New Threat Scenarios Drive Cybersecurity Planners to Mull Responses

As lawmakers consider giving the president emergency powers in case of an online attack, many in the field are offering scenarios for how to define a cybersecurity emergency and how far the government should reach to contain an attack. 

The Cybersecurity Act of 2009, sponsored by Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, envisions the president taking emergency control of the Internet, but backers say it's not about a takeover, but about directing a coordinated, public-private response. 

The bill "applies specifically to the national response to a severe attack or natural disaster. This particular legislative language is based on longstanding statutory authorities for wartime use of communications networks," said Rockefeller spokeswoman Jessica Tice. 

An earlier version of the bill was revised this summer after critics called it unworkable. A newer version would allow the president to "declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised federal government or United States critical infrastructure information system or network."

The newer version replaces some of the language to allow the president to "direct the national response" to a cybersecurity emergency that the president would declare, said Greg Nojeim, senior counsel for the Center for Democracy and Technology, a group that wants the Internet to remain open, innovative and free. 

More On This...

That's an improvement over the first draft, he said. 

"The original version said that the president would have the power to shut down or limit Internet traffic in an emergency to a critical infrastructure. That language is actually dropped," Nojeim told FOX News. 

But the bill is unclear about how broad the president's power is. And what's more troubling to some is the application of emergency responses used in other situations to an area that has never faced that kind of security test. 

"If we were talking about the airports, well ... the military can go and take over the airports," said Larry Clinton, president of the Internet Security Alliance, which works on infrastructure security. "You can't go and take over the Internet. In order to secure the Internet, the government needs to work with the private sector that owns, operates and, in fact, creates 90 percent of this. So we need a collaborative process, not a government central command-and-control process."

Clinton said the Internet is no longer merely about telecommunications. Commerce on the World Wide Web equals trillions of dollars a day. Electric grids and national defense systems are all tied in online, he said. 

"Virtually everything now is wired through the Internet ... so we need a comprehensive system that will continually keep up with the threats," Clinton said. 

Dale Meyerrose, former chief information officer and associate director of national intelligence, said caution needs to be applied because current planning applies familiar terms with unfamiliar scenarios.

"It could even be a panic if you think about it," Meyerrose said. "A story catches hold, there's an attribution that says that country x has infiltrated something and nobody can take anything out of an ATM, or your power is going to go off or your water is going to turn off or whatever. And then a panic ensues. Those are the kinds of things (to consider) when you're talking about cyber 911s or cyber Pearl Harbors, in my view." 

Meyerrose said laws are in place already for a situation like the one eight years ago, when the United States was attacked and President Bush ordered all aircraft grounded until further notice. But those aren't easily applicable to cyberspace. 

"There are already provisions I believe -- and most of the folks in the business and the government believe -- that give the powers to the president that allow to effectively do what needs to be done in times of national emergency," Meyerrose said. 

"I would be troubled if the president didn't have some sort of emergency powers" for the Internet, he added. "The real ambiguity is, what's the trip wire for making it a national emergency?"

The Russians may have offered some clue to that scenario last summer when they accompanied their military attack on Georgia with cyber warfare. As Russian tanks rolled into the Caucasus nation, a silent and perhaps more damaging attack was being waged on the Internet to cripple the Georgian government's ability to communicate respond effectively. 

It is this type of 21st century attack that has cybersecurity analysts demanding the government clarify the lines of authority. 

"One wouldn't apply the same standards to the computer that runs the electric power grid or a nuclear power plant to the computer that is used by an individual user. This one-size-fits-all approach is doomed to fail. It's doomed to over-regulate the free speech-bearing part of the Internet that we all use and count on," said Nojeim.

Nojeim said the Senate bill under consideration provides for the government to certify cybersecurity professionals who would manage sensitive information systems that are part of the critical infrastructure but "a better approach" may be not only to educate people and provide training and scholarships in the field of cybersecurity, but also to use the government's procurement power to acquire better-secured information systems 

"The federal government needs to get its own cybersecurity house in order before it starts to tell the private sector what it ought to be doing," Nojeim said. "Many agencies of the federal government get failing grades for their cyber security measures. ... The government could lead in these ways without imposing this kind of heavy mandate." 

Clinton said the key is to have well-defined roles in the public and private sectors and a layout for who can do what in an emergency situation. He added that it's crucial to harness the market and make it cost-effective to secure the Web. 

"All the economic incentives now are in favor of the attackers. It's easy, it's comparatively easy to do an attack, there's lots of places you can attack, the benefits can be huge whereas security can be very expensive, you have to secure everything and what we have at risk, not only our personal identities but also our intellectual property and our national secrets, it's tremendous."

FOX News' Catherine Herridge contributed to this report.