lieberman's cyberspace protection bill: enhancing cybersecurity, or establishing a new...
8/9/2019 Lieberman's Cyberspace Protection Bill: Enhancing Cybersecurity, or Establishing a New Uber-Authority?
Progress Snapshot Volume 6, Issue 11 June 201
1444 EYE STREET, NW SUITE 500 WASHINGTON, D.C. 20005
202-289-8928 [email protected] @ProgressFreedom www.pff.org
Lieberman's Cyberspace Protection Bill: Enhancing Cybersecurity, or Establishing a New Uber-Authority?
by James E. Dunstan*
The Senate Homeland Security and Government Affairs Committee recently voted S.3480,
Senator Joe Lieberman's Protecting Cyberspace as a National Asset Act of 2010 (PCNAA), out
of Committee.[1] Though offering much-needed reform to the Federal government's
cybersecurity system, this nearly 200-page blunderbuss of a bill sweeps private critical
infrastructure[2] providers into a new bureaucratic morass. While others debate whether the
bill would create an "Internet Kill Switch,"[3] none can deny that the bill would give the President
unprecedented powers over operation of the Internet, powers normally not granted unless the
country is involved in a declared war.[4]
What's in a Name?
The bill's title itself is ominous, suggesting an intent to nationalize the Internet, even if that is
not the idea. Since when is the Internet (or even the portion of the underlying
telecommunications infrastructure that resides within the borders of the United States) a
"National Asset"? Even the term itself is vague (and left undefined): Is the Internet the same
kind of National Asset as the Apollo Moon rocks? (The U.S. government has claimed
ownership of them, locked them away in a vault, and doles them out so miserly that we won't
need to go back to the Moon for another 300 years!) Or is the Internet equivalent to the
petting zoos and other equally vital facilities that somehow wound up in the 77,000-item
National Asset Database created by the Department of Homeland Security?[5]
* James E. Dunstan ([email protected]) is a Senior Adjunct Fellow at The Progress & Freedom Foundation, the
founder of Mobius Legal Group, PLLC and of Counsel at Garvey Schubert Barer. The views expressed in this
report are his own, and are not necessarily the views of the PFF board, fellows or staff, or Mobius Legal Group.
[1] Text of bill available at http://hdl.loc.gov/loc.uscongress/legislation.111s3480.
[2] Section 3(2) of the bill refers to the definition in Section 1016(e) of the USA PATRIOT Act, codified at 42 U.S.C.
§ 5195c(e): "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or
destruction of such systems and assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those matters."
[3] See, e.g., http://www.skatingonstilts.com/skating-on-stilts/2010/06/calling-bull-switch.html,
[4] The President may issue a declaration of a national cyber emergency PCNAA, § 249(a)(1).
[5] See, e.g., http://www.fas.org/sgp/crs/homesec/RL30153.pdf
In previous statutes, such as the Patriot Act[6] and the Homeland Security Act of 2002,[7] Congress
used terms such as "critical infrastructure" and "key resources," which the White House has
referred to as "key assets."[8] Before Congress goes any further in the legislative process, it
should more closely consider what it means to declare something a "National Asset," and the
impact that will have on the individual rights and liberties of American citizens, as well as
those who've invented and invested in those assets.
The Bill's Definitions Are Hopelessly Overbroad & Vague
The bill defines "information infrastructure" to mean "the underlying framework that
information systems and assets rely on to process, transmit, receive, or store information
electronically, including (A) programmable electronic devices and communications networks;
and (B) any associated hardware, software, or data."[9] The term "national cyber emergency,"
which would trigger the extraordinary powers of the President, is defined as "an actual or
imminent action by any individual or entity to exploit a cyber vulnerability in a manner that
disrupts, attempts to disrupt, or poses significant risk of disruption to the operation of the
information infrastructure [see definition above] essential to the reliable operation of covered
critical infrastructure."[10] These definitions, in combination, are so broad as to encompass
end-user equipment, in addition to what is traditionally considered telecommunications
infrastructure. This means that every PC, laptop and cell phone, and every person's own data,
would be subject to new regulation.
The definitions within the Act further contemplate that the newly established National Center
for Cybersecurity and Communications (NCCC) would establish a national strategy to
increase the security and resiliency of cyberspace, that includes goals and objectives relating to
computer network operations, including offensive activities.[11] But with no definition of
"offensive activities," the bill essentially hands the government a blank check for
cyber-mischief. Why would that be a good thing?
The Bill Would Grant Vast, Imperial Powers to the President over Communications
Under Section 249, if the President issues a declaration of national cyber emergency, all
affected critical infrastructure providers must implement response plans, developed pursuant
to a new set of regulations that the new Director of NCCC will promulgate within 270 days of
the bill's enactment. The new DHS Cybersecurity Director will also have broad power to
develop and coordinate emergency measures or actions necessary to preserve the reliable
operation, and mitigate or remediate the consequences of the potential disruption, of covered
critical infrastructure. Owners and operators of critical infrastructure would be required to
immediately comply with whatever emergency measures or actions the NCCC deems
necessary.
[6] Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001).
[7] Pub. L. No. 107-296, 116 Stat. 2135 (Nov. 25, 2002).
[8] See e.g., www.dhs.gov/files/publications/publication_0017.shtm.
[9] PCNAA, § 241(10) (emphasis added).
[10] PCNAA, § 241(17) (comment added).
[11] PCNAA, § 101(a)(1)(A).
But why is this provision necessary? Section 706 of the Communications Act already provides
that the President, in time of war or a threat of war, or a state of public peril or disaster or
other national emergency, or in order to preserve the neutrality of the United States, may shut
down both wireless and wireline communications, or suspend certain FCC rules related to such
communications.[12] Although the President has never directly invoked the power of Section
706, several Executive Orders have referenced it in connection with national disaster relief and
emergency preparedness.[13]
So why does the President suddenly need additional powers? Is it because Congress believes
that cyber threats don't clearly fall within the Section 706 definition of war or national
emergency? Or does Congress really want the President to punch the giant red "KILL" button
every time a virus breaks out on the Internet? If lawmakers believe that the critical
infrastructure in need of protection is not clearly covered by Section 706, wouldn't it be better
to tweak the language of that Section, rather than inventing a separate statutory authority
regulated by a new bureaucracy that has no prior relationship with the telecommunications
industry?
Regulatory Duplication
Transferring regulatory oversight of communications infrastructure providers from the FCC to
the newly-formed NCCC means the telecommunications industry will now be subject to yet
another bureaucratic overlord. Interestingly, the FCC is not even mentioned in PCNAA until
page 183 (of 197!), and then only to the extent that the FCC will now be required to
consult with the NCCC regarding any regulation, rule, or requirement to be issued or other
action to be required by the Federal agency relating to the security and resiliency of the
national information infrastructure.[14]
So now we'll potentially have at least two government agencies directly controlling the Internet
(not to mention the FTC!). We can only hope that they'll cancel each other out. More likely,
we'll get conflicting and confusing standards from each. And unlike the FCC, which has clear
statutory mandates under the highly deregulatory Telecommunications Act of 1996,[15] there's
no sense that NCCC would regulate with a light touch. As mentioned above, the bill would
require all those responsible for critical infrastructure to immediately comply with a
Presidential or NCCC order under Section 249(c). Moreover, on an annual basis, industry
members would have to certify that they have implemented security measures approved by
the Director.[16] This is a more onerous burden than, for example, the FCC's certification
requirements under the Communications Assistance to Law Enforcement Act (CALEA).[17] Finally,
industry would be required to report any incident affecting the information infrastructure of
covered critical infrastructure to the extent the incident might indicate an actual or potential
cyber vulnerability, or exploitation of a cyber vulnerability, in accordance with the policies and
procedures for the mechanism established under subsection (b)(2)(B) and guidelines developed
under subsection (b)(3).[18] The burden for this compliance will fall heavily on the
telecommunications industry.[19]
[12] 47 U.S.C. § 606.
[13] See, e.g., Executive Order 12472, Assignment of National Security and Emergency Preparedness
Telecommunications Functions, April 3, 1984 (amended by E.O. 13286 of February 28, 2003, and changes
made by E.O. 13407 June 26, 2006), available at www.ncs.gov/library/policy_docs/eo_12472.html (last visited
June 17, 2010).
[14] PCNAA, § 501.
[15] See e.g., 47 U.S.C. §§ 230; 254(h)(2); 706(a)-(b).
Conclusion
The critical review above should not be read as a total castigation of the bill. Indeed, the last
half of the bill, Title III, is yet another, long-overdue attempt to get the Federal government's
Internet assets more secure and under a single roof. Elevating the importance of this issue by
establishing the NCCC, with broad powers over Federal assets is probably a good thing. Inviting
private industry to participate on advisory councils to NCCC[20] is similarly a good idea, especially
since some of the best cyberattack deterrence know-how currently resides in the private
sector. But declaring virtually all private communications infrastructure in the United States
"National Assets" over which NCCC has vast regulatory power, manifestly is not a good idea.
What would this bill mean for Americans as users of the Internet and telecommunications
services? How might this authority be used to exert control over sites, services and networks?
Contemplating the bill's unintended consequences should send shivers up the spines of anyone
concerned with individual rights and freedoms and about the dangers of unbridled government
powers, especially in the hands of the Executive Branch, which seems to grow ever more
Imperial with every new President, regardless of party.
Let's only hope that rational heads will prevail and this bill will die a quick death, or at the least
be hacked down to the important and uncontroversial, but significant, task of reorganizing
the Federal government's assets and getting its own business in order.
[16] PCNAA, § 250(a).
[17] 47 U.S.C. § 1001 et seq.
[18] PCNAA, § 246(c).
[19] For an example of regulatory burden, the FCC's Form 477, which merely requires a telecommunication service
provider to specify the speed of its data offerings, is estimated to take 72 hours twice a year to complete. See
http://www.fcc.gov/Forms/Form477/477tutorial.pdf. In practice, most providers, especially smaller ones,
have found that Form 477 takes hundreds of hours to complete twice a year. Complying with a whole new set
of regulations from an entirely new regulatory body will most likely require even more personnel time,
possibly requiring the equivalent of a full-time person just to oversee cybersecurity issues. For small ISPs and
other small businesses swept in by the bill, these new regulatory burdens could well stifle new entrants from
entering the market with new innovative products. The barriers to entry may be raised high enough so that
their business case can't close because of regulatory costs and risks of non-compliance or mis-compliance.
[20] PCNAA, § 247.
The Progress & Freedom Foundation is a market-oriented think tank that studies the digital revolution and its
implications for public policy. Its mission is to educate policymakers, opinion leaders and the public about issues
associated with technological change, based on a philosophy of limited government, free markets and civil liberties.
Established in 1993, PFF is a private, non-profit, non-partisan research organization supported by tax-deductible
donations from corporations, foundations and individuals. The views expressed here are those of the authors, and do not
necessarily represent the views of PFF, its Board of Directors, officers or staff.
The Progress & Freedom Foundation 1444 Eye Street, NW Suite 500 Washington, DC 20005
202-289-8928 [email protected] @ProgressFreedom www.pff.org