On Cyber Bill, Skepticism Warranted -- But Nuance Needed

Marc Ambinder Aug 28 2009, 1:35 PM ET

Let's stipulate: this is a good and needed debate to have. Major changes are coming to the way businesses, individuals and the government join to protect the country from cyber security threats, and there's a significant public interest in debating the how and the why in public. Declan McCullagh, CBS News.com's chief technology writer, is open about his libertarian bent, and he's rightfully skeptical about new laws. He's obtained the draft of a cyber security bill that the Senate Commerce Committee plans to mark up in September. His reading of the bill leads him to the conclusion that it would give the president "emergency control of the Internet."

[The bill] would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

A few things to keep in mind. One: the president already has the authority to shut down parts of the Internet in emergencies. The bill restates the power and expands it to make sure that any system that is too big to fail cannot be allowed to fail at the expense at the rest of the system. The analogy the bill's authors use is that of the president's power to order all aircraft to land in the event of a systemwide emergency. That power is -- powerful! -- but we're generally OK with it. The Internet, of course, is different, in kind and expanse. There's a broad sense that it should be free, unfettered, and allowed to evolve on its own. There's a broad sense that the Internet is to citizens today what guns were to civillian militias of the founding era -- the trenchline against tyranny. (Editorial note: I agree.)

Maybe the White House should have this power in extreme emergencies, but it had better be clear about what those emergencies entail, and it had better accept accountability if it oversteps its authority. There is, aside from the obvious definitional issues, an inherent trade-off in codifying this power, and it's going to be tough to find a balance that satisfies everyone.

Incidentally, this bill hasn't been written in secret; from the start, civil liberties groups and industry have been involved, though they might not like the end result. The Senate Commerce Committee released a summary of the bill in April that includes the emergency provisions. ("...including the authority to disconnect a Federal or critical infrastructure network from the Internet if they are found to be at risk of cyber attack..")

(Update: Jamie Smith, communications director for the committee, sent along this statement: "The President of the United States has always had the Constitutional authority, and duty, to protect the American people and direct the national response to any emergency that threatens the security and safety of the United States. The Rockefeller-Snowe Cybersecurity bill makes it clear that the President's authority includes securing our national cyber infrastructure from attack. The section of the bill that addresses this issue, applies specifically to the national response to a severe attack or natural disaster. This particular legislative language is based on longstanding statutory authorities for wartime use of communications networks. To be very clear, the Rockefeller-Snowe bill will not empower a "government shut down or takeover of the internet" and any suggestion otherwise is misleading and false. The purpose of this language is to clarify how the President directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government's response. Chairman Rockefeller and Senator Snowe are deeply committed to transparency and an open exchange of ideas in crafting this legislation." )

Where I might add a note of caution -- America's cyber infrastructure is already being monitored on a very high level by the Department of Defense and the National Security Agency, which, by law, cannot (yet) delve into the type of deep packet inspection that would allow it to capture malignant worms and viruses before they spread. The NSA -- that NSA. One reason why Sens. Rockefeller and Snowe are so eager to give the White House, the Department of Homeland Security, and the Commerce Department more statutory authority is because they do not want the NSA to become the protector by default. As controversial as cyber monitoring is, as much as it violates our sense of what the Internet is, and as much as it rightly provokes debate about government intrusion, Congress wants these decisions to be transparent and the decision-makers held accountable.

Disclosure: I am a consultant to CBS News.