Senate panel approves controversial cyber security bill

The legislation's sponsors say the bill would not give the president an Internet 'kill switch'

A U.S. Senate committee has approved a wide-ranging cyber security bill that some critics have suggested would give the U.S. president the authority to shut down parts of the Internet during a cyber attack.

Sen. Joe Lieberman (I-Conn.) and other bill sponsors have refuted the charges that the Protecting Cyberspace as a National Asset Act gives the president an Internet "kill switch." Instead, the bill puts limits on the powers the president already has to cause "the closing of any facility or stations for wire communication" in a time of war, as described in the Communications Act of 1934, they said in a breakdown of the bill published on the Senate Homeland Security and Governmental Affairs Committee Web site.

[ See why InfoWorld's Bill Snyder argues that the Internet "kill switch" is a bad idea. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

The committee unanimously approved an amended version of the legislation by voice vote Thursday, a committee spokeswoman said. The bill next moves to the Senate floor for a vote, which has not yet been scheduled.

The bill, introduced earlier this month, would establish a White House Office for Cyberspace Policy and a National Center for Cybersecurity and Communications, which would work with private U.S. companies to create cyber security requirements for the electrical grid, telecommunications networks, and other critical infrastructure.

The bill also would allow the U.S. president to take emergency actions to protect critical parts of the Internet, including ordering owners of critical infrastructure to implement emergency response plans, during a cyber emergency. The president would need congressional approval to extend a national cyber emergency beyond 120 days under an amendment to the legislation approved by the committee.

The legislation would give the U.S. Department of Homeland Security authority that it does not now have to respond to cyber attacks, Lieberman said earlier this month. "Our responsibility for cyberdefense goes well beyond the public sector because so much of cyberspace is owned and operated by the private sector," he said. "The Department of Homeland Security has actually shown that vulnerabilities in key private sector networks like utilities and communications could bring our economy down for a period of time if attacked or commandeered by a foreign power or cyber terrorists."

Other sponsors of the bill are Senators Susan Collins (R-Maine) and Tom Carper (D-Del.).

One critic said Thursday that the bill will hurt the nation's security, not help it. Security products operate in a competitive market that works best without heavy government intervention, said Wayne Crews, vice president for policy and director of technology studies at the Competitive Enterprise Institute, an antiregulation think tank.

"Policymakers should reject such proposals to centralize cyber security risk management," Crews said. "The Internet that will evolve if government can resort to a 'kill switch' will be vastly different from, and inferior to, the safer one that will emerge otherwise."

Cyber security technologies and services thrive on competition, he added. "The unmistakable tenor of the cyber security discussion today is that of government steering while the market rows," he said. "To be sure, law enforcement has a crucial role in punishing intrusions on private networks and infrastructure. But government must coexist with, rather than crowd out, private sector security technologies."

On Wednesday, 24 privacy and civil liberties groups sent a letter raising concerns about the legislation to the sponsors. The bill gives the new National Center for Cybersecurity and Communications "significant authority" over critical infrastructure, but doesn't define what critical infrastructure is covered, the letter said.

Without a definition of critical infrastructure there are concerns that "it includes elements of the Internet that Americans rely on every day to engage in free speech and to access information," said the letter, signed by the Center for Democracy and Technology, the American Civil Liberties Union, the Electronic Frontier Foundation, and other groups.

"Changes are needed to ensure that cyber security measures do not unnecessarily infringe on free speech, privacy, and other civil liberties interests," the letter added.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantusG. Grant's e-mail address is grant_gross@idg.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies