Nobody in Washington ever got rich making predictions about the political process. Nevertheless, I will go out on a limb and predict that at some point in the coming debate over the Senate cybersecurity bill, you will hear or read the words “Internet Kill Switch.”
I wish I could find out who coined the phrase and give him an award for creativity. There are few three-word phrases that a) so readily capture the imagination of the public; and b) so effectively encapsulate the viewpoint of those who utter it. The rallying cry against the Internet kill switch is one of the most effective political memes of the past year or two.
But what does it really mean and what are the real concerns? After all, even those who use the phrase don’t actually think that President Obama (or one of his successors) could “kill” the Internet. It’s a web of connections that is virtually impossible to kill, if the sense of it is to destroy or disable it completely. There is no Red On/Off Switch to pull.
Rather the phrase “kill switch” has become an effective shorthand code for the following practical question: What (if any) powers should the President have to direct private sector actors to take action (to and including shutting down access to portions of the network) in a time of emergency? And that question is a very interesting one with both legal and policy aspects to it. In this post, I will try to outline the arguments on either side and explain a bit about the legal landscape.
The Existing Law
To some degree, the Internet may already be subject to emergency regulation. The Obama administration has said in public testimony that it believes the Executive Branch already has sufficient emergency authority to require Internet service providers to act as directed, citing Section 706 of the Communications Act of 1934. According to Phillip Reitinger, then-DHS Deputy Undersecretary in testimony in June 2010: “Section 706 of the Communications Act and other laws already address Presidential emergency authorities and Congress and the Administration should work together to identify any needed adjustments to the Act, as opposed to developing overlapping legislation.”
Section 706 (currently codified as 47 U.S.C. §606) allows the federal government to “cause the closing of any facility or station for wire communication” and “authorize the use of control of any such facility or station” after having declared that a state of war, or the threat of one, exists. More pointedly, it provides (in §606(c)) that: “Upon proclamation by the President that there exists war or a threat of war, or a state of public peril or disaster or other national emergency, or in order to preserve the neutrality of the United States, the President, if he deems it necessary in the interest of national security or defense, may suspend or amend, for such time as he may see fit, the rules and regulations applicable to any or all stations or devices capable of emitting electromagnetic radiations within the jurisdiction of the United States.”
The Administration (and other lawyers) argue that this provision gives the President ample authority to act in time of cyber emergency. After all, computers are clearly devices capable of emitting electromagnetic radiation. Others doubt that premise. They note that the law itself pre-dates the existence of the Internet by roughly 50 years and that stretching the language to cover the Internet would be legally problematic.
It seems fair to say that there is some ambiguity in the law and that plausible arguments could be made on either side. More practically, it seems likely that any effort to use the Communications Act to govern a cyber emergency would be fraught with litigation risks and possible conflict. To the extent one sees a need for Presidential authority, there is certainly good reason to want a firmer legal basis for action than exists already.
Draft Legislative Proposals
Despite the existing legal ambiguity it is by no means clear whether any codification of a new Presidential emergency authority will be in the base bill that the Senate is soon to consider. Nor is it clear what, if any, amendment language will be offered on the subject. Still, some indicators of possible legislative structures can be discerned in earlier legislation.
Section 249 of the bill introduced earlier this Congress by Senators Joe Lieberman (ID–CT), Susan Collins (R–ME), and Tom Carper (D–DE) would authorize the use of Presidential emergency powers to protect critical infrastructure from cyber attacks. The President would be given the power to “issue a declaration of a national cyberemergency.” After such a declaration the Department of Homeland Security (DHS) would be authorized to demand that critical infrastructure operators “immediately comply with any emergency measure or action” decreed. Most notably, no “notice” would be required “before mandating any emergency measure or actions.” Furthermore, a company could be added to the “critical” infrastructure list one moment and ordered by DHS to “immediately comply” with its directives the next.
The logic of this structure makes some sense. The reality is that if pre-enforcement judicial review of any governmental order is required, it is possible that the governmental response will be delayed so long that it proves ineffective. On the other hand, it is clear that post-enforcement judicial review is of less value to an effected party since by definition it can grant relief only after the order has already been issued and implemented. Thus, at a minimum, the new draft authority would be a significant administrative lever for compelling private sector compliance with Executive demands for action.
Policy Issues
So that, naturally, leads to the question of whether or not new authority would be a good idea from a policy perspective. There are certainly good arguments in favor of the idea. Clearly, the federal government needs the ability to protect its own interests, some of which require use of the private-sector portions of the Internet. Likewise, the government has an interest in the continuity of operations in critical infrastructure like water treatment facilities or the electric grid, even though those are operated by the private sector. And, too, the government is charged with providing “for the common defense,” and all Americans would expect it to play a role in defending, say, the West Coast electrical grid against a Chinese assault.
But equally clearly, giving the government power over the private sector and the Internet is fraught with peril to civil liberties. Even though the draft Lieberman-Collins legislation has explicit language denying presidential power to cut Americans off from the Internet generally (and even though any President of either party should not be presumed to exercise powers granted in a dictatorial way) the recent experiences in Egypt make it clear how relatively easy it is for an autocratically minded leader to take control of private actiivty.
Other opponents argue that the authority is unnecessary. Though we cannot be completely sanguine about the civic responsibility of private sector actors, generally, they contend that any critical infrastructure operator under concerted assault will take all necessary and feasible steps to protect itself, even in the absence of a Presidential directive. PEPCO, after all, doesn’t want to see the grid crash any more than the President does. Presidential direction is only necessary, they contend, if a) the government knows something about a threat or vulnerability that the private sector doesn’t; and b) the private sector won’t voluntarily act on the government’s knowledge if the government shares it.
Finally, some contend that Presidential cyber emergency authority would be ineffective. They argue that the pace of threats on the Internet is so swift that the designation and demand for compliance structure adopted by the legislative proposal would, inevitably, be too far behind in addressing actual threats.
Supporters respond (with some persuasiveness) to these last two points that while the arguments are true for ongoing assaults, they are less apt in the context of an anticipated attack. There may be situations where the government knows of certain intrusion potentials that the private sector (for business reasons) has not yet have mitigated. Of course, that response stretches the conception of a “cyber emergency” a bit more broadly than some might like – but it also puts into perspective the core of the dispute: Are there emergency cases where a President can and should be able to direct private sector actions on the network?