For the past decade, the federal government has been moving to gain effective control over the internet. Now, thanks to legislation just crafted by Sen. Joseph Lieberman of Connecticut, the government may finally realize its goal of being able to control virtually all aspects of the vast internet, including private internet systems.
The decade-long process began in earnest in 2001, when the Bush Administration secured passage of legislation giving it jurisdiction to prosecute computer hackers anywhere in the world if the packets of information travelled through a U.S. computer or router and affected a “federal interest computer.”
Then, in 2006, the Senate voted to ratify the Cybercrime Treaty that essentially internationalized all “cybercrimes,” so that crimes committed in any country that is a signatory to the treaty can be investigated by any other signatory country. The treaty contains extremely broad definitions of “cybercrime” with no meaningful privacy protections.
Two years later, during his last year in office, President George W. Bush signed an executive order centralizing in the National Security Agency (NSA) the power to monitor the computer networks of all federal agencies. As a result of this non-legislative initiative, federal law enforcement and intelligence agencies were empowered to monitor even private, domestic networks if they suspected unauthorized intrusions.
Shortly after taking office in January 2009, President Barrack Obama sought and obtained significantly increased funding for federal cybersecurity activities. Also in 2009, the administration created a cybersecurity office in the White House, and a new military command dedicated to cybersecurity in the Defense Department. Problems continue to plague the government’s efforts to protect government cyber systems against intrusions, however, based largely on technical difficulties and privacy concerns.
Undaunted, the Congress for the past year has been toying with legislation to protect the government’s vast cyber-systems, but which at the same time would grant the president and the Department of Commerce in particular, vast and virtually unfettered power to commandeer even private computer network systems under the vague notion of a potential cyber-threat. None of these bills has gained sufficient traction to pass either house of the Congress. Lieberman hopes his latest attempt, encumbered by the unwieldy title, the “Protecting Cyberspace as a National Asset Act” (“PCNAA”), will break that losing streak.
PCNAA would greatly expand the federal cybersecurity bureaucracy, this time largely within the Department of Homeland Security. In particular, a new National Center for Cybersecurity and Communications (NCCC), would gain power to issue enforceable commands to any private company that “relies” on the internet. Any internet traffic or private internet system could be shut down under emergency powers granted in the legislation. These powers could be exercised if the government determines there is a vaguely-defined “incident” that even “potentially jeopardizes” any internet or communications network.
Federal interference in the private sector would not be limited to “emergencies.” As noted, for example, by privacy expert Declan McCullagh in a recent article, the NCCC would be able to monitor the “security status” of private websites and internet systems.
Anticipating industry opposition to the legislation, the draft bill makes a significant effort to essentially buy-off private-sector opposition, by granting immunity from civil lawsuits to companies that might commit costly errors or harm customers as a result of complying with government directives under the legislation. As another indirect inducement to gain industry support, Lieberman’s bill makes clear that federal agencies will be making massive new purchases of products to enhance the security of their cyber systems.
Protecting government computers and internet systems from hackers and other external threats is a critically important responsibility of governments at all levels. However, using that responsibility to gain control over private cyber systems is neither warranted nor necessary. In fact, by thus overreaching, the government may be delaying and hampering its efforts to protect the very government systems over which it should be concerned.