Barack Obama

Analysis: US Bill puts 'cyber-war' on legislative agenda

Critics say a controversial bill going through Congress would let the US President 'turn off the Internet' if vital services were threatened.

Online security experts have downplayed speculation around the possibility of a 'cyber war' breaking out between sovereign states as a result of offensive action, amid calls for new laws enabling greater governmental control over the US national interconnection infrastructure.

Senator Joe Liebermann, chairman of the Senate Homeland Security and Governmental Affairs Committee, has claimed that the US is under-prepared for online hostilities that could cripple vital services. He believes that new legislation is needed to shore up existing provisions against cyber-crime, and has introduced new proposals for countering state-sponsored threats.

Lieberman has sponsored a Bill - S3480, 'Protecting Cyberspace as a National Asset Act of 2010' - that recommends the establishment of a cyber-security chain of command within federal government. Bill S3480 was approved by the US Committee on Homeland Security and Governmental Affairs panel in June, and is now pending in Congress. It has become known as the 'Kill Switch' bill, as its critics allege that it empowers the President to effectively terminate US Internet connectivity in the event of an online 'blitzkrieg'.

With many developed countries' critical infrastructure now controlled by Internet-connected computer systems, often mediated across connections owned by private organisations, there are growing concerns in security agencies that governments would be unable to enforce necessary controls to mitigate the impact of a concerted campaign of cyber attacks.

Bill S3480's critics - and they are legion - point out that governments do not own the Internet, and therefore although they are of course entitled to take steps to defend their systems against attack, this does not extend to disabling their enemies' means of attack. In the non-virtual world governments can only usually enforce such draconian measures when a state of war or a state of emergency has been declared against a known adversary.

The Internet itself has proved a handy medium for denouncing Bill S3480. 'As a network engineer I find it troubling that the government seeks to label the Internet as a catalyst for any emergency on a catastrophic basis,' writes American blogger David P Shirk. 'People need to understand that it's not just the Internet that would be affected by this bill. Phone lines will also be cut or controlled as they can be used as a means to access the Internet.'

Not all security sector insiders share the views of either Lieberman or Shirk. Some see the concerns as alarmist. 'A lot of the talk is based on speculation and fear,' says David Emm, senior security researcher at Kaspersky Labs' global research & analysis team. 'Whenever this issue crops up it's always the same incidents that get cited - the attacks on Estonia, Georgia, and on Google - which on closer examination turn out not to be as clear-cut as was first supposed.'

Emm argues that some online activity that is generally classed as 'cyber attack' is actually more likely to represent expressions of political protest by hackers, rather than politically-motivated espionage. 'There are nationalists and demonstrators among the cyber criminal community just as there are in other sections of society,' Emm says, 'and they are making known their feelings about world events in the way they are most familiar with.'

In the UK the outgoing Labour government's policy toward cyber threats seemed to be that attack is the best form of defence. Last year security minister Lord West raised eyebrows when he admitted publicly that the UK had developed a cyber attack capability, admitting that 'We have an ability to do things, and we have got very good and very talented people who have worked on this'. His comments provoked criticism that the UK security agencies were entering into a new realm of security engagement where the ethical dimension had not been fully debated.

Three months later, the Government announced the creation of a new multi-agency Cyber Security Operations Centre and the establishment of an Office of Cyber Security within the Cabinet Office, tasked with co-ordinating national cyber-security policy.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them