In the past few weeks, we’ve seen two countries try to “turn off” the Internet. On January 27, Egypt, which had previously known few restrictions on Internet access, stopped delivering bits to the subscribers to nearly all its ISPs, even though data passing through Egypt kept flowing normally. Since February 19, Libya has experienced irregular nationwide outages lasting anywhere from a few minutes to seven hours.
This is nearly unprecedented—only brief incidents in Nepal and Burma, in 2005 and 2007 respectively, can compare. The events have renewed debate over proposed U.S. legislation that would give our government a similar ability to pull the plug on Internet communications in an emergency.
The bill, introduced in the Senate first last fall and again this spring by Senators Susan Collins, of Maine, and Joseph Lieberman, of Connecticut, was first titled “Protecting Cyberspace as a National Asset Act of 2010” and then the “Cybersecurity and Internet Freedom Act of 2011.” Many observers have simply called it the “kill switch” bill, suggesting that it would give the President authority to shut down the Internet, perhaps in ways just seen in the Middle East. That’s an unfair characterization. But there are other reasons to be skeptical about S.3480.
The bill contains a lot more than just the provision for a so-called kill switch. It would establish a White House Office of Cyberspace Policy, tasked with oversight over all “instruments of national power relating to ensuring the security and resiliency of cyberspace” and with the enforcement of security standards to be developed by the National Institute of Standards and Technology (NIST) across public- and private-sector “critical infrastructure systems.”
It would also establish a National Center for Cybersecurity and Communications in the Department of Homeland Security, to oversee the United States Computer Emergency Response Team, which disseminates cybersecurity information from researchers and the government to the private sector.
But most controversial is the proposal that if the President declares a “cyber emergency,” the Department of Homeland Security could issue mandatory orders and directives to “critical infrastructure systems.” This is what’s been interpreted as the kill switch.
Under what circumstances an Internet shutdown would be warranted is a matter of interpretation. The bill says a “cyber emergency” is an “actual or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure.” “Critical infrastructure,” in turn, is defined as those systems whose “disruption or destruction would cause a mass casualty event which includes an extraordinary number of fatalities; severe economic consequences; mass evacuations with a prolonged absence; or severe degradation of national security capabilities, including intelligence and defense functions.”
That all sounds pretty narrow: most Web servers would not qualify as that type of infrastructure—nor would a small ISP. Responding to criticism of the kill-switch idea, the Senate has said that the bill is intended to provide a “precise, targeted and focused way for the President to defend our most sensitive infrastructure,” and it further defined that infrastructure as systems involved in the vital maintenance of the telecommunications networks, electrical grid, water systems and financial systems. Of course, as more systems move to the cloud, questions arise as to whether we will start to find these critical infrastructure systems interwoven with more mundane civilian resources, and what the implications of such mixing would be under this bill.
In sum, the provision means that a cyber emergency would be declared only under some of the worst possible national scenarios. But a critical issue is what kind of review there would be to determine whether and when a cyber emergency should be declared.
The new draft of the bill—likely in response to public anxiety about the kill-switch idea—explicitly forbids a shutdown: “neither the President, the Director of the National Center for Cybersecurity and Communications or any officer or employee of the United States Government shall have the authority to shut down the Internet.”
What’s more, any emergency measures implemented in response to a cyber emergency would expire within 30 days, with the possibility of several 30-day extensions. To be sure, 30 days is a long while in Internet time. But it’s hard to imagine the circumstances under which these provisions would be invoked. The language of the bill seems to mean that nothing would do it short of a massive computer-virus or physical attack in which ISPs stood idly by as malware spread like wildfire. Of course, should such a situation arise, it’s not clear that government intervention would make any difference. The ISPs would already be doing everything they could to counter the attack. And there’s no reason to believe that the government would have any comparative advantage in understanding the situation better than the Internet engineers themselves.
The U.S. government may already have the authority to shut down the Internet anyway. Section 706 of the Communications of Act of 1934—written into the act shortly after the 1941 attack on Pearl Harbor—gives the President the power to shut down “any facility or station for wire communication” or take federal control of such facilities in the event of a “state of war” and for up to six months after the expiration of such a state. Although of course the War Congress of 1941 wasn’t thinking about the Internet, there is some indication that the Department of Homeland Security believes this provision could apply. In June of 2010, Homeland Security cited Section 706 as “one of the authorities the President would rely on if the nation were under a cyber attack.”
Beyond the legalities or politics of drastic action, it’s worth asking whether the type of Internet shutdown seen in Egypt and elsewhere is even possible in the United States. Internet penetration in Egypt is around 15 percent—high for Africa but low compared with the rest of the Middle East. Penetration in Libya is around 5 percent. (Internet penetration in Burma is less than 1 percent.) The shuttering of one or two ISPs has a much greater effect in these small markets than it would in the States.
It is unlikely that the government could cow all of the hundreds of ISPs operating in the U.S. to shut down at once. If the government were determined to shut down Internet access, it would probably focus on Tier 1 ISPs—those that provide Internet access to other ISPs and whose disruption would have the biggest ramifications. Another possibility would be to shut down major Internet exchange points, or “carrier hotels,” that exist around the country. Yet another would be to go after major wireless providers. However, the likelihood of a complete shutdown remains low: at the point such a measure was attempted, no doubt we would have plenty of other problems to raise with such an overreaching government.
So while there is no kill switch in the bill, it would establish two federal bodies to develop and enforce security standards for critical infrastructure systems, and it would clarify the government’s power in the event of a cyber emergency to give mandatory orders to the private operators of critical infrastructure systems.
It would, further, give the National Institute of Standards and Technology the ability, in conjunction with the private sector, to create security standards, which would then be imposed on federal agencies and private operators of critical infrastructure systems. This introduces the potential for mission creep.
Moreover, it is not yet known what those standards would be. Would they permit deep-packet sniffing, other methods of surveillance, or back doors? Who would have final say about the standards and their implementation and enforcement? Does the government possess the expertise to take on this task? If not, how will the relevant agencies acquire that expertise before the standards are developed?
When it comes to improving the online security environment in this country, everyone has work to do, including the federal government. Keeping up with patches and updates, regularly changing user names and passwords on critical systems, and choosing unique, complex passwords are just a few of the habits of good security that should be widespread but aren’t. Some parts of this bill—like section 301, which calls for withholding bonuses from senior agency officials whose agencies aren’t up to snuff—may be good steps toward implementing a functional and habitual security environment at the federal level. Other parts clearly need more consideration and debate.
That the information-security environment in this country and around the world needs work is clear. Whether this is the bill that is needed, or even whether the federal government should have a role in regulating private-sector information security, is less so.
Jonathan Zittrain is a professor of law and of computer science at Harvard University and cofounder of its Berkman Center for Internet & Society; Molly Sauter is a research assistant at the Berkman Center. Updates will appear at www.jz.org