Risk
6/24/2010
02:27 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Senators Say Cybersecurity Bill Has No 'Kill Switch'

The bill narrows existing broad Presidential authority to take over telecommunications networks according to the lead sponsors of the bill.

Two co-sponsors of a prominent cybersecurity bill were forced Thursday to defend their bill against allegations that their bill would give the President broad authorities to take over or even shut down the Internet.

Sens. Joseph Lieberman, I-Conn., and Susan Collins, R-Maine, who along with Sen. Thomas Carper, D-Del., are the lead sponsors of the Protecting Cyberspace as a National Asset Act, issued a fact sheet saying that, in fact, the bill narrows existing broad Presidential authority to take over telecommunications networks.

The bill, introduced earlier this month and being marked up by the Senate homeland security and government affairs committee on Thursday, is one of the most prominent of dozens of cybersecurity bills on Capitol Hill.

The bill isn't likely to make it into law in its current form, as Senate majority leader Harry Reid, D-Nev., has indicated that there will be a process to merge bills -- including another prominent bill by Sens. Jay Rockefeller, D-W.Va., and Olympia Snow, R-Maine -- into something more comprehensive. In addition, it has to be merged with whatever comes out of the House of Representatives.

However, it is likely to play a big part in whatever final legislation makes it to the Senate floor. Thus, language in the bill such as that giving the Department of Homeland Security power to compel Internet firms to "comply with an emergency measure or action" it decides to take, has raised a few eyebrows, including from technology industry group TechAmerica and the Center for Democracy and Technology.

"America's technology companies are concerned about the unintended consequences that would result from the legislation's regulatory approach," TechAmerica President and CEO Phil Bond said in a statement earlier this month. "We are continuing to evaluate the emergency powers in the bill to make sure they provide for coordination with industry at every step and to mitigate the potential for absolute power."

In their fact sheet, Lieberman and Collins note that a law already on the books, the Communications Act of 1934 (as modified in the 1990s), empowers the President to close "any facility or station for wire communication," effectively allowing him to shut down the Internet if necessary.

In contrast, Lieberman and Collins say, their legislation would not give the government power to "take over" critical infrastructure, and would instead give the President power to respond to a major cyber attack on critical infrastructure in a "precise, targeted and focused way."

The authority would be limited to 30-day increments, critical infrastructure owners and operators could propose alternative security measures, and the President is required to use the "least disruptive means feasible" to respond to the cyber threat.

In addition, the fact sheet says, such intervention could only occur in the event of a national or regional catastrophe, where an attack could cause "mass casualties, severe economic consequences, mass evacuations or severe degradation of national security capabilities."

Regardless of the fuss, some language about Presidential powers will likely be included in any final bill. Speaking on a panel discussion at a cybersecurity event earlier this week, Senate commerce, science and transportation committee staffer Jacob Olcott, whose committee passed the Rockefeller-Snowe legislation onto the full Senate earlier this year, said that there's broad agreement some sort of related language should be there.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.