Bruce Schneier has an interesting essay up on his blog, “Schneier on Security”, about a bill introduced in the US Senate by Sen. Joe Lieberman, the “Protecting Cyberspace as a National Asset Act”, S.3480. The bill has sometimes been described as providing for an “Internet Kill Switch” that could be used by the President in the event of a cyber-attack on US infrastructure. More specifically, what it seems to do is:
- Provide for identification of critical network infrastructure components
- Require an emergency plan to be prepared to deal with attacks against these components
- Give the President the authority to declare an emergency which would activate these plans
Presumably, part of these plans would involve disallowing access to or from certain portions of the Internet.
Schneier discusses several reasons (really, underlying false assumptions) why this is a bad idea:
- It is not possible to draw a line that separates the US portion of the Internet from everything else.
- The effects of a selective shutdown would be almost impossible to predict (and how could they possibly be tested?).
- It’s using an atomic bomb to kill a canary. The Good Guys who use the Internet would probably be hurt as much as, or more than, the perpetrators of any attack
But I think his other objection (it’s number 3 in his list) actually is the most compelling. We can’t do something like this securely.
Take a step back, and ask yourself what an attacker would be aiming to do. Presumably, it would be to cause disruption of those activities and services that depend on the Internet for communications. So we should build a system designed to selectively disrupt Internet communications in order to protect ourselves? That system, if it were built, would instantly become the biggest, juiciest hacking target in the world, from the perspective of the Bad Guys. And, given time and effort, they would find a way to break in. No one has ever constructed a totally-secure computer system, and I don’t expect that to change any time soon.
The diversity of the Internet as it exists today, and the fact that it has no central control, are good things from a security perspective, just as diversity leads to more robust biological systems.