Days before August recess, Senate Democrats are scrambling to pass legislation creating a new federal bureaucracy to set supposedly “voluntary” standards for cybersecurity. The bill, spearheaded by Sen. Joe Lieberman (I-Conn.), also gives companies sweeping immunity from being sued for a range of actions aimed at countering cyber threats. While Senate Majority Leader Harry Reid has said he’ll allow few amendments to the bill, he will allow a vote on a crucial amendment (SA 2732) backed by Senators Rand Paul (R-Ken.) and Al Franken (D-Minn.).
Before any amendments are voted on, however, Reid needs the support of 60 Senators to proceed. Fortunately for supporters of limited government, it’s unclear whether Reid has the votes to clear this morning’s vote.
If the bill does moves forward, it should include the Paul/Franken amendment. Their amendment would strike a section of the bill designed to encourage companies to monitor their networks and use so-called “countermeasures” against cyber attacks. While these may be sensible strategies for combating cyber threats, the bill doesn’t just permit such practices; it actually lets companies break promises they’ve made to their customers, with complete impunity. It also denies those harmed by countermeasures or monitoring their day in court.
The bill’s countermeasures section would permit an Internet provider to “modify, redirect, or block information” stored or transmitted on its network to fight cyber threats. What does this mean?
For one thing, a network owner might block The Onion Router (“Tor”), a popular anonymity service used by political dissidents worldwide to avoid oppressive governments. Tor is also used by some hackers to transmit stolen data, making the service a potential target for Internet providers worried about cyber attacks. The Lieberman bill would also let Internet providers monitor their business subscribers’ sensitive internal communications — including customer and personnel data — even if explicitly barred by the provider’s service agreement.
To be sure, network owners should have the right to block Tor — or, for that matter, any other content they don’t want to carry. They should also be free to monitor their networks for potentially harmful transmissions. We strongly support private property rights, including those of Internet providers, as we told a federal appeals court last month in an amicus brief arguing against the FCC’s “net neutrality” regulations.
But respecting property rights doesn’t mean a network owner should be able to promise its users one thing, then do the opposite. If a provider promises to let Tor traffic (or simply all traffic) flow across its network without interference, that promise should be as enforceable as any other contract. Holding people and companies to their voluntary contracts is, after all, a fundamental role of government — and a prerequisite for a well-functioning marketplace.
Critics of the Paul/Franken amendment argue that federal laws like the Wiretap Act deny companies the ability to protect their networks from cyber attacks. Although this claim is disputed by legal experts (the President’s own cybersecurity proposal does not list monitoring and countermeasures among network security practices that existing laws impede), we support revising laws that proscribe how companies can operate their networks.
The Lieberman bill, however, throws out the baby with the bathwater: It effectively guts not only provisions of the Wiretap Act (which restricts network operators from monitoring their networks in certain cases), but all forms of legal recourse currently available to customers of Internet and cloud providers. This overreach should alarm policymakers of all persuasions. We rarely agree with technocrat organizations like Free Press, which also supports the Paul/Franken amendment, yet groups across the ideological spectrum have warned Senators that the Lieberman bill simply goes too far in immunizing actions in the name of cybersecurity.
That’s not all. The Lieberman bill even immunizes a company’s harmful actions that violate the bill’s provisions, so long as the company reasonably believed in good faith it was following the statute. In other words, even users harmed by countermeasures employed to counter non-existent cyber threats might have no recourse against their provider.
The Paul/Franken amendment would help ensure the Lieberman bill doesn’t cannibalize private contracts between cloud-computing providers and their customers. For the cloud computing revolution to realize its vast potential, Internet providers must be able to make enforceable promises about when they’ll monitor their networks or use countermeasures.