Tangled Web Blog

The Internet Kill Switch Debate: Where Do You Stand?

Cybersecurity and cyber threats are part of our daily lives. Everyone has received some sort of malicious message or has (almost) clicked on a malicious site. Botnets are attacking banks and large corporations. Social engineering techniques are effectively stealing sensitive corporate information from employees who think they are doing good. It’s everywhere.

Most recently, vulnerabilities surrounding SCADA programs have played an increasing role in recognizing the potential dangers of utilizing the Internet for so many daily activities. Just think of Live Free or Die Hard…the fire sale attack. With so many things running on or controlled by the Internet, it’s no surprise people seem to lose sleep at night when they think of the panic that could be caused by someone taking advantage of core systems controlled over the Internet.

In the event of a national cybersecurity emergency, the Protecting Cyberspace as a National Asset Act (PCNAA) was proposed. This Act would enable the President to have authority over the Internet, essentially deciding which private sectors and government networks should be shut down in the event of a cyber attack. A recent amendment to the PCNAA states that the President cannot shut down a sector or network indefinitely, but rather can control it for 120 days, after which time Congressional approval is needed.

For some, this seems like a good idea in the making. For others, this could not be a worse idea.

The Good
Believe it or not, the President already has the authority to take over communications networks as needed, stated in the Communications Act, Section 706 (the Communications Act of 1934 was amended with the Telecommunications Act of 1996). Section 706, dubbed “War Emergency—Powers of the President,” enables the President to close any facility or station for wire communication and authorize the use of the facility or station by the federal government when presented with the threat of war. This can continue for up to six months after the threat expires, without Congressional approval.

With this existing authority in mind, Senator Joe Lieberman of Connecticut explained that his proposed PCNAA bill would enable the President to respond efficiently to the threat of a cyber attack in the 21st century with a precise defense. Additionally, according to a description of the PCNAA on Joe Lieberman’s website, the PCNAA would prevent the President from over-using the “broad authority” he has over communications networks in the current law.

The Bad
The initial proposal of this bill led many to believe it would enable the President to serve as some sort of “Internet overlord,” an idea that continues to cause discomfort and breed worry in the minds of many. As a post by Adam Cohen in TIME magazine points out:

“Imagine a President misusing this particular power: If the people are rising up against an unpopular Administration, the President could cool things down by shutting off a large swath of the Internet. He could target certain geographical regions (‘We’ve heard enough from New York and California for a while’). Or he could single out particular websites.”

But the biggest problem seems to be that no one really understands what the PCNAA would allow the President, and therefore the government, to do. As Cohen states, the Internet plays such an important role in our daily lives – be it expressing the freedom of speech or running a power grid – it’s a power that shouldn’t be handed over lightly.

The Poll
The Schwartz Security Practice recently conducted an informal poll across our security clients to gather their thoughts on the Internet kill switch debate. Not surprisingly, the majority of comments we received voted strongly against the existence of the Internet kill switch. Here are just a few thoughts:

Tom Kellermann, vice president of security awareness, Core Security Technologies, explained that “ISPs only currently voluntarily cooperate with shutting down malicious IP addresses and their C2s. There needs to be executive authority to thwart these technological attacks against the U.S. This is not a question of whether we should empower the government to turn off the internet, but instead, can the government civilize a hostile cyberspace?”

Paul Kocher, president and chief scientist, Cryptography Research, explained an Internet kill switch is not workable on either a technical or political level. He explained the equipment that drives the Internet is designed to be reliable, so creating a large-scale shut-down mechanism creates a host of problems. Some questions he proposed include:

How would the shut-down messages be broadcast (e.g., presumably “killed” equipment would no longer be forwarding these messages)? How would you test whether it worked? What would you do about existing equipment that doesn’t implement the kill switch?
How would you inform users about what’s happening? There isn’t any uniformly-supported method by which an ISP (or anyone else) can communicate with any network-connected device or end user. There isn’t a single language spoken by all users, and many embedded devices don’t even have a “user” in the normal sense of the word. Even if you created such a protocol, it’s not clear how you’d prevent the protocol from becoming abused or clogged with spam and advertisements.
Focusing specifically on the political side, who would control the switch and make decisions about when to use it? I’d recommend the following experiment to anybody in government considering a kill switch mandate: Get 10 large government agencies together and let them pick one agency that will control the “kill switch” for the other nine. They’ll never agree.

Anup Ghosh, founder & chief scientist, Invincea, explained that cooperation in the wild between organized communities is much more prevalent than previously thought. “These communities and major telcos monitor botnets and DDoS attacks so that when a DDoS attack occurs, the telcos cooperate fully to push back on the ISP, registrar or Autonomous System (AS) that is providing service to the offending DDoS hosts. In many cases, they will now support botnet sinkhole efforts to completely take down botnets. In other words, the private sector, along with organizations that monitor these things, is actually working together now to address these issues. So in reality, the potential for abuse probably outweighs any perceived risk of private entities not cooperating.” This echoes thoughts Cohen shared in his TIME magazine post.

Scott Cosby, vice president of products and operations, Invincea, stated “cutting off the internet would have a devastating effect on our country’s ability to function for government, industry and individuals. It strikes me that a more effective approach would be to prepare key defense organizations to function ‘off the grid,’ essentially backup and contingency planning to handle responses to a cyber attack. Flipping that type of switch would do more harm than a targeted attack.”

So where do you stand? Leave your comments below.