Joe Lieberman wants to give the federal government the power to take over civilian networks' security, if there's an "imminent cyber threat." It's part of a draft bill, co-sponsored by Senators Lieberman and Susan Collins, that provides the Department of Homeland Security broad authority to ensure that "critical infrastructure" stays up and running in the face of a looming hack attack.

The government's role in protecting private firms' networks is one of the most contentious topics in information security today. Several bills are circulating on Capitol Hill on how to keep power and transportation and financial firms running in the event of a so-called "cybersecurity emergency."

Last week, Deputy Defense Secretary William Lynn floated the idea of extending a controversial cybersurveillance program to hacker-proof the firms. Meanwhile, the military's new Cyber Command is readying itself to march to these companies' aid.

Lieberman and Collins' solution is one of the more far-reaching proposals. In the Senators' draft bill, "the President may issue a declaration of an imminent cyber threat to covered critical infrastructure." Once such a declaration is made, the director of a DHS National Center for Cybersecurity and Communications is supposed to "develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure."

"The owner or operator of covered critical infrastructure shall comply with any emergency measure or action developed by the Director," the bill adds.

These emergency measures are supposed to remain in place for no more than 30 days. But they can be extended indefinitely, a month at a time.

The DHS cybersecurity director has to ensure that the emergency measures "represent the least disruptive means feasible" and that "the privacy and civil liberties of United States persons are protected," according to the bill. It also allows the private firms to handle network threats on their own – if DHS approves of the measures.

Senate staffers familiar with the bill acknowledge that it grants broad powers over private businesses; the staffers couldn't think of an analog in the physical world, except for the Federal Aviation Administration's authority to ground air traffic after 9/11. But the staffers say that the emergency powers will only apply to a relatively small number of companies, and only in the most extreme cases – when an electronic exploit might cause "catastrophic regional or national damage" resulting in "thousands of lives or billions of dollars" lost.

In order for the President to declare such an emergency, there would have to be knowledge both of a massive network flaw – and information that someone was about to leverage that hole to do massive harm. For example, the recent "Aurora" hack to steal source code from Google, Adobe and other companies wouldn't have qualified, one Senate staffer noted: "It'd have to be Aurora 2, plus the intel that country X is going to take us down using that vulnerability."

A second staffer suggested that evidence of hackers looking to leverage something like the massive Conficker worm – which infected millions of machines and was seemingly poised in April 2009 to unleash something nefarious – might trigger the bill's emergency provisions. "You could argue there's some threat information built in there," the staffer said.

The Lieberman/Collins bill is hardly the the most extreme cybersecurity proposal that's circulated on Capitol Hill in recent years. That dubious distinction belongs to a bill from Senators Jay Rockefeller and Olympia Snowe that empowered the feds to "order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security." That provision was neutered after a public outcry. Now, it calls on the U.S. government to "develop and rehearse detailed response and restoration plans" in the event of a major network threat.

[Photo: DHS]

See Also: