During the recent revolution in Egypt, the government disabled Internet access throughout the country with the flip of a switch. Could the same thing happen in America? Practically, because the structure of the Internet in the United States is more complex and decentralized than in Egypt, it cannot be shut down as easily. However, several bills have been proposed that could give the government broad power to take over the Internet communications of any public or private entity it deems necessary.
The first bill introducing the concept of Presidential Internet “kill switch” power was S. 773, the Cybersecurity Act of 2009 (later the Cybersecurity Act of 2010). The original version of the bill gave the President the power to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network.” The bill provides examples of “critical infrastructures,” such as private and public entities in the energy, information, telecommunications, emergency services, agriculture, food, water, public health, government, transportation, defense, banking, finance, chemicals and hazardous materials, postal, and shipping sectors. Due to the unpopularity of the kill switch provision, the bill was amended (PDF) to remove the kill switch power and require the President to work with government and private industry to define “cybersecurity emergency” and develop “detailed response and restoration plans.” The amended bill also stated that it “does not authorize, and shall not be construed to authorize, an expansion of existing Presidential authorities.”
Senators Lieberman, Collins, and Carper introduced a similar bill, S. 3480, called the Protecting Cyberspace as a National Asset Act. The act would establish a National Center for Cybersecurity and Communications (NCCC) within the Department of Homeland Security. Like S. 773, the act would also give the President the power to declare a “cyber emergency” for “critical infrastructure.” After the President declared an emergency, the Director of the NCCC would assume control of the critical infrastructures and would direct the owners and operators to take unspecified actions with as little disruption to services as possible. The bill was amended to require the President to receive Congressional approval for any emergency lasting more than 120 days and was placed on the Senate Legislative calendar in December 2010.
Senators Lieberman and Collins issued a press release (PDF) to dispel fears that S. 3480 authorizes Internet kill switch power, arguing instead that the bill only impacts critical infrastructures. However, critics of the bill expressed concerns that it does not adequately define “critical infrastructure.” Unlike S. 773 (PDF), no examples of critical infrastructures are listed in S. 3480 (PDF). The definitions section of S. 3480 specifies that “critical infrastructure” has the meaning as defined as in section 1016(e) of the USA Patriot Act (PDF). Section 1016(e) states that “the term ‘critical infrastructure’ means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” That definition did not satisfy the ACLU, the American Library Association, the Electronic Frontier Foundation, and many other organizations, who drafted an open letter (PDF) to the bill’s sponsors. The letter’s authors proposed modifications to the bill which would include more free speech and information privacy safeguards for the users of critical infrastructure networks.
In response to such criticisms, the senators changed the title of the bill to the “Cybersecurity and Internet Freedom Act” and introduced it as S. 413 in February 2011. S. 413 (PDF) introduces new language directly addressing the kill switch issue: “neither the President, the Director of the National Center for Cybersecurity and Communications, nor any other officer or employee of the Federal Government should have the authority to shut down the Internet.” Nonetheless, civil liberties groups are still opposed to any broad government authority over the Internet, and propose that “common-sense security practices” such as regular security updates and encryption will protect the United States better than any type of kill switch power over Internet service.
What would a cyberattack in the United States look like? Many believe that the Stuxnet computer worm, which appears to have targeted and disabled equipment used for uranium enrichment in Iran, was a successful cyberattack by a sophisticated enemy. Other possible attacks that have been suggested include infiltrating air traffic control computer systems and disrupting flights or hacking into the power grid and cutting power to customers. On the other hand, skeptics have criticized these doomsday scenarios as pure hype and fear mongering without factual support, publicized by government officials and industry players looking to profit off of cybersecurity investment. For example, Brandon Milhorn, staff director of the Senate Homeland Security and Governmental Affairs Committee and supporter of the bill, said that the government is concerned that a hacker could open the floodgates of the Hoover Dam, killing thousands of innocent lives. The Bureau of Reclamation pointed out that the Hoover Dam and other facilities like it are not connected to the Internet.
Lawmakers considering the bill will need to balance the need for emergency executive power over the Internet without judicial review against the unforeseen consequences of declaring war in cyberspace. Cyberspace is a unique battleground, because as security expert Bruce Schneier notes, “when a nation is attacked in a regular conflict, a variety of military and civil institutions respond. The legal framework for this depends on two things: the attacker and the motive. But when you’re attacked on the Internet, those are precisely the two things you don’t know.” Schneier cautions that when the enemy is unknown, retaliation against the wrong target for the wrong reason becomes more likely. Two officers at the Office of Homeland Security expressed similar concerns, and cautioned against any declaration of cyberwar. They then proposed that the government’s role should be to fill in any remaining security gaps left open by private industry in order to ensure the security of the Internet in the United States. Whether or not the proposed bills adequately fill in these gaps without compromising the free and open nature of the Internet or individuals’ privacy when using the Internet remains an open question.