When Senators Lieberman, Collins, and Carper proposed legislation last week to deal with the risk of a large-scale attack on our computer infrastructure, the libertarian-privacy attack was not long in coming.
Declan McCullagh, a committed libertarian journalist for Cnet, posted a long story full of angst about the bill. It would, he said, ""grant the president far-reaching emergency powers to seize control of or even shut down portions of the Internet."
He claimed that, under the bill, "companies such as broadband providers, search engines, or software firms that the government selects 'shall immediately comply with any emergency measure or action developed' by the Department of Homeland Security. Anyone failing to comply would be fined." Only warrantless wiretapping is excluded as an emergency power.
"Because there are few limits on the president's emergency power, which can be renewed indefinitely," McCullagh predicted (and pretty obviously hoped) that "the bill is likely to encounter stiff opposition." He cited concerns expressed by TechAmerica, the Center for Democracy and Technology, and the Cato Institute.
On one technical but important point, Declan may have misread the bill. He seems to think (judging from a post of his on Dave Farber's list) that the bill would impose obligations on any company for which the telephone system or Internet is "essential." I assume that's why he says that search engines are covered by the bill. I doubt that they are, because the bill in fact applies to a relatively limited set of critical facilities -- and to the information infrastructure on which those facilities depend.
So, if operators of our power grid are dumb enough to run their systems by relying on the Internet and Windows XP, then the bill's authority to order emergency measures would apply to the providers of electric power, to their ISPs, and to Microsoft. Otherwise the ISPs and Microsoft are in the clear. As for the rest of us, including our search engines, we're in the clear from the start.
The broader issue is whether Declan is right to hate the bill. Certainly the privacy-industrial complex is gearing up for a scare campaign.
But I think it's fair to ask the privacy campaigners two questions before joining them in chanting "Internet kill switch."
First, do they believe that foreign governments can't attack networks that are essential to our lives? Frankly, I don't think there's anyone with an ounce of technical savvy who thinks such an attack is impossible, or even improbable. I laid out the case for that risk in chapter 9 of Skating on Stilts:
If you’re a foreign government, breaking into U.S. networks is a twofer. You can start by stealing secrets. But if push comes to shove, you can use your access to destroy the same systems you’ve been exploiting. Corrupt the backup files, then bring the whole system down. Or start randomly changing data and emails until no one can trust anything in the system. It wouldn’t take much to create chaos. The financial crisis of 2008 became a panic when bankers began to disbelieve each other. No one trusted the other guy’s books, so they stopped lending, and theworld crashed. Could that same mistrust be created by modifying or destroying a few firms’ computer accounting and trading records? We probably don’t want to find out.
It’s no secret how to fight a war against the United States. Slow us down, then cause us pain at home and wait for antiwar sentiment to grow. Cyberattacks are ideal for that strategy. Everything in the country, from flight plans and phone calls to pipelines and traffic lights, is controlled by networks susceptible to attack. A determined, state-sponsored attacker could bring them all down—and blame it on some hacker liberation front so we wouldn’t even know whom to bomb.
(I have posted all of chapter 9 in an easily accessible archive " for www.skatingonstilts.com. The excerpt is licensed for free copying and distribution.)So if the answer to my first question is yes, an attack is possible, my second question is "Who do you think will need to take action in response to the attack?" Cato Institute? TechAmerica? CDT?
Fat chance.
As the BP oil spill shows, companies are quite capable of setting the stage for catastrophes well beyond their ability to remedy. We properly expect the government to regulate companies to address risks that can't be internalized by the companies taking the risks. And when disaster strikes despite those efforts, we expect the President to have the authority to respond.
If another country launches a computer network attack on US infrastructure, do we want the President to look as helpless as he looks today in response to the BP spill? Remember, he won't be looking helplessly at a few tarballs on the beach; in a worst-case emergency, he might be looking helplessly at a country that lacks power, working phones, and maybe even a reliable financial system.
If that happens, Declan McCullagh, the Cato Institute, and TechAmerica won't even be returning your phone calls.
Why do you provide credibility to Declan's commentary by responding to it? Enjoyed your discussion, nonetheless. Per usual, your logic is impeccable!
Posted by: Gail Bronson | Jun 13, 2010 at 02:19 AM
Some Definitions from the proposed bill you link to:
14) NATIONAL INFORMATION INFRASTRUCTURE.—The term ‘‘national information infrastructure’’ means information infrastructure— (A)(i) that is owned, operated, or controlled within or from the United States; or
‘‘(4) the term ‘covered critical infrastructure’ means a system or asset—
HEN10553 S.L.C. 21
1 ‘‘(A) that is on the prioritized critical in frastructure list established by the Secretary under section 210E(a)(2); and ‘‘(B)(i) that is a component of the national information infrastructure; or
It isn't clear to me how you're reaching the analysis that essentially all systems that are dependent on the Internet are not "national information infrastructure" and that they therefore are not covered by the rest of the requirements of the bill. I am analyzing it, and if you can't point out where I've misread the definitions here, or don't understand the text as written because of the context required from another law/regulation. Is it that systems aren't covered if they are not already on the list of critical infrastructure? This bill seems to actually say all information systems are critical information systems. Perhaps not its intent?
Thank you.
Posted by: Andy | Jun 13, 2010 at 12:24 PM
Stewart,
I really appreciate your context here and I also appreciate the way you can capture significant meaning in concise phrases. I personally plan on spreading this one around as much as I can: "Companies are quite capable of setting the stage for catastrophes well beyond their ability to remedy." You say a great deal in those few words.
Cheers,
Bob
Posted by: Bob Gourley | Jun 13, 2010 at 12:28 PM
To respond to Andy, here's the definition of covered critical infrastructure, which is what the bill gives authority over:
"(4) the term ‘covered critical infrastructure’means a system or asset—
‘‘(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
‘‘(B)(i) that is a component of the national information infrastructure; or
‘‘(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset."
I think the structure and grammar are pretty clear. To be covered, an institution must satisfy both (A) and (B), which are joined in the conjunctive "and." To satisfy (B), the institution must meet either the criteria in (B)(i) or in (B)(ii), which are joined in the disjunctive. Both B)(i) and (B)(ii) can only be satisfied by ties to the national information infrastructure.
Or to put it in English, you can't be covered if you aren't on the list, and just being on the list is not enough. You also have to be part of the information infrastructure or the information infrastructure must be essential to your functioning.
Thanks for this note, though. It makes me realize that I was too quick to say that Microsoft and ISPs would be directly subject to regulation if they service the power grid. They would not, at least not for that reason. Only the grid would be subject to regulation, though of course any order to the grid owners about what standards their ISPs or operating systems must meet would have pretty profound indirect effects on Microsoft and ISPs.
Posted by: stewart baker | Jun 13, 2010 at 01:31 PM
To Gail: How about Justice Brandeis? *Now* am I picking on someone my own size?
Posted by: stewart baker | Jun 13, 2010 at 01:32 PM
Mechanism, hinged on cooperative behavior among a set of responding nodes. Since naïve cooperative behaviors might introduce new risks, including fragility in the face of poor or maliciously-generated information, particular attention must be paid to robustness in the cooperative strategy.
The difficulty of detecting, quarantining and recovering
from zero-day viruses is made easier if local sensors are
allowed more room for error. If we err on the side of allowing false alarms, then detectors can be cautious (paranoid!) and
conservatively flag anything that looks suspicious, and
depends on cooperative corroboration to determine whether
the attack is real or not. For this policy to be effective,
though, requires the entire anti-virus system to handle false
alarms quickly and cheaply and still respond rapidly to real
virus attacks.
Posted by: Emmanuel Johnson | Jun 14, 2010 at 01:54 PM
Actually, Windows Embedded is used in infrastructure.
Posted by: Dale | Jun 16, 2010 at 10:25 PM
Dale: Aaaaaeeee!
Posted by: stewart baker | Jun 19, 2010 at 10:39 AM
If such attack are going to continue than this will be big loss for the country and i think quick solution should be find out to stop such attacks.
Posted by: cheap computer | Jul 08, 2010 at 08:39 AM