Does Senate Cyber Bill Include an ‘Internet Kill Switch’?
Recent efforts by the government of Egypt to shut down that country’s Internet have led many to ask whether the same thing could happen in the U.S.
In particular, there has been concern about whether cybersecurity legislation proposed in the Senate would give the President the power to limit Internet communications. At the end of this post, I offer a concrete suggestion for truly clarifying the bill to preclude government interference with the Internet. To understand both our lingering concern and my proposed fix, here’s the context:
The bill at issue is the Cybersecurity and Internet Freedom Act (“CIFA”), introduced on February 17 by Senators Lieberman, Collins and Carper. The CIFA, which is similar to legislation approved by a Senate committee last year, will likely be brought before the full Senate in the coming months, so the questions about what the bill authorizes are important.
Cybersecurity is a serious problem that Congress needs to address. The CIFA legislation would clarify in a helpful way the cybersecurity roles of federal agencies and the White House, beef up protection and resilience of federal networks, and facilitate information sharing between the private sector and the federal government. In some ways, the “kill switch” debate has overshadowed the bill’s other important provisions, and it would be a significant step forward if the “kill switch” language could be dropped or revised to put this debate to rest.
Concerned with distancing their bill from the actions of Egypt, CIFA’s lead sponsors released statements indicating that this year’s bill explicitly prevents the President from shutting down the Internet and denying that their legislation was ever intended to “empower the President to deny U.S. citizens access to the Internet.” Others remain concerned that the bill contains what amounts to an Internet “kill switch.” Who’s right?
No 'Kill Switch' Here
To begin with, the bill does not authorize the Government to shut down the Internet to squelch dissent Egypt-style. And, as my colleague Joshua Gruenspecht, has already pointed out, there are significant technological differences between the Internet in Egypt and in the U.S., making it harder as a practical matter for the government here to achieve blanket compliance with an order that seemed politically motivated or otherwise illegal.
However, the CIFA does include a vaguely worded provision that enhances the government’s authority over the Internet and that authorizes the Department of Homeland Security in an emergency to shut down some elements of the Internet or to curb some Internet communications, without adequate clarity and limitations. Despite a statement in the bill disclaiming any authority to “shut down the Internet,” the open-ended emergency provision is problematic both for civil liberties and for owners and operators of the critical infrastructure that could be put under an emergency order.
Specifically, the CIFA empowers the President to declare a “cyber emergency” that triggers authority in the Department of Homeland Security to “direct” the owners and operators of “covered critical infrastructure” to implement response plans approved by the government [1]. DHS is also authorized to “develop and coordinate” emergency measures “necessary to preserve the reliable operation” of covered critical infrastructure. The emergency actions DHS can direct must represent the least disruptive means feasible to the operations of covered critical infrastructure and hardware and software essential to operation of covered critical infrastructure.
There is little doubt that the emergency powers that DHS would possess under the bill when the President declares a cybersecurity emergency include authority to shut down or limit Internet traffic. This is clear because the bill specifically calls out, and limits, this authority. Under the CIFA, communications traffic flowing over an Internet backbone system (or other critical infrastructure system) can be restricted or shut down when a DHS official determines that no other emergency measure will preserve the reliable operation of a computer or related hardware or software that is essential to the operation of covered critical infrastructure.
In contrast, a separate provision of the bill states that, “neither the President … or any officer or employee of the United States Government shall have the authority to shut down the Internet.”
On its face, this disavowal is not satisfying, because it does not deny the government the power to shut down parts of the Internet or to selectively control communications over the Internet during an emergency. And under the terms of the bill, the key components of the Internet clearly could fit within the definition of “critical infrastructure” that can be the subject of emergency measures. In fact, one problem with the bill is the definition of “covered critical infrastructure.” The term is defined as a system or asset the destruction or disruption of which would cause a national or regional catastrophe and that is included on a secret list of assets established by the DHS under criteria that are not published. CDT understands why the list itself might not be something the government would want to disclose. However, the criteria for getting on the list should be objectively verifiable, quantified to the extent possible, and specified in the legislation.
Right of Appeal
This year’s version of the legislation properly includes a right for an owner or operator of a system or asset to appeal a designation that it is “critical.” This is important – and it is something CDT has recommended – because the “covered critical infrastructure” designation results in extensive obligations, including sharing incident information, certifying compliance with security measures recognized by DHS, submitting to evaluations, and implementing emergency measures that DHS requires. The right to appeal, though, would be more meaningful if the criteria for the designation were specified with particularity and it should be incumbent on Congress, in granting heavy regulatory authority, to spell out the criteria for determining what is regulated.
Moreover, while the bill allows appeal of the initial designation of a system or asset as critical, it offers no right to appeal the decision of the DHS to actually invoke emergency powers with respect to a designated asset or system – not to the owner of the covered critical infrastructure nor to someone harmed by the shut down of their traffic. A person adversely affected by an unlawful exercise of authority to shut down or limit Internet traffic should be able to go to court to stop that illegal action, and to do it on an expedited basis.
Such procedural checks and balances would help mitigate concerns with the potential for misuse of the emergency provisions. However, in our view, when it comes to the Internet, the case has not been made for giving the government the authority to shut down or limit communications traffic flowing over private systems. Owners and operators of critical infrastructure already have control over their systems and strong financial incentives to protect them. They already limit or cut off Internet traffic to particular systems when they need to do so. They know better than do government officials whether their systems need to be shut down or isolated. If a government agency has specific knowledge that would help inform that decision, the agency should share it. To our knowledge, a circumstance has not yet arisen in which an owner or operator of a critical system kept it running when it clearly needed to be shut down. The government’s failure to date to protect its own systems gives reason to question the assumption that underlies the proposed authority: that the government knows best.
Unintended Consequences
The potential list of unintended consequences to both the economy and to critical infrastructures themselves from even a limited shut down of some Internet traffic is long. It could interfere with the flow of billions of dollars necessary for the daily functioning of the economy. It could deprive doctors of access to medical records. It could deprive manufacturers of critical supply chain information. Even if the power was exercised rarely, its mere existence poses other risks, such as enabling the government to coerce costly conduct by threatening to shut down a system.
Finally, giving the government the power to shut down or limit Internet traffic even in limited circumstances would create perverse incentives. Private sector operators will be reluctant to share information if they know the government could use that information to order them to shut down. And, when they determine that shutting down a system would be advisable, private sector operators could lose precious time waiting to be ordered to shut down so that they would less likely be held liable for the damage a shut down could cause others.
The CIFA bill does not include an “Internet kill switch” intended to squelch dissent, but the bill certainly confers on the government a dangerous authority to shut down or limit Internet traffic that is subject to misuse and abuse.
The effect of the new provision stating that no government official shall have the authority to “shut down the Internet” is ambiguous. Given the controversy, we think there is a better way to “kill the kill switch.” Building on language already in the bill, we think the relevant limitation on DHS authority in an emergency should read:
Prohibited Actions.—The authority to direct compliance with an emergency measure or action under this section shall not authorize … any … Federal entity to—
(A) restrict or prohibit communications carried by, or over, covered critical infrastructure.
(This prohibition should apply only to non-Federal covered critical infrastructure: The government has, and should have, emergency authority to shut down parts of its own communications networks if they are compromised.)
We would also extend such a prohibition to the authorities granted in the Communications Act of 1934. As the sponsors of the CIFA point out, Section 706(d) of the Communications Act gives the President broad and ambiguous authority to close “any facility or station for wire communication” when the President proclaims that there is a war or a threat of war. The CIFA language about no “authority to shut down the Internet” would apply to Section 706 as well. We believe that it is unclear that Section 706 already confers power on the President to shut down or limit Internet traffic in time of war or threat of war. The sponsors are right, though, when they say that Section 706 is ambiguous, and it is also outdated.
Though the effect of the limitation the CIFA would put on Section 706 is uncertain, the sponsors are on the right track: It should be made clear that Section 706 does not confer authority to shut down or limit Internet traffic.
[1] The President can declare a cybersecurity emergency when there is an action by an individual or an entity that has the capability and intent to exploit a “cyber risk” that could disrupt a computer or software or hardware that is essential to the operation of covered critical infrastructure. A “cyber risk” is any physical or virtual risk to a computer or related hardware or software, which, if exploited, would pose a significant risk of disruption to a computer, hardware or software essential to the reliable operation of covered critical infrastructure.