One of the Protecting Cyberspace as a National Asset Act's biggest points of contention is how critical infrastructure should be defined. How should it be defined?
The directive that created the Homeland Security Department lists 18 critical infrastructure sectors, and I believe that's what the bill refers to.
How do you get the private companies that run critical infrastructure to comply with government demands for increased cyber security?
This would have to be in the event of what they call an existential issue, which is a threat to the survival of the republic. So it's not going to happen every week or every month or every year. But if there is a threat to the survival of the republic that could be controlled by government intervention, do you want to say that this action cannot be taken? The threshold for taking this action was very high in the original version of the bill that was introduced in June, so I wonder if it would ever be used. Of course, you can fairly ask: Can you have an existential crisis over the Internet? I don't know, probably not. But you could do some nasty things. Still, I would never expect to see this used.
If the U.S. government were to identify a cyber threat and step in to protect critical infrastructure systems, what might that look like?
The bill really doesn't give the government the ability to control the Internet. If, for example, one electrical grid is infected with a computer virus, you would want to isolate it from other electrical grids in the U.S. People have brought up the idea of a kill switch for the Internet, but this bill is not about a kill switch. The model here came out of the Defense Department, which has the ability to examine the U.S. military's command network. If, for example, the Pacific Command's computers are infected and have problems, the DoD can give them a week to clean up their problems or they will be taken off of the larger network. In this scenario the Pacific Command would still have access to its own network.
So the idea behind this legislation, at least as it's currently written, would be to disconnect companies from the Internet but not to shut down the Internet in a crisis situation?
That's right. We need to think about how we intervene in networks in an emergency. It would be nice if we could do that in some logical fashion and in some way that was more transparent. I'm pretty sure if there was a crisis, a real crisis, there would be no debate over this. How do we now define an expanded role for the government in national security? Part of that will be: Should the government have the right to intervene through regulation or this kind of disconnect ability? We have to have a serious debate. The problem is that the debate has been driven largely by this Internet pioneer ideology and by business interests, and that's not a good way to approach national security.