Should Obama's 'internet kill switch' power be curbed?
Under a World War II-era law, the US president appears to have authority to disconnect computer systems and servers from the internet in the event of a national emergency. But the next US Congress is poised to change that.
The law was passed in 1942. The Japanese attack on Pearl Harbor had provoked fear of a foreign invasion of US soil, and Congress responded by giving President Franklin Roosevelt broad power to commandeer or shutter telephone and telegraph networks.
Nearly 70 years later, telegraph networks have disappeared, and the telephone is only one of many means of communication.
But although the 1942 law makes no mention of the internet - merely of "any facility or station for wire communication" - the Obama administration in June told Congress it would cite it in an emergency.
It has not been tested in court, but experts say section 706(d) of the Communications Act could give the president wide-ranging authority to shut down key computer systems.
With typical Washington hyperbole, the law has become known as the presidential "internet kill switch".'Clear rules needed'
The next US Congress will be under pressure to strengthen the nation's cyber defences, and a spectrum of security analysts, internet freedom advocates and senators say lawmakers must update those emergency war powers to limit or at the very least more clearly define the president's authority.
"The time is ripe for some articulation of this authority so we don't have presidents going off into the wild, but actually have a set of pretty clear rules," said Paul Rosenzweig, a former homeland security official under President George W Bush, now a fellow at the conservative Heritage Foundation.
Uncertainty over the interpretation of the current laws has left analysts speculating about how the president would use the "kill switch", and to what end.
One analyst told the BBC that if, for example, computer systems at Washington's natural gas and electric utilities became infected by a powerful internet worm, the president could order them to power down or disconnect from the internet to protect physical infrastructure, stem the infection, and allow them to be cleared.
Recent major cyber attacks
- 2010 - Stuxnet infects personal computers used by Iranian nuclear scientists
- 2009 - A major South Korean bank and newspaper and the country's spy service are slammed with co-ordinated attacks, which some blamed on North Korea
- 2008 - Foreign spies infiltrate secret US military computers in an attack launched from an infected flash drive
- 2007 - Estonian government and commercial computers bombarded with cyber attacks the country blamed on Russia
- 2000 - Major websites including Amazon.com and eBay crippled by "denial-of-service" attacks
In another hypothetical scenario described to the BBC, the president might order the shutdown of networks hosting Wall Street financial services infrastructure in order to avoid an imminent cyber attack.'Unlimited authority'
In both cases, the actions would have far-reaching consequences for the companies and individuals relying on the systems - for power, or to move money, analysts said.
Civil liberties campaigners are concerned at the potential for the power to be abused.
"It's unlimited," said Michelle Richardson, legislative counsel for the American Civil Liberties Union in Washington, about the president's current power.
"They have the authority, and we've seen since 9/11 that the executive branch has always pushed its power to the limit."
Privacy advocates say the law must be adjusted to ensure the president cannot use emergency war powers to snoop improperly on Americans' e-mail or other information.
It is unclear whether the disconnection of US networks would affect the internet elsewhere in the world, aside from blocking users from, say, a popular web page or service, technical experts say.
But Greg Nojeim, of the Center for Democracy and Technology, said there was "a high risk" of "a spillover effect in other countries".
However, it is nigh on impossible for the US president - or any single actor - to shut down the whole internet - a virtue of its globally distributed nature, analysts say.
"There's no plug to be pulled," John Kneuer, a former telecommunications policy official under President Bush, told the BBC.Stuxnet feared
Among several shortcomings in the 1942 law's application to the online world, it does not specify what constitutes cyber war - as opposed to a commercial hacking job. Nor is it even clear the law would treat a cyber attack by a foreign power as an act of war - a precondition of the president's use of the emergency powers.
End Quote Senator Susan Collins Maine Republican
The president's authority to deal with a catastrophic cyber attack aimed at critical infrastructure would be carefully defined - and constrained”
Nevertheless, the debate over the president's cyber war authority comes amid growing evidence that nations are deploying cyber weapons against adversaries.
The powerful internet worm Stuxnet, discovered this year to have infected computers across the globe, appears to have been designed specifically to target Iranian nuclear sites, causing alarm within the US and UK governments. Some analysts say it was so sophisticated it could only have been launched by a sovereign nation state.
In all, attacks on US government facilities this year topped 1.8 billion per month, according to the US Senate sergeant-at-arms.
US officials also fear cyber attacks on the private sector, which operates as much as 85% of the nation's critical infrastructure - power plants, major internet service providers, telephone companies and more.
The bipartisan group of US senators currently engaged in rewriting many US cyber security laws is keenly aware of the threat posed by such attacks. But the senators argue the president's emergency war powers must be better defined and delimited.
Legislation backed by Senators Susan Collins, a Maine Republican, and Joseph Lieberman, an independent from Connecticut, would allow the president to declare a "national cyber emergency" and permit the administration to direct a threatened system's operators to take action. The government would have to ensure the mandatory emergency measures were "the least disruptive means feasible".No advance warning
"The president's authority to deal with a catastrophic cyber attack aimed at critical infrastructure would be carefully defined - and constrained," Ms Collins said last week. "The president would not have the authority to take over critical infrastructure."
Some question the need for emergency presidential cyber authority.
Greg Nojeim says internet companies are better equipped than the government to decide whether to shut down their systems or remove them from the internet.
"Nobody has yet identified an actual real life circumstance in which an owner or operator decided not to isolate a network and the government thought it should be isolated," he said.
James Lewis, director of the technology and public policy programme at the Center for Strategic and International Studies in Washington, questions whether emergency shut-down power would be effective considering internet worms are usually discovered after they have struck.
"We almost never have advance warning," he said.