In sum, the provision means that a cyber emergency would be declared only under some of the worst possible national scenarios. But a critical issue is what kind of review there would be to determine whether and when a cyber emergency should be declared.
The new draft of the bill—likely in response to public anxiety about the kill-switch idea—explicitly forbids a shutdown: “neither the President, the Director of the National Center for Cybersecurity and Communications or any officer or employee of the United States Government shall have the authority to shut down the Internet.”
What’s more, any emergency measures implemented in response to a cyber emergency would expire within 30 days, with the possibility of several 30-day extensions. To be sure, 30 days is a long while in Internet time. But it’s hard to imagine the circumstances under which these provisions would be invoked. The language of the bill seems to mean that nothing would do it short of a massive computer-virus or physical attack in which ISPs stood idly by as malware spread like wildfire. Of course, should such a situation arise, it’s not clear that government intervention would make any difference. The ISPs would already be doing everything they could to counter the attack. And there’s no reason to believe that the government would have any comparative advantage in understanding the situation better than the Internet engineers themselves.
The U.S. government may already have the authority to shut down the Internet anyway. Section 706 of the Communications Act of 1934—written into the act shortly after the 1941 attack on Pearl Harbor—gives the President the power to shut down “any facility or station for wire communication” or take federal control of such facilities in the event of a “state of war” and for up to six months after the expiration of such a state. Although of course the War Congress of 1941 wasn’t thinking about the Internet, there is some indication that the Department of Homeland Security believes this provision could apply. In June of 2010, Homeland Security cited Section 706 as “one of the authorities the President would rely on if the nation were under a cyber attack.”
Beyond the legalities or politics of drastic action, it’s worth asking whether the type of Internet shutdown seen in Egypt and elsewhere is even possible in the United States. Internet penetration in Egypt is around 15 percent—high for Africa but low compared with the rest of the Middle East. Penetration in Libya is around 5 percent. (Internet penetration in Burma is less than 1 percent.) The shuttering of one or two ISPs has a much greater effect in these small markets than it would in the States.
It is unlikely that the government could cow all of the hundreds of ISPs operating in the U.S. into shutting down at once. If the government were determined to shut down Internet access, it would probably focus on Tier 1 ISPs—those that provide Internet access to other ISPs and whose disruption would have the biggest ramifications. Another possibility would be to shut down major Internet exchange points, or “carrier hotels,” that exist around the country. Yet another would be to go after major wireless providers. However, the likelihood of a complete shutdown remains low: at the point such a measure was attempted, no doubt we would have plenty of other problems to raise with such an overreaching government.