What do ‘Cybersecurity Emergency’ Powers Mean for the Internet

Could President Obama soon gain the power to shut down the Internet? This is a question that has vexed security experts, legal scholars, and bloggers across the Web for the past week, ever since Cnet’s Declan McCullagh made public a leaked draft of S. 773, a cybersecurity bill currently pending in the U.S. Senate. Buried in the bill are a series of vague provisions that, depending on how you read them, can be construed as giving the President the sweeping authority to seize control of any computer in the United States.

In an opinon essay on CBSNews.com, writer Bruce Henderson observed that S. 773 “has unleashed a flood of criticism on how [the bill] would give the government a ‘kill switch’ for the Internet.”  But other experts have expressed skepticism toward such claims. According to Simon Ou, an assistant professor in computing and information sciences at Kansas State University, “the Internet is composed of a large number of small networks, both in the U.S. and abroad, that are interconnected through various networking protocols. I don't think any one nation has the authority or capability to ‘shut down’ the Internet."

Even if Obama were to merely gain the power to issue orders to operators of U.S.-based systems, there is still much to be concerned about. From telecommunications backbones to the power grid, virtually anything connected to some other computer in America would potentially be fair game for Obama to exercise “emergency” powers provided for by S. 773. In the event of a severe cyberattack, the federal government would gain the power to literally come in and take control of private computers, all in the name of safeguarding America’s “critical infrastructure.”

What, exactly, constitutes a “critical” network? It’s anyone’s guess – S.773 would give the President the sole discretion to define “critical information systems.” The bill does not provide for an independent review procedure.

Worried yet? You should be. After all, this is the same federal government that’s arguably the single greatest violator of individual privacy in the United States. If anything, government already has far too much power to control our lives and compel the disclosure of private information. Remember, it was only three years ago that the National Security Agency was found to be illegally wiretapping hundreds of millions of Americans without any court oversight using private telephone networks. To give the government even more power to impose dictates on private networks that transport sensitive personal data would be to ignore the important lessons from the post-9/11 era.

S. 773 is only the latest reminder of how tempting it can be for politicians in both parties to expand the federal government’s authority over “critical” private networks. Proposals to collectivize and centralize cybersecurity, however, threaten not only our freedom, but our security, too.

In fast-moving, competitive frontier industries like information technology, the small delays that inevitably accompany government “oversight” can have serious repercussions. When big government asserts authority over security technologies, it stymies the emergence of more robust information security practices. S. 773 aims to make America’s vital networks safer, but giving the government more power to impose mandates on private networks will make us less secure, not more secure.

Instead of granting new power to the federal government to control private networks, any cybersecurity legislation should restrict its focus to securing government networks and keeping government agencies on the cutting edge of communications technology. To be sure, if the nation does suffer a serious cyberattack, a swift response will be crucial. Government may well have an important role to play in identifying and punishing wrongdoers. But the ultimate responsibility and authority to defend private networks properly rests with network owners, not government.