'Kill switch' bill returns just as Egypt shuts down Internet

Sen. Joe Lieberman (I-Conn) and his co-sponsors plan to reintroduce a comprehensive cybersecurity bill during this Congress, but recent events in Egypt have reignited controversy over the potential for what has been called a presidential Internet “kill switch” in the legislation. The "kill switch" debate surfaced last year when Lieberman first introduced the bill, even though cybersecurity experts largely agreed that there was no such thing in the legislation.

The Mubarak government last week shut down most of Egypt’s Internet and wireless telecom infrastructure in response to massive antigovernment protests. Some critics of the Protecting Cyberspace as a National Asset Act have pointed to this as a warning of what could happen if the president were to be given the authority to shut down or disconnect from the Internet some critical infrastructures in the event of a cyberattack or emergency.

The bill, introduced unsuccessfully last year, would have given the president the power to order the disconnection of systems under attack from the Internet, in a declared emergency. Opponents described the power as a "kill switch" that would allow the president to shut down the Internet. Security experts disputed that claim, however. 

The Lieberman-Collins bill just authorizes standard filtering like that done by Internet service providers every day, but in a nationally-coordinated fashion," wrote Alan Paller, founder and research director of the SANS Institute, during that debate. "The only kill switch appears to be in Section 706 of the Communications Act of 1934 that already gives the president the power in a time of national security emergency to shut down or disrupt network traffic."

In a statement issued Tuesday, Lieberman, who is chairman of the Homeland Security and Governmental Affairs Committee, ranking member Sen. Susan Collins (R-Maine) and Sen. Tom Carper (D-Del.), condemned Egypt’s action as “totally wrong” and defended their own legislation.

Related coverage:

“Our cybersecurity legislation is intended to protect the U.S. from external cyberattacks,” the statement says. “Yet, some have suggested that our legislation would empower the president to deny U.S. citizens access to the Internet. Nothing could be further from the truth. We would never sign on to legislation that authorized the president, or anyone else, to shut down the Internet. Emergency or no, the exercise of such broad authority would be an affront to our Constitution.”

Dr. Tarek Saadawi, an Egyptian-born professor of electrical engineering in the City College of New York’s Grove School of Engineering, who participated in modernizing the Egyptian network, cautioned against cybersecurity legislation.

“I object to this type of thing,” Saadawi said of the Egyptian shutdown, and he objected to the idea of U.S. government control of the Internet in the name of security. “I find it difficult to accept in principle.”

He said that regulation is more likely to stifle innovation than promote security and that security is best left to the technical experts. He added that a complete shutdown of the U.S. Internet infrastructure would be more difficult than in Egypt.

Saadawi took part in a five-year program funded by USAID to modernize the Egyptian telecommunications system, beginning in 2000. Although the system was small by U.S. standards, it had a modern fiber-optic core and Saadawi said Egypt was rapidly advancing in e-government.

“They had a good infrastructure and it was growing,” he said. “But it is not as complex as the U.S., so it is easier to control bigger portions of it because there are fewer gateways.”

The Protecting Cyberspace act was introduced in the 111th Congress, where it died when it was not acted on. Lieberman and his co-sponsors plan to reintroduce similar legislation in the current session of Congress. Last week, Senate Majority Leader Harry Reid of Nevada introduced S.21, the Cyber Security and American Competitiveness Act of 2011, as a place-holder bill, “to indicate that he believes passing cybersecurity this Congress is among his top priorities,” said HSGA Committee Communications Director Leslie Phillips.

The current bill is a Sense of Congress resolution in favor of “bipartisan legislation to secure the United States against cyberattack, to enhance American competitiveness and create jobs ... and to protect the identities of American citizens and businesses.”

The resolution does not give specifics, but calls for improving the capacity of the government and private sector to respond to attacks on the private infrastructure and for increasing its resiliency.

The senators’ statement suggests that new cybersecurity legislation would contain provisions similar to those in their previous bill for disconnecting critical systems when threatened or under attack. These provisions are narrower and better crafted than what the senators called the “broad and ambiguous” powers under existing law.

“For example, in the event of a war or threat of war, the Communications Act of 1934 authorizes the president to take over or shut down wire and radio communications providers,” the statement says. “This law is a crude sledgehammer built for another time and technology. Our bill contains a number of protections to make sure that broad authority is not used.”

The bill targeted only critical infrastructure, defined emergency conditions for invoking the authority, and set limits on the length of time it could be used without congressional approval.

“The legislation expressly forbids any action that would violate the First Amendment and also prohibits limiting internet traffic, e-mails, and other forms of communication (except those between critical infrastructure providers) unless no other action would prevent a regional or national catastrophe,” the statement says.

Saadawi, in condemning the Egyptian shutdown, did not compare it with proposed U.S. regulation.

“It was an extreme case,” he said of the Egyptian government’s action. But he said it would be useful to consider that action as a worst case scenario when thinking about the possibility of putting additional security controls on the Internet.