No Internet Kill Switch is No Guarantee

In continued efforts to centralize the cybersecurity authority within the White House, more than 40 bills have been introduced that will dramatically alter the balance of power between the government and the private sector when it comes down to a crisis situation.

Protecting Cyberspace as a National Asset Act of 2010 (PDF document) is sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), and will shift the responsibility of federal agency cybersecurity from the Office of Management and Budget (OMB) to the Department of Homeland Security (DHS) by creating a new office called the National Center for Cybersecurity and Communications (NCCC), as outlined in a draft obtained by Federal News Radio.

The bill will also create a White House Office of Cyberspace Policy, which will be headed by a director level position requiring Congressional confirmation. 

Previously, proposed legislation had included language that would give the President authority to effectively throw a "kill switch" which would limit civilian access to the internet during a national cybersecurity related event in a effort to preserve critical communications and infrastructure functionality.

Though the contested language has been removed from more recent versions, it still clearly gives the executive branch ultimate authority over who, what, where, when and why the internet is used during a national crisis.

As stated in the FNR article, "the bill also gives the President the ability to declare a national cyber emergency if attacks on specific types of critical infrastructure would cause a national or regional disaster. The President would have to notify Congress of the emergency, why the existing security measures are deficient and what new things must be done to secure the networks. The President would then require the director of the NCCC to issue emergency measures that would last only 30 days."

The article goes on to say that "this would be used only in the most extreme circumstances and DHS or the White House would not be able to shut down private sector networks."

This strikes me as merely a semantic win for the private sector that in reality means very little with regard to the ability to effectively design and implement disaster recovery and business continuity strategies.

So private networks will not be "shut down," but does that guarantee there will be available bandwidth?

The explosive growth in virtualization, remote access, and telecommuting has already had a major impact on the development of enterprise business continuity plans, as witnessed during the H1N1 "swine flu" threat, and the majority of organizations simply plan to have employees stay home and work remotely when possible.

Given the nature of the proposed legislation, it seems that business continuity plans based on unfettered access to the internet and other communication technologies are not only short-sighted, but more or less nullified.

My own estimation is that we will likely see something akin to the "rolling brownouts" employed when electricity demand exceeds the grids ability to deliver enough power.

An "Internet Brownout" will not shut down private access to the web, but it might make your high speed broadband connection look like dial-up service from the early 1990s - not pretty.

Combine this lack of access to sufficient bandwidth with a dramatic increase in the number of users trying to reach their corporate networks, and the result will effectively be no different than if the "kill switch" mechanism were in place.

If your organization's functional continuity relies on access to the web, you might want to reevaluate the likelihood that the internet will be available when you need it most, despite lawmakers' recent assurances.