Protecting U.S. “Cyberspace”: How the Notion of an Internet “Kill Switch” Sidetracked the National Asset Act

By Markus Rauschecker

March 2012

Is the United States prepared to defend against a cyber attack of epic proportion? The downside of cyber advancements is that a successful attack could threaten our civilian infrastructure, costing us billions of dollars and many lives.

It can be difficult to fully grasp the magnitude of the damage that a cyber attack could cause. Civilian infrastructure including electric grids, water delivery systems, and transportation grids could all malfunction. Telecommunications could end. The integrity of nuclear and chemical plants could be threatened. Moreover, banking and finance systems could all be crippled through a successful cyber attack. Costs to the economy could easily reach into the billions of dollars and citizens could face life-threatening conditions due to the absence of critical services.

Recognizing the dire consequences that could result from a major cyber attack, Senators Joe Lieberman (I-CT), Susan Collins (R-ME), and Thomas Carper (D-DE) introduced the "Protecting Cyberspace as a National Asset Act of 2010"[1] (henceforth the Act) in June 2010, to increase cyberspace security and ensure the country’s resiliency to a cyber attack. The Act sought to achieve these goals by establishing governmental entities to lead and coordinate the effort of protecting the country’s cyberspace. Beyond that, however, the Act would have also granted the President the authority to implement emergency measures to protect critical infrastructure. It was this additional element of the Act that led to its ultimate failure, as the scope of the President’s authority was too broad and the critical infrastructure covered by the Act was undefined.
Critics interpreted the proposed Act as giving the President a “kill switch” that he could use to shut down the internet, and fears that the Act could dramatically infringe on free speech steadily grew. Despite supporters of the Act assuring the public that it did not provide the President with such broad authority, the opposition to the Act could not be overcome.

The Act featured multiple approaches to strengthening cybersecurity and resiliency. First, in order to “bring together the disjointed efforts of multiple federal agencies” and to establish a “clear organizational structure to lead federal efforts in safeguarding cyber networks,” the Act would have established the Office of Cybersecurity Policy and the National Center for Cybersecurity and Communications (NCCC).[2]

The Office of Cybersecurity Policy, headed by a Director of Cyberspace Policy and falling under the Executive Office of the President, would develop a “national strategy to increase the security and resiliency of cyberspace.”[3] The Office would “oversee, coordinate, and integrate all policies and activities of the Federal Government across all instruments of national power relating to ensuring the security and resiliency of cyberspace.”[4]

The National Center for Cybersecurity and Communications, within the Department of Homeland Security and headed by a Director appointed by the President and confirmed by the Senate, would enforce cybersecurity policies throughout the government and the private sector. The Director of the Center “would be responsible for leading the federal effort to secure, protect, and ensure the resiliency of the information infrastructure of the United States”[5]. This effort would include the identification of vulnerabilities, establishing situational awareness, conducting risk-based assessments, and developing protection standards.

[1] http://www.opencongress.org/bill/111-s3480/text.

www.lawpracticetoday.org ©American Bar Association 2012
In addition to creating governmental entities to lead and coordinate the cybersecurity effort, the Act would have also granted the President and the NCCC authority to create, implement, and enforce measures and regulations for safeguarding the nation’s cyber networks. The measures and regulations created by the NCCC would be applicable to federal government agencies as well as private sector entities, as identified by the NCCC’s Director.[6] Private sector entities that own or operate critical infrastructure covered by the Act would have to implement security measures that met risk-based security performance requirements.

In addition to these preventative measures, the Act also would have empowered the President to issue a “declaration of national cyber emergency”[7] if a cyber attack occurs or is imminent. After such a declaration is made, the NCCC Director could then “develop and coordinate emergency measures or actions necessary to preserve the reliable operation and mitigate or remediate the consequences of the potential disruption of covered critical infrastructure.”[8] While the emergency measures directed under this section should consist of the “least disruptive means feasible,”[9] the extent of the measures was not defined.

Consequently, the idea that the Act contained a “kill switch” that the President could use to shut down the internet quickly spread, as traditional media, websites, and bloggers gave reports and published stories claiming that this was the case. What is more, civil rights groups began expressing their concern that the Act would severely threaten free speech.

[2] Remarks by Senators Lieberman, Collins, and Carper introducing the Act, June 10, 2010. http://lieberman.senate.gov/index.cfm/news-events/news/2010/6/lieberman-collins-carper-unveil-major-cybersecurity-bill-to-modernize-strengthen-and-coordinate-cyber-defenses.
[3] The Act, Section 101(a)(1).
[4] The Act, Section 101(a)(2).
[5] The Act, Section 242(f)(1)(A).
[6] The Act, Section 248(b)(1).
[7] The Act, Section 249(a)(1).
[8] The Act, Section 249(a)(3)(B).
[9] The Act, Section 249(a)(3)(C).

On June 23, 2010, a collection of privacy, civil liberties, and civil rights groups submitted a letter to Senators Lieberman, Collins, and Carper expressing their concerns over the proposed Act. Specifically, these groups wanted to ensure that the legislation did not “unnecessarily infringe on free speech, privacy and other civil liberties interests.”[10] Their main concern was that the Act was vague in two important aspects. First, by this Act, the President and the NCCC would have authority over “covered critical infrastructure”, yet the Act did not adequately define covered critical infrastructure. The organizations had a legitimate concern that the Act could therefore be applied to infrastructure that citizens rely on to engage in free speech, such as the internet. Second, the emergency measures that the Act would authorize were unspecified. This could mean that the emergency actions could include a mechanism for shutting down or limiting internet communication, i.e., a “kill switch”. Since the internet is vital to free speech, the letter argued, any government action that would infringe on this right must meet a traditional First Amendment strict scrutiny test.

As public outcry over the proposed Act intensified, Senators Lieberman and Collins issued a fact sheet seeking to address some of the “misconceptions about the bill.”[11] The first “myth” that the Senators wanted to debunk was that the Act established a “kill switch,” and that it gave the President the authority to shut down the internet in times of emergency. The Senators pointed out that the President has already had the power to take over communications networks since the passage of the Communications Act of 1934.
The legislation that the Senators were proposing, they argued, would actually “bring Presidential authority to respond to a major cyber attack into the 21st century by providing a precise, targeted, and focused way for the President to defend our most sensitive infrastructure.”[12] Rather than limiting the President to the sole option of shutting off the internet during an imminent cyber attack, the Act would implement proactive measures for protecting cyberspace and empower the President to implement less drastic actions in the event of a breach of security.

Indeed, the Protecting Cyberspace as a National Asset Act would not “restrict or prohibit communications carried by, or over, covered critical infrastructure...unless the [NCCC] Director determines that no other emergency measure or action will preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption.”[13] So, while the Act did not explicitly establish a “kill switch”, the undefined “emergency measures” authorized by the Act, as well as this provision regarding the restriction of communications, do verify the government’s prerogative to shut down parts of the internet in cyber emergencies.

Despite assurances from Senators Lieberman, Collins, Carper, and others that the Act did not include a “kill switch,” public outcry was significant enough to force a reassessment of the legislation. Over the next two years the legislation was revised, and in February 2012 the Cybersecurity Act of 2012 was introduced.

[10] https://www.cdt.org/files/pdfs/20100624_joint_cybersec_letter.pdf.
[11] Cybersecurity Myths v. Reality, June 23, 2010.
[12] Id.
[13] The Act, Section 249(a)(6)(A).
This newly proposed legislation hopes to alleviate the concerns about the 2010 Act by eliminating any provisions that could be interpreted as giving the President a “kill switch.” The new legislation also defines critical infrastructure very narrowly to include only systems that could cause catastrophic damage, if compromised. It even explicitly excludes systems based solely on activities protected by the First Amendment. The Senators hope that this revised legislation will finally achieve the critically important goal of strengthening the nation’s cybersecurity, while also alleviating legitimate concerns about government’s ability to restrict free speech.

Markus Rauschecker is a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security (CHHS). As part of his duties, he is currently consulting for the District of Columbia on Continuity of Operations and Continuity of Government planning.