The U.S. government is still grappling with the best way to protect the Internet from cyber attacks that could paralyze the nation.
Lawmakers recently introduced legislation that designates more responsibility for protecting cyberspace to the Department of Homeland Security, but many experts question whether the relatively new agency, created in the aftermath of the Sept. 11, 2001 attacks, is up to the task.
Cyber attacks could take down entire telecommunications systems, knock out power grids, manipulate financial systems and infiltrate every branch of government. It’s a nightmare scenario, and one that concerns a growing number of cyber experts.
“The effects could be catastrophic,” said Blaise Misztal, a national security expert at the Bipartisan Policy Center, a non-profit policy think tank in Washington.
A cyber-security bill introduced in June by Sen. Joe Lieberman, I-Conn., would delegate even more authority to Homeland Security, and shift the role of cyber protector away from the Department of Defense and the National Security Agency.
The legislation is a step in the right direction, some experts say. One reason: The NSA is the federal intelligence-gathering agency that secretly wiretapped U.S. phone calls and emails after the 9-11 attacks, in some cases without court-approved warrants. As a result, it is widely considered a spying organization that should not be monitoring information on private computer networks.
Yet private networks would likely be the target of any large-scale cyber attack and should be monitored closely, making cooperation between the government and businesses critical to cybersecurity, said Gregory Nojeim at the Center for Democracy and Technology, a Washington-based civil liberties group that works on Internet policies.
“Everyone seems to agree that more information needs to be shared between the government and the private sector,” Nojeim said.
But the public’s distrust of the NSA because of the wire-tapping scandals would make such partnerships difficult, Nojeim said.
“The NSA tends to operate secretively and without transparency,” Nojeim said. “In the cybersecurity context, such secrecy can inhibit rather than further the program.”
The success of the new cybersecurity program would hinge on information sharing. Under Lieberman’s legislation, private companies and government would share information about cyber threats through a new National Center for Cybersecurity and Communications in the Department of Homeland Security.
Major technology companies including Symantec, Microsoft and Verizon have publicly supported Liberman’s legislation, which is one of more than 30 cybersecurity bills Congress is considering.
While many experts prefer to see the NSA less involved in securing cyberspace, questions remain about whether Homeleand Security can handle the responsibility. A Government Accountability Office report released last year found that Homeland Security had repeatedly fallen short of fulfilling its cybersecurity responsibilities because it lacked organization and resources. As a result, the military and intelligence groups have kept control over most cybersecurity issues, which has made civil liberties groups squeamish.
Under the new bill, the NSA would still offer technical support to Homeland Security, which doesn’t have a workforce that is large enough or skilled enough to do cybersecurity, said Larry Castro, who spent 44 years at the NSA. He called the legislation “very, very ambitious.”
“In my mind, the department is not well resourced to be able to sign up to do it,” Castro said of Homeland Security.
Civil liberties groups are wary of government interference in cyberspace, contending that oversight of Internet communication could infringe on people’s freedom of speech.
“If they believe or suspect the government is in a position to listen into what’s happening on the internet, their ability to communicate anonymously has been taken away,” said Jay Stanley, senior policy analyst and privacy expert at American Civil Liberties Union.
The bill doesn’t give the government any new authority to access to private information on the Internet or have a “kill switch” through which the President could shut it down, despite some opponents’ claims.
“That would never or should never happen,” Castro said. “That’s not the government’s role.”
However, the President would have the authority to authorize emergency measures if he suspected a cyber system was under attack, which worries some experts. Emergency measures could include shutting systems down for 30 days, or longer, which seems to give the President “open-ended” authority, Nojeim said.
“We’re working to limit that authority … so there are no surprises when the emergency comes, should an emergency come,” Nojeim said.
