Emergency Internet control bill gets a rewrite

After private sector outcry, Democratic Sen. Jay Rockefeller has rewritten a cybersecurity bill that was criticized for giving the president emergency power over the Internet.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read

Sen. Jay Rockefeller alarmed technology and telecommunications firms last year when he announced a plan for the president to seize "emergency" control of the Internet. Now the West Virginia Democrat is trying again with a new version that aides hope will be seen as less extreme.

During a closed-door meeting on Capitol Hill on Wednesday attended by about a dozen industry representatives, CNET has learned, Rockefeller's staff pitched a revised version of his controversial cybersecurity legislation.

It says that after the president chooses to "declare a cybersecurity emergency," he can activate a "response and restoration plan" involving networks owned and operated by the private sector. In an attempt to limit criticism, instead of spelling out the plan's details, the latest draft simply says that it must be developed by the White House in advance.

There is no requirement that the emergency response plan be made public, meaning it could still include a forcible disconnection of critical Web sites from the Internet--which is what the March 2009 version of the legislation had proposed.

Larry Clinton, president of the Internet Security Alliance, whose members include Verisign, Verizon, and Raytheon, says no disconnection language is explicitly in the bill: "We are pleased that the 'kill switch' allowing for the government to shut down private sector access to the Internet has been eliminated."

But, Clinton said, "We think the bill still has a long way to go." If the private sector is expected to help out with national security, he said, there ought to be liability protections, insurance breaks, and tax credits for small businesses.

A spokesman for Rockefeller did not respond to repeated requests for comment on Wednesday. Sen. Olympia Snowe, a Maine Republican, is a co-sponsor of the legislation.

The Senate Commerce Committee is scheduled to vote for March 24 on the Rockefeller bill, which will replace an existing measure known as S.773. Because Rockefeller is chairman of the committee, the bill is expected to be approved with little dissent.

Other portions of the 62-page draft bill would create certification requirements for "critical infrastructure information system personnel working in cybersecurity" and punish certain companies that "fail to demonstrate" that they comply with federal specifications. A third section would order the National Science Foundation to fund anti-anonymity research that aims to "to determine the origin of a message transmitted over the Internet."

Liesyl Franz, vice president for information security at TechAmerica, one of the industry's largest trade associations, said her group does not support the new version at this time and is still reviewing the language.

"We have to see whether that makes sense," Franz said, referring to the licensing and certification sections. "We've often talked about how companies and industries are very different."

Franz added: "Frankly, we'd rather not see a prescriptive plan. Seeing a process for developing a plan to get to a goal is a little bit more palatable for the industry."

The revised Rockefeller bill, called the Cybersecurity Act of 2010, does stress that the White House should develop its cyber-emergency plan "in collaboration" with the private sector. It also says "this section does not authorize...an expansion of existing presidential authorities."