OVERKILL?: Legislation under review in the U.S. Senate seeks to better protect the country's critical infrastructure from cyber attack, but some accuse the government of wanting to give itself the equivalent of an Internet "kill switch". Image: COURTESY OF HENRIK JONSSON, VIA ISTOCKPHOTO.COM
The Egyptian government's recent move to shut down the region's Internet service providers (ISPs) has prompted concern worldwide that surfing could be silenced by politicians or leaders in other countries, including the U.S. Adding to this fear of a so-called Internet "kill switch" are bills proposed in the past couple of years that seek to give the White House the authority to essentially disconnect the country's electrical utilities, telecommunications lines and other critical infrastructure from the Internet in the event of a major cyber attack.
The latest such bill, the Protecting Cyberspace as a National Asset Act, was introduced last June by Sen. Joseph Lieberman (I-Conn.) and revised in December by the Senate Committee on Homeland Security and Governmental Affairs. It calls for the formation of a National Center for Cybersecurity and Communications (NCCC) within the U.S. Department of Homeland Security (DHS) that would be responsible for protecting both federal computer networks and critical infrastructure owned by the private sector against cyber attacks.
Although the White House already has broad wartime powers, making aspects of the proposed act redundant, opposition to the bill has centered on its provision to give the federal government the authority to define what is meant by "critical infrastructure." According to the bill (pdf), the government can "take measures to protect any computer system whose destruction or disruption of reliable operation would cause national or regional catastrophic effects." This could include cutting off the system from the Internet. Owners of facilities labeled as critical infrastructure would be notified as soon as this designation is made. An owner could appeal this designation but, as the bill is currently written, the government would make the final decision to disconnect, which is not subject to judicial review.
The bill does not propose to disconnect the Internet itself, yet critics remain anxious. "We're troubled by the idea that the president could declare an emergency and shut down digital communications," Free Press Action Fund Campaign Director Timothy Karr said in a prepared statement posted to the organization's Web site. Although Lieberman and bill co-sponsors Susan Collins (R–Maine) and Tom Carper (D–Del.) have issued their own statement saying that they do not seek to "empower the president to deny U.S. citizens access to the Internet," Karr is unconvinced. The promises "that the bill won't give the president 'kill-switch' powers aren't very reassuring," according to Karr's statement. "The devil is always in the details, and here the details suggest that this is a dangerous bill that threatens our free speech rights."
Others opposed to the bill include Steve DelBianco, director of the trade group NetChoice, who told Reuters in September he objected specifically to the part of the bill that would bar companies designated as "critical" from fighting that designation in court.
To better understand Lieberman's bill and its potential impact, Scientific American spoke with James Lewis, senior fellow and director of the Center for Strategic & International Studies's Technology and Public Policy Program. Lewis took opponents of the bill to task for inventing the idea of an Internet kill switch, defended several changes the bill would make to White House cyber security oversight, and questioned whether government should let critical infrastructure owners determine how these systems are protected from cyber attacks.
[An edited transcript of the interview follows.]
Are you surprised by the Egyptian government's tactic of cutting off Internet access in an attempt to control anti-Mubarak protesters?
It's become part of what some governments have to do to maintain their political control. They're not the first; they won't be the last. Other countries have extensive monitoring of communications, and several restrict access to the Internet. Less democratic states worry about the political effects of the Internet—that it's going to create new opportunities for resistance, for organization and for protest, and undermine the legitimacy of the regime. We don't have those problems in the U.S. because dissent is sort of a normal part of our existence.
Lately there have been concerns that an Internet shutdown could happen in the U.S., particularly with regard to new legislation that seeks to give the government the right to require owners of critical infrastructure to implement certain cyber security measures. There have been several efforts over the past decade to find some way of better protecting critical infrastructure from cyber attack. What, if anything, is special about the Protecting Cyberspace as a National Asset Act of 2010?
It really tackles some of the key issues that have bedeviled U.S. cyber policy for 15 years. The central part is that voluntary action is no longer sufficient for national security and that the private sector cannot secure their networks against advanced opponents. We know the ability of any individual critical infrastructure owner to undertake cyber security will be uneven—some companies do a great job and some companies don't.