Sen. Christopher Bond, R-Mo., co-sponsored a cybersecurity bill that would appoint a cyber director who reports directly to the president and give that person a degree of authority over the cyber budgets of federal agencies. (File photo / Getty Images)
Should the president retain authority to shut down parts of the Internet in the event of a serious cyber attack on the United States? Should private companies be required to share cyber threat information with the government? Should Internet service providers be required to build "back doors" to let government agencies monitor Internet traffic? Should warrantless searches of online activity be expanded? Who should be in charge of cybersecurity — the Defense Department? The Department of Homeland Security? The National Security Agency?
Congress has spend much of 2010 pondering these and other questions central to cybersecurity, but at this point it is unlikely that lawmakers will take any action in the little time they have left before the 111th Congress adjourns for good in December.
"I'm not optimistic of major cybersecurity legislation passing at this late time," said Louis Tucker, Republican staff director on the Senate Intelligence Committee. Tucker's boss, Sen. Christopher Bond, R-Mo., co-sponsored a cybersecurity bill that would appoint a cyber director who reports directly to the president and give that person a degree of authority over the cyber budgets of federal agencies.
After the Nov. 2 election, Congress has only a few weeks in session, during which it has to decide whether to extend tax cuts and to pass appropriations bills to keep the government going.
"Considering the objections to some of the cyber bills out there, comprehensive legislation will probably have to wait until next year," Tucker said Tuesday during a cybersecurity discussion at the Heritage Foundation think tank.
If cybersecurity legislation passes next year, it will be without Bond's help. He's retiring.
Tucker's gloomy assessment was seconded by Brandon Milhorn, the Republican staff director on the Senate Homeland Security and Governmental Affairs Committee.
"It will be difficult to do anything controversial after the election," he said.
The cyber security legislation sponsored by Sens. Joseph Lieberman, I-Conn., Susan Collins, R-Maine, and Tom Carper, D-Del., probably falls into that category.
The bill would give the president authority to take "emergency measures to protect the nation's most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited."
One problem with the bill is that it doesn't say exactly what the powers it proposes to grant the president, said Michelle Richardson, legislative counsel for the American Civil Liberties Union. The powers "are not defined. They could be as broad as the Communications Act powers that would allow the government to seize control of the communications structure and shut it down or use it to its own ends."
The Communications Act is a 1934 law that gives presidents the authority to pull the plug on wire communications during a war or the threat of war.
When applied to the cyber realm, she said, the Communications Act gives the president "a kill switch" that could shut down parts of the Internet.
Aides to Lieberman, Collins and Carper say their legislation is intended to limit the president's authority to do that. The Lieberman-Collins-Carper bill would require the president to get congressional approval before blocking the Internet, and it would limit the action to no more than 120 days. The bill would also require the president to use "the least disruptive means feasible" to respond to a cyber threat.
It "does not authorize the government to take over critical infrastructure," say aides to the three senators.
The bill would also create an Office of Cyberspace Policy in the White House to oversee federal efforts to secure cyberspace and set cyberspace policy. And it would create a National Center for Cybersecurity and Communications at the Department of Homeland Security to lead federal efforts to defend government and private networks from attackers.
The bill favors defending critical networks with real-time monitoring, and establishing security requirements for private sector networks.
The operators of private networks would be required to report significant breaches to government officials, which would share threat analysis with other network operators. In exchange, network operators would receive liability protection.
Privacy advocates like Richardson are leery.
Before Congress grants the president more power over cyber critical infrastructure, the Obama administration must "disclose what authority it thinks it already has," she said. So far, it has not done so.
Federal agents already have vast power through the Foreign Intelligence Surveillance Act to spy on individuals, including citizens who send e-mails overseas or make international phone calls, the ACLU says.
The executive branch can track and surveil Internet users and it can demand and obtain records from Internet and communications companies without court orders, with cursory court orders and with actual warrants, Richardson said.
"Considering the incredible authority the government already has, the admin must demonstrate the need" for more authority, and there must be a public discussion before Congress grants any more authority, she said.