Thursday, June 17, 2010

The Internet Police Are Coming: Introducing the Internet "Kill Switch"

A bill recently introduced by Joseph Lieberman in the US Senate threatens the basic tenets of a free and open internet through the creation of a new National Center for Cybersecurity and Communications (NCCC) within the Department of Homeland Security. In addition to giving the President the power to declare indefinite "National Cyber Emergencies", it would grant broad powers to the NCCC to coerce and entice key private internet infrastructure companies into compliance with new arbitrary government standards. A thorough read of the bill reveals the Feds may intend to rewrite the very structure of the internet for their own ends. ZDNet Australia covers many of the more onerous features:

A new US Senate Bill would grant the President far-reaching emergency powers to seize control of, or even shut down, portions of the internet.

The legislation says that companies such as broadband providers, search engines or software firms that the US Government selects "shall immediately comply with any emergency measure or action developed" by the Department of Homeland Security. Anyone failing to comply would be fined.

That emergency authority would allow the Federal Government to "preserve those networks and assets and our country and protect our people," Joe Lieberman, the primary sponsor of the measure and the chairman of the Homeland Security committee, told reporters on Thursday. Lieberman is an independent senator from Connecticut who meets with the Democrats.

Due to there being few limits on the US President's emergency power, which can be renewed indefinitely, the densely worded 197-page Bill (PDF) is likely to encounter stiff opposition.

According to the bill, the statutory limits on what would constitute a "National Cyber Emergency" are indeed broad:
an actual or imminent action by any individual or entity to exploit a cyber vulnerability in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure;
A simple statement by the President every 30 days would maintain the state of emergency with no details required to be revealed to the public.

TechAmerica, probably the largest US technology lobby group, said it was concerned about "unintended consequences that would result from the legislation's regulatory approach" and "the potential for absolute power". And the Center for Democracy and Technology publicly worried that the Lieberman Bill's emergency powers "include authority to shut down or limit internet traffic on private systems."

The idea of an internet "kill switch" that the President could flip is not new. A draft Senate proposal that ZDNet Australia's sister site CNET obtained in August allowed the White House to "declare a cybersecurity emergency", and another from Sens. Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) would have explicitly given the government the power to "order the disconnection" of certain networks or websites.

On Thursday, both senators lauded Lieberman's Bill, which is formally titled Protecting Cyberspace as a National Asset Act, or PCNAA. Rockefeller said "I commend" the drafters of the PCNAA. Collins went further, signing up as a co-sponsor and saying at a press conference that "we cannot afford to wait for a cyber 9/11 before our government realises the importance of protecting our cyber resources".

Under PCNAA, the Federal Government's power to force private companies to comply with emergency decrees would become unusually broad. Any company on a list created by Homeland Security that also "relies on" the internet, the telephone system or any other component of the US "information infrastructure" would be subject to command by a new National Center for Cybersecurity and Communications (NCCC) that would be created inside Homeland Security.

The only obvious limitation on the NCCC's emergency power is one paragraph in the Lieberman Bill that appears to have grown out of the Bush-era flap over wiretapping without a warrant. That limitation says that the NCCC cannot order broadband providers or other companies to "conduct surveillance" of Americans unless it's otherwise legally authorised.

Though the limitation on wiretapping is a blatantly hollow bone thrown to counter legitimate arguments against free speech encroachment, more dangerously, the new law will institutionalize the chilling repression of online free speech. It will establish a multi-tiered internet with assets that are either within the new National Information Infrastructure or not. For those that are in, the NCCC has broad powers, both carrots and sticks, to induce compliance with what it would deem acceptable content, both here and abroad. From ZDNet:

The NCCC also would be granted the power to monitor the "security status" of private sector websites, broadband providers and other internet components. Lieberman's legislation requires the NCCC to provide "situational awareness of the security status" of the portions of the internet that are inside the United States — and also those portions in other countries that, if disrupted, could cause significant harm.

Selected private companies would be required to participate in "information sharing" with the Feds. They must "certify in writing to the director" of the NCCC whether they have "developed and implemented" federally approved security measures, which could be anything from encryption to physical security mechanisms, or programming techniques that have been "approved by the director". The NCCC director can "issue an order" in cases of non-compliance.

Incentives to private companies that are critical to national infrastructure include civil immunity and/or taxpayer indemnification from civil lawsuits arising as a result of compliance, as well as large contracts for internet security providers, such as antivirus software developers.

Not mentioned in the article are a formalized citizen cyber-snitching program (page 101) and, more troubling, the ability of the new NCCC to rewire the internet from a standards and framework standpoint. From page 66 of the bill:

"(b) ANALYSIS AND IMPROVEMENT OF STANDARDS AND GUIDELINES.—For purposes of the program established under subsection (a), the Director shall—

"(1) regularly assess and evaluate cybersecurity standards and guidelines issued by private sector organizations, recognized international and domestic standards setting organizations, and Federal agencies; and

"(2) in coordination with the National Institute of Standards and Technology, encourage the development of, and recommend changes to, the standards and guidelines described in paragraph (1) for securing the national information infrastructure.

With the weight of federal resources behind it, "encourage" and "recommend" may be read as "dictate" and "police".

The incredible success of the internet is based upon its guts being mere conduits for information that is processed at the ends. As David Isenberg wrote in his seminal paper in 1997, it is a Stupid Network, one
  • with nothing but dumb transport in the middle, and intelligent user-controlled endpoints,
  • whose design is guided by plenty, not scarcity,
  • where transport is guided by the needs of the data, not the design assumptions of the network.
Any attempt to push information processing back into the middle of the network is a step back toward the old telephone company model. It is an inherent cap on future productivity gains even in the best-intentioned administered world. In a world of suspect intentions, abuse of new control powers is guaranteed. Opponents of the (deceptively named) net neutrality proposal should be especially alarmed, as this new bill will put power they were afraid to give to ISPs into the hands of bureaucrats in Homeland Security. Opponents of the (also deceptively named) Fairness Doctrine should balk, as it is the Fairness Doctrine on steroids.

Though horrific and sometimes avoidable, previous national emergencies were at least visible. With no public transparency or accountability, a National Cyber Emergency could be created with the push of a button and shut down all non-sanctioned internet traffic. The level playing field created by the Internet, with its unprecedented information sharing capabilities, is under attack. Senate bill 3480 must not be allowed to pass.



1 comment:

  1. Holy sh--

    *This post has been filtered to protect the dignity of the public as ruled by the National Center for Cybersecurity and Communications sec. 562(b).01*
