The Protecting Cyberspace as a National Asset Act of 2010 – introduced June 10 by Sens. Joe Lieberman, I-Conn.; Susan Collins, R-Maine; and Tom Carper, D-Del – is intended to strengthen and coordinate the security of federal civilian and critical infrastructure networks. The Senate Homeland Security and Governmental Affairs Committee unanimously approved an amended version of the bill by voice vote. Next, the bill will move to the full Senate floor for consideration.
Among the many provisions included in the nearly 200-page bill is one that would allow the president to authorize emergency measures to protect public or private critical infrastructure in the event or imminent threat of a cyber vulnerability, according to a summary of the legislation. The bill would not authorize the use of any new surveillance mechanisms or allow the government to take control of private networks.
Critics of the bill say it will give the government too much power, particularly giving the president a so-called “kill switch” to shut down the internet.
“While the bill makes it clear that it does not authorize electronic surveillance beyond that authorized in current law, we are concerned that the emergency actions that could be compelled could include shutting down or limiting internet communications that might be carried over covered critical infrastructure systems,” according to a letter sent Wednesday by the American Civil Liberties Union, Center for Democracy and Technology and 22 other groups to Lieberman and other lawmakers.
However, the president already has broad authority in current law to take over communications networks, according to a fact sheet about the bill issued by Lieberman and Collins on Wednesday. This legislation would actually make it “far less likely” for a president to use that power, lawmakers in support of the legislation argue.
The Communications Act of 1934 provides “nearly unchecked authority to the president" to close any wire communication facility or station, Lieberman and Collins said. The president requires no advance notification to Congress to exercise this authority, which can extend for up to six months after the “state or threat of war” has expired.
“[The cybersecurity bill] would bring presidential authority to respond to a major cyberattack into the 21st century by providing a precise, targeted and focused way for the president to defend our most sensitive infrastructure,” states the fact sheet from Lieberman and Collins.
Under the legislation, the president's authority would be limited to 30-day increments and may be extended beyond 120 total days only with Congressional approval. In addition, the president must use the “least disruptive means feasible” to respond to the threat, the bill states. Also, the authority does not authorize the government to “take over” critical infrastructure.
Proponents of the bill, meanwhile, say it is a much needed step forward.
The proposed law would implement changes to the Federal Information Security Management Act (FISMA) to update the way agencies protect their networks and systems.
Agencies currently waste billions of dollars paying for FISMA reports that are out of date and have no effect on reducing security vulnerabilities, Alan Paller, director of research at the SANS Institute, said in his testimony before the Senate Homeland Security and Governmental Affairs Committee last week. The bill presses agencies to instead focus their spending on continuous monitoring and risk reduction, he said.
Paller also commended provisions of the bill that would require the development of a supply chain risk management strategy to address vulnerabilities in technology implemented by the federal government. He also said the regulatory framework and emergency measures established for the critical infrastructure is “long overdue.”
Mark Bregman, executive vice president and chief technology officer at Symantec, said in a statement that the bill is a very strong step forward.
“The bill encompasses key elements for ensuring the protection of our nation's critical infrastructure by emphasizing the need for early warning capability, continuous real-time monitoring processes, and modernizing FISMA,” he said.