our most important assets -- like phones, banks, power.
Then why is the blogosphere, right and left, full of fulmination about the kill switch? This post is long enough already, so I'll just say that I think it's a combination of privacy ideologues who automatically condemn new government authorities, even necessary ones, and anti-regulatory business interests -- what I call the privacy-industrial complex. If you want to know more, it's a theme I develop at length in Skating on Stilts.
Were it not for the present crisis in the Gulf of Mexico, I might trust your assessment. Government agencies seem to have a way of enlarging their hegemony and competing with each other over turf, while neglecting their legitimate jobs.
You write: "Since those services are in private hands, the government needs some legislative authority to respond to such an attack."
Why isn't this authority to respond to cyber attacks assigned to the NSA and Defense Department or the FBI? You may be right that this isn't a "kill switch," but I really don't see any need for a new bureaucracy to be created to create even more strings in that rat's nest that already exists. Such agencies seem to function more as targets for FOIA requests and ACLU lawsuits than as real protectors of the nation.
Posted by: Allen Thorpe | Jun 20, 2010 at 12:49 AM
For sure, government agencies have their own dysfunctions, and there were efforts to find an agency other than DHS to address the problem of cybersecurity. However, when DHS was created, all of the civilian authorities over this problem were concentrated in DHS, so it would be hard to move responsibility at this point. DHS certainly took a long time rising to this challenge, but I think part of the reason was the deep resistance to any regulatory authority in this area. In other words, having been told for so long by so many that it should keep its hands off, is it really any wonder that DHS did so little until very recently?
As for NSA, I'm not sure people who mistrust government would feel more comfortable giving this job to that agency.
Posted by: stewart baker | Jun 20, 2010 at 08:32 AM
DoD can't do very much, because of Posse Comitatus.
NSA is more of a monitoring-and-intel-gathering agency, not an active-operations agency. It's like the difference between a traffic cop with a radar gun and the SWAT team.
Posted by: DensityDuck | Jun 21, 2010 at 04:44 PM