On April 1 (that date may be no accident), Sen. Jay Rockefeller and his co-sponsors introduced the Cybersecurity Act of 2009 (S.B. 773) with companion legislation creating the office of Cybersecurity Advisor to the president (S.B. 778).
One blogger warns that if these bills pass, the president will have the authority to unplug the internet and federalize private computer networks.
The Washington Post account is similarly breathless: "Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity 'czar' with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway."
But before FoxNews cries “Socialism” yet again and starts dumping sacks of silicon chips alongside those millions of wasted tax-day teabags (do these superpatriots even know what teabagging means to a hard-core socialist?), it might be useful to actually look at the legislation in question, which won’t bring us any closer to 1984.
Responding to the attacks of 9/11, the USA Patriot Act authorizes warrantless surveillance of our digital activity, and some attorneys general might see that as permission for the occasional waterboarding of systems administrators. But the Cybersecurity Act, which anticipates a devastating attack on the nation’s digital resources, seeks to avert such an attack while preserving the right to privacy and protecting our civil liberties.
The bill creates a Cybersecurity Board to oversee the development of security standards for government computers, create scholarships for computer science students working on security issues, and encourage a broader awareness of digital security among businesses and the general public. And it authorizes the president to appoint a Cybersecurity Advisor to – think about it – advise the president on the best way to protect the nation’s critical networks.
Unlike the USA Patriot Act, which mentions the need to protect civil liberties twice in its 402 pages but doesn’t really mean it, the Cybersecurity Act seeks to placate fears that all our domains are belong to .gov by explicitly linking internet security with the preservation of civil liberties:
- All actions and decisions of the proposed Cybersecurity Board “must respect privacy and civil liberties.”
- The Board is charged with determining whether the national cybersecurity policy adequately addresses “societal and civil liberty concerns.”
- And the Secretary of Commerce is charged with developing an awareness campaign that “communicates the Federal Government’s role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities.”
The Cybersecurity Act won’t put the U.S. on a par with the 13 countries labeled “internet enemies” by Reporters sans frontières, including Myanmar, Cuba, Egypt, Iran, North Korea, Saudi Arabia, Syria, and Vietnam. The Cyberczar won’t field internet police squads like China and Turkey to imprison bloggers or block websites that might not follow the party line. Nor can the Office of Cybersecurity shut down the nation’s computers on a whim the way Myanmar does, keep the internet out entirely, like North Korea, or severely limit online access like Cuba, whose communications minister called the internet a “tool for global extermination” in 2007.
Furthermore, at the same time that the bill charges the security office with developing ways “to determine the origin of a message transmitted over the Internet,” the kind of big-brotherism sure to alarm the Twittersphere, it enjoins the Cyberczar to consider “how to support privacy in conjunction with improved security.”
But what’s worrying internet freedom fighters most is this little clause, which empowers not the Cyberczar but the president to unplug the internet:
The president “may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security.”
The president is never very far from a briefcase with the nuclear launch codes and the red telephone. He can get the Russian president on the horn in thirty seconds or blow up the world in the interests of national security. But to the most paranoid among us, the Cybersecurity Act makes possible a Dr. Strangelove scenario where the president yanks us offline in the middle of a chat session, and some people think that’s just a little too much.
It’s one thing to have the launch codes, but should the president have your url as well?
Because, according to the law, it’s not just federal computers that can be booted offline, but also “United States critical infrastructure information systems or networks.” Presumably these are the networks run by banks and financial institutions, hospitals, police departments, and hedge fund managers. But they could also include university networks, where students are harmlessly Facebooking. And in a big enough emergency the president could even take down the food network, or Amazon.com. The interests of national security can be that compelling.
Fortunately the president likely to sign this legislation if it passes is Barack Obama, and we know he loves his BlackBerry and his laptop. Even if he’s forced to take some networks offline in an emergency, Pres. Obama’s not going to power down the national grid, because he knows our survival depends on our connectivity, and because the internet itself is designed to self-repair, continuing to function even when key nodes go offline. And no doubt David Plouffe will be reminding the president how important it is to keep on texting even when the numbers look bad, and his daughters will be pressuring him to get Facebook up and running as soon as possible.
But any cybersecurity law has to provide for less tech-savvy presidents as well, for those who might think of the internet as a series of tubes, or worse yet, those who think that if you can’t find something on Wikipedia, then either it didn’t happen or it’s not important enough to pursue.
So it wouldn’t hurt to make the presidential power to take networks offline both more specific, say to protect the nation’s defenses as well as its governmental, financial, and transportation networks, and more realistic: the internet is so complex and so borderless that, unless you live in Cuba or Myanmar, there is no single switch to shut it down.
The Cybersecurity Act may turn out to be moot, after all, since the National Security Agency has announced that it wants the job of protecting government networks for itself, and in pursuing that goal the NSA hasn't been as scrupulous about preserving the privacy or civil liberties of ordinary citizens as Congress or the courts.
So as long as we’re revising the Cybersecurity Act, it wouldn’t hurt to mention one last time just how critical it is to preserve civil liberties both online and off in wartime as well as peacetime.