S.3480, The Protecting Cyberspace as a National Asset Act of 2010, introduced by Sens. Lieberman, Collins and Carper, quietly passed committee last week on a voice vote and is now scheduled for debate on the US Senate floor. The controversial, nearly 200-page bill, which amends the Homeland Security Act of 2002, has been criticized by civil liberties and industry groups alike, who say it grants the President the ability to order operators of “covered critical infrastructure” to disconnect parts of the Internet. As the Center for Democracy & Technology noted in its letter to the Senate Committee on Homeland Security & Governmental Affairs, the heart of the matter is 1) the ambiguity around what exact powers a newly created National Center for Cybersecurity and Communications (NCCC) housed within DHS would have, and 2) the definition of “covered critical infrastructure” (CCI). Our reading of the bill agrees with these general criticisms: the language is far too loose and needs to be tightened. We are also concerned with specific effects on the Internet’s DNS and possible extraterritorial effects of the legislation.
Is the DNS root zone considered CCI?
The bill defines CCI as
a system or asset
(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
(B) (i) that is a component of the national information infrastructure; or
(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset;
The DHS-maintained critical infrastructure list referred to above is secret. However, an IT Sector Baseline Risk Assessment being undertaken by DHS includes looking at the DNS and threats to the root zone in particular. Given this, it is not unreasonable to assume that the DNS root zone is on that list, therefore implicating operators of the root zone, including ICANN, VeriSign and the other root server operators based in the United States.
What are the extraterritorial effects on Internet governance?
The bill includes sections on international cooperation dealing with securing CCI (section 248) and national cyber emergencies (section 249). According to the language, USG agencies with “responsibilities for regulating the covered critical infrastructure” will carry out the international activities. If the DNS root is a CCI, this implies a US domestic agency will assume some sort of regulatory role over the DNS root when it comes to cyber security matters. The big question is who will do this – NTIA, NIST, FCC, DHS, DoD, State – and what effect this will have on NTIA's relationship with ICANN?
In any case, the agency could work with other governments to inform root server operators located outside the United States (i.e. in Japan, Sweden, and the Netherlands) of cyber vulnerabilities and pressure them to implement mitigation and remediation measures. Domestic government agencies and regulators working closely across borders is not new (see Anne-Marie Slaughter’s work, or e.g., the London Action Plan). As Slaughter notes, these “transgovernmental networks” can be helpful in casting US power in a different light, something the USG has always contended with in regard to its oversight of the DNS root. However, Slaughter and others have identified that these networks can also increase accountability concerns.
Finally, perhaps the most interesting text in sections 248 and 249 is that which requires the NCCC Director to carry out international cooperation “in manner consistent with any international agreement.” This may be a nod to agreements that exist around other CCIs, but we'll note that an international agreement protecting the DNS root zone from any government interference would go a long way toward alleviating other countries' concerns about this legislation.