Let's stipulate: this is a good and needed debate to have. Major changes are coming to the way businesses, individuals and the government join to protect the country from cyber security threats, and there's a significant public interest in debating the how and the why in public. Declan McCullagh, CBS News.com's chief technology writer, is open about his libertarian bent, and he's rightfully skeptical about new laws. He's obtained the draft of a cyber security bill that the Senate Commerce Committee plans to mark up in September. His reading of the bill leads him to the conclusion that it would give the president "emergency control of the Internet."
[The bill] would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.
A few things to keep in mind. One: the president already has the authority to shut down parts of the Internet in emergencies. The bill restates the power and expands it to make sure that any system that is too big to fail cannot be allowed to fail at the expense at the rest of the system. The analogy the bill's authors use is that of the president's power to order all aircraft to land in the event of a systemwide emergency. That power is -- powerful! -- but we're generally OK with it. The Internet, of course, is different, in kind and expanse. There's a broad sense that it should be free, unfettered, and allowed to evolve on its own. There's a broad sense that the Internet is to citizens today what guns were to civillian militias of the founding era -- the trenchline against tyranny. (Editorial note: I agree.)
Maybe the White House should have this power in extreme emergencies, but it had better be clear about what those emergencies entail, and it had better accept accountability if it oversteps its authority. There is, aside from the obvious definitional issues, an inherent trade-off in codifying this power, and it's going to be tough to find a balance that satisfies everyone.
Incidentally, this bill hasn't been written in secret; from the start, civil liberties groups and industry have been involved, though they might not like the end result. The Senate Commerce Committee released a summary of the bill in April that includes the emergency provisions. ("...including the authority to disconnect a Federal or critical infrastructure network from the Internet if they are found to be at risk of cyber attack..")
Where I might add a note of caution -- America's cyber infrastructure is already being monitored on a very high level by the Department of Defense and the National Security Agency, which, by law, cannot (yet) delve into the type of deep packet inspection that would allow it to capture malignant worms and viruses before they spread. The NSA -- that NSA. One reason why Sens. Rockefeller and Snowe are so eager to give the White House, the Department of Homeland Security, and the Commerce Department more statutory authority is because they do not want the NSA to become the protector by default. As controversial as cyber monitoring is, as much as it violates our sense of what the Internet is, and as much as it rightly provokes debate about government intrusion, Congress wants these decisions to be transparent and the decision-makers held accountable.
Disclosure: I am a consultant to CBS News.
We want to hear what you think about this article. Submit a letter to the editor or write to firstname.lastname@example.org.