Members of the United States Congress recently revived, and then revised, controversial legislation dealing with governmental ability to control access to cyberspace. Now called the Cybersecurity and Internet Freedom Act, the legislation continues to raise eyebrows with free speech advocates, information security experts, and government watchdogs. The proposed law authorizes the United States government to effectively throw what has been labeled an Internet “kill switch” in cases of a national security emergency.
First introduced in June 2010 to amend the Homeland Security Act of 2002 and other laws to improve the security of U.S. cyber and communications infrastructure, the legislation authorizes the President to declare a “national cyber emergency” that would allow control over critical systems. Originally called the Protecting Cyberspace as a National Asset Act, it was re-introduced earlier this year – and commentators immediately sounded alarm bells. The legislation’s revival occurred at the same time that Egypt’s government attracted global media attention for sharply reducing Internet access during recent demonstrations.
In response to criticism, the proposed law’s congressional sponsors renamed it and revised other language specifically referencing an Internet shutdown to reduce unease over the authority conferred. However, those cosmetic changes will do little to ease public concerns. Still left unclear is what specifically constitutes a national cyber emergency, and the reach of the powers conferred on the President. The proposed legislation includes language authorizing the President to order certain measures or actions he deems necessary to preserve the reliable operation of, and to minimize the consequences of, the disruption of critical infrastructure. Adding to uncertainty over what many of the legislation’s terms mean, the President can declare a cyber emergency for 30 days, and extend it for an additional 30 days without Congressional oversight or any meaningful judicial review.
The only real check on the President’s powers, it seems, is that cyber emergency declarations apply only to systems or assets the government itself says constitute critical infrastructure. The proposed legislation tasks the U.S. Department of Homeland Security with establishing and maintaining a list of such systems and assets – which would include those maintained by both public and private entities. Certain requirements must be met to be on this list – the disruption of the system could cause “severe economic consequences” or worse, the system must be “a component of the national information infrastructure,” and a system can’t be placed on the list “based solely” on any First Amendment-protected activities. Despite these apparent limitations, the concerns above remain: left unsaid is how such requirements will be interpreted, and whether any meaningful check is in place to ensure against any over-reach of the government’s authority.
Regardless of these concerns, one cannot help but consider that its provisions reflect a basic technical misunderstanding of how the Internet and web-based computer connectivity operate. Also of concern is how the proposed legislation may make cyber security better at all, since a governmental crackdown in the event of an attack on cyber infrastructure would result in paralysis of personal and corporate communications around the country. It is also interesting to further note the timing of the legislation’s revival, in the wake of both the Egyptian government’s attempt to prevent communications from reaching the world outside of its borders as noted above, and the Wikileaks cables. The possible role of Wikileaks should not be minimized, given the numerous attempts to choke off Wikileaks’ ability to get its information out to the global community, and one must wonder whether a fear of media that cannot be easily controlled is at least in part behind the revival of this legislation.