
Progress Snapshot

Volume 6, Issue 11 June 2010

Lieberman’s Cyberspace Protection Bill: Enhancing Cybersecurity, or Establishing a New Uber-Authority?
by James E. Dunstan*

The Senate Homeland Security and Government Affairs Committee recently voted S.3480,
Senator Joe Lieberman’s Protecting Cyberspace as a National Asset Act of 2010 (“PCNAA”), out
of Committee.1 Though offering much-needed reform to the Federal government’s
cybersecurity system, this nearly 200-page blunderbuss of a bill sweeps private “critical
infrastructure”2 providers into a new bureaucratic morass. While others debate whether the
bill would create an “Internet Kill Switch,”3 none can deny that the bill would give the President
unprecedented powers over operation of the Internet, powers normally not granted unless the
country is involved in a declared war.4

What’s in a Name?
The bill’s title itself is ominous—suggesting an intent to nationalize the Internet, even if that is
not the idea. Since when is the Internet (or even the portion of the underlying
telecommunications infrastructure that resides within the borders of the United States), a
“National Asset”? Even the term itself is vague (and left undefined): Is the Internet the same
kind of “National Asset” as the Apollo Moon rocks? (The U.S. government has claimed
ownership of them, locked them away in a vault, and doles them out so miserly that we won’t
need to go back to the Moon for another 300 years!) Or is the Internet equivalent to the
petting zoos and other equally vital facilities that somehow wound up in the 77,000-item
National Asset Database created by the Department of Homeland Security?5

* James E. Dunstan (jdunstan@pff.org) is a Senior Adjunct Fellow at The Progress & Freedom Foundation, the
founder of Mobius Legal Group, PLLC and of Counsel at Garvey Schubert Barer. The views expressed in this
report are his own, and are not necessarily the views of the PFF board, fellows or staff, or Mobius Legal Group.

1. Text of bill available at http://hdl.loc.gov/loc.uscongress/legislation.111s3480.
2. Section 3(2) of the bill refers to the definition in Section 1016(e) of the USA PATRIOT Act, codified at 42 U.S.C.
§ 5195c(e): “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or
destruction of such systems and assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those matters.”
3. See, e.g., http://www.skatingonstilts.com/skating-on-stilts/2010/06/calling-bull-switch.html
4. “The President may issue a declaration of a national cyber emergency…” PCNAA, § 249(a)(1).
5. See, e.g., http://www.fas.org/sgp/crs/homesec/RL30153.pdf

1444 EYE STREET, NW  SUITE 500  WASHINGTON, D.C. 20005


202-289-8928  mail@pff.org  @ProgressFreedom  www.pff.org

In previous statutes, such as the Patriot Act6 and the Homeland Security Act of 2002,7 Congress
used terms such as “critical infrastructure” and “key resources,” which the White House has
referred to as “key assets.”8 Before Congress goes any further in the legislative process, it
should more closely consider what it means to declare something a “National Asset,” and the
impact that will have on the individual rights and liberties of American citizens—as well as
those who’ve invented and invested in those assets.

The Bill’s Definitions Are Hopelessly Overbroad & Vague


The bill defines “information infrastructure” to mean “the underlying framework that
information systems and assets rely on to process, transmit, receive, or store information
electronically, including—‘(A) programmable electronic devices and communications networks;
and ‘(B) any associated hardware, software, or data.’”9 The term “national cyber emergency,”
which would trigger the extraordinary powers of the President, is defined as “an actual or
imminent action by any individual or entity to exploit a cyber vulnerability in a manner that
disrupts, attempts to disrupt, or poses significant risk of disruption to the operation of the
information infrastructure [see definition above] essential to the reliable operation of covered
critical infrastructure.”10 These definitions, in combination, are so broad as to encompass end
user equipment, in addition to what is traditionally considered telecommunications
infrastructure. This means that every PC, laptop and cell phone, and every person’s own data,
would be subject to new regulation.

The definitions within the Act further contemplate that the newly established National Center
for Cybersecurity and Communications (“NCCC”) would establish “a national strategy to
increase the security and resiliency of cyberspace, that includes goals and objectives relating to
computer network operations, including offensive activities.”11 But with no definition of
“offensive activities,” the bill essentially hands the government a “blank check” for cyber-
mischief. Why would that be a good thing?

The Bill Would Grant Vast, Imperial Powers to the President over Communications
Under Section 249, if the President issues a declaration of national cyber emergency, all
affected critical infrastructure providers must implement response plans, developed pursuant
to a new set of regulations that the new Director of NCCC will promulgate within 270 days of
the bill’s enactment. The new DHS Cybersecurity Director will also have broad power to
“develop and coordinate emergency measures or actions necessary to preserve the reliable
operation, and mitigate or remediate the consequences of the potential disruption, of covered
critical infrastructure.” Owners and operators of critical infrastructure would be required to
“immediately comply” with whatever emergency measures or actions the NCCC deems
necessary.

6. Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001).
7. Pub. L. No. 107-296, 116 Stat. 2135 (Nov. 25, 2002).
8. See e.g., www.dhs.gov/files/publications/publication_0017.shtm.
9. PCNAA, § 241(10) (emphasis added).
10. PCNAA, § 241(17) (comment added).
11. PCNAA, § 101(a)(1)(A).

But why is this provision necessary? Section 706 of the Communications Act already provides
that the President, in time of “war or a threat of war, or a state of public peril or disaster or
other national emergency, or in order to preserve the neutrality of the United States,” may shut
down both wireless and wireline communications, or suspend certain FCC rules related to such
communications.12 Although the President has never directly invoked the power of Section
706, several Executive Orders have referenced it in connection with national disaster relief and
emergency preparedness.13
So why does the President suddenly need additional powers? Is it because Congress believes
that cyber threats don’t clearly fall within the Section 706 definition of war or national
emergency? Or does Congress really want the President to punch the giant red “KILL” button
every time a virus breaks out on the Internet? If lawmakers believe that the “critical
infrastructure” in need of protection is not clearly covered by Section 706, wouldn’t it be better
to tweak the language of that Section, rather than inventing a separate statutory authority
regulated by a new bureaucracy that has no prior relationship with the telecommunications
industry?

Regulatory Duplication
Transferring regulatory oversight of communications infrastructure providers from the FCC to
the newly-formed NCCC means the telecommunications industry will now be subject to yet
another bureaucratic overlord. Interestingly, the FCC is not even mentioned in PCNAA until
page 183 (of 197!), and then only to the extent that the FCC will now be required to
consult with the NCCC “regarding any regulation, rule, or requirement to be issued or other
action to be required by the Federal agency relating to the security and resiliency of the
national information infrastructure.”14
So now we’ll potentially have at least two government agencies directly controlling the Internet
(not to mention the FTC!). We can only hope that they’ll cancel each other out. More likely,
we’ll get conflicting and confusing standards from each. And unlike the FCC, which has clear
statutory mandates under the highly deregulatory Telecommunications Act of 1996,15 there’s
no sense that NCCC would regulate with a “light touch.” As mentioned above, the bill would
require all those responsible for “critical infrastructure” to “immediately” comply with a
Presidential or NCCC order under Section 249(c). Moreover, on an annual basis, industry
members would have to certify that they have implemented security measures “approved by
the Director.”16 This is a more onerous burden than, for example, the FCC’s certification
requirements under the Communications Assistance to Law Enforcement Act (CALEA).17 Finally,
industry would be required to report “any incident affecting the information infrastructure of
covered critical infrastructure to the extent the incident might indicate an actual or potential
cyber vulnerability, or exploitation of a cyber vulnerability, in accordance with the policies and
procedures for the mechanism established under subsection (b)(2)(B) and guidelines developed
under subsection (b)(3).”18 The burden for this compliance will fall heavily on the
telecommunications industry.19

12. 47 U.S.C. § 606.
13. See, e.g., Executive Order 12472, “Assignment of National Security and Emergency Preparedness
Telecommunications Functions,” April 3, 1984 (amended by E.O. 13286 of February 28, 2003, and changes
made by E.O. 13407 June 26, 2006), available at www.ncs.gov/library/policy_docs/eo_12472.html (last visited
June 17, 2010).
14. PCNAA, § 501.
15. See e.g., 47 U.S.C. §§ 230; 254(h)(2); 706(a)-(b).

Conclusion
The critical review above should not be read as a total castigation of the bill. Indeed, the last
half of the bill, Title III, is yet another, long-overdue attempt to get the Federal government’s
Internet assets more secure and under a single roof. Elevating the importance of this issue by
establishing the NCCC, with broad powers over Federal assets is probably a good thing. Inviting
private industry to participate on advisory councils to NCCC20 is similarly a good idea, especially
since some of the best cyberattack deterrence know-how currently resides in the private
sector. But declaring virtually all private communications infrastructure in the United States
“National Assets” over which NCCC has vast regulatory power, manifestly is not a good idea.
What would this bill mean for Americans as users of the Internet and telecommunications
services? How might this authority be used to exert control over sites, services and networks?
Contemplating the bill’s unintended consequences should send shivers up the spines of anyone
concerned with individual rights and freedoms and about the dangers of unbridled government
powers, especially in the hands of the Executive Branch, which seems to grow ever more
Imperial with every new President, regardless of party.
Let’s only hope that rational heads will prevail and this bill will die a quick death, or at the least
be hacked down to the important and uncontroversial—but significant—task of reorganizing
the Federal government’s assets and getting its own business in order.

16. PCNAA, § 250(a).
17. 47 U.S.C. § 1001 et seq.
18. PCNAA, § 246(c).
19. For an example of regulatory burden, the FCC’s Form 477, which merely requires a telecommunication service
provider to specify the speed of its data offerings, is estimated to take 72 hours twice a year to complete. See
http://www.fcc.gov/Forms/Form477/477tutorial.pdf. In practice, most providers, especially smaller ones,
have found that Form 477 takes hundreds of hours to complete twice a year. Complying with a whole new set
of regulations from an entirely new regulatory body will most likely require even more personnel time,
possibly requiring the equivalent of a full-time person just to oversee cybersecurity issues. For small ISPs and
other small businesses swept in by the bill, these new regulatory burdens could well stifle new entrants from
entering the market with new innovative products. The barriers to entry may be raised high enough so that
their business case can’t close because of regulatory costs and risks of non-compliance or mis-compliance.
20. PCNAA, § 247.

The Progress & Freedom Foundation is a market-oriented think tank that studies the digital revolution and its
implications for public policy. Its mission is to educate policymakers, opinion leaders and the public about issues
associated with technological change, based on a philosophy of limited government, free markets and civil liberties.
Established in 1993, PFF is a private, non-profit, non-partisan research organization supported by tax-deductible
donations from corporations, foundations and individuals. The views expressed here are those of the authors, and do not
necessarily represent the views of PFF, its Board of Directors, officers or staff.
