No Internet Kill Switch is No Guarantee

Sunday, June 13, 2010

Anthony M. Freed


In continued efforts to centralize cybersecurity authority, more than 40 bills have been introduced that will dramatically alter the balance of power between the government and the private sector when it comes to a crisis situation.

One such legislative proposal, the Protecting Cyberspace as a National Asset Act of 2010, sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), will shift the responsibility for federal agency cybersecurity from the Office of Management and Budget (OMB) to the Department of Homeland Security (DHS) by creating a new office called the National Center for Cybersecurity and Communications (NCCC), as outlined in a draft obtained by Federal News Radio.

The bill will also create a White House Office of Cyberspace Policy, which will be headed by a director-level position requiring Congressional confirmation. 

Previously, proposed legislation had included language that would give the President authority to effectively throw a "kill switch" to limit civilian access to the internet during a national security event to preserve critical communications and infrastructure functionality.

Though the contested language has been removed from more recent versions, the bill still clearly gives the executive branch ultimate authority over who, what, where, when and why the internet is used during a national crisis.

As stated in the FNR article, "the bill also gives the President the ability to declare a national cyber emergency if attacks on specific types of critical infrastructure would cause a national or regional disaster. The President would have to notify Congress of the emergency, why the existing security measures are deficient and what new things must be done to secure the networks. The President would then require the director of the NCCC to issue emergency measures that would last only 30 days."

The article goes on to say that "this would be used only in the most extreme circumstances and DHS or the White House would not be able to shut down private sector networks."

This seems to indicate no more than a semantic win for the private sector, and in reality means very little with regard to the ability to effectively design and implement disaster recovery and business continuity strategies.

So private networks will not be "shut down," but does that guarantee there will be available bandwidth?

The explosive growth in virtualization, remote access, and telecommuting has already had a major impact on the development of enterprise business continuity plans, as witnessed during the H1N1 "swine flu" threat, when the majority of organizations simply planned to have employees stay home and work remotely where possible.

Given the nature of the proposed legislation, it seems that business continuity plans based on unfettered access to the internet and other communication technologies are not only short-sighted, but more or less nullified.

It is likely that we will see something akin to the "rolling brownouts" employed when electricity demand exceeds the grid's ability to deliver enough power. An "Internet Brownout" will not shut down private access to the web, but it might make your high speed broadband connection look like dial-up service from the early 1990s, and that is not pretty.

Combine this lack of access to sufficient bandwidth with a dramatic increase in the number of users trying to reach their corporate networks, and the result will effectively be no different than if the "kill switch" mechanism were in place.

If your organization's functional continuity relies on access to the web, you might want to reevaluate the likelihood that the internet will be available when you need it most, despite lawmakers' recent assurances.

Theresa Payton: Great points, especially regarding an internet brownout.

David Dennis: Great points to consider, but we need to consider the definition of "private networks" as well as the nature of a potential "cyber national security event". Do private networks include home users? How might they be able to tell the difference between my kids watching Hulu and me using a VPN into work?

And something security specialists should naturally think about but don't often think through: What is the chance that cyber attacks won't originate (at least in part) from private networks? How willingly would people (or national leadership) accept quarantining parts of the Internet if attacks originated from NASDAQ or a Visa clearinghouse?
Anthony M. Freed: Great points; somewhere in those forty-plus bills may be the answer.

But as is usually the case with legislation, the real impact cannot be determined until after implementation; then they go back and try to clean up the mess they made.

Only the lobbyists and lawyers know. Congress may pass laws, but that does not mean they took the time to read them.