ADVERTISEMENT
This article is from the In-Depth Report Forecasting the Future of Cloud Computing

What Is the Best Way to Protect U.S. Critical Infrastructure from a Cyber Attack?

Egypt's Internet shutdown and recent U.S. legislation proposing expanded White House control of critical infrastructure cyber security have conjured images of a government-controlled Internet kill switch
Internet,security, government



COURTESY OF HENRIK JONSSON, VIA ISTOCKPHOTO.COM

The Egyptian government's recent move to shut down the region's Internet service providers (ISPs) has prompted concern worldwide that surfing could be silenced by politicians or leaders in other countries, including the U.S. Adding to this fear of a so-called Internet "kill switch" are bills proposed in the past couple of years that seek to give the White House the authority to essentially disconnect the country's electrical utilities, telecommunications lines and other critical infrastructure from the Internet in the event of a major cyber attack.

The latest such bill, the Protecting Cyberspace as a National Asset Act, was introduced last June by Sen. Joseph Lieberman (I-Conn.) and revised in December by the Senate Committee on Homeland Security and Governmental Affairs. It calls for the formation of a National Center for Cybersecurity and Communications (NCCC) within the U.S. Department of Homeland Security (DHS) that would be responsible for protecting both federal computer networks and critical infrastructure owned by the private sector against cyber attacks.

Although the White House already has broad wartime powers, making aspects of the proposed act redundant, opposition to the bill has centered on its provision to give the federal government the authority to define what is meant by "critical infrastructure." According to the bill (pdf), the government can "take measures to protect any computer system whose destruction or disruption of reliable operation would cause national or regional catastrophic effects." This could include cutting off the system from the Internet. Owners of facilities labeled as critical infrastructure would be notified as soon as this designation is made. An owner could appeal this designation but, as the bill is currently written, the government would make the final decision to disconnect, which is not subject to judicial review.

The bill does not propose to disconnect the Internet itself, yet critics remain anxious. "We're troubled by the idea that the president could declare an emergency and shut down digital communications," Free Press Action Fund Campaign Director Timothy Karr said in a prepared statement posted to the organization's Web site. Although Lieberman and bill co-sponsors Susan Collins (R–Maine) and Tom Carper (D–Del.) have issued their own statement saying that they do not seek to "empower the president to deny U.S. citizens access to the Internet," Karr is unconvinced. The promises "that the bill won't give the president 'kill-switch' powers aren't very reassuring," according to Karr's statement. "The devil is always in the details, and here the details suggest that this is a dangerous bill that threatens our free speech rights."

Others opposed to the bill include Steve DelBianco, director of the trade group NetChoice, who told Reuters in September he objected specifically to the part of the bill that would bar companies designated as "critical" from fighting that designation in court.

To better understand Lieberman's bill and its potential impact, Scientific American spoke with James Lewis, senior fellow and director of the Center for Strategic & International Studies's Technology and Public Policy Program. Lewis took opponents of the bill to task for inventing the idea of an Internet kill switch, defended several changes the bill would make to White House cyber security oversight, and questioned whether government should let critical infrastructure owners determine how these systems are protected from cyber attacks.

[An edited transcript of the interview follows.]

Are you surprised by the Egyptian government's tactic of cutting off Internet access in an attempt to control anti-Mubarak protesters?
It's become part of what some governments have to do to maintain their political control. They're not the first; they won't be the last. Other countries have extensive monitoring of communications, and several restrict access to the Internet. Less democratic states worry about the political effects of the Internet—that it's going to create new opportunities for resistance, for organization and for protest, and undermine the legitimacy of the regime. We don't have those problems in the U.S. because dissent is sort of a normal part of our existence.

Lately there have been concerns that an Internet shutdown could happen in the U.S., particularly with regard to new legislation that seeks to give the government the right to require owners of critical infrastructure to implement certain cyber security measures. There have been several efforts over the past decade to find some way of better protecting critical infrastructure from cyber attack. What, if anything, is special about the Protecting Cyberspace as a National Asset Act of 2010?
It really tackles some of the key issues that have bedeviled U.S. cyber policy for 15 years. The central part is that voluntary action is no longer sufficient for national security and that the private sector cannot secure their networks against advanced opponents. We know the ability of any individual critical infrastructure owner to undertake cyber security will be uneven—some companies do a great job and some companies don't.

The private sector may own most of the critical infrastructure in this country, but, you know, it also owns most of the land in the United States, too. Does that mean that we don't need an army? The ownership question is largely irrelevant. Businesses don't like to be regulated. I understand that, but when it comes to national security we can't depend on voluntary action. That's largely what the bill tackles. You'd give Homeland Security more authority to mandate security in critical infrastructure, and that's a good thing.

Are attacks on the U.S.'s critical infrastructure an imminent threat?
One of the problems we've had with the debate is that people have been really imprecise in what they mean by a cyber threat. The normal practice is to call everything cyber war and cyber attack. We know that a cyber attack, a real cyber attack, is now part of an advanced military's arsenal. Some of our opponents have even done the necessary reconnaissance on U.S. critical infrastructure to find vulnerabilities. The director of the National Security Agency (NSA) has told me this. It's just going to be part of warfare in the future. It's a weapon that many major militaries have and that probably 20 to 30 countries are trying to acquire.

If that is the case, why haven't any cyber attacks on U.S. critical infrastructure taken place?
They also have missiles, airplanes and ships. It doesn't mean they just use them freely. That's why I think we haven't seen any critical infrastructure cyber attacks so far. People have the weapons, but they're no more likely to use them frivolously than they are any other weapons for fear of reprisal.

Is the Protecting Cyberspace as a National Asset Act an effective approach to protecting utilities, communications networks and other critical infrastructure?
The bill is on the right track, although it's now being rewritten, and we don't know what the current version looks like. They're trying to figure out what it is you need to do to become really effective. Information-sharing and public-private partnerships don't work. The bill tries to say that we need to move beyond these old and somewhat sterile debates and think of new ways to protect national security. People don't like that because it goes against the sort of utopian ideology that the Internet was built around, and it goes against the desire of companies not to be regulated.

The Act calls for an Office of Cyberspace Policy, which would have it's own director. Where would this director fit into the government's cyber security hierarchy, and how would this impact Howard Schmidt's role as White House Cyber Security Coordinator?
I think the authors of the bill think they would be upgrading Howard Schmidt's position. He would still be where he is, but he would have more ability to actually shape policy and action. Some of what they feel is that Howard's position doesn't have the authority it needs. Put aside Howard for a minute, I think the Office of Cyberspace Policy would be like the White House's Office of the Trade Representative. In other words, there would be a White House staff with enough members to cover the problem and that have the ability to say this is U.S. policy, this is what people will do.

There's a school of thought that too much control of the Internet, even for the sake of cyber security, is counterproductive. Should the government consider a more collaborative approach to security?
We're in a transitional moment, and this debate over an Internet kill switch is part of that. You have the old-school Internet thinkers who are wedded to this pioneering vision that we have to keep the Internet open and unstructured because that will empower innovation. People really believe that. People also believe in flying saucers, and these ideas are about equal. But you also now have people saying, let's look at the data and see what really has worked. We know from the data that although there haven't been cyber attacks on critical infrastructure, there has been espionage against it. We know that an approach such as the 2003 National Cyber Security Strategy (pdf)—which was: we'll share information with people and when they realize the scope of the problem they'll immediately do the right thing—is just not going to happen. Some companies may not realize what they need to do and underestimate their vulnerabilities. When you ask critical infrastructure companies whether their control systems are connected to the Internet, almost all of them say "no," because that is the right answer. And they probably believe it's no. But when you actually go and do the checking you'll find that about one third of them actually are connected to the Internet and the executives just didn't know.

One of the Protecting Cyberspace as a National Asset Act's biggest points of contention is how critical infrastructure should be defined. How should it be defined?
The directive that created the Homeland Security Department lists 18 critical infrastructure sectors, and I believe that's what the bill refers to.

How do you get the private companies that run critical infrastructure to comply with government demands for increased cyber security?
This would have to be in the event of what they call an existential issue, which is a threat to the survival of the republic. So it's not going to happen every week or every month or every year. But if there is a threat to the survival of the republic that could be controlled by government intervention, do you want to say that this action cannot be taken? The threshold for taking this action was very high in the original version of the bill that was introduced in June, so I wonder if it would ever be used. Of course, you can fairly ask: Can you have an existential crisis over the Internet? I don't know, probably not. But you could do some nasty things. Still, I would never expect to see this used.

If the U.S. government were to identify a cyber threat and step in to protect critical infrastructure systems, what might that look like?
The bill really doesn't give the government the ability to control the Internet. If, for example, one electrical grid is infected with a computer virus, you would want to insolate it from other electrical grids in the U.S. People have brought up the idea of a kill switch for the Internet, but this bill is not about a kill switch. The model here came out of the Defense Department, which has the ability to examine the U.S. military's command network. If, for example, the Pacific Command's computers are infected and have problems, the DoD can give them a week to clean up their problems or they will be taken off of the larger network. In this scenario the Pacific Command would still have access to its own network.

So the idea behind this legislation, at least as it's currently written, would be to disconnect companies from the Internet but not to shut down the Internet in a crisis situation?
That's right. We need to think about how we intervene in networks in an emergency. It would be nice if we could do that in some logical fashion and in some way that was more transparent. I'm pretty sure if there was a crisis, a real crisis, there would be no debate over this. How do we now define an expanded role for the government in national security? Part of that will be: Should the government have the right to intervene through regulation or this kind of disconnect ability? We have to have a serious debate. The problem is that the debate has been driven largely by this Internet pioneer ideology and by business interests, and that's not a good way to approach national security.

Rights & Permissions
Share this Article:

Comments

You must sign in or register as a ScientificAmerican.com member to submit a comment.
Scientific American Dinosaurs

Get the
latest special collector's edition, Dinosaurs!

Limited Time Offer!

Purchase Now >

X

Email this Article

X