Internet 'kill switch' bill gets a makeover

Senate "cyberemergency" bill returns, with critics saying tweaks still don't safeguard civil liberties and could lead to Internet takeover.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
6 min read

A Senate proposal that has become known as the Internet "kill switch" bill was reintroduced this week, with a tweak its backers say eliminates the possibility of an Egypt-style disconnection happening in the United States.

As CNET reported last month, the 221-page bill hands Homeland Security the power to issue decrees to certain privately owned computer systems after the president declares a "national cyberemergency." A section in the new bill notes that does not include "the authority to shut down the Internet," and the name of the bill has been changed to include the phrase "Internet freedom."

"The emergency measures in our bill apply in a precise and targeted way only to our most critical infrastructure," Sen. Susan Collins (R-Maine) said yesterday about the legislation she is sponsoring with Sen. Joe Lieberman (I-Conn). "We cannot afford to wait for a cyber 9/11 before our government finally realizes the importance of protecting our digital resources."

But the revised wording (PDF) continues to alarm civil liberties groups and other critics of the bill, who say the language would allow the government to shut down portions of the Internet or restrict access to certain Web sites or types of content. Even former Egyptian President Hosni Mubarak didn't actually "shut down" the Internet: at least at first, a trickle of connections continued.

"It still gives the president incredible authority to interfere with Internet communications," ACLU legislative counsel Michelle Richardson said today. If the Department of Homeland Security wants to pull the plug on Web sites or networks, she said, "the government needs to go to court and get a court order."

That concern was punctuated by a report yesterday that Homeland Security erroneously seized 84,000 Web domains and took them offline. Former congressman Bob Barr, now an NRA board member and newspaper columnist, wrote that the mistake shows that "no government--no matter how benign or well-meaning--should be empowered to control the Internet."

The Electronic Frontier Foundation said today that it continues to have concerns about the Lieberman-Collins bill. "The president would have essentially unchecked power to determine what services can be connected to the Internet or even what content can pass over the Internet in a cybersecurity emergency," said EFF Senior Staff Attorney Kevin Bankston. "Our concerns have not changed."

Some of the companies and industry groups listed as supporting last June's version of the bill, before the protests in Egypt, the FBI's push on Internet wiretapping, and the Justice Department's campaign for Internet data retention, stopped short of endorsing the revised version.

Larry Clinton, president of the Internet Security Alliance, pointed to his letter to the Senate committee last year saying the legislation "is in need of additional refinement." Clinton said in an e-mail today that "much more needed to be done before we could support enactment."

Microsoft said it did not have a position on the legislation. "The bill language just came out, and so we really need to review it before we can provide further comment," a representative said today.

From "Protecting Cyberspace" to "Internet Freedom"
Many portions of the revised bill, also sponsored by Sen. Tom Carper (D-Del.), are generally uncontroversial, dealing with topics such as boosting the federal government's information security, recruiting federal "cybersecurity personnel," and funding research into secure versions of Internet protocols. (The bill previously was called the Protecting Cyberspace as a National Asset Act; as part of its makeover it's been renamed the "Cybersecurity and Internet Freedom Act.")

But all of the recent attention has been focused on the sections handing the president emergency powers. The new version follows the same process as the old one: President Obama would be given the power to "issue a declaration of a national cyberemergency." Once that happens, Homeland Security would receive sweeping new authorities, including the power to require that so-called critical companies "shall immediately comply with any emergency measure or action" decreed.

No "notice" needs to be given "before mandating any emergency measure or actions." That means a company could be added to the "critical" infrastructure list one moment, and ordered by Homeland Security to "immediately comply" with its directives the next.

The U.S. Senate's Homeland Security and Governmental Affairs Committee, which Lieberman chairs, appears to believe that it's not necessary to include explicit judicial review of the president's emergency authority once exercised, believing it's implicit. Any such lawsuit filed by a targeted company would likely focus on language saying the emergency decrees should be "the least disruptive means feasible."

The president may declare a "cyberemergency" for 30 days, and extend it for one 30-day period, unless Congress votes to approve further extensions.

Homeland Security will "establish and maintain a list of systems or assets that constitute covered critical infrastructure" and that will be subject to those emergency decrees.

Homeland Security is only supposed to place a computer system (which could include a server, Web site, router, and so on) on the list if certain requirements are met. First, the disruption of the system could cause "severe economic consequences" or worse. Second, the system is "a component of the national information infrastructure," such as the Internet, or relies on that infrastructure. Third, it can't be placed on the list "based solely" on any First Amendment-protected activities.

A committee report from December says that senators hope that Homeland Security will interpret that language to include a "combination" of factors, including mass casualties or evacuations, over $25 billion in damages, or "severe degradation" of national security. The suggestion, however, appears to be nonbinding and doesn't actually appear in the legislation.

One big change: Earlier versions of the bill barred companies from filing a lawsuit objecting to being placed on that list. The revised version explicitly permits judicial review as long as the lawsuit is filed in the District of Columbia.

"A state of public peril"
A 1934 law (PDF) creating the Federal Communications Commission says that in wartime, or if a "state of public peril or disaster or other national emergency" exists, the president may "authorize the use or control of any...station or device." That could sweep in the Internet, but it's not entirely clear it does. (The revised bill says that existing authority may not be used to "shut down the Internet," but does not otherwise limit it.)

In congressional testimony (PDF) last year, the Obama administration stopped short of endorsing the Lieberman-Collins bill. The 1934 law already addresses "presidential emergency authorities, and Congress and the administration should work together to identify any needed adjustments to the act," DHS Deputy Undersecretary Philip Reitinger said, "as opposed to developing overlapping legislation."

A draft Senate proposal that CNET obtained in August 2009 authorized the White House to "declare a cybersecurity emergency," and another from Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) would have explicitly given the government the power to "order the disconnection" of certain networks or Web sites. House Democrats have taken a similar approach.

In a statement, Lieberman said there's no "kill switch" in this bill.

"It is impossible to turn off the Internet in this country," he said. "This legislation applies to the most critical infrastructures that Americans rely on in their daily lives--energy transmission, water supply, financial services, for example--to ensure that those assets are protected in case of a potentially crippling cyberattack."

The ACLU's Richardson believes the problem was never a "kill switch." She said: "The question is bigger than that. It's generally, can the government interfere with communications...The question is: Are there significant protections in there?"

Jim Harper, director of information policy studies at the free-market Cato Institute and a member of a Homeland Security advisory panel, says that supporters of the bill have yet to make the argument that such governmental emergency powers will do more good than harm.

"They recognize that a total Internet kill switch is totally unacceptable," Harper said today. "A smaller Internet kill switch, or a series of kill switches, is also unacceptable...How does this make cybersecurity better? They have no answer."