The Kill Switch: 'Death Panels of Cyber Security'

Fears over an Internet kill switch erupted last month in the wake of Egypt’s successful blackout, sounding alarms even among tech-dependant Westerners who once believed access to the web was an untouchable freedom.

While a similar blackout is far less likely in a nation such as the U.S., filled with loads of Internet service providers and stringent laws protecting civil rights, some say Washington should be imposing more regulations over the web in an effort to curtail cyber threats against critical infrastructures, including those operated by private entities.

Not surprisingly, the debate is split about government regulation over the Internet, but experts at least agree the time is now for companies to start building their own cyber armies in defense against rising cases of espionage that threaten their most valued corporate secrets and finances.

“We are, as a nation, dependent on our cyber infrastructure working properly, and the bulk of that is owned by the private sector,” said Christopher Fountain, CEO of SecureInfo, a provider of cyber security services and capabilities to the federal government and commercial sector. “Having the government concerned about that makes sense.”

Congress is considering a bill called ‘Cybersecurity and Internet Freedom Act of 2011’ that would establish mandatory security requirements and benchmarks for entities deemed as critical, or those used by Americans on a daily basis such as energy transmissions, water supply,transportation and the financial system, while at the same time giving the President the ability to shut particular federal systems of assets whose disruption would cause national or regional catastrophes.

Despite its language strictly prohibiting a situation where the government could shut down the Internet to stifle freedom of speech rights, the bill has been widely criticized by those who fear it would place too much power in lawmakers' hands.

Independent Senator Joe Lieberman, one of the legislation’s backers, said last month the term “kill switch” has become the “death panels of the cybersecurity debate.”

The fear of an Internet kill switch in the U.S. was brought to the forefront in February after former Egyptian leader Hosni Mubarak ordered the country’s four providers to pull the plug in a desperate effort to quell social-media planning efforts that led to country-wide protests calling for his ouster, a move that knocked out 90% of web traffic in seconds.

“Originally I thought it would be impossible, but thanks to Mubarak we have had a perfect demonstration of how you would shut the Internet in your own country,” said Richard Stiennon, security expert and chief research analyst at IT-Harvest.

An Internet blackout in the U.S. would disrupt business operations and impede civil liberty rights, he said, sparking public outrage similar to that seen in cases of eminent domain.

“It’s the exact reaction you’d get from property owners whose properties are being condemned so that a highway can be built, only it would be much more devastating because it would destroy the business,” he said.

But from the point of view of strategy, an Internet kill switch would not be feasible in the U.S., according to GreyLogic CEO Jeffrey Carr, a cyber warfare expert and author. The idea of a shutdown happening in the West, he said, is “far removed from the reality of how cyber warfare is conducted today.”

In order to disable the Internet, Washington would have to acquire regulatory control of thousands of ISPs, which would not only be an unrealistic task but could work to the perpetrator’s advantage. Cyber attacks are usually covert, undetected missions, and there’s a good chance the offender is already in the network long before it gets to the point of an attack, Stiennon said, and by then, “it’s way too late to do anything.”

“The ultimate goal in any cyber attack would be to shut the Internet,” he said. “If there were an ability to do that, the method to do so would become a target,” creating a “huge vulnerability to the U.S.”

Overlooking Defense

But whether or not the legislation is approved by Congress, cyber security in the U.S. remains a point of issue, with many claiming it is largely underestimated by the private sector. Companies have been criticized for understating risks of cyber espionage and warfare, or how to defend against them.

The Senate’s Sergeant at Arms reported last year that the computer systems of Executive Branch agencies and Congress are probed or attacked an average of 1.8 billion times per month, costing roughly $8 billion annually.

Cyber espionage, meanwhile, has been on the rise in the private sector, including the Nasdaq OMX Group (NASDAQ:NDAQ), which said earlier this year that a confidential document-sharing service it runs was hacked, and McAfee (NYSE:MFE), which admitted that Chinese spies infiltrated five Western energy companies’ networks. Most recently, EMC (NYSE:EMC) said its RSA security division experienced an "extremely sophisticated cyber attack" against its products used by customers for double authentication purposes.

“The threat of cyber espionage must be addressed by enterprises as it is as relevant to them as it is to national security organizations,” Graham Titterington, an Ovum principal analyst, said in a note.

Federal entities already follow a cyber benchmark system under the Federal Information Security Management Act [FISMA] of 2002, and Fountain, who estimated that roughly 90% of all critical infrastructures are owned by the private sector, suggested the government impose similar regulations on critical commercial industries.

He likened the proposed cyber security bill to the Patriot Act of 2001 that placed more stringent record keeping and reporting requirements on financial institutions, noting the legislation would provide “greater incentives” via newly established offices that would ensure companies “are implementing best practices in the defense against cyber attacks,” while inflicting penalties on those that fail to comply.

Washington may need to provide funding or some kind of protection so companies can boost their defense budget without fearing a shareholder lawsuit if profits were to slip on the expenses, according to Carr, who also suggested a performance metric for companies such as McAfee selling the solutions.

“Critical infrastructure remains highly vulnerable because companies aren’t spending what they need to spend to harden their networks,” he said. “Companies need to invest the money to build their own defense.”

Awareness and education are key steps in preventing an attack, as is compliance with certain regulations. Companies, according to Jay Bavisi, president of the International Council of Electronic Commerce Consultants, need to “get out of the world of ignorance,” and put security at the forefront.

“Without cyber security, shareholder value is completely out the window,” Carr said. “The industry needs a wake-up call.”