By Grant Gross
A US Senate committee has approved a wide-ranging cybersecurity bill that some critics have suggested would give the US president the authority to shut down parts of the Internet during a cyberattack.
Senator Joe Lieberman and other bill sponsors have refuted the charges that the Protecting Cyberspace as a National Asset Act gives the president an Internet “kill switch.” Instead, the bill puts limits on the powers the president already has to cause “the closing of any facility or stations for wire communication” in a time of war, as described in the Communications Act of 1934, they said in a breakdown of the bill published on the Senate Homeland Security and Governmental Affairs Committee website.
The committee unanimously approved an amended version of the legislation by voice vote Thursday, a committee spokeswoman said. The bill next moves to the Senate floor for a vote, which has not yet been scheduled.
Obama security review
gets mixed reception
The bill, introduced earlier this month, would establish a White House Office for Cyberspace Policy and a National Center for Cybersecurity and Communications, which would work with private US companies to create cybersecurity requirements for the electrical grid, telecommunications networks and other critical infrastructure.
The bill also would allow the US president to take emergency actions to protect critical parts of the Internet, including ordering owners of critical infrastructure to implement emergency response plans, during a cyber-emergency. The president would need congressional approval to extend a national cyber-emergency beyond 120 days under an amendment to the legislation approved by the committee.
The legislation would give the US Department of Homeland Security authority that it does not now have to respond to cyber-attacks, Lieberman, a Connecticut independent, said earlier this month.
“Our responsibility for cyber defence goes well beyond the public sector because so much of cyberspace is owned and operated by the private sector,” he said. “The Department of Homeland Security has actually shown that vulnerabilities in key private sector networks like utilities and communications could bring our economy down for a period of time if attacked or commandeered by a foreign power or cyber terrorists.”
Other sponsors of the bill are Senators Susan Collins, a Maine Republican, and Tom Carper, a Delaware Democrat.
One critic said last Thursday that the bill will hurt the nation’s security, not help it. Security products operate in a competitive market that works best without heavy government intervention, said Wayne Crews, vice president for policy and director of technology studies at the Competitive Enterprise Institute, an anti-regulation think tank.
“Policymakers should reject such proposals to centralize cyber security risk management,” Crews said in an e-mail. “The Internet that will evolve if government can resort to a ‘kill switch’ will be vastly different from, and inferior to, the safer one that will emerge otherwise.”
Cybersecurity technologies and services thrive on competition, he added. “The unmistakable tenor of the cybersecurity discussion today is that of government steering while the market rows,” he said. “To be sure, law enforcement has a crucial role in punishing intrusions on private networks and infrastructure. But government must coexist with, rather than crowd out, private sector security technologies.”
Last week, 24 privacy and civil liberties groups sent a letter raising concerns about the legislation to the sponsors. The bill gives the new National Center for Cybersecurity and Communications “significant authority” over critical infrastructure, but doesn’t define what critical infrastructure is covered, the letter said.
Without a definition of critical infrastructure there are concerns that “it includes elements of the Internet that Americans rely on every day to engage in free speech and to access information,” said the letter, signed by the Center for Democracy and Technology, the American Civil Liberties Union, the Electronic Frontier Foundation and other groups.
“Changes are needed to ensure that cybersecurity measures do not unnecessarily infringe on free speech, privacy, and other civil liberties interests,” the letter added.