COMMENTARY – Some lawmakers on Capitol Hill are hell bent on implementing the recommendations of President Barack Obama’s Cyberspace Policy Review, in which the administration argued for a greater role for the Department of Homeland Security in securing the nation’s critical infrastructure from cyber attack.

And to prove how serious and misguided they are, some of these lawmakers, like Sen. Joseph Lieberman (I-CT) and Senate Majority Leader Harry Reid (D-NV), are about to introduce legislation that arguably will hurt innovation and jobs, and which may actually grant the DHS extraordinary regulatory powers that extend to the Internet.

Yes, the so-called Internet “kill switch” that so many believe is dead may, in fact, come back to haunt us if this legislation passes in its current form.

After reviewing a draft of proposed measures by Lieberman dated Jan. 27, 2012, which are expected to be incorporated in a bill by Sen. Reid, it is clear to me that Congress has launched a cunning effort to grant DHS “kill switch” powers without actually saying it.

The bill is dangerously vague in its definition of what constitutes critical infrastructure and seems to grant DHS unchecked authority to promulgate its own regulations that will be subject to undefined “enforcement actions” by the Secretary of Homeland Security and other agencies that may have regulatory authorities over the companies in specific economic sectors.

The authors of the legislation were careful not to list telecommunications (Internet) as a so-called “designated critical infrastructure.” Instead, critical infrastructure is defined in the bill as “a system or asset” that if accessed and damaged could result in “the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause…a mass casualty event…mass evacuations…catastrophic economic damage…[or] severe degradation of national security.”

Only a neophyte observer of national cybersecurity issues could read such language and not see a massive loophole for arbitrary Internet regulation. After publication of my book Black Ice in 2003, I testified before both the House and Senate on the state of critical infrastructure protection. It was clear to me then, as it is now, that all critical infrastructures have at least two things in common – their reliance on electricity and the Internet.

You cannot have a serious discussion about protecting critical infrastructure from cyber attack without talking about the public Internet.

In fact, my early research into cyber critical infrastructure protection revealed that CEOs in the energy sector, particularly electric utilities, forced their staffs to connect their public Internet-enabled desktops to the industrial control systems (known as Supervisory Control and Data Acquisition, or SCADA) that controlled the flow of electricity.

They did this so the executives could get a “real-time view” of capacity utilization and other economic indicators. Today, there is not a single critical infrastructure sector that does not in some way rely on the open, public Internet for its operations.

I recall watching Richard Clarke, the former White House cybersecurity czar who I interviewed at length for Black Ice, offer a proposal during the Microsoft Safenet Conference in Dec. 2000 in which he suggested the federal government needed to “bifurcate” the Internet into a secure zone for government and critical infrastructure and an open zone for everybody else. He was nearly laughed off the stage by the CEOs present, all of whom said their companies could not do business under such restrictions.

These and other concerns raised by the proposed Senate bill are not lost on some of the experts I talked to.

“If this passes and extends to the Internet, look for a new Internet to be created,” said Eric Hemmendinger, Head of Managed Security Solutions (MSS) Product Management for Tata Communications. “If you want to drive a critical infrastructure only Internet, give DHS the authority to regulate [the Internet].”

Bob Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks, worries most about the economic drag a new regulatory regime will have on private companies that are caught up in the new reporting and certification requirements that the bill calls for.

“Quite honestly, a regulatory regime is counterproductive to what we need right now,” said Dix. “We don’t even know what covered critical infrastructure would be. It just concerns me.”

And Dix’s concerns are well-founded. Among the many things outlined in the draft legislation are a number of annual reporting and performance requirements that would waste valuable time while not demonstrating the effectiveness of protective measures put in place.

Companies would be forced to divert capital investments that could otherwise be used for security innovation, and spend money on mitigating cybersecurity risks identified by DHS. It even goes so far as to grant DHS the authority to determine the “appropriate qualifications” for private cybersecurity specialists employed at critical infrastructures.

Given the heavy-handed nature of the reporting and performance requirements, I’m left with the sinking feeling that Congress’ willingness to simply gloss over enforcement issues is deliberate.

When one considers the number of questions raised by the bill’s language and the significance of the issues they relate to, it is hard to fathom a legislative process that would not demand clarity. For example:

What will the regulations be that the DHS will promulgate pursuant to the legislation?

What enforcement actions will be at the Secretary’s disposal? Can the Secretary of Homeland Security force an enterprise to shut down its Internet operations if hackers have compromised its network?

What if more than one company in the same critical infrastructure sector comes under attack simultaneously? Can the Secretary order a broader Internet disconnect for an entire economic sector?

What if multiple Internet Service Providers that serve critical infrastructure installations are the source of attacks or disruptions? Can the Secretary take ISPs offline?

These are serious questions that, at best, the current legislation fails to answer and, at worst, deliberately ignores.

Dan Verton is founder and president of Homeland Security Television, author of three books, including “Black Ice: The Invisible Threat of Cyber-Terrorism” (McGraw-Hill), and a contributing editor to Breaking Gov.