The White House needs to have the emergency authority to compel the private sector to protect U.S. critical infrastructure if it came under a sustained cyberattack, according to Sen. Susan Collins (R-ME) Tuesday.

"We simply cannot wait for a cyber 9-11 before our government takes this threat seriously and acts to protect these critical assets," said Collins, the ranking member of the Senate Committee on Homeland Security and Governmental Affairs, during a hearing on cybersecurity [1].

Discussing a new cybersecurity bill [2](.pdf) introduced by Chairman Joseph Lieberman (I-CT) last week, co-sponsor Collins said existing federal legislation does not provide the president the emergency powers to mandate private infrastructure owners and operators take necessary action to plug a cybervulnerability when it is exploited or is about to be exploited.

Under section 706 of the Communications Act of 1934 [3] the president can take control of the nation's airwaves during war or national emergency. "That authority was passed in January of 1942," said Collins. "It was passed a month after the attack by the Japanese on Pearl Harbor, obviously a very different time and long before the Internet was conceived of." Collins worries a devastating cyberattack may fall short of the thresholds of war or threat of war necessary to trigger the law's emergency powers.

Lieberman agreed. "If there's an attack on our electric grid, I don't see in the old telecommunications law the power in the president, or anybody for instance, to order a patch to be put on a part of the grid to protect it," he said.

Thus the bill's rationale to give the president new executive powers to protect critical infrastructure from a cyberattack.

According to the 197-page bill, after the president declares a national cyber emergency, he can order critical infrastructure owners and operators to respond to the vulnerability in the least disruptive way possible to its operations. This potential power has been viewed suspiciously by some companies and civil libertarians, a view Collins addressed.

"We have carefully circumscribed that authority," she said. "It is limited in duration and scope."

Under the proposed legislation, the president must notify Congress before exercising these powers. Once activated, the powers last for 30 days unless the president extends them. Collins also assured the public that the bill does not grant the government new surveillance powers or allow the government to take over private networks.

Collins said the emergency authority is necessary as congressional and civilian government computer networks are "under increasing assault on all fronts." Referencing a statistic reported by Senate Sergeant-at-Arms Terrance Gainer, Collins said congressional and civilian government computer networks are attacked an average of 1.8 billion times a month [4]. "The cyberthreat is real and the consequences of a major successful national cyberattack could be devastating," Collins said.

Fielding a question from Collins, Francis Fragos Townsend, the former White House Homeland Security Advisor under President George Bush, also agreed existing emergency powers were not sufficient to respond to a cyberattack.

"I can say unequivocally that the existing authorities are not adequate and they are ambiguous," she said.

Townsend, now chairwoman of the board of the Intelligence and National Security Alliance, noted that if the United States came under a cyberassault, the president would likely act and then go back and create the necessary authority later.

"It just cries out for us to establish the rules now in a thoughtful way," Collins said, before executive abuses occur.

 ♦ Photo of the White House by BAR Photography/Flickr [5]

Thumbnail: