Lieberman's Cyberspace Protection Bill: Enhancing Cybersecurity, or Establishing a New Uber-Authority?
Progress Snapshot
Release 6.11, June 2010
by James E. Dunstan*
View as PDF
The Senate Homeland Security and Government Affairs Committee recently voted S.3480, Senator Joe Lieberman's Protecting Cyberspace as a National Asset Act of 2010 ("PCNAA"), out of Committee.[1] Though offering much-needed reform to the Federal government's cybersecurity system, this nearly 200-page blunderbuss of a bill sweeps private "critical infrastructure"[2] providers into a new bureaucratic morass. While others debate whether the bill would create an "Internet Kill Switch,"[3] none can deny that the bill would give the President unprecedented powers over operation of the Internet, powers normally not granted unless the country is involved in a declared war.[4]
What's in a Name?
The bill's title itself is ominous—suggesting an intent to nationalize the Internet, even if that is not the idea. Since when is the Internet (or even the portion of the underlying telecommunications infrastructure that resides within the borders of the United States), a "National Asset"? Even the term itself is vague (and left undefined): Is the Internet the same kind of "National Asset" as the Apollo Moon rocks? (The U.S. government has claimed ownership of them, locked them away in a vault, and doles them out so miserly that we won't need to go back to the Moon for another 300 years!) Or is the Internet equivalent to the petting zoos and other equally vital facilities that somehow wound up in the 77,000-item National Asset Database created by the Department of Homeland Security?[5]
In previous statutes, such as the Patriot Act[6] and the Homeland Security Act of 2002,[7] Congress used terms such as "critical infrastructure" and "key resources," which the White House has referred to as "key assets."[8] Before Congress goes any further in the legislative process, it should more closely consider what it means to declare something a "National Asset," and the impact that will have on the individual rights and liberties of American citizens—as well as those who've invented and invested in those assets.
The Bill's Definitions Are Hopelessly Overbroad & Vague
The bill defines "information infrastructure" to mean "the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including—'(A) programmable electronic devices and communications networks; and '(B) any associated hardware, software, or data.'"[9] The term "national cyber emergency," which would trigger the extraordinary powers of the President, is defined as "an actual or imminent action by any individual or entity to exploit a cyber vulnerability in a manner that disrupts, attempts to disrupt, or poses significant risk of disruption to the operation of the information infrastructure [see definition above] essential to the reliable operation of covered critical infrastructure."[10] These definitions, in combination, are so broad as to encompass end user equipment, in addition to what is traditionally considered telecommunications infrastructure. This means that every PC, laptop and cell phone, and every person's own data, would be subject to new regulation.
The definitions within the Act further contemplate that the newly established National Center for Cybersecurity and Communications ("NCCC") would establish "a national strategy to increase the security and resiliency of cyberspace, that includes goals and objectives relating to computer network operations, including offensive activities."[11] But with no definition of "offensive activities," the bill essentially hands the government a "blank check" for cyber-mischief. Why would that be a good thing?
The Bill Would Grant Vast, Imperial Powers to the President over Communications
Under Section 249, if the President issues a declaration of national cyber emergency, all affected critical infrastructure providers must implement response plans, developed pursuant to a new set of regulations that the new Director of NCCC will promulgate within 270 days of the bill's enactment. The new DHS Cybersecurity Director will also have broad power to "develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure." Owners and operators of critical infrastructure would be required to "immediately comply" with whatever emergency measures or actions the NCCC deems necessary.
But why is this provision necessary? Section 706 of the Communications Act already provides that the President, in time of "war or a threat of war, or a state of public peril or disaster or other national emergency, or in order to preserve the neutrality of the United States," may shut down both wireless and wireline communications, or suspend certain FCC rules related to such communications.[12] Although the President has never directly invoked the power of Section 706, several Executive Orders have referenced it in connection with national disaster relief and emergency preparedness.[13]
So why does the President suddenly need additional powers? Is it because Congress believes that cyber threats don't clearly fall within the Section 706 definition of war or national emergency? Or does Congress really want the President to punch the giant red "KILL" button every time a virus breaks out on the Internet? If lawmakers believe that the "critical infrastructure" in need of protection is not clearly covered by Section 706, wouldn't it be better to tweak the language of that Section, rather than inventing a separate statutory authority regulated by a new bureaucracy that has no prior relationship with the telecommunications industry?
Regulatory Duplication
Transferring regulatory oversight of communications infrastructure providers from the FCC to the newly-formed NCCC means the telecommunications industry will now be subject to yet another bureaucratic overlord. Interestingly, the FCC is not even mentioned in PCNAA until page 183 (of 197!), and then only to the extent that that the FCC will now be required to consult with the NCCC "regarding any regulation, rule, or requirement to be issued or other action to be required by the Federal agency relating to the security and resiliency of the national information infrastructure."[14]
So now we'll potentially have at least two government agencies directly controlling the Internet (not to mention the FTC!). We can only hope that they'll cancel each other out. More likely, we'll get conflicting and confusing standards from each. And unlike the FCC, which has clear statutory mandates under the highly deregulatory Telecommunications Act of 1996,[15] there's no sense that NCCC would regulate with a "light touch." As mentioned above, the bill would require all those responsible for "critical infrastructure" to "immediately" comply with a Presidential or NCCC order under Section 249(c). Moreover, on an annual basis, industry members would have to certify that they have implemented security measures "approved by the Director."[16] This is a more onerous burden than, for example, the FCC's certification requirements under the Communications Assistance to Law Enforcement Act (CALEA).[17] Finally, industry would be required to report "any incident affecting the information infrastructure of covered critical infrastructure to the extent the incident might indicate an actual or potential cyber vulnerability, or exploitation of a cyber vulnerability, in accordance with the policies and procedures for the mechanism established under subsection (b)(2)(B) and guidelines developed under subsection (b)(3)."[18] The burden for this compliance will fall heavily on the telecommunications industry.[19]
Conclusion
The critical review above should not be read as a total castigation of the bill. Indeed, the last half of the bill, Title III, is yet another, long-overdue attempt to get the Federal government's Internet assets more secure and under a single roof. Elevating the importance of this issue by establishing the NCCC, with broad powers over Federal assets is probably a good thing. Inviting private industry to participate on advisory councils to NCCC[20] is similarly a good idea, especially since some of the best cyberattack deterrence know-how currently resides in the private sector. But declaring virtually all private communications infrastructure in the United States "National Assets" over which NCCC has vast regulatory power, manifestly is not a good idea. What would this bill mean for Americans as users of the Internet and telecommunications services? How might this authority be used to exert control over sites, services and networks? Contemplating the bill's unintended consequences should send shivers up the spines of anyone concerned with individual rights and freedoms and about the dangers of unbridled government powers, especially in the hands of the Executive Branch, which seems to grow ever more Imperial with every new President, regardless of party.
Let's only hope that rational heads will prevail and this bill will die a quick death, or at the least be hacked down to the important and uncontroversial—but significant—task of reorganizing the Federal government's assets and getting its own business in order.
* James E. Dunstan is a Senior Adjunct Fellow at The Progress & Freedom Foundation, the founder of Mobius Legal Group, PLLC and of Counsel at Garvey Schubert Barer. The views expressed in this report are his own, and are not necessarily the views of the PFF board, fellows or staff, or Mobius Legal Group.
[1] Text of bill available at http://hdl.loc.gov/loc.uscongress/legislation.111s3480.
[2] Section 3(2) of the bill refers to the definition in Section 1016(e) of the USA PATRIOT Act, codified at 42 U.S.C. § 5195c(e): "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
[3] See, e.g., http://www.skatingonstilts.com/skating-on-stilts/2010/06/calling-bull-switch.html,
[4] "The President may issue a declaration of a national cyber emergency…" PCNAA, § 249(a)(1).
[5] See, e.g., http://www.fas.org/sgp/crs/homesec/RL30153.pdf
[6] Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001).
[7] Pub. L. No. 107-296, 116 Stat. 2135 (Nov. 25, 2002).
[8] See e.g., www.dhs.gov/files/publications/publication_0017.shtm.
[9] PCNAA, § 241(10) (emphasis added).
[10] PCNAA, § 241(17) (comment added).
[11] PCNAA, § 101(a)(1)(A).
[12] 47 U.S.C. § 606.
[13] See, e.g., Executive Order 12472, "Assignment of National Security and Emergency Preparedness Telecommunications Functions," April 3, 1984 (amended by E.O. 13286 of February 28, 2003, and changes made by E.O. 13407 June 26, 2006), available at www.ncs.gov/library/policy_docs/eo_12472.html (last visited June 17, 2010).
[14] PCNAA, § 501.
[15] See e.g., 47 U.S.C. § § 230; 254(h)(2); 706(a)-(b).
[16] PCNAA, § 250(a).
[17] 47 U.S.C. § 1001 et. seq.
[18] PCNAA, § 246(c).
[19] For an example of regulatory burden, the FCC's Form 477, which merely requires a telecommunication service provider to specify the speed of its data offerings, is estimated to take 72 hours twice a year to complete. See http://www.fcc.gov/Forms/Form477/477tutorial.pdf. In practice, most providers, especially smaller ones, have found that Form 477 takes hundreds of hours to complete twice a year. Complying with a whole new set of regulations from an entirely new regulatory body will most likely require even more personnel time, possibly requiring the equivalent of a full-time person just to oversee cybersecurity issues. For small ISPs and other small business swept in by the bill, these new regulatory burdens could well stifle new entrants from entering the market with new innovative products. The barriers to entry may be raised high enough so that their business case can't close because of regulatory costs and risks of non-compliance or mis-compliance.
[20] PCNAA, § 247.
|