The arguments for (and against) an Internet kill switch

Panel participants weigh the question of whether the government should be able to shut off Internet access inside the government.

The "Internet kill switch" that may or may not have been included in earlier cybersecurity bills provoked a great deal of argument. The idea that the president might have a means to actually shut down the Internet, or even part of it, during a cyber emergency evoked a lot of concern.

However, applying the same concept on a departmental level within the federal government could be a good idea, according to some.

Panelists at MeriTalk’s June 26 cybersecurity discussion on Capitol Hill explored the hotly debated issue of an Internet kill switch – a single shutoff mechanism that would halt all online traffic during a cyber emergency.

In the event an agency has a security breach, should the Homeland Security Department be able to cut off its Internet access while the threat is being mitigated? asked an event attendee.

The state of Delaware’s central IT organization already has that capability in place, but “the legislative branch is not happy that we have that authority,” said William Hickox, chief operating officer at the Delaware Department of Technology and Information.

“It’s a kill switch on a departmental level, and we will use it to protect the department from itself, protect [departments] from each other, or if there’s an issue, we have a kill switch that will take out departments or branches of government,” he said. “The legislative branch is not pleased we maintain that authority, but they have yet to act legislatively to restrict that current authority.”

Gary Gagnon, senior vice president and chief security officer at The MITRE Corporation, expressed unease over a kill switch capability.

“I get real nervous when I hear about a kill switch,” he said. “I don’t think we fully understand the dependency and complexity of the networks we are operating on a daily basis, and to have other organizations saying they sufficiently understand the procedures to deny another organization access . . . could have consequences.”

Existing laws and supporting policies grant the agency CIO and designated approval authority the power to make decisions, including those around a kill switch capability and potential tradeoffs, said John Streufert, director of the National Cyber Security Division at DHS.

“Having been a CISO and managed security in a number of cabinet-level departments, I think leaving that flexibility with cabinet-level CISOs . . . is a very positive thing because they’re closest to the impact and hold the responsibility over data,” he said.