In the past month we’ve seen two countries try to “turn off” the Internet. On January 27, in Egypt, which had previously known few restrictions on Internet access (though, to be sure, intimidation of bloggers and activists was common), nearly all ISPs stopped delivering bits to their subscribers, even though data transiting Egypt from the outside world kept flowing normally. One Egyptian ISP, Noor, stayed up for a few days amidst speculation that it had been spared because major banks and the Egyptian stock exchange were subscribers; subsequently it went down, too. Internet access was then restored before the Mubarak government fell. In Libya, irregular nationwide outages lasting anywhere from a few minutes to seven hours have been occurring since the February 19.
This is nearly unprecedented; only brief incidents in Nepal and Burma, in 2005 and 2007 respectively, could compare. The events have renewed debate over proposed U.S. legislation that might give the government a similar ability to pull the plug on Internet communications in an emergency.
The bill, introduced in the Senate first last fall and again this spring by Senators Collins and Lieberman, was first titled “Protecting Cyberspace as a National Asset Act of 2010,” and then “Cybersecurity and Internet Freedom Act of 2011.” Many observers have simply called it the “kill switch” bill, suggesting that the bill would give the President authority to shut down the Internet, perhaps in ways just seen in the Middle East. That’s an unfair characterization. But there are other reasons to be skeptical about S.3480.
The bill contains a lot more than just the provision for a so-called “kill switch.” It provides for the establishment of a White House Office of Cyberspace Policy, tasked with oversight over all “instruments of national power relating to ensuring the security and resiliency of cyberspace” and the enforcement of security standards developed by the National Institute of Standards and Technology (NIST) across both public and private sector “critical infrastructure systems.” (NIST is the National Institute of Standards and Technology, an agency at the Department of Commerce tasked with advancing measurement science, standards and technology. Among other things, it houses the atomic clock which keeps the nation’s official time.) It also provides for the establishment of a National Center for Cybersecurity and Communications at the Department of Homeland Security, which would oversee the United States Computer Emergency Response Team, which, as the public/private operational arm of the National Cyber Security Division, acts to disseminate cybersecurity information from the research and government communities to the private sector.
Then there’s the most controversial bit: the bill proposes that, in the event of a “cyber emergency” as declared by the President, the Department of Homeland Security could issue mandatory orders and directives to “critical infrastructure systems”. This has been interpreted as meaning that the goverment could “shut down” the internet within the United States.
Under what circumstances this would be warranted depends largely on interpretation. The bill says a “cyber emergency” is an “actual or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure”. “Critical infrastructure” is in turn defined as those systems whose “disruption or destruction would cause a mass casualty event which includes an extraordinary number of fatalities; severe economic consequences; mass evacuations with a prolonged absence; or severe degradation of national security capabilities, including intelligence and defense functions”.
That all sounds pretty narrow: most Web servers would not qualify as that type of infrastructure–nor would a small ISP. Responding to criticism of the kill switch idea, the Senate has said that the bill is intended to provide a “precise, targeted and focused way for the President to defend our most sensitive infrastructure,” further defining that infrastructure as systems involved in the vital maintenance of the telecommunications networks, electrical grid, water systems and financial systems. Of course, as more systems move to the cloud, there’s a question of whether we will start to find these critical infrastructure systems interwoven with more mundane civilian resources, and what the implications of such mixing would be under this bill.
Putting it all together, this means that a cyber emergency would only to be declared in the event of an imminent risk of massive death and destruction, severe economic damage, mass evacuations or harm to our national security capabilities—the worst of all possible scenarios. But a critical issue is what kind of review there would be of whether a declared emergency really qualifies under the bill. Though there is no direct identification of critical infrastructure beyond those whose disruption would cause scenes from the movie 2012, there is a means in the bill for those designated as critical infrastructure systems to appeal that classification.
The new draft of the bill– likely responding to public anxiety over kill switches–explicitly forbids a shut down: “neither the President, the Director of the National Center for Cybersecurity and Communications or any officer or employee of the United States Government shall have the authority to shut down the Internet.”
Any emergency measures developed and implemented in the event of a cyber emergency would also expire within thirty days, with the possibility of several thirty day extensions. To be sure though, thirty days is a long while in Internet time, and more than enough time to change, perhaps irreversibly, a company who find itself on the wrong side of the critical infrastructure designation. Most important is to try. It’s also hard to imagine the circumstances under which these provisions would be invoked. By the language of the bill, it would appear to be nothing short of a massive virus–or physical–attack in which ISPs stood idly by as malware spread like. Of course, should that situation arise, it’s not clear that sending in the Marines (figuratively, if not literally), and telling various ISP’s to fix it would make any difference–as if they somehow wouldn’t be trying to do that anyway, and as if the government would have any comparative advantage in understanding the situation than the Internet engineers themselves would have.
Oddly, the U.S. government may already have the authority to shut down the Internet anyway. Section 706 of the Communications of Act of 1934 – written into the Act shortly after the 1941 attacks on Pearl Harbor – provides the President with the ability to shut down “any facility or station for wire communication” or take federal control of such facilities in the event of a “state of war” and for up to six months after the expiration of such a state. Of course, the War Congress of 1941 wasn’t thinking about the Internet at the time, though there is some indication that the Department of Homeland Security believes this provision could apply. In June of 2010, the Department of Homeland security apparently cited Section 706 as “one of the authorities the President would rely on if the nation were under a cyber attack.”
The new bill does not permit such a Federal takeover or shutdown, limits the amount of time a cyber emergency declaration can be in effect, and contains language intended to render the emergency measures as non-disruptive as possible.
Beyond the legalities or politics of drastic action, it’s worth asking whether the type of Internet shutdown seen in Egypt and elsewhere is even possible in the United States. Internet penetration in Egypt is around 15.4%, high for Africa but low compared to the rest of the Middle East; penetration in Libya is around 5% ; in Burma Internet penetration is at less than 1%. They have much smaller populations than the US, in smaller geographic areas. The shuttering of one or two ISPs has a much greater effect in these small markets than it would in the States. It is unlikely that the government could, though social and political pressure not backed up by statute and public accord, cow the hundreds of different ISPs operating in the continental United States to all shut down at once. Someone bent on disrupting Internet access would have to focus on Tier 1 ISPs – those who provide Internet access to other ISPs, and for which a shutdown would have the biggest ramifications. Another potential method for shutdown would be disrupting one or more of the major Internet exchange points or “carrier hotels” that exist around the country. Going after major wireless providers could also have a big impact. However, the likelihood of a complete shutdown remains low: at the point such a measure would be attempted we’d likely have plenty of other problems to raise with such an overreaching government. More important, with Internet access so crucial to the economy and to state and federal governments, a broad-based shutdown would carry incalculable costs. The point at which the Internet is so suffused in a society that a censorious government could consider turning it off is also the point at which the Internet is so suffused in a society that a government would likely not dare turn it off. Egypt and Libya provide new and surprising counter-examples to that hypothesis, but even in Egypt access was restored while the Mubarak government was still in power. And the level of integration of the Internet with layers of the American economy and communications system is an order of magnitude more than in Egypt and certainly Libya.
So, while there is no a kill switch hidden in the bill, it provides for the establishment of two federal bodies responsible for the development and enforcement of certain private and governmental security standards in the area of critical infrastructure systems, and establishes the ability of the government to give mandatory directives and orders to the private operators of critical infrastructure systems in the event of a cyber emergency, which is defined to sound a lot like a real emergency.
That said, is this bill a reasonable reaction to the current state of cybersecurity in this country?
The bill endows NIST with the ability to create security standards, in conjunction with the private sector, which would then be imposed on federal agencies and private operators of critical infrastructure systems. This introduces the potential for mission creep, and moreover, it is simply not known what those standards will be yet. Would such standards include the capacity for deep-packet sniffing, other methods of surveillance or backdoors? Who within NIST and the private sector would have final say in the creation of these standards, their implementation and enforcement? Does the government currently possess the expertise to take on this task to begin with? What actions will the relevant agencies take to ensure they have that experience at the ready when it comes to developing these standards?
When it comes to improving the online security environment in this country, everyone has work to do, including the federal government. Keeping up with patches and updates, changing default usernames and passwords on critical systems and choosing unique, complex passwords that change regularly are just some habits of good security that should be widespread but aren’t. Some parts of this bill, like section 301 which in part provides for the withholding of bonuses to senior agency officials whose agencies aren’t up to snuff, may be a good step towards implementing a functional and habitual security environment at the federal level. Some other sections clearly need more consideration and debate.
That the information security environment in this country and around the world needs work is clear. Whether or not this is the bill that is needed, or even whether the federal government should have a role in regulating civilian, private sector infosec, is less so.
An edited version was published this morning by the MIT Technology Review.