I just read an extremely interesting Web posting at http://news.cnet.com/8301-13578_3-10320096-38.html. A bill (S.773) in the US Senate would give the US President the ability to take control of the Internet if a cybersecurity emergency were to occur. Specially, the bill proposes that the President be given the authority to declare a cybersecurity emergency and to do whatever may be necessary to deal with it. The President could, for example, order that commercial arena computers be disconnected from the Internet.
As one would expect, this bill has already understandingly elicited negative reactions on the part of civil libertarians as well as Internet interest groups and organizations. The idea of the US government, which has a “big brother” image among a fair percentage of the US population, having the authority to disrupt commercial entities’ Internet connections has some fairly frightening potential repercussions. Think, for example, what happened when the well known distributed denial of service (DDoS) attacks against companies such as eTrade, eBay, ZDNet, and Amazon occurred in February of 2000. Loss estimates went as high as $20 million, even though the disruption lasted no more than just a few hours. Think of the potential damage to the US economy if the commercial sector’s connections to the internet were severed for, say, a day or two because the President declared an emergency.
Ironically, the US government (through DARPA) created the Internet, and yet this entity to which it gave birth has turned against its creator in the form of one attack after another against US government computers over decades. To say that the government is winning the war against cyberattackers is laughable; to say that the gap between risk and mitigated risk in government computing environments has been unacceptably large and growing every year is, in contrast, completely credible. The US government is going to somehow come to grips with the real nature of the Internet and the risks that the Internet creates. In a way, S.773 seems to show that at least someone in the US government is trying to get a grip on these issues. Bedlam and anarchy, best friends to cyberattackers, characterize the Internet. Having the ability to take control of the Internet under extreme circumstances is clearly in the best interest of the US; it could, for instance, help thwart massive DDoS attacks designed to render US government computers and networks inoperable.
BUT—because the Internet is such a diverse entity, is it really possible for one person or organization to achieve the level of control necessary to stave off a cybersecurity catastrophe? I honestly doubt it. In my mind this is a much more fundamental issue than the idea of the US government having the ability to disconnect the private sector for the Internet. So even if S.773 passes in the Senate, a similar version of this bill is drafted and passes in the House, and ultimately President Obama signs it, I honestly do not believe that the legislation would make as much difference as those opposed to S.773 would have us to believe.
And just one more thing—some individuals who praised the PATRIOT Act are now crying bloody murder over the proposed provisions of S.773. This makes absolutely no sense to me. The PATRIOT Act gives law enforcement an incredible amount of power, more than ever before in the US. All S.773 would do is give the President the ability to declare and react to a cybersecurity emergency. But given that a large percentage of the US population is functionally illiterate and doesn’t even know that the US Bill of Rights guarantees freedom of speech and religion or when the American Civil War was fought, I guess the inconsistency in the reactions to the PATRIOT Act and S.773 is understandable.