Experts debate expansion of president’s cybersecurity powers

Existing laws already give the president broad discretion on how to respond to cyberattacks, despite language in a Senate bill that proposes giving the president specific powers during such events, according to experts.

“The president already has emergency powers to take any action necessary to act in a national emergency,” said Jeffrey Addicott, director of the Center for Terrorism Law at St. Mary’s University School of Law. “This includes cyberspace.”

The president has that power under the National Security Strategy, Addicott said. The most recent National Security Strategy was published in 2006.

Addicott said the bill -- S.773 -- probably included the language to more clearly define how government officials expect to react to a potential threat, Addicott said. There are precedents for presidents acquiring authority in situations where they do not legally need it, he said.

“For example, all presidents can make war without congressional approval, but all presidents go to Congress to seek authorization, if not declaration of war, which was last done in World War II,” he said.

A Senate Commerce Committee staff member agreed that the president already has wide authority when responding to cyberattacks, but the bill makes it clear that the president's authority includes securing the national cyber infrastructure from attack, according to a CNET report.

The bill, introduced earlier this year and still under consideration, proposes giving the president the power to shut down and disconnect government or private computer networks or systems connected to critical infrastructures that are compromised by cyberattacks.

Some Internet companies and technology organizations oppose the presidential powers section of the bill.

Industry group TechAmerica officials said they are still reviewing the bill but do have some concerns with the proposed law.

“For example, we do note that the provision on presidential authority was modified to not specify powers to halt Internet traffic over private-sector networks and are examining the legislation to see if it reflects a true public-private partnership for addressing this issue,” said Charlie Greenwald, TechAmerica’s vice president of communications.

Limiting the president’s control to just critical infrastructures is not much of a restraint because about 85 percent of the nation’s critical infrastructures are controlled by private industry, Addicott said.

A Homeland Security Department list of critical infrastructure includes energy plants, chemical facilities, defense-related production, banks and other private entities, Addicott said.

“In my opinion, from a legal point of view the critical infrastructure should be considered a ‘commons’ and thus, the federal and state governments have an obligation to ensure that it is protected,” he said. “How far they should go in this role is open to debate.”

Since the Clinton administration, the government’s approach to cybersecurity for owners of private computer systems consisted of cooperative engagements rather than mandatory regulations, Addicott said.

“It appears that the Obama administration is taking steps towards increased regulation of private operators,” Addicott said.