During the recent revolution in Egypt, the government disabled Internet access throughout the country with the flip of a switch. Could the same thing happen in America? Practically, because the structure of the Internet in the United States is more complex and decentralized than in Egypt, it cannot be shut down as easily. However, several bills have been proposed that could give the government broad power to take over the Internet communications of any public or private entity it deems necessary.

The first bill introducing the concept of Presidential Internet “kill switch” power was S. 773, the Cybersecurity Act of 2009 (later the Cybersecurity Act of 2010). The original version of the bill gave the President the power to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network.” The bill provides examples of “critical infrastructures,” such as private and public entities in the energy, information, telecommunications, emergency services, agriculture, food, water, public health, government, transportation, defense, banking, finance, chemicals and hazardous materials, postal, and shipping sectors. Due to the unpopularity of the kill switch provision, the bill was amended (PDF) to remove the kill switch power and require the President to work with government and private industry to define “cybersecurity emergency” and develop “detailed response and restoration plans.”  The amended bill also stated that it “does not authorize, and shall not be construed to authorize, an expansion of existing Presidential authorities.”

Senators Lieberman, Collins, and Carper introduced a similar bill, S. 3480, called the Protecting Cyberspace as a National Asset Act. The act would establish a National Center for Cybersecurity and Communications (NCCC) within the Department of Homeland Security. Like S. 773, the act would also give the President the power to declare a “cyber emergency” for “critical infrastructure.” After the President declared an emergency, the Director of the NCCC would assume control of the critical infrastructures and would direct the owners and operators to take unspecified actions with as little disruption to services as possible. The bill was amended to require the President to receive Congressional approval for any emergency lasting more than 120 days and was placed on the Senate Legislative calendar in December 2010.

Senators Lieberman and Collins issued a press release (PDF) to dispel fears that S. 3480 authorizes Internet kill switch power, arguing instead that the bill only impacts critical infrastructures. However, critics of the bill expressed concerns that it does not adequately define “critical infrastructure.” Unlike S. 773 (PDF), no examples of critical infrastructures are listed in S. 3480 (PDF). The definitions section of S. 3480 specifies that “critical infrastructure” has the meaning as defined as in section 1016(e) of the USA Patriot Act (PDF). Section 1016(e) states that “the term ‘critical infrastructure’ means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” That definition did not satisfy the ACLU, the American Library Association, the Electronic Frontier Foundation, and many other organizations, who drafted an open letter (PDF) to the bill’s sponsors. The letter’s authors proposed modifications to the bill which would include more free speech and information privacy safeguards for the users of critical infrastructure networks.

In response to such criticisms, the senators changed the title of the bill to the “Cybersecurity and Internet Freedom Act” and introduced it as S. 413 in February 2011. S. 413 (PDF) introduces new language directly addressing the kill switch issue: “neither the President, the Director of the National Center for Cybersecurity and Communications, nor any other officer or employee of the Federal Government should have the authority to shut down the Internet.” Nonetheless, civil liberties groups are still opposed to any broad government authority over the Internet, and propose that “common-sense security practices” such as regular security updates and encryption will protect the United States better than any type of kill switch power over Internet service.

What would a cyberattack in the United States look like? Many believe that the Stuxnet computer worm, which appears to have targeted and disabled equipment used for uranium enrichment in Iran, was a successful cyberattack by a sophisticated enemy. Other possible attacks that have been suggested include infiltrating air traffic control computer systems and disrupting flights or hacking into the power grid and cutting power to customers. On the other hand, skeptics have criticized these doomsday scenarios as pure hype and fear mongering without factual support, publicized by government officials and industry players looking to profit off of cybersecurity investment. For example, Brandon Milhorn, staff director of the Senate Homeland Security and Governmental Affairs Committee and supporter of the bill, said that the government is concerned that a hacker could open the floodgates of the Hoover Dam, killing thousands of innocent lives. The Bureau of Reclamation pointed out that the Hoover Dam and other facilities like it are not connected to the Internet.

Lawmakers considering the bill will need to balance the need for emergency executive power over the Internet without judicial review against the unforeseen consequences of declaring war in cyberspace. Cyberspace is a unique battleground, because as security expert Bruce Schneier notes, “when a nation is attacked in a regular conflict, a variety of military and civil institutions respond. The legal framework for this depends on two things: the attacker and the motive. But when you’re attacked on the Internet, those are precisely the two things you don’t know.” Schneier cautions that when the enemy is unknown, retaliation against the wrong target for the wrong reason becomes more likely. Two officers at the Office of Homeland Security expressed similar concerns, and cautioned against any declaration of cyberwar. They then proposed that the government’s role should be to fill in any remaining security gaps left open by private industry in order to ensure the security of the Internet in the United States. Whether or not the proposed bills adequately fill in these gaps without compromising the free and open nature of the Internet or individuals’ privacy when using the Internet remains an open question.



  1. Pingback: Internet “Kill Switch” Legislation: Can Obama Turn Off the … « switch

  2. Benjamin Holfeld March 10, 2011 at 6:10 pm

    First they ask for an internet kill switch
    Second they ask for a power-off switch
    Third they ask for a country self-destruction switch

    How stupid is that? If someone builds a hoover-dam that can be opened by a hacker, they should shut down the hoover-dam system but not the whole country!

  3. Michael F. Angelo March 14, 2011 at 4:39 am

    Great summary!!

    The question should not be how likely are they to be attacked, but why are they connected to the internet where they can be attacked? But then again this raises a number of issues – such as who was/is in responsible for connecting Critical Infrastructure Components to the Internet? I am willing to bet they did not think about security when they were doing it.
    IMHO It would be nice if the proposed law said ‘Before placing Critical Infrastructure Components on the Internet, you need to do a threat / attack model”. Imagine the threat model for the Hoover Dam on the Internet. Worst possible scenario, Damn is destroyed, area is flooded, and some portion of the country is without power. I can’t believe this would even sound like a good idea to a politician 🙂

    IMHO Kill the Kill Switch, and fix the real problem – Require threat modeling of Critical Infrastructure Elements before putting them on the Internet or just say no to putting them on to begin with.

    ps. More of my comments on the IKS can be found at http://bit.ly/gJyBvV

  4. Douglas Shanks March 15, 2011 at 9:30 am

    Why dose our goverment think of the the worse thing to do if the goverment really dose this to the american people then no one would known what to do. Our people have gotten so use to the freedoms that we have that even to think of taken away one of are biggest freedoms. I think would have such a negtive effect on the people and even worse consequces when we would all come togather to get are freedoms back like freedom to assambly, freedom to speak freely that’s why people come here not to be censored we all need to fouces on getting smarter and not repressing those that try to change things cause it is so clear that we as a people are not getting smarter but more lazy and the goverment would use this power to keep us down and not build us up which should be the main goal of everone in the world get smarter

  5. tec March 24, 2011 at 7:09 pm

    What you do not know is that they already have a kill switch for all Radio and TV. Its called the EAS system and it has no rules as to when it is activated. The president can activate it any time he wants and once activated it connects all TV and Radio channels both over the air and satellite and now cell phones to a audio broadcast from the white house.

    However most people think it will just be a short message. That’s true it can be however if you do not send the turn off command the system will stay active as long as they want it to stay active..

    This year the FCC will be testing the system for the first time ever.

    Look for a test message soon and you will see how the kill switch works.

    Perhaps now you will understand why they need a Internet kill switch. If they only kill or lock up your TV and satellite radio to the Obama radio channel you can just go to the net.

    They need the internet kill switch to be able to shut down all communications in the US at the push of a button.

%d bloggers like this: