Lieberman’s Cybersecurity Bill Heads To Senate Vote
The Senate Homeland Security Committee marked up a comprehensive cybersecurity defense measure that critics claim gives the president a “kill switch” to shut down the Internet if the president declares a national emergency. But that’s not accurate, say the bill’s authors, who say it actually limits presidential power that already exists to halt Internet traffic. The bill, S-3480, would establish a national cybersecurity center and a formal cybersecurity czar appointed by the president and confirmed by the Senate (WID June 11 p1). It also requires owners of infrastructure deemed critical to the nation to adopt a range of security measures that they would choose to meet security requirements.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
"This is no longer fantasy or fiction. It is a clear and present danger,” said bill author and Committee Chairman Joe Lieberman, I-Conn., at the markup. A full-scale cyberattack could turn off the nation’s electric grid or lead to the death of thousands of people, he said. Current efforts to combat cyber attacks are disjointed, understaffed and underfunded, he said.
Lieberman rejected arguments that the bill has a “kill switch” by posting a Wednesday op-ed statement on his committee’s website. The president already has broad authority to take over communications networks in the Communications Act of 1934. Section 706 of the bill grants presidential authority to “cause the closing of any facility or station for wire communication” and “authorize the use of control of any such facility or station” by the federal government. The president can do this without any advance notification to Congress, he said. It can be authorized if the president declares a threat of war exists and can be exercised for six months after such threat expires, he said.
An analysis of the marked up version of S-3480 provided by the Center for Democracy and Technology says it clarifies the definition of critical infrastructure to systems whose disruption would cause a high number of fatalities, severe economic consequences, mass evacuations with a prolonged absence or severe degradation of national security capabilities. It also limits to 120 days (in 30-day periods) the duration of a national emergency declared by the president, said CDT. The amended version also prohibits the federal government from restricting or banning communications carried by critical infrastructure but not specifically directed to or from the critical infrastructure unless the national cybersecurity center determined that it was absolutely necessary to preserve the infrastructure.
CDT Director Greg Nojeim welcomed the clarifications on what constitutes critical infrastructure, in a Thursday letter to the committee, but urged Lieberman to permit owners of infrastructure to appeal to federal courts if they disagreed. In a Thursday letter to the committee he also cautioned that the bill must still limit the scope of presidential authority to act in a national emergency. Nojeim welcomed the changes allowing communications to flow over critical infrastructure. In a separate letter on Thursday the libertarian Competitive Enterprise Institute still asked Congress to reject the bill because it gives government too much authority over the Internet in a national emergency. Cybersecurity can best be achieved by private, non-political solutions instead of government action, it argued. “The unmistakable tenor of the cybersecurity discussion today is that of government steering while the market rows,” wrote Vice President for Policy and Director of Technology Studies Wayne Crews. Law enforcement has a valid role in punishing the violation of computer networks but must coexist instead of crowd out private sector security technologies, he wrote. “Ill-conceived public policy could do grave damage,” he said.
But the bill is a “very strong step” toward creating a much-needed cybersecurity policy, said Symantec Executive Vice President and Chief Technology Officer Mark Bregman. “The bill encompasses key elements for ensuring the protection of our nation’s critical infrastructure by emphasizing the need for early warning capability, continuous real-time monitoring processes, and modernizing FISMA,” he said. “On behalf of Symantec, we are very encouraged by its passage out of committee today. We appreciate the efforts of Senators Lieberman, Collins and Carper on this cyber security bill and will continue working with them towards the goal of enactment this year.”