A federal cybersecurity bill that critics say creates a presidential "kill switch" for the Internet could be added on to a defense spending bill and passed without much debate, technology news sources report.
Sen. Thomas Carper (D-DE), one of the sponsors of the Protecting Cyberspace as a National Asset Act, told GovInfoSecurity.com that the Senate is considering attaching the bill as a rider to a defense authorization bill likely to pass through Congress before the mid-term elections.
"It's hard to get a measure like cybersecurity legislation passed on its own," Carper said.
Carper, along with Sen. Joe Lieberman (I-CT) and Sen. Susan Collins (R-ME), introduced the bill in June in an effort to combat cyber-crime and the threat of online warfare and terrorism. Critics say the bill would allow the president to disconnect Internet networks and force private websites to comply with broad cybersecurity measures. Future US presidents would have those powers renewed indefinitely.
The bill (PDF) states that Internet service providers, search engines and other Internet-related businesses "shall immediately comply with any emergency measure or action developed" by the Department of Homeland Security.
But many observers point out that that doesn't necessarily amount to a "kill switch" -- and, in fact, the president already has the power to shut off the Internet. As Time magazine points out, the Communications Act of 1934 grants the president the power to shut down wire communications during a time of war, and the Internet is now recognized as a wire communication medium.
Yet the proposed law authorizes the president to declare "cyber emergencies" -- potentially expanding the president's power to shut down the Internet to times when the US is not technically at war.
And even some backers of the proposed legislation argue the bill is too broad and vague, and the powers granted to the executive branch could be unpredictable as a result.
A summary (DOC) of the bill issued by Sen. Lieberman's office describes the powers granted to the president:
The Act will provide a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures, limited in both scope and duration, to protect the nation's most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance about the threat and the emergency measures that will be taken to mitigate it. Any emergency measures imposed must be the least disruptive necessary to respond to the threat. These emergency measures will expire after 30 days unless the President orders an extension. The bill does not authorize any new surveillance authorities, or permit the government to "take over" private networks.
The bill "authorizes the president to declare 'cyber emergencies,' without spelling out what would happen next," states an editorial at the Scranton Times-Tribune. "It is certain that the Internet will be a prime means of communication during an emergency. Given the history of the government over-stepping even constitutional constraints during such times, the bill's sponsors should retool it to be more specific."
Security expert and Cryptography Research CEO Paul Kocher describes the bill as a "Rorschach blot -- on one level it's absurd, and on others it's impractical and frightening."
Kocher said, "When you build something that will shut down a massively critical piece of infrastructure that people have tried to make reliable, that's a more frightening prospect than anything that could have inspired such a defense ... It's a very blunt weapon."
GovInfoSecurity notes that the House of Representatives passed a version of the defense authorization bill last spring that included cyber-security measures. If the Senate follows suit, a final version of the cyber-security legislation would be worked out in conference committee.