Federal legislation introduced in the Senate this week would give President Obama the power to declare a cybersecurity emergency and then shut down both public and private networks including Internet traffic coming to and from compromised systems.
The proposed legislation, introduced April 1, also would give the President the power to “order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security.”
Some critics of the bill say that phrase needs to be more clearly defined.
“We are confident that the communication networks and the Internet would be so designated [as critical infrastructure], so in the interest of national security the president could order them disconnected,” said Leslie Harris, president and CEO at the Center for Democracy and Technology (CDT), which promotes democratic values and constitutional liberties for the digital age.
Harris and the CDT don’t think such sweeping power is good news for anyone, including private networks that could be shut down by government order. Those same networks would be subject to government-mandated security standards and technical configurations.
The bill says the president must have a comprehensive national cybersecurity strategy in place 12 months after the bill passes.
“This is pretty sweeping legislation,” says Harris. “Seems the President could turn off the Internet completely or tell someone like Verizon to limit or block certain traffic,” she said. “There is a lot to worry about in this bill.”
In addition, an agency appointed by the President would control how and when systems are restored.
The power could conceivably extend to large service provider networks such as those run by Google, Microsoft, AOL, Yahoo and others who offer online services and applications to corporations and consumers.
“We are currently studying this legislation,” said Dan Martin, a spokesman for Google. “Security has been a priority at Google from the beginning of the company – we recognize that secure products are instrumental in maintaining the trust our users place in us.”
Proponents including officials from the Center for Strategic and International Studies (CSIS) say the legislation is comprehensive and strong and reflects the need for thorough debate around digital security that is long overdue.
The bill was introduced by West Virginia Democratic Sen. John Rockefeller, the chairman of the Senate Committee on Commerce, Science, and Transportation, and Sen. Olympia Snowe, a Republican from Maine.
Rockefeller said in a statement the bill loosely parallels the recommendations presented in December to Obama by a CSIS panel. The panel recommended naming an assistant for cyberspace and a National Security Council (NSC) director to coordinate government response to cyber threats.
The 51-page Rockefeller/Snowe bill calls for the appointment of a National Cybersecurity Advisor who reports directly to the President.
“[Rockefeller/Snowe] got input from a lot of sources, including the CSIS report, so there is more there than we had laid out. It’s a strong bill,” said Jim Lewis, director and senior fellow in the technology and public policy program at CSIS.
The bill aims at uniting both public and private network operators, including corporations, in developing regulations for defending computer systems before and during cyber attacks.
Rockefeller says the legislation addresses the threat to private sector infrastructure such as banking, utilities, air/rail/auto traffic control, and telecommunications.
But even Rockefeller said the bill was a starting point and not a finished product.
“This legislation is the beginning of the process - the objective of this cybersecurity bill is to start the debate and chairman Rockefeller welcomes comments from all parties, he is sitting down with stakeholders already and he welcomes input from all those supportive of the legislation and those with concerns,” said Jena Longo, deputy communications director for the U.S. Senate Committee on Commerce, Science & Transportation.
CDT’s Harris said there is likely to be much concern from the private sector. In CDT’s evaluation of the bill’s language, Harris says “We read this bill to say it sets a technical standard and one way to do things.”
She says the government could establish standards on how to configure software and on security configurations that would apply to anything the President says is critical infrastructure.
“If you are a bank or a communications network and you are critical infrastructure you have to meet those standards,” says Harris. Such a mandate, she says, would undermine innovation and weaken security because all critical infrastructure would be running the same technology that, once compromised, would see networks fall like dominoes.
But it is that kind of input, says CSIS’s Lewis, that the bill is designed to draw out.
“It takes a broad brush approach,” he says. “It’s got sections on organization, strategy, education, technology standards, public private partnership and a little regulatory authority. No previous U.S. effort has been as comprehensive, and that’s one of the main reasons all our previous efforts failed. This is a big step forward,” said Lewis.
But he added that all that might add up to the bill never getting passed. “But it’s good to put people on notice that the standard half-baked or half-witted solutions won’t cut it.”