Cybertelecom
Federal Internet Law & Policy
An Educational Project
Internet "Kill Switch"
Don't be a FOOL; The Law is Not DIY
Law

Legislation

`(a) Declaration-

`(1) IN GENERAL- The President may issue a declaration of a national cyber emergency to covered critical infrastructure if there is an ongoing or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure. Any declaration under this section shall specify the covered critical infrastructure subject to the national cyber emergency.

`(2) NOTIFICATION- Upon issuing a declaration under paragraph (1), the President shall, consistent with the protection of intelligence sources and methods, notify the owners and operators of the specified covered critical infrastructure and any other relevant private sector entity of the nature of the national cyber emergency.

`(3) AUTHORITIES- If the President issues a declaration under paragraph (1), the Director shall--
`(A) immediately direct the owners and operators of covered critical infrastructure subject to the declaration under paragraph (1) to implement response plans required under section 248(b)(2)(C);
`(B) develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure;
`(C) ensure that emergency measures or actions directed under this section represent the least disruptive means feasible to the operations of the covered critical infrastructure and to the national information infrastructure;
`(D) subject to subsection (g), direct actions by other Federal agencies to respond to the national cyber emergency;
`(E) coordinate with officials of State and local governments, international partners of the United States, owners and operators of covered critical infrastructure specified in the declaration, and other relevant private section entities to respond to the national cyber emergency;
`(F) initiate a process under section 248 to address the cyber risk that may be exploited by the national cyber emergency; and
`(G) provide voluntary technical assistance, if requested, under section 242(f)(1)(S).

`(4) REIMBURSEMENT- A Federal agency shall be reimbursed for expenditures under this section from funds appropriated for the purposes of this section. Any funds received by a Federal agency as reimbursement for services or supplies furnished under the authority of this section shall be deposited to the credit of the appropriation or appropriations available on the date of the deposit for the services or supplies.

`(5) CONSULTATION- In carrying out this section, the Director shall consult with the Secretary, the Secretary of Defense, the Director of the National Security Agency, the Director of the National Institute of Standards and Technology, and any other official, as directed by the President.

`(6) PROHIBITED ACTIONS- The authority to direct compliance with an emergency measure or action under this section shall not authorize the Director, the Center, the Department, or any other Federal entity to--
`(A) restrict or prohibit communications carried by, or over, covered critical infrastructure and not specifically directed to or from the covered critical infrastructure unless the Director determines that no other emergency measure or action will preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of the covered critical infrastructure or the national information infrastructure;
`(B) control covered critical infrastructure;
`(C) compel the disclosure of information unless specifically authorized by law; or
`(D) intercept a wire, oral, or electronic communication (as those terms are defined in section 2510 of title 18, United States Code), access a stored electronic or wire communication, install or use a pen register or trap and trace device, or conduct electronic surveillance (as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)) relating to an incident, unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, or the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).

`(7) PRIVACY- In carrying out this section, the Director shall ensure that the privacy and civil liberties of United States persons are protected.

`(b) Discontinuance of Emergency Measures-

`(1) IN GENERAL- Any emergency measure or action developed under this section shall cease to have effect not later than 30 days after the date on which the President issued the declaration of a national cyber emergency, unless--
`(A) the Director details in writing why the emergency measure or action remains necessary to address the identified national cyber emergency; and
`(B) the President issues a written order or directive reaffirming the national cyber emergency, the continuing nature of the national cyber emergency, or the need to continue the adoption of the emergency measure or action.

`(2) EXTENSIONS- An emergency measure or action extended in accordance with paragraph (1) may--
`(A) remain in effect for not more than 30 days after the date on which the emergency measure or action was to cease to have effect; and
`(B) unless a joint resolution described in subsection (f)(1) is enacted, be extended for not more than 3 additional 30-day periods, if the requirements of paragraph (1) and subsection (d) are met.

`(c) Compliance With Emergency Measures-

`(1) IN GENERAL- Subject to paragraph (2), the owner or operator of covered critical infrastructure shall immediately comply with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2).

`(2) ALTERNATIVE MEASURES-
`(A) IN GENERAL- If the Director determines that a proposed security measure, or any combination thereof, submitted by the owner or operator of covered critical infrastructure in accordance with the process established under section 248(b)(2) will effectively mitigate or remediate the cyber risk associated with the national cyber emergency that is the subject of the declaration under this section, or effectively mitigate or remediate the consequences of the potential disruption of the covered critical infrastructure based on the cyber risk at least as effectively as the emergency measures or actions directed by the Director under this section, the owner or operator may comply with paragraph (1) of this subsection by implementing the proposed security measure, or combination thereof, approved by the Director under the process established under section 248.
`(B) COMPLIANCE PENDING SUBMISSION OR APPROVAL- Before submission of a proposed security measure, or combination thereof, and during the pendency of any review by the Director under the process established under section 248, the owner or operator of covered critical infrastructure shall remain in compliance with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2), until such time as the Director has approved an alternative proposed security measure, or combination thereof, under this paragraph.

`(3) INTERNATIONAL COOPERATION ON NATIONAL CYBER EMERGENCIES-
`(A) IN GENERAL- The Director, in coordination with the head of the sector-specific agency with responsibility for covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, shall--
`(i) consistent with the protection of intelligence sources and methods and other sensitive matters, inform the owner or operator of information infrastructure located outside the United States the disruption of which could result in national or regional catastrophic damage in the United States and the government of the country in which the information infrastructure is located of any cyber risks to the information infrastructure that led to the declaration of a national cyber emergency; and
`(ii) coordinate with the government of the country in which the information infrastructure is located and, as appropriate, the owner or operator of the information infrastructure, regarding the implementation of emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure that is the subject of the national cyber emergency.
`(B) INTERNATIONAL AGREEMENTS- The Director shall carry out this paragraph in a manner consistent with applicable international agreements.

`(d) Reporting-

`(1) IN GENERAL- Except as provided in paragraph (2), the President shall ensure that any declaration under subsection (a)(1) or any extension under subsection (b)(2) is reported to the appropriate committees of Congress before the Director mandates any emergency measure or actions under subsection (a)(3).

`(2) EXCEPTION- If notice cannot be given under paragraph (1) before mandating any emergency measure or actions under subsection (a)(3), the President shall provide the report required under paragraph (1) as soon as possible, along with a statement of the reasons for not providing notice in accordance with paragraph (1).

`(3) CONTENTS- Each report under this subsection shall describe--
`(A) the nature of the national cyber emergency;
`(B) the reasons that risk-based security requirements under section 248 are not sufficient to address the national cyber emergency;
`(C) the actions necessary to preserve the reliable operation and mitigate the consequences of the potential disruption of covered critical infrastructure; and
`(D) in the case of an extension of a national cyber emergency under subsection (b)(2)--
`(i) why the emergency measures or actions continue to be necessary to address the national cyber emergency; and
`(ii) when the President expects the national cyber emergency to abate.

`(e) Statutory Defenses and Civil Liability Limitations for Compliance With Emergency Measures-

`(1) DEFINITIONS- In this subsection--
`(A) the term `covered civil action'--
`(i) means a civil action filed in a Federal or State court against a covered entity; and
`(ii) does not include an action brought under section 2520 or 2707 of title 18, United States Code, or section 110 or 308 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1810 and 1828);
`(B) the term `covered entity' means any entity that owns or operates covered critical infrastructure, including any owner, operator, officer, employee, agent, landlord, custodian, provider of information technology, or other person acting for or on behalf of that entity with respect to the covered critical infrastructure; and
`(C) the term `noneconomic damages' means damages for losses for physical and emotional pain, suffering, inconvenience, physical impairment, mental anguish, disfigurement, loss of enjoyment of life, loss of society and companionship, loss of consortium, hedonic damages, injury to reputation, and any other nonpecuniary losses.

`(2) APPLICATION OF LIMITATIONS ON CIVIL LIABILITY- The limitations on civil liability under paragraph (3) apply if--
`(A) the President has issued a declaration of national cyber emergency under subsection (a)(1);
`(B) the Director has--
`(i) issued emergency measures or actions for which compliance is required under subsection (c)(1); or
`(ii) approved security measures under subsection (c)(2);
`(C) the covered entity is in compliance with--
`(i) the emergency measures or actions required under subsection (c)(1); or
`(ii) security measures which the Director has approved under subsection (c)(2); and
`(D)(i) the Director certifies to the court in which the covered civil action is pending that the actions taken by the covered entity during the period covered by the declaration under subsection (a)(1) were consistent with--
`(I) emergency measures or actions for which compliance is required under subsection (c)(1); or
`(II) security measures which the Director has approved under subsection (c)(2); or
`(ii) notwithstanding the lack of a certification, the covered entity demonstrates by a preponderance of the evidence that the actions taken during the period covered by the declaration under subsection (a)(1) are consistent with the implementation of--
`(I) emergency measures or actions for which compliance is required under subsection (c)(1); or
`(II) security measures which the Director has approved under subsection (c)(2).

`(3) LIMITATIONS ON CIVIL LIABILITY- In any covered civil action that is related to any incident associated with a cyber risk covered by a declaration of a national cyber emergency and for which Director has issued emergency measures or actions for which compliance is required under subsection (c)(1) or for which the Director has approved security measures under subsection (c)(2), or that is the direct consequence of actions taken in good faith for the purpose of implementing security measures or actions which the Director has approved under subsection (c)(2)--
`(A) the covered entity shall not be liable for any punitive damages intended to punish or deter, exemplary damages, or other damages not intended to compensate a plaintiff for actual losses; and
`(B) noneconomic damages may be awarded against a defendant only in an amount directly proportional to the percentage of responsibility of such defendant for the harm to the plaintiff, and no plaintiff may recover noneconomic damages unless the plaintiff suffered physical harm.

`(4) CIVIL ACTIONS ARISING OUT OF IMPLEMENTATION OF EMERGENCY MEASURES OR ACTIONS- A covered civil action may not be maintained against a covered entity that is the direct consequence of actions taken in good faith for the purpose of implementing specific emergency measures or actions for which compliance is required under subsection (c)(1), if--
`(A) the President has issued a declaration of national cyber emergency under subsection (a)(1) and the action was taken during the period covered by that declaration;
`(B) the Director has issued emergency measures or actions for which compliance is required under subsection (c)(1) or that the Director has approved under subsection (c)(2);
`(C) the covered entity is in compliance with the emergency measures required under subsection (c)(1) or that the Director has approved under subsection (c)(2); and
`(D)(i) the Director certifies to the court in which the covered civil action is pending that the actions taken by the entity during the period covered by the declaration under subsection (a)(1) were consistent with the implementation of emergency measures or actions for which compliance is required under subsection (c)(1) or that the Director has approved under subsection (c)(2); or
`(ii) notwithstanding the lack of a certification, the entity demonstrates by a preponderance of the evidence that the actions taken during the period covered by the declaration under subsection (a)(1) are consistent with the implementation of emergency measures or actions for which compliance is required under subsection (c)(1) or that the Director has approved under subsection (c)(2).

`(5) CERTAIN ACTIONS NOT SUBJECT TO LIMITATIONS ON LIABILITY-
`(A) ADDITIONAL OR INTERVENING ACTS- Paragraphs (2) through (4) shall not apply to a civil action relating to any additional or intervening acts or omissions by any covered entity.
`(B) SERIOUS OR SUBSTANTIAL DAMAGE- Paragraph (4) shall not apply to any civil action brought by an individual--
`(i) whose recovery is otherwise precluded by application of paragraph (4); and
`(ii) who has suffered--
`(I) serious physical injury or death; or
`(II) substantial damage or destruction to his primary residence.
`(C) RULE OF CONSTRUCTION- Recovery available under subparagraph (B) shall be limited to those damages available under subparagraphs (A) and (B) of paragraph (3), except that neither reasonable and necessary medical benefits nor lifetime total benefits for lost employment income due to permanent and total disability shall be limited herein.
`(D) INDEMNIFICATION- In any civil action brought under subparagraph (B), the United States shall defend and indemnify any covered entity. Any covered entity defended and indemnified under this subparagraph shall fully cooperate with the United States in the defense by the United States in any proceeding and shall be reimbursed the reasonable costs associated with such cooperation.

`(f) Joint Resolution To Extend Cyber Emergency-

`(1) IN GENERAL- For purposes of subsection (b)(2)(B), a joint resolution described in this paragraph means only a joint resolution--
`(A) the title of which is as follows: `Joint resolution approving the extension of a cyber emergency'; and
`(B) the matter after the resolving clause of which is as follows: `That Congress approves the continuation of the emergency measure or action issued by the Director of the National Center for Cybersecurity and Communications on XXXXXXXXXXXX for not longer than an additional 120-day period.', the blank space being filled in with the date on which the emergency measure or action to which the joint resolution applies was issued.

`(2) PROCEDURE-
`(A) NO REFERRAL- A joint resolution described in paragraph (1) shall not be referred to a committee in either House of Congress and shall immediately be placed on the calendar.
`(B) CONSIDERATION-
`(i) DEBATE LIMITATION- A motion to proceed to a joint resolution described in paragraph (1) is highly privileged in the House of Representatives and is privileged in the Senate and is not debatable.

  • "Protecting Cyberspace as a National Asset Act of 2010" (PDF)

    © Cybertelecom ::