Legislation is now passing through the U.S. Senate that could give the president unprecedented powers over the Internet, including the ability to ‘shut down’ portions of it when a cybersecurity emergency is declared. The bill was introduced in early April, but concerns have since been raised over its vague wording.
At issue is Section 18(2) of the Cybersecurity Act of 2009, which reads as follows: “The president … may declare a cybersecurity emergency and order the shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.”
At face value, the legislation, introduced by West Virginia Senator Jay Rockefeller, seems aimed at protecting sensitive government data and infrastructure, such as electrical grids and the like. Rockefeller makes his case by pointing to how vulnerable we are to cyber threats. Among his examples are Congressional studies that found an attack on a major financial institution could severely impact the economy, and that attacks on systems controlling our power grid could “have the potential to disrupt services for hours or weeks.”
However, the bill offers no definition for what may be considered “United States critical infrastructure.” Nobody seems to know. If made law, this vagueness could be used to justify just about any move to restrict Internet traffic within the country, as long as there is a perceived “threat.”
The Center for Democracy and Technology said the bill would give the government unprecedented and unacceptable control over the Internet. “The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy,” president Leslie Harris said.
Electronic Frontier Foundation civil liberties director Jessica Granick seems equally alarmed by the legislation’s tone. “Since many of our critical infrastructure systems are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government,” she said.
President Obama is not yet publicly supporting the bill, although the Administration’s defense agenda does include protection from digital threats. But is there really a need for such legislation? Government Accountability Office reviews have found that the government’s security problems include “insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and ineffective information security programs,” according to security expert Bruce Schneier.
Schneier suggested that cybersecurity threats shouldn’t be dealt with as a government or military problem, because they are a universal problem. “All networks, military, government, civilian and commercial, use the same computers, the same networking hardware, the same Internet protocols and the same software packages. We all are the targets of the same attack tools and tactics,” he argued. “We’ve all got the same problems, so solutions must be shared.”