Currently pending before the US Congress, the proposed Cybersecurity Act of 2009 contains provisions that would give the US President power to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.”
In this context, ‘United States information system’ means any computing device in the US, not just those owned or contracted to the Federal government.
The concept that a political figure has an ability to exercise this kind of power is enough to take almost anyone’s breath away. The Internet has quickly become as important as any institution in the world when it comes to economic processes, flow of news and information, government and social wellbeing.
So much so that an attack on, or one projected through the Internet, can conceivably be staged on a scale as to seriously disturb national security or constitute an act of war. In such circumstances, I would have to agree that the President and government should have power to effectively respond to hostile acts and it would be unacceptable if they didn’t.
That said, it is important that any such use of powers to take control of the Internet, private or public networks, or associated hardware would have to be exercised carefully. Unintended and/or collateral damage to people and property is the most obvious risk of a clumsy exercise of power.
It is also possible that those launching a cyberattack may structure it in such a way as to invite a disproportionate or unintentionally damaging response. Here the government would look incredibly stupid by doing the cyberattackers’ work for them.
We also know very little about what would constitute effective action in the face of a concerted cyber-borne assault. The short history of cybersecurity reveals a chronic and recurring inability to deal with even the minor disruptions we have seen thus far, much less courses of action to follow in the event of what would inevitably be called a “Digital Pearl Harbor” or “Cyber 9/11.”
Any government faced with an event such as the electricity grid unable to provide power, payment networks going down, disruption of the air traffic control system, or widespread corruption of financial institution account records, would be overwhelmed by contradictory advice on the nature of the threat, how to combat it, and operational measures required to execute a chosen response. In short, all decisions and actions would take place in a fog-of-(cyber)-war atmosphere.
Finally, what checks and controls can we put in place to prevent abuse of cybersecurity powers? Wartime, or something similar, has a tendency to disorient Presidential moral bearings, often persuading them that liberty must be temporarily sacrificed to ensure its long term preservation.
For every Richard Nixon or Dick Cheney, history offers us an Abraham Lincoln, Woodrow Wilson, or Franklin Roosevelt abusing power in wartime, often with enthusiastic public consent.
I don’t today have answers to some of the questions I posed above, but these and others should be addressed as we think and act on how governments behave in combating hostile cyberactions launched against its citizens.
It’s not something we can rush into with little consideration, but we also dare not wait to be attacked to begin the process of defining what we expect from our government in the event of cyberdisasters—natural, human-made, or instigated by hostile forces.