STEWART BAKER, guestblogging, says:
I feel a little like Marshall McLuhan in the last funny Woody Allen movie. Glenn has invited me to step into the debate between him and Andrew Sullivan about the Lieberman-Collins cybersecurity bill and its alleged Internet kill switch.
Andrew Sullivan will probably regret this in the long run, but he and I agree. (To his credit, Glenn knew that when he invited me to post here).
The widespread claim that the bill contains a kill switch is, well, a bunch of bull switch.
The epithet “Internet kill switch” was first coined to describe (to attack, really) a much different bill proposed by a different committee. Maybe that bill justified the term.
But Lieberman’s bill doesn’t. It is a lot more limited and careful in responding to a serious threat — the possibility that another nation might use our increasingly networked infrastructure to disrupt phone, banking, and power service in large parts of the country. Since those services are in private hands, the government needs some legislative authority to respond to such an attack. (We don’t usually ask private companies to respond to military attacks on their own.)
So what authority does the bill propose to give the government? To cut to the chase, it doesn’t grant authority over “the Internet.” It gives the President the power to order certain critical infrastructure owners to protect themselves in a coordinated way.
Here’s a more detailed breakdown of who’s covered (My apologies, but this is a little complicated.)
- First, to be covered, an asset must be part of the critical infrastructure, which is defined under existing law as systems and assets “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” That is pretty carefully focused on things like nuclear power plants and the New York Stock Exchange, not the Internet at large .
- Second, under section 241, even assets that arguably fit this definition are not covered unless they are identified on a list prepared by DHS (as far as I know, the list has not made public, because we don’t want to give adversaries a handy list of the best targets).
- Third, the authority only applies to a portion of that list, specifically to IT systems that support (or are themselves) critical infrastructure.
So the authority doesn’t extend to the Internet writ large, only to certain identified IT systems whose loss would have a debilitating effect on national security, health and safety. It can’t be used to shut down the blogosphere, not even if Secretary Napolitano finds it personally debilitating not to get a morning fix of Andrew Sullivan.
Okay; it doesn’t cover the whole Internet. But at least it’s a “kill switch” for the networks it covers, right?
Nope, not that, either. Under the bill, in an emergency, section 249 of the bill lets the government order owners of critical infrastructure to do two things:
- First, the government can tell them to implement their own emergency response plans, which are required by a different section (248) of the bill.
- Second, the government can “develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences” of an attack. And in developing these measures, the government must choose “the “least disruptive means feasible.”
No doubt there’s room for quibbling and improvement in the bill’s language, but a kill switch it ain’t.
In short, if you think that a cyberattack is possible, and I’ve devoted big chunks of a website to explaining why an attack is highly likely, then this bill simply gives the President the minimum authority he’ll need to assure protection for our most important assets — like phones, banks, power.
Then why is the blogosphere, right and left, full of fulmination about the kill switch? This post is long enough already, so I’ll just say that I think it’s a combination of privacy ideologues who automatically condemn new government authorities, even necessary ones, and anti-regulatory business interests — what I call the privacy-industrial complex. If you want to know more, it’s a theme I develop at length in Skating on Stilts.
[Glenn adds: Me, a dupe of the privacy-industrial complex? Say it ain’t so! But I’m sure Andrew won’t be troubled by these powers when they’re employed by the Palin Administration!]