Aides defend presidential powers in cybersecurity bill
Legislation does not allow 'shutdown' of the Internet, defenders say
Senate aides familiar with proposed legislation that would define the president’s power to deal with a cybersecurity emergency say the bill wouldn’t give the government sweeping control over the country’s digital infrastructure as some critics have claimed.
The controversy stems from language in a bill introduced in April by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). The measure’s original language said the president could declare a cybersecurity emergency and order the “shutdown” of Internet traffic to and from government systems or networks and those considered critical infrastructure. In addition, the president could, in the interest of national security, order the disconnection of such networks or systems.
Many critics took that to mean the president would be able to shut down the Internet by declaring a cybersecurity emergency. But Senate aides say the intention of the bill is to clarify the president’s authority to secure national cyber infrastructure from attack, which would be in line with the executive branch's existing power to lead response to national emergencies. Meanwhile, a second draft of the bill eliminates terms, such as “shutdown,” that fueled the controversy, according to one aide familiar with the legislation.
“To be very clear, the Rockefeller/Snowe bill will not empower a government shutdown or takeover of the Internet, and any suggestion otherwise is misleading and false,” said Jena Longo, a press officer for the majority on the Senate Commerce, Science and Transportation Committee, in a written statement. Rockefeller is chairman of the committee.
The firestorm erupted last month after a copy of the second draft was leaked to the press.
The aide said the legislation is evolving, and although it’s possible that quarantining or disconnecting a network could be the correct response to a particular attack, that would rarely be the case. The goal of the bill is to have a preplanned, agreed-upon public/private plan for dealing with cybersecurity emergencies and make it clear that the president would lead the response to such emergencies, the aide said.
Alan Paller, director of research at the SANS Institute, said such a national plan is necessary. When organizations suffer large-scale denial-of-service attacks, they usually can do nothing, he said. Only Internet service providers, which have control over networks, can take action.
“If you believe that cyberattacks will be part of warfare — and we have lots of reason to believe that – then you have to have a national strategy that allows you to respond quickly," he said. "ISPs have to be part of that solution under the direction of the president.”
Meanwhile, Roger Thornton, founder of Fortify Software, said that although the idea of emergency government powers over computer networks sounds a little unsettling, it isn’t alarming given the exceptional conditions that would trigger such a reaction.
“There’s really nothing that controversial about that when you consider that the president has powers to nationalize all sorts of things in the case of a national emergency,” he said, adding that the president also has the power to launch a nuclear strike.
“If you want to find something to not like, you’re going to find it" in the proposed legislation, said Thornton, who has seen the second draft of the bill. "If you want to find something to like, you’re going to find it because it’s broad and comprehensive.”
The Senate aide said the Rockefeller/Snowe bill attempted to outline a comprehensive plan and that aides from different committees are trying to coordinate their approaches.
The aide said the Homeland Security and Governmental Affairs Committee was also working on legislation, but the plan was still for the commerce committee to mark up the Rockefeller/Snowe legislation.
Ben Bain is a reporter for Federal Computer Week.