Re: LiebIerman bill lets president take emergency control of the Internet

[David Farber <dave () farber net>]

Begin forwarded message:

From: Stewart Baker <stewart.baker () gmail com>
Date: June 12, 2010 9:55:19 PM EDT
To: dave () farber net
Cc: Declan McCullagh <declan () well com>
Subject: Re: [IP] LiebIerman bill lets president take emergency control of the Internet

Dave,

I just noticed that Declan asked for my intervention on the question
of the Lieberman-Collins bill to deal with cybersecurity risks.
That's rare, but welcome, so two thoughts:

On one technical but important point, Declan has let his libertarian
instincts run away with his imagination.  The bill doesn't impose
obligations, even in an emergency, on "any company for which the
telephone system or Internet is 'essential.'" The bill applies to a
relatively limited set of critical facilities and to the information
infrastructure on which they depend.  So, if operators of our power
grid are dumb enough to be relying on the Internet and Window XP, then
the authority to order emergency measures would apply to the providers
of electric power, to their ISPs, and to Microsoft.  But other users
of the Internet, including Declan and Cnet, can tweet till the cows
come home, and neither they nor Twitter will ever be part of the
covered infrastructure.  Nor will they be subject to the emergency
authority.

Finally, the bill does not make anything illegal, breathing included.
It provides for the President to take emergency action if foreign
governments or organized crime attack networks that are essential to
our lives.  Is there anyone with an ounce of technical savvy who
thinks such an attack is impossible?  I've written a book, Skating on
Stilts, about the ways in which new, much-loved technologies create
new vulnerabilities in our society.
http://www.amazon.com/Skating-Stilts-Tomorrows-Terrorism-PUBLICATION/dp/0817911545/ref=sr_1_13?ie=UTF8&s=books&qid=1276392876&sr=1-13
Just the unclassified capabilities of criminals is enough to give rise
to concerns about the future of our networked economy, and no private
companies are even trying to establish networks that are proof against
attack by a determined, sophisticated nation-state.

So an attack is possible, maybe even likely.  Well, then, who's going
to take action to defend against it?  The Cato Institute?
TechAmerica?

As I said in a recent post elsewhere, if you like the BP oil spill,
you'll love cyberwar.
http://www.skatingonstilts.com/skating-on-stilts/2010/05/if-you-like-the-bp-oil-spill-youre-going-to-love-cyberwar.html
As the BP spill shows, companies are quite capable of creating
catastrophes well beyond their ability to remedy, and we have to plan
for that possibility.  The President needs the authority to coordinate
and prioritize the nation's response to an attack on our computer
networks.  Otherwise, we'll look as helpless as the President looks
today in response to the BP spill.  Except he won't be looking
helplessly at tarballs on the beach; in a worst-case emergency, he
might be looking helplessly at a country that lacks power, working
phones, and maybe even a reliable financial system.

So, if you like how Declan and the Cato Institute have solved the BP
crisis,you really are going to love their solution for a cyber attack.
Otherwise, the Lieberman-Collins bill looks like our best bet.

Stewart

PS  I'm in the process of releasing Skating on Stilts free, chapter by
chapter, under a Creative Commons license.  I'll be posting the
chapters over the next few weeks on www.skatingonstilts.com.



On 6/11/10, Dave Farber <dfarber () me com> wrote:
> Begin forwarded message:
>
> > From: Declan McCullagh <declan () well com>
> > Date: June 11, 2010 1:01:47 PM EDT
> > To: Dave Farber <dave () farber net>
> > Subject: Lieberman bill lets president take emergency control of the
> > Internet
>
> > Dave,
> >
> > IPers might be interested in the bill that Sen. Lieberman introduced
> > yesterday:
> > http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=4ee63497-ca5b-4a4b-9bba-04b7f4cb0123
> >
> > Here's an excerpt from my writeup:
> >
> > http://news.cnet.com/8301-13578_3-20007418-38.html
> > > A new U.S. Senate bill would grant the president far-reaching emergency
> > > powers to seize control of or even shut down portions of the Internet.
> > > The legislation announced Thursday says that companies such as broadband
> > > providers, search engines, or software firms that the government selects
> > > "shall immediately comply with any emergency measure or action developed"
> > > by the Department of Homeland Security. Anyone failing to comply would be
> > > fined.
> >
> > The most interesting section starts around page 76. After the president
> > declares a "cyber emergency," then "the owner or operator of covered
> > critical infrastructure shall immediately comply with any emergency
> > measure or action developed by the Director under this section during the
> > pendency of any declaration by the President under subsection (a)(1) or an
> > extension under subsection (b)(2)."
> >
> > The definitions are intriguing. A "covered critical infrastructure" is a
> > system or asset that is on a DHS list and "for which the national
> > information infrastructure (NII) is essential to the reliable operation of
> > the system or asset." NII is defined as "information infrastructure" (II)
> > "that is owned, operated, or controlled within or from the United States."
> > II is defined as the "framework that information systems" use to transmit
> > information, including "electronic devices" and "software."
> >
> > So translated, any company for which the telephone system or Internet is
> > "essential" can be ordered by DHS to do anything the department wants,
> > with warrantless wiretapping as the sole exception. There is no other
> > limit to this power, no appeal process, and no judicial review. (How many
> > companies would *not* fit into this elastic definition? Wouldn't your IP
> > list qualify too?)
> >
> > Now, I'm sure that DHS's defenders (Stewart Baker, are you reading this?)
> > will say that we should trust the department and that it would not misuse
> > this near-absolute authority. And they have a point. But that's a little
> > like making it illegal to breathe and then trusting prosecutorial
> > discretion to only put truly bad guys in prison. :)
> >
> > -Declan
>
>
>
> -------------------------------------------
> Archives: https://www.listbox.com/member/archive/247/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com


-- 
Stewart Baker
o: 202-429-6402
c: 202-641-8670




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com