ProjectCyW-D

Last week, Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) introduced the Cyber Security Awareness Act of 2011(S.813). Senator Whitehouse explained the need for the bill:

“[W]e as a nation remain woefully unaware of the risks that cyber attacks pose to our economy, our national security, and our privacy. This problem is caused in large part by the fact that cyber threat information ordinarily is classified when it is gathered by the government or held as proprietary when collected by a company that has been attacked. As a result, Americans do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on our businesses and the jobs they create, or the scale of the attacks undertaken by foreign agents against American interests.”

To remedy this problem, the proposed legislation would require the Department of Homeland Security and the Department of Defense each to submit annual reports to Congress providing statistics about the number of cyberattacks against computers in the .gov and .mil domains, as well as the estimated costs of those attacks. The legislation also calls for annual reports from the Department of Justice and FBI about the numbers of cybercrime investigations, prosecutions, and convictions. Finally, it calls for reports on cyber vulnerabilities and proposed responses from regulators of critical infrastructure, as well as the financial industry.

I have written extensively in the past about the poor quality of public policy discourse on the issue of cybersecurity in the United States. Three issues in particular have been of concern: 1) the lack of clear definitions of key terms and problems, 2) the inconsistent use and quality of evidence backing claims of serious cyber threats, and 3) the lack of transparency by both government and industry. Thus, while I appreciate the Senators’ attempts to address the transparency issue, I am not convinced that greater transparency is truly achievable without addressing the first two concerns, which are not addressed by the proposed legislation.

First, key terms will remain undefined. The bill calls for reports to Congress from DHS and DOD about cyber “intrusions,” “breaches,” “incidents,” and “sabotage.” But it is not entirely clear what those terms (and others) actually mean. Each reporting agency could define them in a different way, making it difficult to compare results across reports and agencies. This will make it difficult to get the kind of overarching view of cybersecurity threats that the Senators claim (correctly) is badly needed.

Second, the annual timeframe of the reporting requirement will exacerbate this problem. Most reports will only be made to Congress once per year. But in the arena of quickly evolving cyber threats, this time scale is too long. While yearly or quarterly summary reports should be required, more frequent, near real-time reporting that is available on the Web should also be required.

Third, Web availability of reporting raises the question of to what degree the reports mandated by this legislation actually serve to increase public awareness. All mandated reports will be to Congress and not directly to the public. If the goal is “public awareness,” then there should be some mechanism for getting this information directly to the public in a form that is understandable and useful. In short, if the concern is public awareness of fast-moving cyber threats at a time when “open government” is supposed to be a priority, annual written reports directly to Congress with no public-facing Web component are inadequate.

Fourth, the work of generating reports meant to raise public awareness is set to occur before or co-occurent with efforts to assess “impediments to public awareness” (sec. 10). This raises two problems. One is that there is no mechanism in the legislation for the results of that assessment to shape future public awareness campaigns. The other is that there is no mandate to assess what the public currently does and does not know about cybersecurity. Ideally, current public awareness should be assessed first and then a plan created for overcoming impediments and addressing gaps in awareness. At minimum, there should be a mechanism by which reporting requirements can be changed based on the results of an assessment of public awareness and related impediments.

Fifth, in each case, reporting requirements include the option of submitting “a classified annex as necessary to protect sources, methods, proprietary or sensitive business information, and national security.” While it is understandable that some information must remain classified, it is not clear how this legislation will guard against the well-known tendency towards over-classification, which is a key cause of poor public awareness of cyber threats in the first place.

Finally, another contributor to poor public awareness (and, hence, poor public discourse on cybersecurity) is the way in which evidence is deployed (or not) in support of claims made about cyber threats and vulnerabilities. There are too many claims made that are insufficiently supported with adequate evidence (see my previous posts linked above). The proposed legislation does nothing to address that problem. For example, it asks for “estimated costs for remedying the breaches” from both DHS and DOD. But how will Congress and the public be certain about the accuracy of these estimates or the data and methods used to calculate them? Add in the lack of agreed definitions and there is a very real possibility that instead of meaningfully increasing public awareness, these reports will merely serve as one more vehicle for reporting agencies to pad their own budget requests.

In conclusion, while the spirit of the Senators’ legislation is to be applauded, it is not clear that it will actually solve the problem it seeks to address. What’s more, if problems of definition, over-classification, and questionable use of evidence are not adequately addressed, the legislation could actually serve to further undermine public awareness instead of improving it.

The Egyptian government’s recent cutting of all Internet traffic in and out of the country in response to ongoing protests calling for the resignation of President Hosni Mubarak has garnered a great deal of international attention and condemnation. One result has been a renewed debate in the United States about the possibility of creating a so-called Internet “kill switch.”

The kill switch is associated with S.3480, The Protecting Cyberspace as a National Asset Act [PDF], which is co-sponsored by Senator Joseph Lieberman (I-CT), Senator Susan Collins (R-ME), and Senator Tom Carper (D-DE). The bill, which was first introduced in June 2010, has come under fire for supposedly giving the President the ability to do what Egypt did last week–i.e. cut off the nation’s connection to the rest of the Internet during a time of crisis. But does it really? It’s hard to say. And therein lies the problem.

In a statement released this week, Senators Lieberman, Collins, and Carper explain

The steps the Mubarak government took last week to shut down Internet communications in Egypt were, and are, totally wrong. His actions were clearly designed to limit internal criticisms of his government. Our cybersecurity legislation is intended to protect the U.S. from external cyber attacks. Yet, some have suggested that our legislation would empower the President to deny U.S. citizens access to the Internet. Nothing could be further from the truth.

We would never sign on to legislation that authorized the President, or anyone else, to shut down the Internet. Emergency or no, the exercise of such broad authority would be an affront to our Constitution.

The remainder of their press release provides more detail about how their proposed legislation, in its current form, would not allow the President to do what Mubarak did in Egypt. They end by saying that they “will ensure that any legislation that moves in this Congress contains explicit language prohibiting the President from doing what President Mubarak did.”

On the surface, this all sounds very reassuring. But when confronted with similar concerns about the granting of “kill switch” authority to the President in S.3480, Senator Lieberman’s description of the powers that his legislation would grant the President sounds very much like what we have witnessed in Egypt. In an interview with Senator Lieberman on June 20, 2010, CNN’s Candy Crowley said,

First of all, you have an Internet bill, it has been called the “kill switch bill” that would allow the president to seize control or shut down portions of the Internet if the U.S. was under some sort of cyber attack. […] [T]here are a lot of people out there who think that what you are granting the president is absolute power to shut down freedom of speech.

Senator Lieberman responded by saying, “No way, and total misinformation.” But then he went on to clarify, saying

We need the capacity for the president to say, Internet service provider, we’ve got to disconnect the American Internet from all traffic coming in from another foreign country… Right now, China, the government, can disconnect parts of its Internet in a case of war. We need to have that here, too.

Disconnecting the American Internet sounds very much like what we have just seen in Egypt. Senator Lieberman’s comments could be read as indicating that he is not talking about a total shutdown of the Internet, only the blocking of traffic from select foreign countries. But it is not entirely clear.

Invoking China, a government known to engage in filtering and censoring of the Internet on a massive scale, to justify his argument has only added to the controversy. Only months earlier, Secretary of State Hilary Clinton had criticized China for its restrictions on Internet freedom.

This week’s response by Senators Lieberman, Collins, and Carper only seems to add to the confusion over what powers over the Internet they intend for their bill to give the President.

Finally, the Bureau of Reclamation has recently fired back, claiming that one of the main cyber-doom scenarios being used by promoters of S.3480–i.e. that hackers could open the floodgates on the Hoover Dam, killing thousands–is impossible.

So is there an “Internet kill switch” buried in the Lieberman, Collins, Carper cybersecurity bill? It is still not entirely clear. The seeming contradictions in the statements made by the sponsors of the bill can cause one to question the veracity of those statements, whether the sponsors themselves really understand what powers their bill would grant the President, or both. Add in the fact that Senator Lieberman has identified China as a model for U.S. cybersecurity policy on top of using dubious cyber-doom scenarios to encourage support for their bill, and one wonders if Senators Lieberman, Collins, and Carper can be relied upon to deliver meaningful cybersecurity legislation that balances protection of critical infrastructures and the protection of Americans’ own Internet freedoms.