Internet Kill Switch: “A control in search of a risk”

Proposed legislation giving the President power to shut down parts of the Internet in a national emergency is often described as an Internet “Kill Switch”.

Proponents of this bill believe it would secure critical infrastructure systems against catastrophic cyber attacks, but some information security experts argue the measure is short-sighted and unlikely to work.

Senator Joseph Lieberman (left) introduced Protecting Cyberspace as a National Asset Act of 2010 in June last year. (DoD photo by Mass Communication Specialist 1st Class Chad J. McNeeley/Creative Commons)

Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.) introduced the Protecting Cyberspace as a National Asset Act of 2010 in June last year. It immediately came under fire for giving the President an overreaching power to shut down the Internet and halt all communication.

But Leslie Phillips, spokeswoman for the Senate Homeland Security committee, said in an email that it is impossible to shut down the Internet completely, and “the legislation proposed contains nothing that would allow the federal government to do so.”

The emergency measures proposed in the legislation are directed only at critical infrastructure systems – “systems which if attacked or disrupted could cause mass casualties, evacuations, and economic damage,” according to Phillips.

“We are talking about the electric grid, energy supply lines, telecommunications, financial networks, water systems, etc.,” she added.

According to Paul Rohmeyer, an information security expert, proponents of a controlled or limited shut-down measure show a lack of understanding of how the Internet works and of its distributive nature.

Rohmeyer believes that the capability for “intelligent isolation”, or shutting down parts of the Internet without disrupting the whole system, might be developed in the future but does not exist today.

“If someone were today to make a proclamation to shut services to particular groups of companies, I’m not quite sure how we can actually do it simply because of the diversity in connection points and paths and the fact that these networks are largely global entities now, most organizations have multiple access points to the Internet,” Rohmeyer said.

Bruce Schneier, another information security expert, commented in an article that building a selective shutdown capability would result in a huge “security vulnerability.”

“We would make the job of any would-be terrorist intent on bringing down the Internet much easier. Any actual shutdown would be far more likely to be a result of an unfortunate error or a malicious hacker than of a presidential order,” Schneier wrote.

Even if a workable Internet “Kill Switch” were developed in the future, the risks of shutting down parts of the Internet would be too great.

In this day and age, the Internet has become an important “means of production for many industries” and shutting down parts of the Internet would result in massive economic losses to businesses, according to Rohmeyer.

“We are in an era of increasing globalization, by stopping communications at any point we will disrupt the ability for U.S. companies to serve the global markets and we will similarly disrupt global organizations from serving us,” he added.

But scenarios can be envisioned in which public interests trump setbacks to private entities, and security concerns far outweigh economic considerations.

In theory, an enemy state could use a malicious worm like the Stuxnet worm, which was used to disable Iranian nuclear reactors, and launch a cyber attack against U.S. nuclear facilities.

The threat of “cyber war is not science fiction,” and in fact it’s an everyday occurrence, according to Phillips.

However, Rohmeyer argues that these are “theorized cyber threats” and that the legislation gives an “ambiguous description of so-called catastrophic events.”

“This is a control in search of a risk,” Rohmeyer said. “I don’t believe, based on public information, that we as a nation have faced anything that would rise to the level of things being blunted or the impact decreased if such powers were in the hands of the federal government.”

The legislation, as it stands now, fails to provide a convincing argument for giving the President such overreaching power. Moreover, little consideration has been given to the workability of a kill switch and its potential risks.

Both Rohmeyer and Schneier stress the need for implementing alternative security measures to an Internet “Kill Switch.”

“I don’t think we should be viewing things in this sort of ‘on or off’ switch mentality. Certainly we can identify alternative controls or response mechanisms to the identified threats other than shutting off service,” said Rohmeyer.

Schneier agrees. “Just implementing the capability would be very expensive; I would rather see that money going toward securing our nation’s critical infrastructure from attack,” he wrote.

