Last summer, I wrote about a bill, proposed by Sen. Joe Lieberman, to provide an “Internet Kill Switch” that the President could use to disconnect US installations from the Internet in the event of a cyber attack on US infrastructure. Although that bill was approved by the Homeland Security and Governmental Affairs Committee, it died with the outgoing Congress. The “Threat Post” blog at Wired is now reporting that a very similar bill is about to be introduced again, this time sponsored by Sen. Susan Collins. There is perhaps a little irony in the timing, in view of the move by Egyptian authorities to cut off Internet access there in the wake of anti-government protests.
The actual bill has not been introduced at this point, so no one can say for sure what it contains. It seems clear, though, that it is intended to apply to both government and private-sector systems.
An aide to the Homeland Security committee described the bill as one that does not mandate the shuttering of the entire internet. Instead, it would authorize the president to demand turning off access to so-called “critical infrastructure” where necessary.
This seemed like a bad idea last summer, and I cannot see that it has improved any with age. Any responsible operator of an infrastructure system surely knows how it is connected (if it is) to the Internet, and how to break that connection if necessary. If the aim of the legislation is to allow the President to tell system operators that there is an emergency, and that they need to take action, I think he can do that now. If the aim is to put together some sort of controlling “meta system” that can shut off access, it is a really bad idea, for all the reasons that I outlined in that earlier post. It would introduce a single point of failure into a system that, at present, is fairly decentralized and resilient; and that failure point would be the biggest prize possible for an attacker.
Update Sunday, 30 January, 13:18 EST
Ars Technica has a post in “Law & Disorder” on how Egypt’s disconnection may have been done. It also points out the considerably greater complexity of the Internet infrastructure in the US.