The vast set of intrusions known collectively as "Google-China" produced a cloud of uncertainty over the whole enterprise of cybersecurity but also a silver lining: it illustrated in stark terms the degree to which collective action (called "cooperative" action by a government sensitive to terms like "collective") is critical to properly build a legal framework
Today, the Senate Commerce Committee endorsed the Cybersecurity Act of 2010, written by Sens. Jay Rockefeller and Olympia Snowe. When the first version was introduced last year, critics in the corporate and civil libertarian sectors essentially put their boots down on a provision that would seem to codify the president's authority to shut down the Internet in cases of national emergencies. The debate over the "kill switch" provision was a powerful reminder to the Senate that the reality of cyber law did not comport with the public's understanding of the cyber threat, and that it had to tread very carefully in political waters where the surf was either extremely choppy or as still as a stone.
Since then, though, at least among businesses, there's been a conceptual shift towards a greater appreciation for what role they have to play so that government doesn't have to do as much. The Commerce bill conceives of cybersecurity as a fundamentally un-Westphalian concept; that is, it respects no boundaries, and government cannot simply act by putting its arms around the borders and securing its citizens and companies. Again, note the stark fact: the government cannot secure the country on its own, according to the U.S. Congress.
The bill itself, in revised form, addresses some of the concerns that both civil libertarians and businesses brought to bear after its first incarnation was introduced. In the main, it shifts the responsibility for identifying what constitutes critical infrastructure to those who know -- the businesses who actually provide the networks and systems that deal with electrical power and financial transactions and communication. It creates a collaborative rule-making process that is iterative and open to revision, explicitly acknowledging that just because some computer is considered critical today doesn't mean that it's going to be critical tomorrow.
Section 403 of the bill deals with the thicket of laws that must be combed through in order to come up with the right statutory language to foster information sharing between businesses and the government. A large number of companies refused to share information about the China intrusions with the government because they were worried about legal liability, the potential for the news to leak, or the implicit grant of authority to an agency like the NSA to begin clandestine monitoring of their assets. This bill envisions a real-time information sharing environment where companies can notify the government about threats and government can provide classified information to companies to help them deal with potential threats.
The Senate bill assumes that the president already has the power to take over parts of the nation's critical infrastructure during times of national emergencies pursuant to his Article II powers under the Constitution. It does not attempt to define or limit these powers. The Obama White House believes it has the authority, and in any event, would probably act regardless of whether Congress gave them an endorsement or not. The bill's authors assume that the White House wouldn't deal with Congress when an emergency hits. It errs on the side of giving the executive branch maximum authority while requiring immediate transparency. If the government takes over or shuts down part of the Net that isn't considered critical infrastructure, Congress would be in a position almost immediately to question whether the exercise of power was proper or not.
Not surprisingly, the White House endorses this particular approach, and there are no plans to offer any umbrella-like cyber legislation anytime soon. In the wake of the Google attacks, there is momentum in Congress to get something done this year, if not early next year. There remain many committees of jurisdiction who have hands in this contraption, including Judiciary, Intelligence, Homeland Security and even Finance.
Instead of providing a one-size-fits-all government standard for cyber-excellence, the bill asks industry to take a crack at coming up with its own version of best practices, and then it will work in concert with the government to publicly identify those companies who do a good job -- a Good Cyber Housekeeping Seal of Approval. There's a fallback mechanism if industry fails to do the job right, and the bill provides a series of positive and negative incentives to make sure that cyber hygiene becomes a value that consumers of cyber products will take into account.
Now to the "kill switch" provision. What the bill does do is make plain the common sense fact that there are situations where it is conceivable that cyber attacks could constitute an act of war, or a major natural disaster or a terrorist act. That type of constitution automatically puts the onus on the president to act in whatever way he desires to contain it. This worries civil libertarians; are there no prior restraints?
One reason is that the authors of the Senate bill have decided that the protections that flow from limiting the president's ability to act during national emergencies beforehand are outweighed by the need to give him flexibility during the crisis. It's a judgment call. In order to make it seem less scary, the bill calls for rehearsals and war-gaming scenarios -- the results of which would be given to Congress -- that might provide a realistic sense of what a president would do, and would not do, during a given emergency. Section 201 of the bill explicitly says that it is not authorizing any expansion of presidential authority. And it requires the president to notify Congress within 48 hours of any action taken to shut down any non-governmental website or traffic node or program.