In Search Of The Internet Kill Switch
The complete internet shutdown this week in Libya involved a new way to turn off web access for an entire country. Earlier this year, the total internet blockade in Egypt backfired and emboldened the protesters. China is well known for blocking internet services, but it’s not just China. Of course, having the government turn off the internet could never happen in the United States. We couldn’t condemn the action in other countries while at the time plan it here. No one would even suggest such a thing, right?
Wrong. The topic came up last June when Senators Joseph Lieberman, Susan Collins and Thomas Carper introduced the controversial “Protecting Cyberspace as a National Asset Act of 2010″. [PDF] One vague provision in the bill gave the President the power to “authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited.” It became known as the internet “kill switch” bill even though the words ‘kill’ and ‘switch’ are not found in the bill.
When talking about an internet kill switch, an image of a giant switch in the Oval Office, perhaps next to the “red telephone,” used to shut down the entire internet comes to mind. But that’s fiction and gives the bill’s sponsors cover to deny the bill contains a total kill switch. The internet was originally designed as a distributed network exactly to survive an attack. Egypt was able to turn off the internet by forcing its relatively few Internet Service Providers to shut down their servers. In Libya, the servers are answering, and the route is open but the traffic is being throttled down to zero. If the U.S government told the major Tier 1 ISPs to close, that’s technically not a single “kill switch” but it would cause a shutdown. In fact, one report claims, in the event of a cyberwar, an internet shutdown would cause more problems that it would prevent.
While denying the bill authorized a presidential “kill switch” in a fact sheet, Lieberman told CNN, “Right now, China, the government, can disconnect parts of its Internet in a case of war. We need to have that here, too.” Just because China does it is a laughable argument. It’s also clear he wants a way to turn the internet off.
Lieberman generously suggested the president is “not going to do it every day” (phew), but he did argue “we need the capacity for the president to say, internet service provider, we’ve got to disconnect the American internet from all traffic coming in from another foreign country, or we’ve got to put a patch on this part of it.” This sounds a lot like what might have been said inside Mubarak’s presidential palace.
The bill met with outcry from privacy and internet groups but was popular with the public. A study commissioned by Unisys last August, before the Eqyptian shutdown, showed a majority of Americans believe the president should have the power to control or kill portions of the internet if the U.S. was under a cyberattack by a foreign government.
The bill was approved by a Senate committee last December and then expired with the new Congress.
The legislation was re-branded and revised as the “Cybersecurity and Internet Freedom Act of 2011.” [pdf] Note the clever use of the phrase Internet Freedom for a bill that gives the government power over privately owned computer systems. Ironically, it was re-introduced on the same day as the Egyptian shutdown, when President Obama was called on “the Egyptian government to reverse the actions that they’ve taken to interfere with access to the internet.”
Lieberman changed his approach:
“We want to clear the air once and for all. As someone said recently, the term ‘kill switch” has become the ‘death panels’ of the cybersecurity debate. There is no so-called ‘kill switch’ in our legislation because the very notion is antithetical to our goal of providing precise and targeted authorities to the President. Furthermore, it is impossible to turn off the internet in this country.”
The new bill says “neither the President, the Director of the National Center for Cybersecurity and Coummunications, or any officer or employee of the United States Government shall have the authority to shut down the Internet.” But, it does give the Department of Homeland Security the power to issue decrees to privately owned companies in a cyber emergency.
Surprisingly, the President has the power to shutdown the internet already. This authority originated well before the internet existed, in the Communications Act of 1934 that created the FCC. Section 706 gives the President authority, in a state or threat of war, to “cause the closing of any facility or station for wire communication” with no advance warning. [PDF]
“A station for wire communication” may not sound like the routers that power the internet. But the Department of Homeland Security has cited the 1934 Act as one of the powers the President would rely on if the nation was under a cyberattack.
Why does our government even need the power to block the internet? One of the justifications for the bill, that’s even written into the legislation, is the fact that the computer systems of the government are probed or attacked an average of 1.8 billion times a month. Most of these involved attacks infiltrating government workers copies of Adobe Acrobat or Microsoft Office. Or, phishing attacks with malicious email attachments, hardly a reason to justify even a partial internet shutdown.
Collins argues the President needs the power to shut down “critical infrastructure” during a serious cyberattack. As an example, the sponsors say if a cyberthreat was detected, the President should be able to instantly shut down any infrastructure connected to “the system that controls the floodgates to the Hoover dam.” On the surface, it sounds reasonable. You wouldn’t want 10 trillion gallons of water to cause havoc.
But, I checked the Hoover Dam website. I couldn’t find a way to control the floodgates and I’d be surprised if that control was connected to the public internet. And even if a hacker could control it, the government should be able to cut off the connection without this legislation.
Lieberman says the bill is needed because “the internet can be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets.” Yes, the internet can be a dangerous place. It’s also essential to the freedom of its citizens and nation’s commerce. And, it’s pretty good at self-policing. In the case of the private banks, the banks themselves know more about protecting customers accounts than then government.
John Dvorak says the senators supporting the legislation “aren’t Internet experts trying to protect the Net from damage. They, to be frank, are clueless about the internet.” Recall former Senator Ted Stevens, who headed a committee in charge of regulating the internet, describing the net saying “It’s not a big truck. It’s a series of tubes.”
While TechCrunch and other blogs hosted by WordPress are hardly part of the nation’s “critical infrastructure” (wouldn’t that be great, though), those websites were hit by a huge cyber attack this week. Matt Mullenweg, who oversees the blog platform at wordpress.com, says the attack was the largest in its history. 98% of the attacks came from China. The target was a Chinese-language site, but it caused many other WordPress.com hosted sites to fail.
Let’s just pretend these sites were critical to the nation. The problem was the sites were shut down. An additional government-ordered shutdown isn’t the solution. Even if the sites were hacked, shutting down routers isn’t the answer. Private industry worked to identify and solve the problem, with no need for additional regulations.