Much of this post has already been published by Glenn Reynolds, who generously cast me as Marshall McLuhan in a debate between him and Andrew Sullivan about the Lieberman-Collins cybersecurity bill. But Glenn doesn’t encourage comments, and experience suggests that there are several commenters who would burst a gasket if they couldn’t explain just how wrong Stewart Baker’s posts are. You know who you are, so here you go: comment away.
I thought I made this point pretty clear in my last post on the topic, but I’ve been surprised how many people misinterpreted it. So I’ll say it again, with exegesis: the claim that the Lieberman-Collins bill contains a kill switch is, well, a bunch of bull switch.
Let’s start with its origin. The epithet “Internet kill switch” was first coined to describe (to attack, really) a much different bill proposed by a different committee. Maybe that bill justified the term.
But Lieberman’s bill doesn’t. It is a lot more limited and careful in responding to a serious threat — the possibility that another nation might use our increasingly networked infrastructure to disrupt phone, banking, and power service in large parts of the country. Since those services are in private hands, the government needs some legislative authority to respond to such an attack. (We don’t usually ask private companies to respond to military attacks on their own.)
So what authority does the bill propose to give the government? To cut to the chase, it doesn’t grant authority over “the Internet.” It gives the President the power to order certain critical infrastructure owners to protect themselves in a coordinated way.
Here’s a more detailed breakdown of who’s covered. (My apologies, but this is a little complicated.)
- First, to be covered, an asset must be part of the critical infrastructure, which is defined under existing law as systems and assets “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” That is pretty carefully focused on things like nuclear power plants and the New York Stock Exchange, not the Internet at large.
- Second, under section 241, even assets that arguably fit this definition are not covered unless they are identified on a list prepared by DHS (as far as I know, the list has not been made public, because we don’t want to give adversaries a handy list of the best targets).
- Third, the authority only applies to a portion of that list, specifically to IT systems that support (or are themselves) critical infrastructure.
So the authority doesn’t extend to the Internet writ large, only to certain identified IT systems whose loss would have a debilitating effect on national security, health and safety. It can’t be used to shut down the blogosphere, not even if Secretary Napolitano finds it personally debilitating not to get a morning fix of Andrew Sullivan.
Okay; it doesn’t cover the whole Internet. But at least it’s a “kill switch” for the networks it covers, right?
Nope, not that, either. In an emergency, section 249 of the bill lets the government order owners of critical infrastructure to do two things:
- First, the government can tell them to implement their own emergency response plans, which are required by a different section (248) of the bill.
- Second, the government can “develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences” of an attack. And in developing these measures, the government must choose the “least disruptive means feasible.”
No doubt there’s room for quibbling and improvement in the bill’s language, but a kill switch it ain’t.