White House proposal includes Internet kill switch, senators warn
The Internet "kill switch" debate that has swirled around proposed legislation is back -- but now the senators whose bill first prompted the use of the term are warning that it is President Barack Obama's plan that includes it.
Proposed cybersecurity legislation released by the Obama administration earlier this month is similar to legislation now pending in the Senate, but it does not contain the explicit emergency powers contained in the bill introduced by Joseph I. Lieberman (I-Conn.) and Susan M. Collins (R-Maine). Instead, it seems to rely on a 77-year-old law that gives the president broad autority to shut down communicatons networks.
“The administration appears to be relying on potentially sweeping authority in the outmoded Telecommunication Act of 1934,” Collins said. “This authority is far broader than the authority in our bill,” which she said “carefully constrains” the president’s power over the Internet.
Under cybersecurity plan, agencies would answer to DHS
Lieberman's new cybersecurity bill forbids a kill switch
Lieberman and Collins, the chairman and ranking member, respectively, of the Senate Homeland Security and Governmental Affairs Committee, held a hearing May 23 on the White House proposal. A panel of officials from the Homeland Security, Defense and Justice departments, and the National Institute of Standards and Technology, made the first in a round of appearances before congressional committees to support the proposal.
Philip R. Reitinger, who was making his farewell appearance before the committee as the outgoing deputy undersecretary for the DHS National Protection and Programs Directorate, acknowledged that the 1934 law was not designed for the current environment. But he said that “we would use the authority that it brings to bear in the right way.”
He characterized the president’s proposal not as a bill, but as the administration’s input into the legislative process, and said that presidential authority during a cyber emergency is one of the areas that would need to be negotiated.
Lieberman and Collins each cited a litany of recent computer breaches in government and the private sector to illustrate the need for improving the nation’s cybersecurity posture.
“We urgently need to pass strong cybersecurity legislation,” Lieberman said. “If we don’t do something soon, the Internet is going to become a digital Dodge City.”
Lieberman and Collins introduced a bill in the last Congress that did not move to the Senate floor for a vote, and have reintroduced legislation this year. Lieberman said that Senate Majority Leader Harry Reid (D-Nev.) has made cybersecurity a priority in this session and is working with the Republicans leadership and with leaders in the six Senate committees claiming jurisdiction over the issue to ensure passage this year.
The administration proposal released May 12 now is a part of those negotiations. Under both proposals, DHS would oversee cybersecurity in civilian government agencies and would have a more clearly defined role in protecting privately owned critical infrastructure. The approach to critical infrastructure protection would be a risk-management approach based on incentives and rewards.
“Cyberspace is not a place that is amenable to prescriptive, top-down regulation,” Reitinger said.
In the government arena, DHS would have the assistance of DOD but would remain in charge of civilian systems while DOD defended the .mil environment. The two departments have signed a memorandum of agreement for sharing information and resources. Robert J. Butler, DOD deputy assistant secretary for cyber policy, affirmed at the hearing that DHS has the lead. However, “DOD has unparalleled cybersecurity expertise,” said Reitinger.
Both bills would move policy and oversight under the Federal Information Security Management Act from the Office of Management and Budget to DHS, where it could be collocated with the operational activities of DHS.
In addition, the administration proposal would make existing criminal laws, including the Racketeering Influenced and Corrupt Organization statute, explicitly applicable to cybercrime, said Jason C. Chipman, senior counsel to the deputy attorney general.
Where the Senate and White House proposals differ is in executive branch authority and legislative branch oversight. The Senate bill would create an Office of Cybersecurity Coordinator in the White House, similar to position one now held by Howard Schmidt but requiring Senate confirmation.
“Whoever holds that position should be accountable to Congress,” Lieberman said.
The original Lieberman-Collins bill created controversy because of what critics called a “kill switch” provision that would have given the president authority over portions of the Internet during an emergency. This section was rewritten in the current bill to define the limits of the president’s authority and require congressional oversight.
Leaving these provisions out of the administration proposal would leave the president with far greater authority than that contained in the Senate bill, Collins said. She said the 1934 law, which applies to radio stations and which the administration has said gives the president authority over any communications infrastructure in an emergency, allows the president to shut down, take over or confiscate the equipment of stations.
“The president’s authority under this law is enormously broad,” she said, and she questioned why the administration would propose relying on it without updating it.
Both Reitinger and Chipman said the issue is open for negotiation. “It merits discussion,” Chipman said.