Debating Executive Control of the Internet: A Critical Ethical Analysis of the 'Kill Switch' Bill

Since its mainstream popularity blossomed in the late 1990s, the Internet has become tightly woven into the fabric of modern society. Linking together many formerly disconnected institutions and technics, the invention of this high-speed communication medium has also pushed freedom of speech issues to the forefront of the debate about protecting the highly pervasive technology and the critical infrastructure it serves from disruptive events. There is a protectable national security interest in ensuring that the Internet does not serve as a route for terrorists or hackers to commit digital attacks on the many vital services which are now inextricably connected to the network. Legislation intended to amend Homeland Security provisions in order to more effectively protect our internet infrastructure, including important private entities, has been under discussion in the US Congress over the last few years. Being able to critically analyze the implications of a cyber-security bill requires a wide array of technical, legal, and political contextual information.

Infiltration has already occurred on the US energy grid, when Chinese and Russian hackers allegedly planted malicious software to recover structural information about our power systems and possibly disable them in the event of an all-out war.1 Last year the insidious Stuxnet worm, purportedly designed by Israel or another set of state-funded agents to attack the control centers of Iranian nuclear facilities, spread rapidly to targeted utility and manufacturing systems computers and reportedly caused major damage to Iran’s uranium enrichment project.2 Meanwhile, an online organization known as WikiLeaks has been publishing clandestine information provided by whistleblowers, including thousands of US State Department diplomatic cables, whose disclosure has instigated widespread domestic controversy and international upheaval. Prominent political figures, including Senator Joe Lieberman, called for the prosecution of WikiLeaks founder Julian Assange under espionage laws for publishing classified documents,3 even though his lack of US citizenship renders him technically ineligible for treason charges, and the publishing of whistle-blowing documents is not currently illegal.4 Reacting defensively to the intense political and commercial censure of WikiLeaks, the loosely-knit ‘Anonymous’ hacking group unleashed a distributed denial-of-service (DDoS) attack, ‘Operation Payback’, on financial institutions associated with cutting off monetary resource channels to the publishing collective.5

Knowing these types of cyber-attacks and security breaches are inevitable and, indeed, are already occurring at a rapidly increasing pace, the United States government has sought to expand its power to protect critical infrastructure from Internet-based mischief. Senator Joe Lieberman (I-Conn), Sen. Susan Collins (R-Maine) and Sen. Tom Carper (D-Del) introduced the “Protecting Cyberspace as a National Asset Act of 2010”6, amending the Homeland Security Act of 20027 to specifically appoint a responsible authority to enact digital security measures in preparation for and during a national cyber-emergency. However, the proposed legislation came under intense scrutiny from various civil liberty fronts because it didn’t protect against potential abuses of power granted to stifle free speech.8 Critics began referring to the legislation as the “Internet kill switch” bill, a phrase which grew in notoriety in January 2011 as dictator Hosni Mubarak effectively “pulled the plug” on Internet access for days to millions of Egyptian citizens while they participated in a popular uprising against his brutal regime.9 In response to the events in Egypt and to assuage critics10, a slightly revised version entitled the “Cybersecurity and Internet Freedom Act of 2011” was reintroduced with a specific prohibition on executive shutdown of the Internet and some legal recourse for providers objecting to their placement on the critical infrastructure list. Nevertheless, the proposed legislation still contains significant provisions that could fail to achieve the bill’s stated mission of increasing cyber-security, while at the same time contributing to a set of unanticipated negative repercussions.

Protecting critical technical infrastructure such as energy, water, sewer, and financial systems from cyber-attacks inflicted by malicious parties is an increasingly important responsibility of government, especially as traditional methods of warfare are on the decline. Senator Collins quipped at the introduction of their bill, “we cannot afford to wait for a ‘cyber 9/11’ before our government finally realizes the importance of protecting our digital resources.”11 To address this challenge, the Cybersecurity Act seeks to refine the power available to the president in the event of a national emergency. The Communications Act of 1934, which established the Federal Communications Commission, already authorizes the president the “use or control of any…station or device” during wartime or in a “state of public peril or disaster or other national emergency.”12 The proposed legislation seeks to update “a crude sledgehammer built for another time and technology”13 by precisely targeting executive powers. It would create an Office of Cyberspace Policy within the Executive Branch, and require the Director to be approved by the Senate. The new office would be responsible for devising the cyber-security strategy of the federal government, and coordinating with the president and other departments to implement a set of cyber-emergency preparedness guidelines. Other major goals of the bill include reforming the risk management procedures of the government software procurement process, increasing the federal recruitment of cyber security personnel, and funding research into secure Internet protocols. The most controversial aspect of the bill, the part that has been labeled an “Internet kill switch”, is the set of provisions for a national cyber emergency:

The President may issue a declaration of a national cyber emergency to covered critical infrastructure if there is an ongoing or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure.14

The President would be able to set a state of emergency for 30 days, and extend the period up to 120 days, until joint Congressional approval was required. Covered critical infrastructure may include privately held assets, as long as they were designated on the list as having met several criteria. The risk of the disruption of the system would have to cause a “mass casualty event” or “severe economic consequences”, and the system would need to be inextricably linked to the national infrastructure. However, a system could not be placed on the list “based solely on activities protected by the first amendment to the United States Constitution.” An owner or operator would be notified of the system’s inclusion on the list, and would be required to develop an emergency response plan and work with the newly created National Center for Cybersecurity and Communications (NCCC) to secure their operations. The legislation prohibits the authority to restrict communications “unless the Director determines that no other emergency measure or action will preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of the covered critical infrastructure”. 
Additionally, it bars control of the system, disclosure of information unlawfully, communication interception, and specifically demands that “the Director shall ensure that the privacy and civil liberties of United States persons are protected.” In a change from the previous version of the bill, the Cybersecurity and Internet Freedom Act of 2011 now allows owners of designated critical infrastructure to appeal their inclusion on this list in a federal court, and specifically declares that “neither the President, the Director of the National Center for Cybersecurity and Communications, nor any other officer or employee of the Federal Government should have the authority to shut down the Internet.” The proponents of this legislation are justifying executive control over Internet infrastructure by utilizing the prospective Public Harm Principle. They have asserted that the critical national infrastructure of the Internet and related systems is considered a protectable public interest, and the unreasonable risk of an unsecured critical system attached to the network during a cyber-emergency should be prevented by coercively restricting owners and operators of such systems into cooperating with the government’s new security program.

Opponents and critics of the Cybersecurity and Internet Freedom Act of 2011 object to the legislation and some of its underlying presumptions for three primary reasons. First, civil rights advocates argue that the ambiguity of some key definitions in the bill renders its First Amendment protections inadequate. They make the claim that the President could declare a cyber-emergency and put any system considered critical infrastructure on the list, thereby obtaining an immediate mandate over the operations of that system.8 What seems to be in dispute are the ambiguously defined conditions of what constitutes either a state of cyber-emergency or a piece of critical covered infrastructure. Of the unrevised version of the bill, Tim Karr, campaign director of the Free Press media reform nonprofit group, said that “the government is looking broadly at the new reality of anti-government hackers, they’re looking at WikiLeaks….They’re also granting broad authority to act against an as yet undefined threat.”15 Still, even with the addition of the Freedom Act and the mechanism for an operator’s federal court appeal of inclusion on the list, the EFF Senior Staff Attorney Kevin Bankston said that “our concerns have not changed…the president would have essentially unchecked power to determine what services can be connected to the Internet or even what content can pass over the Internet in a cybersecurity emergency.”8 Even though the Internet Freedom Act declares that no government authority can “shut down the Internet,” nothing about the bill prevents the shaping of Internet traffic or shutting down certain websites or portions of the Internet as long as “no other emergency measure or action will preserve the reliable operation” of the system, and the reasoning isn’t based “solely” on protected speech. To many, this implies that the content of the speech can be used as a contributory factor for control of the infrastructure it’s housed within.
If a group such as Anonymous were to engage in a widespread ‘hacktivist’ DDoS protest against a financial network, this bill could conceivably give the president the authority to declare a cyber-emergency and shut down private websites and Internet services perceived to be aiding the attackers, all without any judicial or congressional review.

This brings us to the critics’ second point of contention, that the proposed legislation’s lack of review of the President’s exercised authority raises profound concern about due process. Greg Nojeim, the director of the Center for Democracy and Technology’s Project on Freedom, Security and Technology asked:

What if the authority the bill gives the government to shut down or limit Internet traffic was abused? What would be the remedy? The bill does not allow for a remedy. There’s no authority for an objective decision-maker to ensure the decision … is properly based on a true emergency…. There ought to be a way to deal with a shutdown order that should not have been issued in the first place.15

Some security authorities point out that the Department of Defense and the Department of Homeland Security already possess legal means with which to block or prioritize Internet communication16, but there is concern that even these currently held capabilities have been abused. In February 2011, the web file-sharing community was in an uproar about how “the Department of Justice and Homeland Security’s ICE office proudly announced that they had seized domains related to counterfeit goods and child pornography. What they failed to mention, however, is that one of the targeted domains belongs to a free DNS provider, and that 84,000 websites were wrongfully accused of links to child pornography crimes.”17 The critics of domain seizure policy, often associated with the debate over copyrighted material infringement, point to the common practice of obtaining ex parte warrants from judicial council to seize domains:

That [process of obtaining such warrants] raises procedural problems, however: when the magistrate gets the request for seizure warrant, he or she hears only one side — the prosecutor’s. Without any opposing counsel, the judge is unlikely to learn whether the accused sites are general-purpose search engines or hosting sites for user-posted material, or sites providing or encouraging infringement.18

If the intent of the bill’s revision was to address the critique of lack of checks and balances, it has clearly not assuaged former congressman Bob Barr, who asserted that “no government – no matter how benign or well-meaning – should be empowered to control the Internet. Moreover, the Congress should take a long, hard look at how federal agencies are using — and abusing – their existing powers to control parts of the Internet.”19

Last, but certainly not least, the third point of contention with the proposed cyber-security legislation is that technical experts question the efficacy and utility of a policy that may prove to be more harmful than helpful. TechRepublic writer Michael Kassner helpfully interviewed several security gurus about the concept of a kill switch. The Internet was initially designed for military applications, and as Dr. Anup Ghosh explained, “replication and redundancy was built into the network design from its original ARPANET origins in routing and naming to protect against single-failure modes in the Internet.”20 Even in non-military applications, as John Gilmore’s famous saying goes, “the Net interprets censorship as damage and routes around it.”21 So merely shutting down or limiting one portion of the Internet may not necessarily protect the rest of the system from a worm or cyber-attack. And in the process of triggering a cyber-emergency, it’s almost certain that collateral damage to all the highly interconnected and dependent infrastructure would constitute an enormous social harm, which Dr. Ghosh named an ‘economy kill switch.’ Chillingly, he raised the point that “an adversary could trigger a Presidential decision to implement” a shutdown of infrastructure, thereby turning our own defenses into a self-inflicted DoS attack. Kassner further consulted expert Cormac Herley, who alarmingly pointed out that “for all we know there are babies in ventilators controlled by machines that poll the Internet for something or other. Now it’s a really, really bad idea that babies in ventilators have any such dependency but you don’t know what stops working until you hit the switch.” Many people familiar with the challenges of securing systems and networks believe that the best and least difficult solution for enduring cyber-attacks is the distribution of knowledge and training personnel in best security practices. 
They object to a centralized, authoritarian view of how security should be implemented, because the technology works as a distributed delegation system and is not necessarily suited for top-down control.

A critical analysis of the Cybersecurity and Internet Freedom Act of 2011 has yielded many points for the graph of a final policy assessment. On the one side we have supporters of the bill, who invoke the urgent need for more network security authority. They caution that there are serious unintended consequences for allowing the status quo to hold, such as infiltration of our critical infrastructure with virulent worms. While their argument that threat of digital sabotage warrants protection is fairly convincing, the use of hyperbole to draw a false equivalence between a cyber-attack and 9/11 clouds the issue of threat magnitude. The serious implications of wielding power to control the Internet require the burden of proof to lie on the claimant of that authority. Without a sufficient definition of the nature of threat or the threshold that would trigger a cyber-emergency, or the conditions by which an asset may be declared of critical national infrastructure importance, there are no independent measures which can be compared to the government’s cyber-security actions. Technically clear definitions and criteria are utterly critical to ensure that this granted authority would be the least disruptive means necessary to avert cyber-emergencies. Therefore, proponents should refine the bill in order to guarantee that the requested power be used in the most ethically refined manner.

On the other side of the argument we have legal and technical skeptics of the legislation. Free speech advocates decry a lack of protection for speech and due process. There is concern that the Cybersecurity and Internet Freedom Act and other bills under discussion could be utilized to squelch new forms of political dissent, such as anonymous whistle-blowing, online organizing activities, and DDoS hacktivism, which is seen as a form of digital sit-in. Domain seizures of copyright-infringing or obscene material have already been performed in a manner that alarms promoters of due process, so there is good reason to question the lack of protections available in the proposed bill. Security experts have reservations about the efficacy and potential collateral damage of any mechanism which sought to protect the Internet by turning it off. The complex and pervasive nature of the Internet makes it difficult to completely segregate one discrete service from every other point in the system. Current technological trends indicate that the Internet routing system could be evolving into an even more distributive mesh network structure, such that a complete or partial shutdown might be impossible to implement. In a parallel fashion, information dispersal through highly connected nodes has actually strengthened freedom of speech by rendering censorship very impractical. The combination of these effects makes parts of the legislation irrelevant and dangerous: a centralized authority can’t stop data from spreading, and it can’t shut the net down, but heavy-handed attempts to do so would damage existing links or hinder the Internet’s efforts at recovery, along with all the critical infrastructure that is connected.
If government authority weren’t acting in good faith for the public welfare, they might find any legal or technical control over the Internet irresistible to abuse, especially if they weren’t knowledgeable of or concerned with the potential ramifications of exercising such power. In conclusion, the dubious benefit of implementing the Cybersecurity and Internet Freedom Act of 2011 is far outweighed by the almost certain harm inflicted upon the network it is supposed to protect. The least disruptive recommendation for securing our national infrastructure is to update software, keep firewalls and anti-virus programs running, and encourage more education and training in truly effective technical measures. The Internet works best when authority remains distributed.
