A controversial bill handing President Obama power over privately owned computer systems during a "national cyberemergency," and prohibiting any review by the court system, will return this year.
Internet companies should not be alarmed by the legislation, first introduced last summer by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), a Senate aide said last week. Lieberman, an independent who caucuses with Democrats, is chairman of the Senate Homeland Security and Governmental Affairs Committee.
"We're not trying to mandate any requirements for the entire Internet, the entire Internet backbone," said Brandon Milhorn, Republican staff director and counsel for the committee.
Instead, Milhorn said at a conference in Washington, D.C., the point of the proposal is to assert governmental control only over those "crucial components that form our nation's critical infrastructure."
Portions of the Lieberman-Collins bill, which was not uniformly well-received when it became public in June 2010, became even more restrictive when a Senate committee approved a modified version on December 15. The full Senate did not act on the measure.
The revised version includes new language saying that the federal government's designation of vital Internet or other computer systems "shall not be subject to judicial review." Another addition expanded the definition of critical infrastructure to include "provider of information technology," and a third authorized the submission of "classified" reports on security vulnerabilities.
The idea of creating what some critics have called an Internet "kill switch" that the president could flip in an emergency is not exactly new.
A draft Senate proposal that CNET obtained in August 2009 authorized the White House to "declare a cybersecurity emergency," and another from Sens. Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) would have explicitly given the government the power to "order the disconnection" of certain networks or Web sites. House Democrats have taken a similar approach in their own proposals.
Lieberman, who recently announced he would not seek re-election in 2012, said last year that enactment of his bill needed to be a top congressional priority. "For all of its 'user-friendly' allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets," he said.
Civil libertarians and some industry representatives have repeatedly raised concerns about the various proposals to give the executive branch such broad emergency power. On the other hand, as Lieberman and Collins have highlighted before, some companies, including Microsoft, Verizon, and EMC Corporation, have said positive things about the initial version of the bill.
But last month's rewrite that bans courts from reviewing executive branch decrees has given companies new reason to worry. "Judicial review is our main concern," said Steve DelBianco, director of the NetChoice coalition, which includes eBay, Oracle, Verisign, and Yahoo as members. "A designation of critical information infrastructure brings with it huge obligations for upgrades and compliance."
In some cases, DelBianco said, a company may have a "good-faith disagreement" with the government's ruling and would want to seek court review. "The country we're seeking to protect is a country that respects the right of any individual to have their day in court," he said. "Yet this bill would deny that day in court to the owner of infrastructure."
Other industry representatives say it's not clear that lawyers and policy analysts who will inhabit Homeland Security's 4.5 million square-foot headquarters in the southeast corner of the District of Columbia have the expertise to improve the security of servers and networks operated by companies like AT&T, Verizon, Microsoft, and Google. American companies already spend billions of dollars on computer security a year.
"Declaration of a national cyber emergency"
The revised Lieberman-Collins bill, dubbed the Protecting Cyberspace as a National Asset Act, works this way: Homeland Security will "establish and maintain a list of systems or assets that constitute covered critical infrastructure" and that will be subject to emergency decrees. (The term "kill switch" does not appear in the legislation.)
Under the revised legislation, the definition of critical infrastructure has been tightened. DHS is only supposed to place a computer system (including a server, Web site, router, and so on) on the list if it meets three requirements. First, the disruption of the system could cause "severe economic consequences" or worse. Second, that the system "is a component of the national information infrastructure." Third, that the "national information infrastructure is essential to the reliable operation of the system."
At last week's event, Milhorn, the Senate aide, used the example of computers at a nuclear power plant or the Hoover Dam but acknowledged that "the legislation does not foreclose additional requirements, or additional additions to the list."
A company that objects to being subject to the emergency regulations is permitted to appeal to DHS secretary Janet Napolitano. But her decision is final and courts are explicitly prohibited from reviewing it.
President Obama would then have the power to "issue a declaration of a national cyberemergency." What that entails is a little unclear, including whether DHS could pry user information out of Internet companies that it would not normally be entitled to obtain without a court order. One section says they can disclose certain types of noncommunications data if "specifically authorized by law," but a presidential decree may suffice.
"No amount of tightening of what constitutes 'critical infrastructure' will prevent abuse without meaningful judicial review," says Berin Szoka, an analyst at the free-market TechFreedom think tank and editor of The Next Digital Decade book. "Blocking judicial review of this key question essentially says that the rule of law goes out the window if and when a major crisis occurs."
For their part, Lieberman and Collins say the president already has "nearly unchecked authority" to control Internet companies. A 1934 law (PDF) creating the Federal Communications Commission says that in wartime, or if a "state of public peril or disaster or other national emergency" exists, the president may "authorize the use or control of any...station or device."
In congressional testimony (PDF) last year, DHS Deputy Undersecretary Philip Reitinger stopped short of endorsing the Lieberman-Collins bill. The 1934 law already addresses "presidential emergency authorities, and Congress and the administration should work together to identify any needed adjustments to the act," he said, "as opposed to developing overlapping legislation."