Cybersecurity and executive power.

Author:Opderbeck, David W.

Table of Contents I. Introduction II. Cyberwar and the Move to Regulate Cyberspace A. Cyberwarfare, Cyberterrorism, and Organized Cybercrime B. Major Cybersecurity Proposals: 2009-2012 1. The Cybersecurity Acts of2009 and 2010 2. Protecting Cyberspace as a National Asset Act of 2010 3. The Cybersecurity and Internet Freedom Act of 2011. 4. The Cybersecurity Act of 2012 III. Presidential Power and Cyber Emergencies A. Inherent Presidential Powers B. Delegated Powers and the Nondelegation Doctrine C. Nondelegation and the War on Terror D. Nondelegation, Government Power, and FISA E. Nondelegation and NSA Security Letters IV. Towards a Policy Matrix for Executive Authority and Cybersecurity A. Cyber-Minimalism: Cybersecurity and The Telecommunications Act of 1934 B. Cyber-Maximalism (or Cyber-Middle-ism): Child Pornography V. The Matrix A. Building the Matrix B. Entering the Matrix VI. Conclusion I. Introduction

In January and February 2011, an extraordinary wave of popular revolt swept through parts of North Africa. (1) Citizens in Tunisia and Egypt, who had been dominated by autocratic governments for decades, overthrew their rulers, including long-time Egyptian president Hosni Mubarak. (2) Some called the events in Egypt a "Facebook Revolution," symbolized by its youthful leaders, such as Google executive Wael Ghonim. (3) The Internet and social networks facilitated a degree of coordination and courage among ordinary people that would have been unthinkable less than a decade ago. Ghonim, who was imprisoned for twelve days before Mubarak's fall for helping organize protests through Facebook, exuberantly stated after Mubarak resigned, "This revolution started on Facebook. This revolution started ... in June 2010 when hundreds of thousands of Egyptians started collaborating content." (4)

In fact, cyberspace was in many ways the front line of the Egyptian revolution. Although Mubarak apparently lacked the support among the Egyptian military for sustained attacks on civilians, he waged a desperate last-gasp battle to shut down access to the Internet so that organizers could not effectively communicate with each other, the public, or the outside world. (5)

Could a similar battle over cyberspace be waged in developed democracies, such as the united states? Policymakers in the west are justifiably concerned about cyberattacks, cyberterrorism, and the possibility of cyberwar. The raging question is whether a democratic state governed by constitutional principles and committed to free speech and private property rights can promote cybersecurity without destroying the Internet's unique capacity to foster civil liberties.

Cyberspace is as vulnerable as it is vital. The threat is real. President Obama recently declared that "cyber threat is one of the most serious economic and national security challenges we face as a nation" and that "America's economic prosperity in the 21st century will depend on cybersecurity." (6) Cybersecurity has been described as "a major national security problem for the United States." (7) Private and public cyber-infrastructure in the united states falls under nearly constant attack, often from shadowy sources connected to terrorist groups, organized crime syndicates, or foreign governments. (8) These attacks bear the potential to disrupt not only e-mail and other online communications networks, but also the national energy grid, military-defense ground and satellite facilities, transportation systems, financial markets, and other essential facilities. (9) In short, a substantial cyberattack could take down the nation's entire security and economic infrastructure. (10)

U.S. policymakers are justifiably concerned by this threat. Existing U.S. law is not equipped to handle the problem. The United States currently relies on a patchwork of laws and regulations designed primarily to address the "computer crime" of a decade ago, as well as controversial antiterrorism legislation passed after the September 11 attacks, and some general (and equally controversial) principles of executive power in times of emergency.

Current proposals for containing the threat, however, could significantly increase U.S. government power--particularly presidential power--over the Internet. An influential report that informs current U.S. policy bluntly offers this remedy for holes in cybersecurity: "Regulate cyberspace." (11) According to the report, "[t]he United States must ... set minimum standards for securing cyberspace in order to ensure that the delivery of critical services in cyberspace continues if the United States is attacked." (12)

This broad regulatory approach was reflected in a bill introduced in the Senate, the "Cybersecurity Act of 2009." (13) The Cybersecurity Act's most controversial provision was a grant of authority to the President to "declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network." (14) In short, the President would have been authorized to shut down cyberspace, or at least the portion of cyberspace that interfaces with the United States.

Cyber civil libertarians reacted to this proposal with swift anger. No threat, they argued, justifies empowering the President with an Internet "kill switch." (15) In response to these complaints, more recently proposed legislation softens the kill switch language. (16) Nevertheless, it appears that the President could retain the power to "disconnect" compromised portions of the Internet without the need for any prior judicial review.

Cybersecurity policy thus raises fascinating and difficult questions about regulatory design, executive power, and jurisdiction over "cyberspace." This Article examines the President's ability to exert emergency control over cyberspace under U.S. law. Part II describes some serious threats to cybersecurity, including the practice of cyberwar, and surveys existing law and proposed legislation relating to cybersecurity. Part III examines constitutional limitations and the President's ability to control cyberspace, including in a time of cyber crisis or cyberwar. Part IV begins to develop a matrix for constructing a balanced cybersecurity policy, which is explored more fully in Part V.

  1. Cyberwar and the Move to Regulate Cyberspace

    1. Cyberwarfare, Cyberterrorism, and Organized Cybercrime

      Cyber is the new domain of international espionage, sabotage, and war. China, Russia, the United Kingdom, and the United States employ extensive cyber spying networks. (17) A coordinated series of denial-of-service and other attacks could cripple a state's political and communications systems, as happened during "Web War 1" between Russia and Estonia in 2007. (18) Cyberattacks can directly impact "real" infrastructure: "As computer networks collapse, factories and chemical plants explode, satellites spin out of control and the financial and power grids fail." (19)

      In June 2010, for example, a computer worm called "Stuxnet" was discovered in Iran. (20) At first inspection, it appeared to be a routine bit of malware. Closer analysis, however, revealed that Stuxnet was carefully designed to disrupt the sort of systems that help control equipment at nuclear power plants. (21) Stuxnet's subtlety and sophistication suggested to most experts that it was engineered not by rogue hackers, but rather by an entity with the resources of a nation-state, and that it was specifically targeted to damage Iran's nuclear capabilities. (22) It almost certainly was a cyberattack launched by Israel or the United States. (23)

      Recent evidence suggests that Stuxnet successfully curtailed Iran's production of refined uranium. (24) The Stuxnet attack appears to have bled into "real" space: the Iranian scientist chiefly responsible for eradicating Stuxnet from Iran's nuclear plants was killed on November 29, 2010, by assassins on motorbikes who stuck a bomb to his car. (25)

      While Stuxnet is an example of a probable cyberattack by the United States and its allies, many experts believe that the United States is among the most vulnerable nations to a cyberattack. Every aspect of the U.S. economy and infrastructure depends on digital interconnections. Leading cybersecurity writer Richard Clarke suggests that "cyber war places this country [the United States] at greater jeopardy than it does any other nation." (26) Indeed, many experts believe that, even now,

      [c]omputer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States.... (27) The Senate Committee on Commerce, Science, and Transportation recently reported that "[d]uring 2008, there were 54,640 identified [cyber]attacks against the Department of Defense; in 2009, there were 71,661 incidents reported; and through June 30 of 2010, there were 60,026 incidents reported." (28) Most analysts now agree that cyberwar is inevitable. (29)

      Cyberspace also provides a home base for organized crime and terrorism. The distribution of malware designed to harvest personal and corporate information now is largely run by syndicates, many based in Russia, Nigeria, China, Brazil, or other organized crime havens, that control networks of tens of millions of infected computers called "botnets." (30) Cybercrime may cost the U.S. economy $1 trillion annually, (31) and cybercriminals frequently launder money through "virtual" worlds, such as Second Life. (32) Moreover, "there is a growing swell of opinion that [terrorist] hackers will eventually be bold enough and powerful enough to launch attacks that will damage and destroy critical national infrastructure." (33) In...

To continue reading