Proposed Emergency Powers for a Computer Network Attack

When Senators Lieberman, Collins, and Carper proposed legislation last week to deal with the risk of a large-scale attack on our computer infrastructure, the libertarian-privacy attack was not long in coming.  Declan McCullagh, a committed libertarian journalist for Cnet, posted a long story full of angst about the bill.

It would, he said, “grant the president far-reaching emergency powers to seize control of or even shut down portions of the Internet.” He claimed that, under the bill, “companies such as broadband providers, search engines, or software firms that the government selects ‘shall immediately comply with any emergency measure or action developed’ by the Department of Homeland Security. Anyone failing to comply would be fined.”  Warrantless wiretapping is excluded as an emergency power.

“Because there are few limits on the president’s emergency power, which can be renewed indefinitely,” McCullagh predicted (and pretty obviously hoped), “the bill is likely to encounter stiff opposition.”  He cited concerns expressed by TechAmerica, the Center for Democracy and Technology, and the Cato Institute.

On one technical but important point, Declan may have misread the bill.  He seems to think (judging from a post of his on Dave Farber’s list) that the bill would impose obligations on any company for which the telephone system or Internet is “essential.” I assume that’s why he says that search engines are covered by the bill.  I doubt that they are, because the bill in fact applies to a relatively limited set of critical facilities — and to the information infrastructure on which those facilities depend.

So, if operators of our power grid are dumb enough to run their systems by relying on the Internet and Windows XP, then the bill’s authority to order emergency measures would apply to the providers of electric power, to their ISPs, and to Microsoft.  Otherwise the ISPs and Microsoft are in the clear.  As for the rest of us, including our search engines, we’re in the clear from the start.

The broader issue is whether Declan is right to hate the bill.  Certainly the privacy-industrial complex is gearing up for a scare campaign.  But I think it’s fair to ask the privacy campaigners two questions before joining them in chanting “Internet kill switch.”

First, do they believe that foreign governments can’t attack networks that are essential to our lives? Frankly, I don’t think there’s anyone with an ounce of technical savvy who thinks such an attack is impossible, or even improbable.  I laid out the case for that risk in chapter 9 of Skating on Stilts:

If you’re a foreign government, breaking into U.S. networks is a twofer. You can start by stealing secrets. But if push comes to shove, you can use your access to destroy the same systems you’ve been exploiting. Corrupt the backup files, then bring the whole system down. Or start randomly changing data and emails until no one can trust anything in the system. It wouldn’t take much to create chaos. The financial crisis of 2008 became a panic when bankers began to disbelieve each other. No one trusted the other guy’s books, so they stopped lending, and the world crashed. Could that same mistrust be created by modifying or destroying a few firms’ computer accounting and trading records? We probably don’t want to find out.

It’s no secret how to fight a war against the United States. Slow us down, then cause us pain at home and wait for antiwar sentiment to grow. Cyberattacks are ideal for that strategy. Everything in the country, from flight plans and phone calls to pipelines and traffic lights, is controlled by networks susceptible to attack. A determined, state-sponsored attacker could bring them all down—and blame it on some “hacker liberation front” so we wouldn’t even know whom to bomb.

(I have posted all of chapter 9 in an easily accessible archive for www.skatingonstilts.com. The excerpt is licensed for free copying and distribution.)

So if the answer to my first question is yes, an attack is possible, my second question is “Who do you think should take action in response to the attack?”  Cato Institute?  TechAmerica?

Fat chance.

As the BP oil spill shows, companies are quite capable of setting the stage for catastrophes well beyond their ability to remedy.  We properly expect the government to regulate companies to address risks that can’t be internalized by the companies taking the risks.  And when disaster strikes despite those efforts, we expect the President to have the authority to respond.

If another country launches a computer network attack on US infrastructure, do we want the President to look as helpless as he looks today in response to the BP spill?  Remember, he won’t be looking helplessly at a few tarballs on the beach; in a worst-case emergency, he might be looking helplessly at a country that lacks power, working phones, and maybe even a reliable financial system.

If that happens, Declan McCullagh, the Cato Institute, and TechAmerica won’t even be returning your phone calls.