X

Senate readies for fight over cybersecurity surveillance

Sen. Joe Lieberman says his cybersecurity bill is necessary to prevent terrorists from dumping "raw sewage into our lakes." But privacy groups call it a big step toward Big Brother.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read
Sen. Joe Lieberman is hoping for better cybersecurity luck this time around.
Sen. Joe Lieberman is hoping for better cybersecurity luck this time around. CBS

Sen. Joseph Lieberman spent years fighting unsuccessfully for a so-called Internet kill switch that would grant the president vast power over private networks during a "national cyberemergency."

Now Lieberman (I-Conn.), who did not seek re-election, is hoping a more modest version of his proposal will be approved before he leaves office in January. Senate Majority Leader Harry Reid (D-Nev.) has inserted the cybersecurity bill into the Senate's post-election calendar, and a vote could happen as early as this week after debate on a proposal to open more public land for hunting and fishing.

That move has reignited a long-simmering dispute over privacy, regulation, and cybersecurity, with Republicans saying Lieberman's bill is overly regulatory, and the U.S. Chamber of Commerce calling it deeply "flawed." Civil liberties groups including the Electronic Frontier Foundation oppose Lieberman's bill on privacy grounds, warning that it gives "companies new rights to monitor our private communications and pass that data to the government."

Cybersecurity Act of 2012 Excerpts

"There is established a National Cybersecurity Council... The Council shall establish procedures under which each owner of critical cyber infrastructure shall report significant cyber incidents affecting critical cyber infrastructure... The term 'critical cyber infrastructure' means critical infrastructure identified by the Council...

"Notwithstanding any other provision of law...[Homeland Security] may acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on agency information systems and deploy countermeasures with regard to the communications and system traffic...

"The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or information security services to acquire, intercept, retain, use, and disclose communications and other system traffic or to deploy countermeasures..."

"What we hope changes this time is that Sen. Reid will not block amendments like he did last time," a spokesman for Sen. Mitch McConnell, the Republican minority leader, told CNET yesterday. "A lot of people have good ideas for improving/changing the bill, but they were all blocked from offering their amendments for a vote last time -- despite Sen. Reid's public pledge that the bill would be 'subject to as fair, thorough, and open a process as is conceivable.'"

During a vote in August that fell largely along party lines, Republicans blocked Lieberman's Cybersecurity Act of 2012 from moving forward. It received a vote of 52 to 46, but under Senate procedures, a 60-vote supermajority was required.

Neither Reid nor Lieberman responded to requests for comment from CNET yesterday. An aide to Sen. Tom Carper -- a Delaware Democrat who is co-sponsoring Lieberman's bill and is expected to take the lead on cybersecurity topics next year -- said Carper is ready to work with critics to address their concerns, but the Senate shouldn't put off addressing cybersecurity threats any longer.

One significant development since the failed vote over the summer: President Obama's threat to bypass the Congress by implementing part of Lieberman's bill through an executive order.

Many Democrats like that idea. In a letter to the White House in September, Delaware Sen. Christopher Coons and Connecticut Sen. Richard Blumenthal say it's time for an executive order "directing the promulgation of voluntary standards" by the Department of Homeland Security. A few weeks later, Lieberman recommended much the same thing.

This could ratchet up the pressure on Republicans to agree to Lieberman's approach. On the other hand, an executive order wouldn't get Democrats everything they want, so they have an incentive to try again in the Senate.

A spokesman for Sen. Daniel Coats (R-Ind.) said yesterday that:

It is imperative that Congress pass a balanced cyber security bill this year given the threat of cyber attacks against our government and key sectors of our economy. An Executive Order simply cannot provide the statutory authorities and protections needed to address the serious danger posed by cyber attacks. This critical issue demands the input of both Republicans and Democrats, White House and Congress, and the public and private sectors. It would be a disservice to the American people if Senate Majority Leader Harry Reid plays another game of political football with cyber security legislation as he did in August when he abruptly cut off bipartisan negotiations.

In 2010, Lieberman proposed handing Homeland Security emergency powers to seize control of or even shut down portions of the Internet, including the authority to issue directives to broadband providers, search engines, or software firms. "Our economic security, national security and public safety are now all at risk from new kinds of enemies -- cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals," he said at the time.

That idea didn't exactly meet with universal applause, especially after Egypt's government provided an impromptu demonstration by trying to pull the plug on the country's Internet links. By early last year, Lieberman's original proposal had morphed into a slightly revised version, with increased judicial review, that was designed to assuage critics' concerns. It didn't work.

Lieberman's latest version removes an explicit kill switch. Instead, it allows Homeland Security to "intercept" any telecommunications traffic that is "transiting" federal networks. It also grants corporations more legal authority to monitor and block their customers' activities. And it imposes new regulations on companies deemed by a new National Cybersecurity Council to be "critical cyber infrastructure."

In remarks in July, Lieberman called on his colleagues to join him because otherwise terrorists could "dump raw sewage into our lakes, rivers and streams." It's a question, he said, of "how best to protect our national and economic security in this wired world where threats come not from land, sea or sky, but in invisible strings of ones and zeroes." (See related CBS News video.)

Opposition to Lieberman's bill hasn't fallen entirely along party lines. Sen. Ron Wyden, an Oregon Democrat who has emerged as the Senate's leading defender of privacy rights, said he voted against the bill because it "does not sufficiently safeguard Internet users' privacy and civil liberties."

EFF says the Cybersecurity Act is "dangerously vague," especially because it mentions "modify[ing] or block[ing] data packets," which the group believes could lead to results like "blocking Tor traffic entirely under the guise of operating cybersecurity countermeasures." The ACLU said the good news is that the bill doesn't include a kill switch, but "the bad is that it permits companies to share American internet use data with military agencies like the NSA." (The ACLU felt more warmly after some pre-vote tweaks.)

The Republican-backed alternative proposal, which the House of Representatives approved in April, is hardly a paragon of privacy.

The GOP-drafted Cyber Intelligence Sharing and Protection Act, or CISPA, would permit Internet companies to hand over confidential customer records and communications to the National Security Agency and other portions of the U.S. government. It's designed to trump all existing federal and state laws, including ones dealing with wiretaps, educational records, and medical privacy.