
8/9/2019 Lieberman's Cyberspace Protection Bill: Enhancing Cybersecurity, or Establishing a New Uber-Authority?

Progress Snapshot Volume 6, Issue 11 June 201

1444 EYE STREET, NW SUITE 500 WASHINGTON, D.C. 20005
202-289-8928 | [email protected] | @ProgressFreedom | www.pff.org

Lieberman's Cyberspace Protection Bill: Enhancing Cybersecurity, or Establishing a New Uber-Authority?

by James E. Dunstan*

The Senate Homeland Security and Government Affairs Committee recently voted S.3480, Senator Joe Lieberman's "Protecting Cyberspace as a National Asset Act of 2010" (PCNAA), out of Committee.[1] Though offering much-needed reform to the Federal government's cybersecurity system, this nearly 200-page blunderbuss of a bill sweeps private "critical infrastructure"[2] providers into a new bureaucratic morass. While others debate whether the bill would create an "Internet Kill Switch,"[3] none can deny that the bill would give the President unprecedented powers over operation of the Internet, powers normally not granted unless the country is involved in a declared war.[4]

What's in a Name?

The bill's title itself is ominous, suggesting an intent to nationalize the Internet, even if that is not the idea. Since when is the Internet (or even the portion of the underlying telecommunications infrastructure that resides within the borders of the United States), a "National Asset"? Even the term itself is vague (and left undefined): Is the Internet the same kind of "National Asset" as the Apollo Moon rocks? (The U.S. government has claimed ownership of them, locked them away in a vault, and doles them out so miserly that we won't need to go back to the Moon for another 300 years!) Or is the Internet equivalent to the petting zoos and other "equally vital" facilities that somehow wound up in the 77,000-item National Asset Database created by the Department of Homeland Security?[5]

* James E. Dunstan ([email protected]) is a Senior Adjunct Fellow at The Progress & Freedom Foundation, the founder of Mobius Legal Group, PLLC and of Counsel at Garvey Schubert Barer. The views expressed in this report are his own, and are not necessarily the views of the PFF board, fellows or staff, or Mobius Legal Group.

1 Text of bill available at http://hdl.loc.gov/loc.uscongress/legislation.111s3480.
2 Section 3(2) of the bill refers to the definition in Section 1016(e) of the USA PATRIOT Act, codified at 42 U.S.C. § 5195c(e): "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
3 See, e.g., http://www.skatingonstilts.com/skating-on-stilts/2010/06/calling-bull-switch.html.
4 "The President may issue a declaration of a national cyber emergency." PCNAA, § 249(a)(1).
5 See, e.g., http://www.fas.org/sgp/crs/homesec/RL30153.pdf.


In previous statutes, such as the Patriot Act[6] and the Homeland Security Act of 2002,[7] Congress used terms such as "critical infrastructure" and "key resources," which the White House has referred to as "key assets."[8] Before Congress goes any further in the legislative process, it should more closely consider what it means to declare something a "National Asset," and the impact that will have on the individual rights and liberties of American citizens, as well as those who've invented and invested in those assets.

The Bill's Definitions Are Hopelessly Overbroad & Vague

The bill defines "information infrastructure" to mean "the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including (A) programmable electronic devices and communications networks; and (B) any associated hardware, software, or data."[9] The term "national cyber emergency," which would trigger the extraordinary powers of the President, is defined as "an actual or imminent action by any individual or entity to exploit a cyber vulnerability in a manner that disrupts, attempts to disrupt, or poses significant risk of disruption to the operation of the information infrastructure [see definition above] essential to the reliable operation of covered critical infrastructure."[10] These definitions, in combination, are so broad as to encompass end-user equipment, in addition to what is traditionally considered telecommunications infrastructure. This means that every PC, laptop and cell phone, and every person's own data, would be subject to new regulation.

The definitions within the Act further contemplate that the newly established National Center for Cybersecurity and Communications (NCCC) would establish a national strategy to "increase the security and resiliency of cyberspace, that includes goals and objectives relating to computer network operations, including offensive activities."[11] But with no definition of "offensive activities," the bill essentially hands the government a blank check for cyber-mischief. Why would that be a good thing?

The Bill Would Grant Vast, Imperial Powers to the President over Communications

Under Section 249, if the President issues a declaration of national cyber emergency, all affected critical infrastructure providers must implement response plans, developed pursuant to a new set of regulations that the new Director of NCCC will promulgate within 270 days of the bill's enactment. The new DHS Cybersecurity Director will also have broad power to develop and coordinate "emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure." Owners and operators of critical infrastructure would be required to immediately comply with whatever emergency measures or actions the NCCC deems necessary.

6 Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001).
7 Pub. L. No. 107-296, 116 Stat. 2135 (Nov. 25, 2002).
8 See e.g., www.dhs.gov/files/publications/publication_0017.shtm.
9 PCNAA, § 241(10) (emphasis added).
10 PCNAA, § 241(17) (comment added).
11 PCNAA, § 101(a)(1)(A).

But why is this provision necessary? Section 706 of the Communications Act already provides that the President, in time of war or a threat of war, or a state of public peril or disaster or other national emergency, or in order to preserve the neutrality of the United States, may shut down both wireless and wireline communications, or suspend certain FCC rules related to such communications.[12] Although the President has never directly invoked the power of Section 706, several Executive Orders have referenced it in connection with national disaster relief and emergency preparedness.[13]

So why does the President suddenly need additional powers? Is it because Congress believes that cyber threats don't clearly fall within the Section 706 definition of war or national emergency? Or does Congress really want the President to punch the giant red KILL button every time a virus breaks out on the Internet? If lawmakers believe that the critical infrastructure in need of protection is not clearly covered by Section 706, wouldn't it be better to tweak the language of that Section, rather than inventing a separate statutory authority regulated by a new bureaucracy that has no prior relationship with the telecommunications industry?

Regulatory Duplication

Transferring regulatory oversight of communications infrastructure providers from the FCC to the newly-formed NCCC means the telecommunications industry will now be subject to yet another bureaucratic overlord. Interestingly, the FCC is not even mentioned in PCNAA until page 183 (of 197!), and then only to the extent that the FCC will now be required to consult with the NCCC regarding "any regulation, rule, or requirement to be issued or other action to be required by the Federal agency relating to the security and resiliency of the national information infrastructure."[14]

So now we'll potentially have at least two government agencies directly controlling the Internet (not to mention the FTC!). We can only hope that they'll cancel each other out. More likely, we'll get conflicting and confusing standards from each. And unlike the FCC, which has clear statutory mandates under the highly deregulatory Telecommunications Act of 1996,[15] there's no sense that NCCC would regulate with a light touch. As mentioned above, the bill would require all those responsible for critical infrastructure to immediately comply with a Presidential or NCCC order under Section 249(c). Moreover, on an annual basis, industry members would have to certify that they have implemented security measures approved by the Director.[16] This is a more onerous burden than, for example, the FCC's certification requirements under the Communications Assistance to Law Enforcement Act (CALEA).[17] Finally, industry would be required to report "any incident affecting the information infrastructure of covered critical infrastructure to the extent the incident might indicate an actual or potential cyber vulnerability, or exploitation of a cyber vulnerability, in accordance with the policies and procedures for the mechanism established under subsection (b)(2)(B) and guidelines developed under subsection (b)(3)."[18] The burden for this compliance will fall heavily on the telecommunications industry.[19]

12 47 U.S.C. § 606.
13 See, e.g., Executive Order 12472, "Assignment of National Security and Emergency Preparedness Telecommunications Functions," April 3, 1984 (amended by E.O. 13286 of February 28, 2003, and changes made by E.O. 13407 June 26, 2006), available at www.ncs.gov/library/policy_docs/eo_12472.html (last visited June 17, 2010).
14 PCNAA, § 501.
15 See e.g., 47 U.S.C. §§ 230; 254(h)(2); 706(a)-(b).

Conclusion

The critical review above should not be read as a total castigation of the bill. Indeed, the last half of the bill, Title III, is yet another, long-overdue attempt to get the Federal government's Internet assets more secure and under a single roof. Elevating the importance of this issue by establishing the NCCC, with broad powers over Federal assets, is probably a good thing. Inviting private industry to participate on advisory councils to NCCC[20] is similarly a good idea, especially since some of the best cyberattack deterrence know-how currently resides in the private sector. But declaring virtually all private communications infrastructure in the United States "National Assets" over which NCCC has vast regulatory power, manifestly is not a good idea.

What would this bill mean for Americans as users of the Internet and telecommunications services? How might this authority be used to exert control over sites, services and networks? Contemplating the bill's unintended consequences should send shivers up the spines of anyone concerned with individual rights and freedoms and about the dangers of unbridled government powers, especially in the hands of the Executive Branch, which seems to grow ever more Imperial with every new President, regardless of party.

Let's only hope that rational heads will prevail and this bill will die a quick death, or at the least be hacked down to the important and uncontroversial, but significant, task of reorganizing the Federal government's assets and getting its own business in order.

16 PCNAA, § 250(a).
17 47 U.S.C. § 1001 et seq.
18 PCNAA, § 246(c).
19 For an example of regulatory burden, the FCC's Form 477, which merely requires a telecommunication service provider to specify the speed of its data offerings, is estimated to take 72 hours twice a year to complete. See http://www.fcc.gov/Forms/Form477/477tutorial.pdf. In practice, most providers, especially smaller ones, have found that Form 477 takes hundreds of hours to complete twice a year. Complying with a whole new set of regulations from an entirely new regulatory body will most likely require even more personnel time, possibly requiring the equivalent of a full-time person just to oversee cybersecurity issues. For small ISPs and other small businesses swept in by the bill, these new regulatory burdens could well stifle new entrants from entering the market with new innovative products. The barriers to entry may be raised high enough so that their business case can't close because of regulatory costs and risks of non-compliance or mis-compliance.
20 PCNAA, § 247.


The Progress & Freedom Foundation is a market-oriented think tank that studies the digital revolution and its implications for public policy. Its mission is to educate policymakers, opinion leaders and the public about issues associated with technological change, based on a philosophy of limited government, free markets and civil liberties. Established in 1993, PFF is a private, non-profit, non-partisan research organization supported by tax-deductible donations from corporations, foundations and individuals. The views expressed here are those of the authors, and do not necessarily represent the views of PFF, its Board of Directors, officers or staff.

The Progress & Freedom Foundation, 1444 Eye Street, NW Suite 500, Washington, DC 20005
202-289-8928 | [email protected] | @ProgressFreedom | www.pff.org
