A wide-ranging cybersecurity bill introduced in the U.S. Senate this week would give the president unprecedented new powers to disconnect government and private-sector networks from the Internet in the event of security emergencies. But that provision is expected to be a hard sell in Congress.
The proposed bill, formally known as the Cybersecurity Act of 2009, was filed on Wednesday by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). The legislation includes a long list of provisions that would give federal officials significant new authority to set and enforce data security standards for federal agencies, government contractors and key parts of the private sector.
For instance, the bill would empower the National Institute of Standards and Technology (NIST) to develop "measurable and auditable" security standards for government entities as well as companies in critical infrastructure industries. Meanwhile, a companion bill that also was introduced by Rockefeller and Snowe calls for the addition of a national cybersecurity adviser within the Executive Office of the President.
But the provision that is attracting the most attention is buried deep in the 51-page bill, in a section blandly titled "Cybersecurity Responsibility and Authority." It would give the president broad authority to directly intervene in security matters in both the public and private sectors. For starters, the bill would give the president the power to declare security emergencies and then curtail or shut down Internet traffic to and from any compromised federal or critical infrastructure networks.
The measure would also enable the White House to order individual government or critical private-sector networks to be disconnected from the Internet for reasons of national security. In addition, the president could classify any corporate network as a piece of critical infrastructure.
The presidential-powers provision makes the proposed legislation "a sweeping federal takeover of cybersecurity" responsibilities, said Leslie Harris, president and CEO of the Center for Democracy and Technology, a Washington-based think tank and lobbying group. If the bill is signed into law as written, it would give the executive office "unfettered discretion" to exert control over private-sector networks on national security grounds, Harris claimed.
That could result in a "breathtaking power grab" by the White House, added Harris, who said the provision appears to assume that the government is better than the private sector is at identifying security threats and responding to them during emergencies.