Bill would give president emergency control of Internet
Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

The new version would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

"I think the redraft, while improved, remains troubling due to its vagueness," said Larry Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board. "It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill."

A Senate source familiar with the bill compared the president's power to take control of portions of the Internet to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.

When Rockefeller, the chairman of the Senate Commerce committee, and Olympia Snowe (R-Maine) introduced the original bill in April, they claimed it was vital to protect national cybersecurity. "We must protect our critical infrastructure at all costs--from our water to our electricity, to banking, traffic lights and electronic health records," Rockefeller said.

The Rockefeller proposal plays out against a broader concern in Washington, D.C., about the government's role in cybersecurity. In May, President Obama acknowledged that the government is "not as prepared" as it should be to respond to disruptions and announced that a new cybersecurity coordinator position would be created inside the White House staff. Three months later, that post remains empty, one top cybersecurity aide has quit, and some wags have begun to wonder why a government that receives failing marks on cybersecurity should be trusted to instruct the private sector what to do.

Rockefeller's revised legislation seeks to reshuffle the way the federal government addresses the topic. It requires a "cybersecurity workforce plan" from every federal agency, a "dashboard" pilot project, measurements of hiring effectiveness, and the implementation of a "comprehensive national cybersecurity strategy" in six months--even though its mandatory legal review will take a year to complete.

The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco. "As soon as you're saying that the federal government is going to be exercising this kind of power over private networks, it's going to be a really big issue," he says.

Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)

"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."

Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.

The Internet Security Alliance's Clinton adds that his group is "supportive of increased federal involvement to enhance cyber security, but we believe that the wrong approach, as embodied in this bill as introduced, will be counterproductive both from an national economic and national secuity perspective."

Technically agencies that work for the President can already do this.

Just more of Big Brother getting control over our lives. Remember government knows what is better for you than you do yourself. Just look at the things government has taken control of so far it is starting to become scary, maybe I should have stayed in Iraq.

Proposed bill would give President coontrol of Internet

A new US Senate Bill would grant the President far-reaching emergency powers to seize control of, or even shut down, portions of the internet.

The legislation says that companies such as broadband providers, search engines or software firms that the US Government selects "shall immediately comply with any emergency measure or action developed" by the Department of Homeland Security. Anyone failing to comply would be fined.

That emergency authority would allow the Federal Government to "preserve those networks and assets and our country and protect our people," Joe Lieberman, the primary sponsor of the measure and the chairman of the Homeland Security committee, told reporters on Thursday. Lieberman is an independent senator from Connecticut who meets with the Democrats.

Due to there being few limits on the US President's emergency power, which can be renewed indefinitely, the densely worded 197-page Bill (PDF) is likely to encounter stiff opposition.

TechAmerica, probably the largest US technology lobby group, said it was concerned about "unintended consequences that would result from the legislation's regulatory approach" and "the potential for absolute power". And the Center for Democracy and Technology publicly worried that the Lieberman Bill's emergency powers "include authority to shut down or limit internet traffic on private systems."

The idea of an internet "kill switch" that the President could flip is not new. A draft Senate proposal that ZDNet Australia's sister site CNET obtained in August allowed the White House to "declare a cybersecurity emergency", and another from Sens. Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) would have explicitly given the government the power to "order the disconnection" of certain networks or websites.

On Thursday, both senators lauded Lieberman's Bill, which is formally titled Protecting Cyberspace as a National Asset Act, or PCNAA. Rockefeller said "I commend" the drafters of the PCNAA. Collins went further, signing up at a co-sponsor and saying at a press conference that "we cannot afford to wait for a cyber 9/11 before our government realises the importance of protecting our cyber resources".

Under PCNAA, the Federal Government's power to force private companies to comply with emergency decrees would become unusually broad. Any company on a list created by Homeland Security that also "relies on" the internet, the telephone system or any other component of the US "information infrastructure" would be subject to command by a new National Center for Cybersecurity and Communications (NCCC) that would be created inside Homeland Security.

The only obvious limitation on the NCCC's emergency power is one paragraph in the Lieberman Bill that appears to have grown out of the Bush-era flap over wiretapping without a warrant. That limitation says that the NCCC cannot order broadband providers or other companies to "conduct surveillance" of Americans unless it's otherwise legally authorised.

Lieberman said on Thursday that enactment of his Bill needed to be a top congressional priority. "For all of its 'user-friendly' allure, the internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets," he said. "Our economic security, national security and public safety are now all at risk from new kinds of enemies — cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals."

A new cybersecurity bureaucracy
Lieberman's proposal would form a powerful and extensive new Homeland Security bureaucracy around the NCCC, including "no less" than two deputy directors, and liaison officers to the Defense Department, Justice Department, Commerce Department, and the Director of National Intelligence. (How much the NCCC director's duties would overlap with those of the existing assistant secretary for infrastructure protection is not clear.)

The NCCC also would be granted the power to monitor the "security status" of private sector websites, broadband providers and other internet components. Lieberman's legislation requires the NCCC to provide "situational awareness of the security status" of the portions of the internet that are inside the United States — and also those portions in other countries that, if disrupted, could cause significant harm.

Selected private companies would be required to participate in "information sharing" with the Feds. They must "certify in writing to the director" of the NCCC whether they have "developed and implemented" federally approved security measures, which could be anything from encryption to physical security mechanisms, or programming techniques that have been "approved by the director". The NCCC director can "issue an order" in cases of non-compliance.

The prospect of a vast new cybersecurity bureaucracy with power to command the private sector worries some privacy advocates. "This is a plan for an auto-immune reaction," says Jim Harper, director of information studies at the libertarian Cato Institute. "When something goes wrong, the government will attack our infrastructure and make society weaker."

To sweeten the deal for industry groups, Lieberman has included a tantalising offer absent from earlier drafts: immunity from civil lawsuits. If a software company's programming error costs customers billions, or a broadband provider intentionally cuts off its customers in response to a federal command, neither would be liable.

If there's an "incident related to a cyber vulnerability" after the President has declared an emergency and the affected company has followed federal standards, plaintiffs' lawyers cannot collect damages for economic harm. And if the harm is caused by an emergency order from the Feds, not only does the possibility of damages virtually disappear, but the US Treasury will even pick up the private company's tab.

Another sweetener: a new White House office would be charged with forcing federal agencies to take cybersecurity more seriously, with the power to jeopardise their budgets if they fail to comply. The likely effect would be to increase government agencies' demand for security products.

Tom Gann, McAfee's vice president for government relations, stopped short of criticising the Lieberman Bill, calling it a "very important piece of legislation".

McAfee is paying attention to "a number of provisions of the Bill that could use work," Gann said, and "we've certainly put some focus on the emergency provisions."

I laughed. Freudian slip?

maybe I should have stayed in Iraq.