ARCHIVED 6/24/10

June 24, 2010

CYBERSECURITY DRAFT WOULD NARROW CONTENTIOUS PROVISION ON INTERNET CONTROL

Tim Stark, CQ Today, 06/24/2010

A new draft of a Senate cybersecurity bill would narrow a provision that had become the most controversial part of the legislation by sparking fears that the president would get sweeping powers to take over the Internet in the event of an emergency.

The measure (S 3480), which the Homeland Security and Governmental Affairs Committee is to consider Thursday, had drawn opposition from some business and civil liberties groups because of language that critics labeled a “kill switch.” One industry group, TechAmerica, said the bill risked giving “absolute power” over the Internet to the White House.

But some business groups, including the Internet Security Alliance, had favored the original language, calling it an improvement over earlier efforts to spell out the administration’s emergency powers. The Internet Security Alliance had criticized a draft of a competing cybersecurity bill (S 773) that included the kill-switch provision.

The new, narrower version of the bill will be offered as a manager’s amendment Thursday by Chairman Joseph I. Lieberman, I-Conn.; Susan Collins, R-Maine; and Thomas R. Carper, D-Del. The rewritten provision curtails the scope of the president’s authority.

Under the original bill, a president’s command to the private sector would expire after 30 days, but no limits were placed on how often the president could renew the command if he deemed there was still an emergency.

Under the revised bill, emergency measures could only be extended three times, and any further extension would require congressional approval. The revised bill would also narrow the number of owners and operators — “covered critical infrastructure” — to whom the emergency measures would apply.

“The bill authorizes only the identification of particular systems or assets — not whole companies, and certainly not the entire Internet,” a committee document on the “myth vs. reality” of the bill states. “Only specific systems or assets whose disruption would cause a national or regional catastrophe would be subject to the bill’s mandatory security requirements.”

Obama administration officials told the committee last week that under the Communications Act (PL 73-416), the executive branch already has the authority to order emergency actions. Larry Clinton, president and chief executive officer of the Internet Security Alliance, said the new cybersecurity bill would be more restrictive than existing authorities, requiring that any declaration of an emergency meet extensive criteria.

Concerns Remain

But Greg A. Nojeim, senior counsel at the Center for Democracy and Technology, said there were still concerns about the emergency powers.

“They seem quite broad, and they give rise to concern that they could include shutdown or limiting Internet traffic in covered critical infrastructure,” said Nojeim, who also directs the center’s Project on Freedom, Security and Technology. “There is a broad grant of authority in the Communications Act, but it’s a provision that’s never been used to my knowledge and its scope is not entirely clear.”

He said the revisions to what qualifies as “covered critical infrastructure” were positive developments, however, and said the bill included important protections to prevent the emergency powers from trumping existing surveillance laws.

The emergency authority is not the only hot-button issue in the bill. There is still some dispute about who should lead the cybersecurity effort. The bill splits authority between a Senate-confirmed White House coordinator and the Department of Homeland Security, which under the bill would house a new National Center for Cybersecurity and Communications.

John McCain, R-Ariz., is trying to strike a provision establishing the Senate-confirmed White House cybersecurity adviser, according to a source familiar with amendments he is proposing. The White House has already established a so-called cyber-czar, but that position is not subject to Senate confirmation.

Another McCain amendment would include language ensuring that nothing in the bill would affect Department of Defense or National Security Agency systems. Both agencies play an important role in cybersecurity efforts, but some congressional staff membersare concerned that the amendment would preclude information-sharing and collaboration among those agencies and the new cybersecurity center.

A McCain spokeswoman did not return messages seeking comment.

Lieberman said last week that the Senate intends to combine multiple cybersecurity bills, including one already approved by the Commerce, Science and Transportation Committee. That bill is sponsored by Chairman John D. Rockefeller IV, D-W.Va., and Olympia Snowe, R-Maine.

While industry organizations have slowly warmed to several of the cybersecurity proposals working their way through Congress — in part because of changes lawmakers have made to their bills — some groups are wary of additional changes that might lie ahead.

Overall, those industry groups want to see legislation that allows flexibility in the private sector.

“The big message from the technology community is to be very sensitive to the global nature of the industry,” said Tom Gann, vice president of government relations for McAfee Inc. He praised several provisions in the Homeland Security and Governmental Affairs bill, such as an overhaul of federal agency practices in protecting their computer networks.

“We comply with standards and requirements from around the world,” he said. “We do better if we’re able to design our products for a global market and use standards that are developed in the market.”