A few weeks ago, I was privileged to be a panelist on the panel, “Protection and the Moral Dilemma: Going Offline in the Name of Security”, the kickoff event of the DHS GFIRST summit in Nashville, Tennessee.
The panel itself included senior security experts from across the spectrum of the public sphere: DHS, the FBI, DoD, state government, and even well-known security author Winn Schwartau.
At the heart of the discussion was a proposal included in the Senate bill “Protecting Cyberspace as a National Asset Act of 2010” (S.3480), introduced by Senators Lieberman (I-CT), Collins (R-ME) and Carper (D-DE).
What makes this bill different from other cybersecurity legislation floating around Congress today is the concept of an “Internet Kill Switch” – the idea that the federal government (presumably, the President) would have the authority and ability to “disconnect” the United States – or even individual networks within our borders – from the Internet in cases of extreme national security, such as a broad-based attack from outside the country.
As you might imagine, this was a very lively discussion. The conversation split into two topics: the ethical and constitutional aspects of disconnecting either individual organizations or the entire country from the global Internet; and the technical aspects of doing so. From the ethical perspective, here were some of the key issues brought up by the panelists, as well as participants from the audience regarding the concept of an “Internet Kill Switch”:
- Conditions for the Kill Switch. The S.3480 bill doesn’t define the specific conditions under which the President (or any other body, such as the DHS) could disconnect assets from the Internet. Both our panelists and several audience members identified this lack of clarity of exactly what defines a “national security event” to be disturbing. While we seemed to agree that some big-ticket items might qualify (a broad-based, coordinated attack from outside the United States, for example), other possible conditions seemed ambiguous: what about when malware propagates inside a private industry network? Should those systems be disconnected from the Internet? The clear-cut line becomes blurred in many scenarios.
- Scope of the Kill Switch. Even if there’s a clear case justifying some sort of action, what would be the scope of that effort? Are we talking about a complete disconnection of the United States from the global Internet (NAPs, TICs, and backup connections)? Or would the scope of such an action be limited to just one agency, private company, or service provider? These questions of scope – the target of a “kill switch” and which assets would be disconnected – were of critical concern to both panelists and audience members.
- The Kill Switch addresses the symptom, not the problem. In many cases – such as the malware propagation scenario mentioned above – a “kill switch” doesn’t really solve the problem. It provides triage for disconnecting problematic systems, but it doesn’t get rid of the underlying issue, regardless of whether that issue is poor application or database security, poor malware detection, or poor user training and security awareness. A triage approach is a tiny, temporary bandage on a gaping wound.
From the technical perspective, there were also a number of questions related to the details of implementing a “kill switch”, including:
- Backup and redundant networks. The Internet was designed to be a robust network, with redundant connections and routing paths. In addition, in both the public and private sectors, backup networks are extremely common, ranging from dark fiber to earth stations and satellite uplinks. Given these backups and redundancies, could a “kill switch” provision really be effective when so many alternate paths are available for connecting systems to the global Internet? More importantly, who would be responsible for documenting and tracking all of these connections?
- Cloud and mobile computing. The advent of outsourced cloud computing – particularly the public cloud – coupled with the dramatic rise in mobile computing adds a tremendous layer of complexity to this issue of a “kill switch”. When assets being attacked are hosted by a third-party cloud provider, or users have access to mobile cellular networks running IP in order to access Internet-based resources, the number of potential points to circumvent an action is significant.
As the saying goes, the devil is in the details. Ultimately, both we on the panel and our audience didn’t solve all of the ethical or technical issues surrounding this complex issue, but we did come to a consensus that, regardless of whether you are for or against the idea of disconnecting public or private assets from the Internet, the authority, scope and processes associated with such a herculean task need to be thoroughly considered – and very well defined – before anyone touches the switch.