
10.06.09

The Coming Internet Shutdown?

The Cybersecurity Act of 2009 would let Obama disconnect parts of the Internet in an emergency. Nicholas Ciarelli on how the government can improve security without resorting to a “kill switch.”

The U.S. government has announced that it will ease some of its control over ICANN, a key policy-making organization that helps oversee the Internet. But other actions in Washington demonstrate how difficult it is for the government to keep its hands off its prized invention.

Exhibit A is the Cybersecurity Act of 2009, which sounds like a dusty old conspiracy theory from the fringe right: a bill on Capitol Hill that would give the president the power to shut down the Internet.


Proposed in April by Senators Jay Rockefeller and Olympia Snowe, the bill would empower the president, in cases of emergency, to disconnect parts of the Internet deemed “critical infrastructure.” This language raised red flags for digital-rights advocates, as many of those networks—in telecommunications, banking, energy, and other areas—are privately owned, not operated by the government.

A redrafted bill, made public in recent weeks, has done little to quell the controversy, replacing the provision with even fuzzier language that “would permit the president to shut down the Internet,” according to the digital rights group the Electronic Frontier Foundation.

“It basically allows the president to declare a cybersecurity emergency and to direct the national response to the problem, but it doesn’t describe what that means, or whether there’s any limits,” said Jennifer Granick, the EFF’s civil-liberties director. (Full disclosure: This writer has benefited from the EFF’s support in defending an Apple lawsuit.)

That the government needs a robust cybersecurity strategy is hardly in dispute—a coordinated attack on a vital network could bring down, say, the country’s electrical grid. (A denial-of-service attack this summer rendered Twitter and Facebook, two decidedly less vital services, inaccessible for several hours.) Last year, five federal agencies received failing marks for computer security from the House Oversight and Government Reform Committee.

Recognizing the threat, the new administration has trumpeted cybersecurity as a matter of critical importance. “From now on, our digital infrastructure—the networks and computers we depend on every day—will be treated as they should be: as a strategic national asset,” Obama said in a May speech. “Protecting this infrastructure will be a national-security priority.” And for the sixth year in a row, October has been dubbed “National Cybersecurity Awareness Month,” a distinction that seems likely to garner as much public awareness as “National Popcorn Poppin’ Month” (also October).

The PR blitz has done little to address the problem, however. Months after the president’s speech, he has yet to appoint a “cybersecurity czar” to coordinate the government’s disjointed efforts; an acting czar resigned in August. And in March, Rod Beckstrom, director of the Department of Homeland Security’s National Cybersecurity Center, also resigned, saying the National Security Agency was dominating the country’s cybersecurity efforts. But at least it has been clear where the administration’s heart lies.

Hence the far-reaching bill, which has touched off debates over the legislation’s true scope. “My understanding is that the president currently has the authority to disconnect critical infrastructure, so reiterating it in this law doesn’t do much,” says Gene Spafford, a prominent computer-security expert and professor at Purdue University.

And in a statement, the Commerce Committee calls the digital-rights advocates’ concerns over an Internet shutdown overblown: “To be very clear, the Rockefeller-Snowe bill will not empower a ‘government shutdown or takeover of the Internet’ and any suggestion otherwise is misleading and false... Chairman Rockefeller and Senator Snowe are deeply committed to transparency and an open exchange of ideas in crafting this legislation.”

So why not attack cybersecurity problems in a decentralized way, as the Internet is decentralized by nature? As security specialist Bruce Schneier, the EFF, and others have noted, the vulnerabilities that threaten the country’s networks are the kinds of routine issues that are addressed more effectively by installing secure, up-to-date software than by putting a statutory “kill switch” on the Internet.

“GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information-security programs. These aren’t super-secret NSA-level security issues; these are the same managerial problems that every corporate CIO wrestles with,” Schneier writes in The Wall Street Journal. “The best thing the government can do for cybersecurity world-wide is to use its buying power to improve the security of the IT products everyone uses.”

Such a strategy would require the U.S. government to take a less imperious approach to regulating the Internet. But Americans also wouldn’t have to wait for Washington to get its act together, leaving each of us to celebrate National Cybersecurity Awareness Month in his or her own way.

Nicholas Ciarelli is an assistant product manager at The Daily Beast.