Last week the Senate Committee on Homeland Security and Governmental Affairs passed the Protecting Cyberspace as a National Asset Act of 2010, a bill now better known as the "Kill Switch Bill." The bill will now be considered by the Senate. There's no "kill switch" provision in the bill, but the President has had that power for decades.
The bill, if passed into law, will establish new cybersecurity organizations in the White House and the Department of Homeland Security, and compel private enterprises to cooperate with said agencies during a "cyber emergency" if deemed necessary by the President.
CNET reported on June 10th that the Senate was considering the bill, using the term "kill switch" to describe the proposed emergency powers, and warning of the potential for the president to gain "absolute power" over the Internet.
Section 249 of the bill contains the material regarding powers during a "cyber emergency." Here's what the bill actually contains, according to the official summary, emphasis ours:
Section 249: If the President determines there is a credible threat to exploit cyber vulnerabilities of the covered critical infrastructure, the President may declare a national cyber emergency, with notification to Congress and owners and operators of affected covered critical infrastructure. The notification must include the nature of the threat, the reason existing security measures are deficient, and the proposed emergency measures needed to address the threat. If the President exercises this authority, the Director of the NCCC will issue emergency measures necessary to preserve the reliable operation of covered critical infrastructure. Any emergency measures issued under this section will expire after 30 days unless the Director of the NCCC or the President affirms in writing that the threat still exists or the measures are still needed. Emergency measures imposed by the Director must be the least disruptive means feasible, and such emergency measures cannot be used to set aside the requirements of the Wiretap Act, the Electronic Communications Privacy Act, or the Foreign Intelligence Surveillance Act of 1978. This section does not authorize any new surveillance authorities or permit the government to "take over" private networks. While complying with the mandatory emergency measures, owners and operators of covered critical infrastructure will have the flexibility to propose alternative security measures that address the national cyber emergency and, once approved by the Director, implement those security measures in lieu of the original mandatory emergency measures. Owners and operators of covered critical infrastructure who comply with the requirements can in certain circumstances receive liability protections that range from limitations on some damages to immunity from suit.
The Director will also work with owner and operators of covered critical infrastructure outside the United States to inform them of cyber threats and vulnerabilities and appropriate security measures.
The language in the summary is consistent with the language in the bill itself (section 249 starts on page 76). It doesn't sound like a "kill switch." The bill would require the President to submit a report describing, among other things, "The actions necessary to preserve the reliable operation and mitigate the consequences of the potential disruption of covered critical infrastructure" (pg. 84 lines 1-4). That sounds like the opposite of a kill switch: this legislation describes a process by which the president is expected to take action to ensure access to "critical infrastructure," including the Internet.
There's plenty of room to debate the merits of the federal government dictating the security policies of private companies, the ability of the president to continually extend any provisions beyond 30 days, the value of establishing new cyber security departments within the government, and the vagueness of the language in the bill. But this is nothing nearly so radical as some are making it out to be.
In fact, as the Senate Committee on Homeland Security and Governmental Affairs' web site for the bill points out, the President already has a legislative (but of course, not technological) "kill switch." The Communications Act of 1934 gave the president power to shut down "wire communications." Here's the specific passage:
Upon proclamation by the President that there exists a state or threat of war involving the United States, the President, if he deems it necessary in the interest of the national security and defense, may during a period ending not later than six months after the termination of such state or threat of war and not later than such earlier date as the Congress by concurrent resolution may designate, (1) suspend or amend the rules and regulations applicable to any or all facilities or stations for wire communication within the jurisdiction of the United States as prescribed by the Commission, (2) cause the closing of any facility or station for wire communication and the removal therefrom of its apparatus and equipment, or (3) authorize the use or control of any such facility or station and its apparatus and equipment by any department of the Government under such regulations as he may prescribe, upon just compensation to the owners.
The Act was amended in 1996, and the 1996 version retains the above passage. The backers of the bill suggest the bill would actually limit the power granted to the President by the Communications Act. The language of the bill requiring the President's solutions to be the "least disruptive" possible and limiting emergency periods to 30 days instead of six months supports this claim.
The clamor over this bill does raise some intriguing possibilities. What, technologically, could the US federal government actually do to "shut down the Internet"?
Shutting down all US-based ISPs would effectively shut down the Internet within the US (and all web sites hosted here). ISPs in other countries would be unaffected, and it's conceivable that US citizens could still subscribe to foreign satellite Internet services.
Does the president, under the authority of the Communications Act of 1934, have the right to shut down ICANN? Could the US government shut down or block access to ICANN through some other existing legal means already? Wouldn't shutting down ICANN effectively cripple the Internet internationally? How hard would it be for foreign telcos to replace ICANN in that event? open_sailing's Openet project seeks to stitch together various packet radio and wireless mesh networks to build a global internet outside the control of governments and telcos, but it's a long way from being ready.
But whose interests would shutting down the Internet serve? Surely totalitarian regimes could benefit from censoring individual web sites, and certain companies would benefit from certain applications being blocked. But it's also been suggested that the Internet has been beneficial to dictatorships. And most importantly, the business world does not want to see its profits diminished by impediments to Internet access. One can hardly imagine any administration, no matter how corrupt, actually using a "kill switch."
Special thanks to my friend Laura for help researching this.