Should President Obama have the power to shut down domestic Internet traffic during a state of emergency?
Senators John Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) think so. On Wednesday they introduced a bill to establish the Office of the National Cybersecurity Advisor—an arm of the executive branch that would have vast power to monitor and control Internet traffic to protect against threats to critical cyber infrastructure. That broad power is rattling some civil libertarians.
The Cybersecurity Act of 2009 gives the president the ability to "declare a cybersecurity emergency" and shut down or limit Internet traffic in any "critical" information network "in the interest of national security." The bill does not define a critical information network or a cybersecurity emergency. That definition would be left to the president.
The bill does more than add to the power of the president. It also grants the Secretary of Commerce "access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access." This means he or she can monitor or access any data on private or public networks without regard to privacy laws.
Rockefeller made cybersecurity one of his key issues as a member of the Senate intelligence committee, which he chaired until last year. He now heads the Committee on Commerce, Science and Transportation, which will take up this bill.
"We must protect our critical infrastructure at all costs—from our water to our electricity, to banking, traffic lights and electronic health records—the list goes on," Rockefeller said in a statement. Snowe echoed her colleague, saying, "if we fail to take swift action, we, regrettably, risk a cyber-Katrina."
But the wide powers outlined in the Rockefeller-Snowe legislation have at least one Internet advocacy group worried. "The cybersecurity threat is real," says Leslie Harris, head of the Center for Democracy and Technology (CDT), "but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."
The bill could undermine the Electronic Communications Privacy Act (ECPA), says CDT senior counsel Greg Nojeim. That law, enacted in the mid-'80s, requires law enforcement to seek a warrant before tapping into data transmissions between computers.
"It's an incredibly broad authority," Nojeim says, pointing out that existing privacy laws "could fall to this authority."
Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, says that granting such power to the Commerce secretary could actually cause networks to be less safe. When one person can access all information on a network, "it makes it more vulnerable to intruders," Granick says. "You've basically established a path for the bad guys to skip down."
The bill's scope, she says, is "contrary to what the Constitution promises us." That's because of the impact it could have on Internet users' privacy rights: If the Commerce Department uncovers evidence of illegal activity when accessing "critical" networks, that information could be used against a potential defendant, even if the department never had the intent to find incriminating evidence. And this might violate the constitutional protection against searches without cause.
"Once information is accessed, it can be used for whatever purpose, no matter the original reason for accessing something," Granick says. "Who's interested in this [bill]? Law enforcement and people in the security industry who want to ensure more government dollars go to them."
Nojeim, though, thinks it's possible the bill's powers could be trimmed as it moves through Congress. "We will be working with them to clarify just what is needed and how to accomplish that," he says. "We're hopeful that some of the very broad powers that the bill would confer won't be included."