There's been some minor outrage about the Protecting Cyberspace as a National Asset Act, PCNAA, introduced by Sens. Lieberman and Collins, with some commentators calling it an "Internet Kill Switch". That description is maybe a bit exaggerated; it's based on Section 249 "National Cyber Emergencies", which reads in part:
The President may issue a declaration of a national cyber emergency to covered critical infrastructure. Any declaration under this section shall specify the covered critical infrastructure subject to the national cyber emergency....
Subject to paragraph (2), the owner or operator of covered critical infrastructure shall immediately comply with any emergency measure or action developed by the Director under this section during the pendency of any declaration by the President under subsection (a)(1) or an extension under subsection (b)(2).
In theory, of course, the "emergency measure or action" could be an order to shut down the whole Internet, but considering how drastic and unpopular that would be it's not very likely.
In my opinion the things to worry about are the less dramatic, but much more abuse-prone, items in Section 248 "Cyber Vulnerabilities..." and Section 250 "Enforcement". Section 248 empowers a new National Center for Cybersecurity and Communications (NCCC) to regulate critical information infrastructure, both public and private. In part:
...in consultation with the National Cybersecurity Advisory Council and any private sector entity determined appropriate by the Director, the Director shall issue interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber vulnerabilities through the adoption of security measures that satisfy the security performance requirements identified by the Director....
This is vague. At one end, it could be generic stuff like certifying that you follow standard precautions about passwords, firewalls, etc. But it could also mean that the Director can order you to load his "security software" onto your system. At the end there appears to be a safety clause:
ALTERNATIVE MEASURES-(i) IN GENERAL- The owners and operators of covered critical infrastructure shall have flexibility to implement any security measure, or combination thereof, to satisfy the security performance requirements described in subparagraph (A) and the Director may not disapprove under this section any proposed security measures, or combination thereof, based on the presence or absence of any particular security measure if the proposed security measures, or combination thereof, satisfy the security performance requirements established by the Director under this section...
Pretty reasonable and unintrusive, eh? They give you the ability to choose your own measures (note the word) as long as you meet the performance requirements. But back in Section 247, the bill allows the Director to issue "recommended" measures. Now jump to Section 250:
Not later than 6 months after the date on which the Director promulgates regulations under section 248(b), and every year thereafter, each owner or operator of covered critical infrastructure shall certify in writing to the Director whether the owner or operator has developed and implemented, or is implementing, security measures approved by the Director under section 248 and any applicable emergency measures or actions required under section 249 for any cyber vulnerabilities and national cyber emergencies.
Note the wording. You don't certify that you meet the performance requirements. You certify that you implemented the measures, and those measures require approval. And while you are awaiting approval, you are required to do it their way. Anyone can write performance specs to effectively force selection of a particular product; engineers trying to wire a contract do it all the time.
I don't believe there's any conspiracy intended here, but there is plenty of opportunity for abuse. You can bet that security software companies will be lobbying hard to get their products mandated. It's also very likely that the performance requirements will require keeping records that could be useful to the government for a variety of purposes legal and not.
But why would the communications companies agree to all this? The answer is at the end of Section 250.
(d) Limitation on civil liability
Telcos get immunity in return for doing what the govt wants. Sound familiar? Some defenders of this bill are dragging out the BP disaster as justification. They need to think hard about Section 250(d).
One last thing about this bill. Sen. Lieberman is ever vigilant in defense of our liberties, so the PCNAA bill requires "consultation" with the Privacy and Civil Liberties Oversight Board, PCLOB, which will make sure that nobody's rights are violated. There's just one little problem: it doesn't exist.
When President Bush two years ago failed to name members to a federal board to monitor the protection of civil liberties, Democrats and activist groups were duly outraged, seeing it as one more example of his administration's indifference to the subject. But more than a year into a new presidency, the Privacy and Civil Liberties Oversight Board—created by Congress in 2007—remains as much a cipher under Barack Obama as it was under George W. Bush. The White House has yet to nominate a single person to sit on the five-person board. It has no members, no staff, and no office.
President Obama has chosen important things like the 28 members of the President’s Commission on White House Fellowships, and the four individuals to serve on the Ronald Reagan Centennial Commission. But Privacy and Civil Liberties Oversight? He's busy or structurally constrained or something.