THE HILL
 

Obama’s power over Internet is central factor in cybersecurity debate

By Kim Hart - 09/01/09 12:00 PM ET

Legislation that would give the president authority to shut down at-risk Internet networks would strengthen the country’s cyber infrastructure in an emergency, according to some security experts.


But industry and consumer groups argue the government shouldn’t meddle with private networks.

How and when President Barack Obama could intervene in public and private information systems has become the central point of contention in the new draft of the Cybersecurity Act of 2009.

Senate staffers have circulated the draft with industry groups, civil liberties advocates and security experts. The bill was first introduced four months ago by Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) and ranking member Olympia Snowe (R-Maine).

The debate over the legislation comes as the Obama administration struggles to coordinate a national approach to cybersecurity.

Obama pledged to create a cybersecurity czar in the White House. But that post remains empty after Melissa Hathaway, acting senior director of cybersecurity and a front-runner for the job, resigned last month. Industry groups argue the government should fix its own security systems before adding mandates to the private sector.

Rockefeller’s original bill gave the president the power to limit Internet traffic to critical networks — in both the public and private sectors — for national security reasons or in the case of an emergency. Industry groups raised alarm about that level of government interference, and the new draft dropped the specific language, instead allowing the president to direct a “national response” to the cyber threat.

That language is "an improvement" over the initial bill, but is too ambiguous, said Greg Nojeim, senior counsel for the Center for Democracy and Technology.

“What does national response mean?” he said. “The scope of (the president’s) power to direct private-sector critical infrastructure information system operators is left undefined and is problematic for that reason.”

Others say the president should be able to take such action. James Lewis, senior fellow for the Center for Strategic and International Studies, which last year issued a set of cybersecurity recommendations to Congress, likened the provision to President George W. Bush’s call to shut down airlines after the attacks of Sept. 11, 2001.

“It seems foolish not to have the same authority for cyberspace,” he said. “It’s not that the president will wake up in a bad mood one day and implode Yahoo. This would apply only to severe national emergencies. … This is a great opportunity to blast us into a new level of discussion about cybersecurity.”

A Senate staffer with knowledge of the bill said the draft was circulated to stakeholders, including network operators and consumer advocates, in order to get more feedback on the provisions.

Senate Commerce Committee spokeswoman Jena Longo said in a statement that “the bill will not empower a ‘government shut down or takeover of the Internet.’ … The purpose of this language is to clarify how the president directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government’s response.”

She added that the president “has always had the Constitutional authority, and duty, to protect the American people and direct the national response to any emergency that threatens the security and safety of the United States.”

The bill would also require cybersecurity professionals and critical infrastructure operators to go through a more rigorous certification process to be developed by the Commerce Department. Opponents of the provision say the security industry has already developed its own certification requirements and shouldn’t have to jump through other government hoops.

Alan Paller, director of research for the SANS Institute, which provides computer security training, said most of the government contractors and employees hired to secure federal networks do not have enough skills for the job.

“You have to set a high bar and create a demand for these credentials,” he said. “The security technology is useless without people who know how to use it.”

The original version of the bill also called for a “clearinghouse” for private and public cybersecurity threats, allowing the Commerce Department to seize data vulnerable to attacks even if it contains personal information about citizens.

Privacy advocates bristled at that idea. The new draft drops the reference to the Commerce Department having the power to override privacy statutes to get access to information, but it still allows the government to require the sharing of potentially sensitive data.

“Companies are concerned they would provide information to the government about vulnerabilities that could be useful to competitors if disclosed,” Nojeim said. “The bill’s scope isn’t clear.”

Industry groups are also closely watching a number of other cybersecurity bills.

Sen. Tom Carper (D-Del.), a member of the Homeland Security and Governmental Affairs Committee and chairman of the subcommittee that handles government information, aims to update the Federal Information Security Management Act, a 7-year-old law requiring agencies to conduct annual reviews of their information system security efforts.

His bill, the Information and Communications Enhancement Act, introduced in April, would require agencies to have “an annual independent information security effectiveness evaluation.”

Security experts have been pushing for more robust FISMA standards for at least two years.

“Right now you can get a good FISMA rating and not be secure at all,” Lewis said. “We need to move from a paper test to performance-based metrics.”

Sen. Joe Lieberman (I-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee, introduced a bill in April directing the Department of Homeland Security to work with other intelligence agencies to create a plan to protect critical electric infrastructure from cyber attacks. A companion bill has been introduced in the House by Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee.

Nojeim said the CDT largely supports the other cybersecurity bills. “It’s about strengthening FISMA and getting the government’s own house in order, which is a prerequisite to any discussion about what the government should require of the private sector.”

 


Source:
http://thehill.com/homenews/administration/56947-obamas-power-over-internet-central-to-cybersecurity-debate