In the past few weeks, we’ve seen two countries try to “turn off” the Internet. On January 27, Egypt, which had previously known few restrictions on Internet access, stopped delivering bits to the subscribers to nearly all its ISPs, even though data passing through Egypt kept flowing normally. Since February 19, Libya has experienced irregular nationwide outages lasting anywhere from a few minutes to seven hours.
This is nearly unprecedented—only brief incidents in Nepal and Burma, in 2005 and 2007 respectively, can compare. The events have renewed debate over proposed U.S. legislation that would give our government a similar ability to pull the plug on Internet communications in an emergency.
The bill, introduced in the Senate first last fall and again this spring by Senators Susan Collins, of Maine, and Joseph Lieberman, of Connecticut, was first titled “Protecting Cyberspace as a National Asset Act of 2010” and then the “Cybersecurity and Internet Freedom Act of 2011.” Many observers have simply called it the “kill switch” bill, suggesting that it would give the President authority to shut down the Internet, perhaps in ways just seen in the Middle East. That’s an unfair characterization. But there are other reasons to be skeptical about S.3480.
The bill contains a lot more than just the provision for a so-called kill switch. It would establish a White House Office of Cyberspace Policy, tasked with oversight over all “instruments of national power relating to ensuring the security and resiliency of cyberspace” and with the enforcement of security standards to be developed by the National Institute of Standards and Technology (NIST) across public- and private-sector “critical infrastructure systems.”
It would also establish a National Center for Cybersecurity and Communications in the Department of Homeland Security, to oversee the United States Computer Emergency Response Team, which disseminates cybersecurity information from researchers and the government to the private sector.
But most controversial is the proposal that if the President declares a “cyber emergency,” the Department of Homeland Security could issue mandatory orders and directives to “critical infrastructure systems.” This is what’s been interpreted as the kill switch.
Under what circumstances an Internet shutdown would be warranted is a matter of interpretation. The bill says a “cyber emergency” is an “actual or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure.” “Critical infrastructure,” in turn, is defined as those systems whose “disruption or destruction would cause a mass casualty event which includes an extraordinary number of fatalities; severe economic consequences; mass evacuations with a prolonged absence; or severe degradation of national security capabilities, including intelligence and defense functions.”
That all sounds pretty narrow: most Web servers would not qualify as that type of infrastructure—nor would a small ISP. Responding to criticism of the kill-switch idea, the Senate has said that the bill is intended to provide a “precise, targeted and focused way for the President to defend our most sensitive infrastructure,” and it further defined that infrastructure as systems involved in the vital maintenance of the telecommunications networks, electrical grid, water systems and financial systems. Of course, as more systems move to the cloud, questions arise as to whether we will start to find these critical infrastructure systems interwoven with more mundane civilian resources, and what the implications of such mixing would be under this bill.