New Cybersecurity Act Eliminates Internet Kill Switch

In a rewritten version of the cybersecurity bill, President Obama no longer has a kill switch for the Internet.

When the Cybersecurity Act of 2009 was unveiled last August, a controversial passage would have allowed the president to take emergency control of the entire Internet in the event of a serious threat, giving him effectively a "kill switch" -- the power to shut down all online traffic by unilaterally seizing private networks.

During a closed-door meeting on Capitol Hill Wednesday, co-sponsor Senator Jay Rockefeller, D-W.V., pitched a revised version of his legislation that strips the president of the power to turn off the Web.

The new draft, now called the Cybersecurity Act of 2010, says that after the president chooses to "declare a cybersecurity emergency," he can activate a "response and restoration plan" involving networks owned and operated by the private sector.

Larry Clinton, president of the Internet Security Alliance, which represents the telecommunications industry, applauded the removal of the Internet off switch.

"We had been very clear in our opposition to that provision," he said. "In addition to being bad policy, it was a poison pill for the bill."

Collaboration between the public and private sectors will occur via a newly formed upper-level body mandated in the bill, and possibly existing organizations as well.

"Private companies and the government must work together to protect our nation, our networks and our way of life from the growing cyber threat," said Rockefeller in a statement. "The networks that American families and businesses rely on for basic day-to-day activities are being hacked and attacked every day," he added.

Co-sponsor Sen. Olympia Snowe, D-Maine, agreed, calling it "imperative that the public and private sectors marshal our collective forces in a collaborative and complementary manner to confront this urgent threat."

Clinton believes that this and other changes represent a major step forward for the Cybersecurity Act, saying "the bill has transformed itself fairly significantly." He cited the elimination of a provision mandating cybersecurity for the public sector, as well as of a requirement that the government post public notices about weak spots in the infrastructure -- essentially advertising to hackers where to strike.

But he still thinks the bill is too focused on audits and compliance, pointing out that there's a real difference between regulatory compliance and actual security. "Many organizations now spend more of their security budgets on compliance than actual security -- they're fearing the auditor more than the hacker!"

Clinton thinks the bill will probably pass the Commerce Committee next Wednesday, but it still faces a number of other departments, such as Homeland Security, Commerce, Banking, and so on. But he's pleased with the latest changes.

"We're definitely moving forwards, and that's a good thing."