Today SEW posted an article titled “Homeland Security Wants Internet Kill Switch“.
In light of events in Egypt, hearing that Homeland Security is considering shutting off internet access in the US is unsettling. It’s supposed to be, otherwise what good is that headline?
According to the original article on Wired, “an aide to the Homeland Security committee described the bill as one that does not mandate the shuttering of the entire internet. Instead, it would authorize the president to demand turning off access to so-called “critical infrastructure” where necessary.”
Last year, when this critical cyber-security bill was originally submitted Senators Joe Lieberman, ID-Conn., Chairman of the Senate Homeland Security and Governmental Affairs Committee, and Susan Collins, R-Me. issued a “fact sheet” on the Myth vs. Reality of the S. 3480 “Protecting Cyberspace as a National Asset Act of 2010” bill.
The bill authorizes a “kill switch” allowing the President to shut down the Internet.
(From the original document, emphasis mine)
Rather than granting a “kill switch,” S. 3480 would make it far less likely for a President to use the broad authority he already has in current law to take over communications networks.
Section 706 of the Communications Act of 1934 provides nearly unchecked authority to the President to “cause the closing of any facility or station for wire communication” and “authorize the use of control of any such facility or station” by the Federal government. Exercise of the authority requires no advance notification to Congress and can be authorized if the President proclaims that “a state or threat of war” exists. The authority can be exercised for up to six months after the “state or threat of war” has expired.
The Department of Homeland Security, in testimony before the Committee on June 15, 2010, indicated that Section 706 is one of the authorities the President would rely on if the nation were under a cyber attack.
For more details read the full explanation here.
The bill gives the President the authority to take over the Internet.
S. 3480 would direct the President to set risk-based security performance requirements and, in a national cyber emergency, order emergency measures for our nation’s most critical infrastructure – those systems and assets that are most critical to our telecommunications networks, electric grid, financial system, and other components of critical infrastructure.
To qualify as a national or regional catastrophe, the disruption of the system or asset would have to cause:
• mass casualties with an extraordinary number of fatalities;
• severe economic consequences;
• mass evacuations of prolonged duration; or
• severe degradation of national security capabilities, including intelligence and defense functions.
The bill would give the President the authority to conduct electronic surveillance and monitor private networks.
The bill creates no new authority to conduct electronic surveillance.
The bill would give the President the authority to regulate the Internet.
The bill would set risk-based security performance requirements only for the owners/operators of our most critical systems and assets, which if disrupted would cost thousands of lives or billions of dollars in economic damage. The risk-based security performance requirements set by the NCCC would be developed in collaboration with the private sector.
By including a strategy to ensure security is considered in federal information technology procurements, the bill would upset international standards for information technology products and services.
For too long, the federal government has failed to adequately account for security when procuring information technology products and services. S. 3480 would require the government to develop a strategy to consider security risks in information technology procurements.
This bill and the “clarification” thereof don’t seem to leave much room for us to feel comfortable that, should there be a mass uprising among the civilians of the US (reflective of Egypt today), that we would have much freedom to voice our concerns/make plans/organize using internet services.
While this bill may not extend the surveillance possibilities of the government on its people, it does not make us any safer from the possibility of that occurring.
Additionally, this bill does not outline any reasonable methods to prevent and/or handle a massive cyber attack should one occur. Instead it outlines that plans will be developed after an attack has occurred. I wouldn’t put much faith in a system that recognizes a risk and plans to plan for it once it’s occurred.
I’d feel better if the government would have begun training cybersecurity professionals immediately upon determining this threat will occur, rather than waiting to scramble after the damage is done…