Jan 312011

A lot of recent discussion has focused on the idea of the “Internet Kill Switch”, introduced as part of United States Senate bill S.3408 (PDF) Protecting Cyberspace as a National Asset Act of 2010″ in 2010, and its implications for a government-imposed blackout of the United States and its Internet communications as mandated by the President.

In particular, the ability of the Egyptian government to coerce backbone providers to essentially drop the country off the Internet, most likely through disabling of BGP associations has been interpreted as a frightening precedent for enabling the United States government to shut off dissent.

The Telecommunications Act of 1934 (full text here) already gives the President very broad powers over communications infrastructure in cases of “war or emergency” (Sec. 606).  This act, while obviously focused on radio communication, does not specify the communications medium.  Sec. 606(a) and (c) specifically pretty much specify that, in case of war or emergency, the President can effectively do as he sees fit with American communications infrastructure.  No distinction is made between private and government communications.

I had a look at S.3408. As far as I can tell, it establishes a directory of “Cyberspace Policy” which basically oversees most US non-military resources.

Most of it seems eminently reasonable (e.g. advising the President on security issues, coming up with risk management and incident response methods, helping to coordinate development and implementation of standards, making sure one hand knows what the other is doing, etc.)  The law also defines the responsibilities of US-CERT, which already exists.

Where it gets a bit weird is Sec. 244(g)(1) – I may be misinterpreting this, but says that the Director of US-CERT can obtain “any…information…relevant to the security of…the national information infrastructure necessary to carry out the duties, responsibilities, and authorities under this subtitle” (editing is non-destructive, i.e. I tried to not change the meaning of the phrase.) It’s very ambiguous, and implies to me a seeming total lack of control over what information (including confidential, personal data) the Director can access from anyone, anywhere. The bill does specify data protection/privacy requirements, but these appear to be often unclearly worded (a lot of use of subjective wording like “as necessary” or “reasonable”).

Sec. 248 seems very sensible (i.e. cooperate with other agencies, private companies, and foreign governments when dealing with vulnerabilities and attacks, but in terms of “recommendations”). 248(b)(2)(C) basically seems to say “come up with a plan in case shit gets real”. Fair enough.

Sec. 249 “National Cyber Emergencies” is where I assume the problem lies.  The Director, when the President declares this, can require owners of “critical infrastructure” that’s covered by 248(b)(2)(C) to take emergency measures that are the “least disruptive means feasible”. Such emergencies have a 30 day runtime, but seem to be extendable indefinitely. “Critical infrastructure” is defined as relating to section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)) — i.e.

the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

On the other hand, Sec. 3 (14) refers to “Federal information infrastructure”, Department of Defense systems, “national security systems”, and “national information infrastructure”:

(A)(i) that is owned, operated, or con trolled within or from the United States; or

(ii) if located outside the United States, the disruption of which could result in national or regional catastrophic damage in the United States; and

(B) that is not owned, operated, controlled, or licensed for use by a Federal agency.

This is extremely vague, and despite the reference to the USA PATRIOT Act definition above, no information is provided as to who defines this.  Good luck getting AT&T staff in Germany to shut off lines when ordered to by headquarters.  Similarly, under the above definition, the Zambian national Cobalt Thorium G mining corporation’s email servers could be construed to fall under (B).  Talking Points Memo had an interesting run-down on the “Kill Switch” issue, but unfortunately glossed over the aspect of defining what is covered.

The rest of the bill deals with definitions of agency responsibilities, mainly on how to secure government information infrastructure and information.

Interestingly, S.3408 also spends a lot of time discussing the responsibilities of US-CERT and the Director of Cyberspace Policy with regards to risk management, communication (e.g. ensuring that the left hand knows what the right hand is doing), establishment and application of standards, vulnerability and threat response, and generally things that the industry has been screaming about for years.  The Russian Federation, Chinese People’s Liberation Army, and Israel, among others, have established significant information warfare capabilities, variously specializing in sabotage, espionage, denial of service, and other aspects.

The United States, by comparison, maintains the National Security Agency, US-CERT and numerous public-private partnerships, various military units specialized in “cyberwarfare”, and branches of several government agencies for preventative, offensive, and defensive operations.  Coordination among these makes sense, especially if it involves single points of contact and distribution for vulnerability and threat information (beyond the Dept. of Homeland Security‘s asinine “color” threat scheme (which is being discontinued in any case.)

The idea of any government being able to “shut down” communications is arbitrarily egregious, but that’s a political, ideological concern.  However, on a purely practical level, I don’t see it as feasible for the United States to do so.

Ars Technica has a discussion about the “hows” of disconnecting a country.  They make a good point:

Like in Egypt, in Europe almost all interconnection happens in the capitals of the countries involved. Not so in the US: because the country is so large, and traffic volumes are so high, large networks may interconnect in as many as 20 cities. Numerous intercontinental sea cables land in the Boston, New York, Washington DC, Miami, Los Angeles, and Seattle regions. So in Egypt or many medium-sized countries, killing the connections between ISPs wouldn’t be too hard. In the US, this would be quite difficult.

Likewise, DNS is out due to the distributed nature of root servers.

More importantly, though, Constitutional issues aside, the U.S. is simply too distributed.  Too many commercial interests are involved (shut down the NYSE’s connectivity, and Goldman Sachs bankers will show up on the White House lawn with shotguns), U.S. law enforcement and regulatory bodies are too decentralized to reliably be able to enforce a shutdown at an ISP level as what happened in Egypt.

Read the bill, draw your own conclusions, but don’t panic-monger.

 Posted by at 2:23 pm