Internet Freedom and Security

The issue of internet freedom and security contains aspects of Net Neutrality, Homeland Security, and Intellectual Property. However, the actions taken by Congress to create what some people call an internet kill switch have prompted it to be listed as a separate viewpoint here.

The issue so far consists of three pieces of legislation and a list of seizures by ICE of websites that are involved in intellectual property violations or child pornography. Those pieces of legislation are:

  • S 3480 - the internet kill switch
  • HR 3261 - the Stop Online Piracy Act (SOPA)
  • S 968 - the PROTECT IP Act

 

Internet Kill Switch

In June of 2010, Senator Lieberman of Connecticut put forth S 3480. The bill's official title was the Protecting Cyberspace as a National Asset Act of 2010, but it came to be known as the internet kill switch. The legislation contained 5 titles which created an office of cyberspace policy, created a National Center for Cyber Security and Communications, detailed Federal Information Security Management, and detailed the recruiting, hiring, and training of cyber security personnel.

The primary feature of the legislation was that it allowed the President to declare a state of cyber emergency, during which all previously identified critical infrastructure would be required to follow predesignated emergency procedures, which would likely include shutting off the internet. The idea was that critical infrastructure items such as the Hoover Dam could be cut off from the internet if a virus was growing on the internet that could threaten that infrastructure. The wording of the legislation is vague, and the legislation itself only sets up the bureaucracy to define the critical infrastructure and to eventually define the procedure in the case of a cyber emergency.

Critics of the plan called it the "internet kill switch" because it would give the President the power to shut down the internet to as much of the country as deemed necessary in the event of a cyber attack. The timing of the legislation was suspicious as it came just after Egypt's leaders shut down the internet there in an attempt to quell dissent.

The sponsor of the legislation, Senator Lieberman, stated that China had similar measures in place in the case of an outside cyber attack and the US would be safer under such a program. However, the language does not specify that the cyber threat must come from outside the US.

 

PROTECT IP Act

S 968 was introduced in May of 2011 by Senator Patrick Leahy of Vermont and received 24 co-sponsors. It was titled the PROTECT IP Act of 2011 which was an acronym for "Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011."

The legislation allows the Attorney General or any person to bring a complaint against a rogue website that is devoted to infringing activities. The court can then order the internet service provider to remove access to that site and allow advertisers and financial services to cease providing service to that site.

ISPs and advertisers are also allowed to take voluntary actions without liability against any site that they deem as either infringing on intellectual property or endangering public health. This includes sites devoted to drug reimportation, prescription drugs, or misbranded drugs.

 

Stop Online Piracy Act - SOPA

The Stop Online Piracy Act was introduced into the US House in late October of 2011. It is very similar to S 968, the PROTECT IP Act, and basically contains the same legislation with additional components.

 

Legislation

The table below provides links to the full PDF texts of the legislation and to the official summaries. These summaries also show the list of co-sponsors and any votes on the legislation.

| Bill Number | Bill Title | Link to Summary | Link to Text |
| --- | --- | --- | --- |
| S 3480 | Protecting Cyberspace as a National Asset Act of 2010 | Bill Summary | Bill Text |
| HR 3261 | Stop Online Piracy Act - SOPA (House) | Bill Summary | Bill Text |
| S 968 | Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 or PROTECT IP Act of 2011 | Bill Summary | Bill Text |

 

S 3480 - The Internet Kill Switch

 

Office of Cyberspace Policies

Title I of the legislation creates the Office of Cyberspace Policy under the executive office whose purpose is to develop a national strategy to increase the security and resiliency of cyberspace, that includes goals relating to:

  • computer network operations, including offensive activities, defensive activities, and other activities;
  • information assurance;
  • protection of critical infrastructure and key resources;
  • research and development priorities;
  • law enforcement;
  • diplomacy;
  • homeland security;
  • protection of privacy and civil liberties;
  • military and intelligence activities; and
  • identity management and authentication;

 

The office was also tasked with overseeing, coordinating, and integrating all policies and activities of the Federal Government across all instruments of national power relating to ensuring the security and resiliency of cyberspace, including—

  • diplomatic, economic, military, intelligence, homeland security, and law enforcement policies and activities within and among Federal agencies; and
  • offensive activities, defensive activities, and other policies and activities necessary to ensure effective capabilities to operate in cyberspace;

(3) ensure that all Federal agencies comply with appropriate guidelines, policies, and directives from the Department of Homeland Security, other Federal agencies with responsibilities relating to cyberspace security or resiliency, and the National Center for Cybersecurity and Communications; and

(4) ensure that Federal agencies have access to, receive, and appropriately disseminate law enforcement information, intelligence information, terrorism information, and any other information (including information relating to incidents provided under subsections (a)(4) and (c) of section 246 of the Homeland Security Act of 2002, as added by this Act) relevant to—

  • (A) the security of the Federal information infrastructure or the national information infrastructure; and

A Director of Cyberspace Policy will be appointed by the President with the advice and consent of the Senate. The Director will advise the President regarding the establishment of policies, goals, objectives, and priorities for securing the information infrastructure of the Nation. The Director will coordinate across agencies and have access to classified information as needed to fulfill their job.

 

Center for CyberSecurity

The second title of the legislation creates the National Center for CyberSecurity and Communications. It allows the President to appoint a Director at the consent of the Senate. That Director is to lead the organization to coordinate and prepare for future cyber emergencies and force compliance of private and public entities to prepare for such an emergency. This includes risk based assessments of covered critical infrastructure and suggestions of compliance mechanisms.

Among the dozens of duties listed for the Director of the Center was the development and implementation of a public education program to make the people more aware of cybersecurity systems and needs. It was also to be designed to make the public more aware of failures to keep up with effective security. The legislation also creates a United States Computer Emergency Readiness Team (CERT). 

The primary role of the Director is to identify and evaluate the risks to cyber security. The Director is then required to submit a plan to address any found shortfalls in public or private industry cybersecurity.

(2) FACTORS TO BE CONSIDERED.—In identifying and evaluating cyber risks under paragraph (1), the Director shall consider—

  • (A) the actual or assessed threat, including a consideration of adversary capabilities and intent, preparedness, target attractiveness, and deterrence capabilities;
  • (B) the extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption of the reliable operation of covered critical infrastructure;
  • (C) the threat to or impact on national security caused by a disruption of the reliable operation of covered critical infrastructure;
  • (D) the extent to which the disruption of the reliable operation of covered critical infrastructure will disrupt the reliable operation of other covered critical infrastructure;
  • (E) the harm to the economy that would result from a disruption of the reliable operation of covered critical infrastructure; and
  • (F) other risk-based security factors that the Director, in consultation with the head of the sector-specific agency with responsibility for the covered critical infrastructure and the head of any Federal agency that is not a sector-specific agency with responsibilities for regulating the covered critical infrastructure, determine to be appropriate and necessary to protect public health and safety, critical infrastructure, or national and economic security.

 

In addition to creating the National Center for CyberSecurity and the Office of CyberSpace Policies, the primary component of the legislation was that it gave the President the ability to call a national cyber emergency.

(a) DECLARATION.—(1) IN GENERAL.—The President may issue a declaration of a national cyber emergency to covered critical infrastructure if there is an ongoing or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure. Any declaration under this section shall specify the covered critical infrastructure subject to the national cyber emergency.

(2) NOTIFICATION.—Upon issuing a declaration under paragraph (1), the President shall, consistent with the protection of intelligence sources and methods, notify the owners and operators of the specified covered critical infrastructure and any other relevant private sector entity of the nature of the national cyber emergency.

(17) the term ‘national cyber emergency’ means an actual or imminent action by any individual or entity to exploit a cyber risk in a manner that disrupts, attempts to disrupt, or poses a significant risk of disruption to the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure;

(18) the term ‘national information infrastructure’ means information infrastructure—

  • (A) that is owned, operated, or controlled within or from the United States; and
  • (B) that is not owned, operated, controlled, or licensed for use by a Federal agency;

 

In executing this cyber emergency, the federal government has the right to:

  • Force infrastructure owners to implement response plans required under section 248(b)(2)(C);
  • develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure;
  • ensure that emergency measures or actions directed under this section represent the least disruptive means feasible to the operations of the covered critical infrastructure and to the national information infrastructure;
  • subject to subsection (g), direct actions by other Federal agencies to respond to the national cyber emergency;
  • coordinate with officials of State and local governments, international partners of the United States, owners and operators of covered critical infrastructure specified in the declaration, and other relevant private sector entities to respond to the national cyber emergency;
  • initiate a process under section 248 to address the cyber risk that may be exploited by the national cyber emergency; and
  • provide voluntary technical assistance, if requested, under section 242(f)(1)(S)

 

There is a list of actions that the government is not allowed to take during this time. In addition to ensuring that the privacy and civil liberties of each person are preserved, the federal government cannot:

  • restrict or prohibit communications carried by, or over, covered critical infrastructure and not specifically directed to or from the covered critical infrastructure unless the Director determines that no other emergency measure or action will preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of the covered critical infrastructure or the national information infrastructure;
  • control covered critical infrastructure;
  • compel the disclosure of information unless specifically authorized by law; or
  • intercept a wire, oral, or electronic communication (as those terms are defined in section 2510 of title 18, United States Code), access a stored electronic or wire communication, install or use a pen register or trap and trace device, or conduct electronic surveillance (as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801)) relating to an incident unless otherwise authorized under chapter 119, chapter 121, or chapter 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).

 

Once declared, the national emergency is in effect for 30 days. To extend the emergency beyond that, the Director must explain in writing why the emergency measure or action remains necessary to address the identified national cyber emergency, and the President must issue a written order or directive reaffirming the national cyber emergency, the continuing nature of the national cyber emergency, or the need to continue the adoption of the emergency measure or action. Even with these measures, the extension can only remain in effect an additional 30 days, and only three 30-day extensions can be passed unless a joint resolution of Congress is passed.

 

Federal Information Security Management

In the first part of the third title, Congress finds that since 2002 the Federal Government has experienced multiple high-profile incidents that resulted in the theft of sensitive information amounting to more than the entire print collection contained in the Library of Congress, including personally identifiable information, advanced scientific research, and prenegotiated United States diplomatic positions.

The title then requires that the Director and the agency compile a list of covered critical infrastructure items that will have to comply with the new rules for cyber security. The legislation then points out that an item cannot be specified to be controlled as critical infrastructure if its sole value is free speech.

(1) IN GENERAL.—Subject to paragraphs (2) and (3), the Secretary, in coordination with sector specific agencies and in consultation with the National Cybersecurity Advisory Council and other appropriate representatives of State and local governments and the private sector, shall establish and maintain a list of systems or assets that constitute covered critical infrastructure for purposes of this subtitle.

(2) REQUIREMENTS.—

(A) IN GENERAL.—A system or asset may not be identified as covered critical infrastructure under this section unless such system or asset meets each of the requirements under subparagraph (B)(i), (ii), and (iii).

(B) REQUIREMENTS.—The requirements referred to under subparagraph (A) are that—

  • (i) the destruction or the disruption of the reliable operation of the system or asset would cause national or regional catastrophic effects identified under section 210E(a)(2)(B)(iii);
  • (ii) the system or asset is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
  • (iii)
    • (I) the system or asset is a component of the national information infrastructure; or
    • (II) the national information infrastructure is essential to the reliable operation of the system or asset.

(3) LIMITATION.—A system or asset may not be identified as covered critical infrastructure under this section based solely on activities protected by the first amendment to the United States Constitution.

 

Senator Lieberman - State of the Union

In June of 2010, Senator Lieberman appeared on State of the Union with Candy Crowley and was asked about the proposed legislation. He stated that at a time of cyber-war, the US should be able to shut down traffic from outside the US if it was attempting to harm US infrastructure. He pointed to China's ability for the government to shut down part of the internet within the country and stated that the US needed to have that ability as well.

 

Letter to Congress

Days after the legislation was proposed, numerous watchdog groups sent a letter to the sponsors of the legislation noting the potential for misuse of the provisions of the legislation.

June 23, 2010
The Honorable Joseph Lieberman
The Honorable Susan Collins
The Honorable Tom Carper
Senate Committee on Homeland Security and Government Affairs
340 Dirksen Senate Office Building
Washington, DC 20510

RE: Civil Liberties Issues in Cybersecurity Bill

Dear Senators Lieberman, Collins and Carper:

The Homeland Security and Government Affairs Committee will soon consider the Protecting Cyberspace as a National Asset Act, S. 3480. We are privacy, civil liberties and civil rights groups writing to express our concerns about the legislation. Changes are needed to ensure that cybersecurity measures do not unnecessarily infringe on free speech, privacy, and other civil liberties interests.

Scope. The legislation, among other things, creates a National Center for Cybersecurity and Communications (NCCC) with significant authority over covered critical infrastructure (CCI) owners and operators. This makes the determination of what is, and is not, a CCI system or asset important to the scope of the legislation. However, the bill does not adequately define CCI, giving rise to concern that it includes elements of the Internet that Americans rely on every day to engage in free speech and to access information. Some have regarded the national communications system itself as a “critical infrastructure” in other contexts. We ask that you clarify the scope of the legislation by restrictively defining CCI so that cybersecurity responsibilities the bill imposes fall only on truly critical network components.

Preserving Free Speech in Cybersecurity Emergencies. The bill authorizes the NCCC, in an emergency declared by the President, to take unspecified emergency actions to preserve the reliable operation of particular covered critical infrastructure. The government can compel companies that own or operate critical infrastructure systems to take those undefined actions for 30‐day periods that may be renewed indefinitely. While the bill makes it clear that it does not authorize electronic surveillance beyond that authorized in current law, we are concerned that the emergency actions that could be compelled could include shutting down or limiting Internet communications that might be carried over covered critical infrastructure systems. This section should be amended to articulate the specific emergency actions the NCCC can compel, and any applicable limits on those actions. It should also be amended to ensure that emergency measures undertaken do not unnecessarily disrupt Internet communications. The Internet is vital to free speech and free inquiry, and Americans rely on it every day to access and to convey information. Any cybersecurity action the government requires that would infringe on these rights of free speech and free inquiry must meet a traditional First Amendment strict scrutiny test: (i) the action must further a compelling governmental interest; (ii) it must be narrowly tailored to advance that interest; and (iii) it must be the least restrictive means of achieving that interest. Finally, the bill should also be amended to require an independent assessment of the effect on free speech, privacy and other civil liberties of the measures undertaken to respond to each emergency the President declares. It is imperative that cybersecurity legislation not erode our rights.

Information Sharing and Privacy. The bill requires CCI owners and operators to share cybersecurity “incident” information with DHS, which will share some of that information with law enforcement and intelligence personnel. It includes an important limitation: the incident reporting mandate does not authorize any federal entity to compel disclosure relating to an incident or conduct surveillance unless otherwise authorized under the surveillance statutes or other laws. However, the bill does not indicate what might be included in an “incident report” and we are concerned that personally‐identifiable information will be included. To minimize the privacy impact of sharing personally identifiable information, we ask that you ensure that information sharing activities be conducted only in accordance with principles of Fair Information Practices as articulated by the DHS Privacy Office.

Transparency. Cybersecurity measures that have an impact on the public should be transparent to the public to the maximum extent possible. Unlike other proposals, your legislation does not appear to give the National Security Agency and the Department of Defense an outsized role in securing civilian government and privately‐owned networks. Such a role would no doubt mean less transparency about cybersecurity activities, and more concern about whether they comply with the law. While the bill includes several provisions requiring reports to Congress, including reports about cybersecurity emergencies and about monitoring Internet traffic to and from government agencies for cybersecurity purposes, it should clarify that these reports must be made available to the public. We would like to explore with you other reporting requirements that would help the public better assess the impact of cybersecurity measures on civil liberties.

Thank you for considering our views. If you would like to discuss them further, or would like to respond to this letter, please contact Michelle Richardson at the American Civil Liberties Union, 202/715‐0825.

Sincerely,
American Civil Liberties Union
American Library Association
American Association of Law Libraries
Association of Research Libraries
Bill of Rights Defense Committee
Center for Democracy & Technology
Citizens Committee for the Right to Keep and Bear Arms
Competitive Enterprise Institute
Constitution Project
Cyber Privacy Project
Defending Dissent Foundation
DownsizeDC.org
Electronic Frontier Foundation
Government Accountability Project
Liberty Coalition
Liberty Guard
Muslim Public Affairs Council
Muslimah Writers Alliance
National Lawyers Guild – National Office
OpenTheGovernment.org
OMB Watch
Political Research Associates
Rutherford Institute
U.S. Bill of Rights Foundation
cc:
Howard Schmidt, Cybersecurity Coordinator, The White House
Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, Department of Homeland Security
Members of Senate Homeland Security and Government Affairs Committee
Rep. Jane Harman
Rep. Peter T. King

 

 

Response by Congress

On June 23, 2010, Members of the Senate responded to criticisms of the legislation by putting out a "Myth vs Fact" paper addressing the internet kill switch accusation and many others.

Myth vs. Reality
The Facts About S. 3480,
“Protecting Cyberspace as a National Asset Act of 2010”

WASHINGTON – Ahead of the Thursday, June 24, mark-up of this critical cybersecurity bill, Senators Joe Lieberman, ID-Conn, Chairman of the Senate Homeland Security and Governmental Affairs Committee, and Susan Collins, R-Me., its Ranking Member, today issued a “Myth vs. Reality” fact sheet to describe the intent and impact of their bipartisan legislation and to address some misconceptions about the bill.

FACTS:

The threat of a catastrophic cyber attack is real. It is not a matter of “if” an attack will happen; rather, it is a matter of “when.” This past March, the Senate’s Sergeant at Arms reported that the computer systems of the Executive Branch agencies and the Congress are now under cyber attack an average of 1.8 BILLION times per month.

Additionally, cyber crime costs our national economy billions of dollars annually.

And, as intelligence officials have warned, malicious cyber activity occurs on a daily basis, on an unprecedented scale, and with extraordinary sophistication. As the former Director of National Intelligence Michael McConnell testified in February, “If we went to war today, in a cyber war, we would lose.”

MYTH #1:

S. 3480 authorizes a “kill switch” that would allow the President to shut down the Internet.

REALITY:

Rather than granting a “kill switch,” S. 3480 would make it far less likely for a President to use the broad authority he already has in current law to take over communications networks.

Section 706 of the Communications Act of 1934 provides nearly unchecked authority to the President to “cause the closing of any facility or station for wire communication” and “authorize the use of control of any such facility or station” by the Federal government. Exercise of the authority requires no advance notification to Congress and can be authorized if the President proclaims that “a state or threat of war” exists. The authority can be exercised for up to six months after the “state or threat of war” has expired.

The Department of Homeland Security, in testimony before the Committee on June 15, 2010, indicated that Section 706 is one of the authorities the President would rely on if the nation were under a cyber attack.

S. 3480 would bring Presidential authority to respond to a major cyber attack into the 21st century by providing a precise, targeted, and focused way for the President to defend our most sensitive infrastructure. The authority in S. 3480 would be limited to 30-day increments and may be extended beyond 120 total days only with Congressional approval. The President must use the “least disruptive means feasible” to respond to the threat. The authority does not authorize the government to “take over” critical infrastructure. It does not authorize any new surveillance authorities. The President would be required to provide advance notice to Congress of the intent to declare a national cyber emergency or as soon as possible after a declaration, with reasons why advance notice was not possible. Owners/operators of covered critical infrastructure would be allowed to propose alternative security measures to respond to the national cyber emergency. Once approved by the Director of the National Center for Cybersecurity and Communications (NCCC), these security measures could be implemented instead of those previously required to respond to the cyber threat. Owner/operators that implement these emergency measures receive limited, civil liability protections for their actions.

MYTH #2:

S. 3480 would give the President the authority to take over the entire Internet.

REALITY:

S. 3480 would direct the President to set risk-based security performance requirements and, in a national cyber emergency, order emergency measures for our nation’s most critical infrastructure - those systems and assets that are most critical to our telecommunications networks, electric grid, financial system, and other components of critical infrastructure. The bill authorizes only the identification of particular systems or assets – not whole companies, and certainly not the entire Internet. Only specific systems or assets whose disruption would cause a national or regional catastrophe would be subject to the bill’s mandatory security requirements. To qualify as a national or regional catastrophe, the disruption of the system or asset would have to cause: mass casualties with an extraordinary number of fatalities; severe economic consequences; mass evacuations of prolonged duration; or severe degradation of national security capabilities, including intelligence and defense functions. The bill expressly prohibits the Secretary from identifying systems or assets as covered critical infrastructure “based solely on activities protected by the first amendment of the United States Constitution.” This prohibition would also prevent the identification of specific websites for censorship. The owners/operators of covered critical infrastructure identified by the Secretary could appeal the inclusion of the particular system or asset on the list through administrative procedures.

The list of covered critical infrastructure would be developed collaboratively, working with the private sector.

MYTH #3:

S. 3480 would give the President the authority to conduct electronic surveillance and monitor private networks.

REALITY:

This allegation is false. The bill creates no new authority to conduct electronic surveillance. It gives the government no new authority to compel the disclosure of private information. It does not alter the limitations of the Wiretap Act, the Electronic Communications Privacy Act, or the Foreign Intelligence Surveillance Act. S. 3480 would establish a public/private partnership to secure cyberspace. It would encourage the private sector to voluntarily provide information about threats and vulnerabilities to our nation’s information technology infrastructure. Although owners/operators of covered critical infrastructure would be required to report on cyber attacks on their networks, the National Center for Cybersecurity and Communications (NCCC) would not have the authority to compel this disclosure. Information provided to the NCCC by the private sector would be protected from unauthorized disclosure. This system would rely on voluntary sharing of threat and vulnerability data and would help create a collaborative environment between the NCCC and the private sector.

MYTH #4:

S. 3480 would give the President the authority to regulate the Internet, which would limit innovation, impose costs on American businesses, and undermine competition, both at home and abroad.

REALITY:

The bill would set risk-based security performance requirements only for the owners/operators of our most critical systems and assets, which if disrupted would cost thousands of lives or billions of dollars in economic damage. The risk-based security performance requirements set by the NCCC would be developed in collaboration with the private sector.
Rather than setting specific standards, the NCCC would employ a risk-based approach to evaluating cyber risk. The owners/operators of covered critical infrastructure would develop a plan for protecting against those risks and mitigating the consequences of an attack. These owners/operators would be able to choose which security measures to implement to meet applicable risk-based security performance requirements.

This collaborative model would allow for continued innovation and dynamism that are fundamental to the success of the IT sector.

More fundamentally, the vast majority of this legislation embodies a public/private partnership to improve cyber security. Working cooperatively with the private sector, the NCCC would produce and share useful warning, analysis and threat information with the private sector. Furthermore, the NCCC would share information and work with the private sector to develop and promote best practices. The NCCC would provide voluntary technical assistance to the private sector to encourage adoption of best practices.

MYTH #5:

By including a strategy to ensure security is considered in federal information technology procurements, the bill would upset international standards for information technology products and services.

REALITY:

For too long, the federal government has failed to adequately account for security when procuring information technology products and services. S. 3480 would require the government to develop a strategy to consider security risks in information technology procurements. It would be similar to efforts already under way at the Departments of Defense and Homeland Security. This is simply a high level strategic effort that encourages collaboration by all stakeholders – it would not preclude particular businesses from contracting with the government.

The strategy would be developed by the Secretary of Homeland Security, in collaboration with all affected stakeholders – including the private sector. The strategy would be required to consider security based on risk, mission criticality, and cost effectiveness. The strategy would explicitly incorporate existing preferences for commercial-off-the-shelf products and services in Federal procurements.

The strategy would not circumvent or set aside international standards. Indeed, the bill would require the strategy developers to “place particular emphasis on the use of internationally-recognized standards and standards developed by the private sector.” If existing standards are not sufficient, the bill would direct the strategy to devise a process, working with the National Institute for Standards and Technology, to make recommendations for improvements to these standards.

To the extent necessary to implement the strategy, the FAR Council would incorporate portions of the strategy into the Federal Acquisition Regulations (FAR). These regulations would be the subject of public notice and comment under the well-established administrative process applicable to FAR changes.

These improvements in federal acquisition policy should have beneficial ripple effects in the larger commercial market. As a large customer, the federal government can contract with companies to innovate and improve the security of their IT services and products. With the government’s vast purchasing power, these innovations can establish new security baselines for services and products offered to the private sector and the general public. These improvements would develop by operation of the market and innovations among market competitors, not by regulation.

 

S 968 - PROTECT IP Act of 2011

S 968 was introduced in May of 2011 by Senator Patrick Leahy of Vermont and received 24 co-sponsors. It was titled the PROTECT IP Act of 2011 which was an acronym for "Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011."

The legislation allows the Attorney General or any person to bring a complaint against a rogue website that is devoted to infringing activities. The court can then order the internet service provider to remove access to that site and allow advertisers and financial services to cease providing service to that site.

ISPs and advertisers are also allowed to take voluntary action, without liability, against any site that they deem to be either infringing on intellectual property or endangering public health. This includes sites devoted to drug reimportation, prescription drugs, or misbranded drugs.

 

Definitions

The legislation starts off with a number of definitions, one of which is the definition of an internet site dedicated to infringing activities. This is defined as an internet site that:

  • (A) has no significant use other than engaging in, enabling, or facilitating the—
    • (i) reproduction, distribution, or public performance of copyrighted works, in complete or substantially complete form, in a manner that constitutes copyright infringement under section 501 of title 17, United States Code;
    • (ii) violation of section 1201 of title 17, United States Code; or
    • (iii) sale, distribution, or promotion of goods, services, or materials bearing a counterfeit mark, as that term is defined in section 34(d) of the Lanham Act; or
  • (B) is designed, operated, or marketed by its operator or persons operating in concert with the operator, and facts or circumstances suggest is used, primarily as a means for engaging in, enabling, or facilitating the activities described under clauses (i), (ii), or (iii) of subparagraph (A);

 

Rogue Websites

The primary component of the PROTECT IP Act is that it grants the Attorney General the right to commence action against a rogue website in either an "in personam" manner or an "in rem" manner. In particular, the AG may commence in personam action against a registrant of a nondomestic domain name used by an Internet site dedicated to infringing activities; or an owner or operator of an Internet site dedicated to infringing activities accessed through a nondomestic domain name. If the Attorney General is unable to find a person to serve in personam, the Attorney General may commence an in rem action against a nondomestic domain name used by an Internet site dedicated to infringing activities.

The legislation allows the Attorney General to ask the courts to issue restraining orders, preliminary injunctions, or injunctions against the nondomestic domain name, the registrant of the domain name, or the owner of a domain name that is dedicated to infringing activities, and require those domains to cease and desist. For the AG to have this ability, the domain name of the website must be used within the United States to access the internet, and the site must conduct business directed to residents of the United States and harm intellectual property rights of those within the United States.

After the site is identified, notices are sent to the owners. After that, the internet service provider is required to take actions to prevent people from accessing that website. Financial transaction providers and internet advertisers are also prevented from doing business with the site. Any entity that is complying with court orders is immune from liability for actions taken against the website.

To enforce the law, the Attorney General may bring an action for injunctive relief against any party receiving a court order issued pursuant to the law that knowingly and willfully fails to comply with the court order.

An order against a website can be rescinded if the website takes corrective measures, or if the site name expires and a new order claims the name.

 

Eliminating the Financial Incentive to Steal IP

A section titled "Eliminating the Financial Incentive to Steal Intellectual Property Online" allows a qualifying plaintiff to commence action against a website that it claims is infringing on its intellectual property rights. The procedures and actions to be taken are identical to those outlined for the Attorney General.

 

Voluntary Action

In addition to allowing the AG and individuals to bring injunctive action against websites, the legislation has a section titled "Voluntary Action Against Websites Stealing American Intellectual Property." The legislation allows any internet service provider or advertising service to take voluntary action against a website in manners described above without being held liable for damages to those websites. This action can be denial of service or refusal to provide advertising service.

The legislation does not merely permit voluntary action against websites devoted to stealing intellectual property; it also allows voluntary action against internet sites engaged in infringing activities that endanger public health. This includes sites devoted to medical purposes that sell counterfeit products or controlled or non-controlled prescription medication. It could also be a site that has no significant use other than providing prescription drugs without a prescription or misbranded drugs.

 

HR 3261 - Stop Online Piracy Act

The Stop Online Piracy Act was introduced into the US House in late October of 2011. It is very similar to S 968, the PROTECT IP Act, and basically contains the same legislation with additional components.

Definitions

The legislation starts off with a number of definitions, one of which is the definition of a foreign infringing site. An internet site is defined as a foreign infringing site if:

  • the Internet site or portion thereof is a U.S.-directed site and is used by users in the United States;
  • the owner or operator of such Internet site is committing or facilitating the commission of criminal violations punishable under section 2318, 2319, 2319A, 2319B, or 2320, or chapter 90, of title 18, United States Code
  • the Internet site would, by reason of acts described above, be subject to seizure in the United States in an action brought by the Attorney General if such site were a domestic Internet site.

 

Preventing US Support of Foreign Infringing Sites

The Stop Online Piracy Act grants the Attorney General the right to commence action against a foreign infringing website in either an "in personam" manner or an "in rem" manner. In particular, the AG may commence in personam action against a registrant of a nondomestic domain name used by an Internet site dedicated to infringing activities; or an owner or operator of an Internet site dedicated to infringing activities accessed through a nondomestic domain name. If the Attorney General is unable to find a person to serve in personam, the Attorney General may commence an in rem action against a non-domestic domain name used by an Internet site dedicated to infringing activities.

The legislation allows the Attorney General to ask the courts to issue restraining orders, preliminary injunctions, or injunctions against the nondomestic domain name, the registrant of the domain name, or the owner of a domain name that is dedicated to infringing activities, and require those domains to cease and desist. For the AG to have this ability, the domain name of the website must be used within the United States to access the internet, and the site must conduct business directed to residents of the United States and harm intellectual property rights of those within the United States.

After the site is identified, notices are sent to the owners. After that, the internet service provider is required to take actions to prevent people from accessing that website. Financial transaction providers and internet advertisers are also prevented from doing business with the site. This legislation also states that search engines must act within 5 days to ensure that no links to the site or any portion of the site are provided through search results. Any entity that is complying with court orders is immune from liability for actions taken against the website.

To enforce the law, the Attorney General may bring an action for injunctive relief against any party receiving a court order issued pursuant to the law that knowingly and willfully fails to comply with the court order.

An order against a website can be rescinded if the website takes corrective measures, or if the site name expires and a new order claims the name.

 

Market-Based Systems

A section titled "Market-Based system to Protect US Customers and Prevent US Funding of Sites Dedicated to Theft of US Property" allows a qualifying plaintiff to commence action against a website that it claims is infringing on its intellectual property rights. The procedures and actions to be taken are identical to those outlined for the Attorney General.

 

Voluntary Action

In addition to allowing the AG and individuals to bring injunctive action against websites, the legislation has a section titled "Voluntary Action Against Websites Stealing American Intellectual Property." The legislation allows any internet service provider or advertising service to take voluntary action against a website in manners described above without being held liable for damages to those websites. This action can be denial of service or refusal to provide advertising service.

The legislation does not merely permit voluntary action against websites devoted to stealing intellectual property; it also allows voluntary action against internet sites engaged in infringing activities that endanger public health. This includes sites devoted to medical purposes that sell counterfeit products or controlled or non-controlled prescription medication. It could also be a site that has no significant use other than providing prescription drugs without a prescription or misbranded drugs.

 

Denying US Capital to Notorious Infringers

This section allows the Intellectual Property Enforcement Coordinator, in consultation with the Secretaries of Treasury and  to identify and conduct an analysis of notorious foreign infringers whose activities cause significant harm to holders of intellectual property rights in the United States. They are to take public input and provide a report to Congress.

 

Additional Enhancements to Combat IP Theft

In a separate title, the Stop Online Piracy Act increases penalties associated with IP theft.

 

Site Seizures

The Department of Homeland Security has seized a number of sites for intellectual property violations in recent years. This is done through the authority of the Immigration and Customs Enforcement Act.

 

82 Sites for Copyright Violations

In November of 2010, courts in eight states and Washington, D.C., allowed the U.S. Department of Justice and the U.S. Department of Homeland Security's Immigration and Customs Enforcement (ICE) to shut down 82 sites including Torrent-finder.com, DVDscollection.com, Sunglasses-mall.com, and NFLjerseysupply.com. The reason given for the shutdowns was copyright violations. The banner displayed on the sites after the seizure is shown below with the statements made by Attorney General Eric Holder.

With today's seizures, we are disrupting the sale of thousands of counterfeit items. We are cutting off funds to those looking to profit from the sale of illegal goods and exploit the ingenuity of others. And, as the holiday shopping season gets underway, we are also reminding consumers to exercise caution when looking for deals and discounts online. To put it simply: If a deal seems too good to be true, it probably is.

 

10 Websites for Sports Violations

In February of 2011, ICE seized 10 sites that it accused of illegally providing access to content from the major professional sports organizations, namely the National Football League, National Basketball Association and the National Hockey League. The sites were not accused of hosting the pirated sporting content themselves, but of providing links to other websites where people can access it illegally.

The U.S. Attorney in Manhattan said the following about the seizures:

The illegal streaming of professional sporting events over the Internet deals a financial body blow to the leagues and broadcasters, who are forced to pass their losses off to fans by raising prices for tickets and pay-per-view events. With the Super Bowl just days away, the seizures of these infringing websites reaffirm our commitment to working with our law enforcement partners to protect copyrighted material and put the people who steal it out of business.

 

84000 Sites by Mistake

In February of 2011, ICE shut down a number of sites for both counterfeit property and child pornography. One of the sites was shut down by mistake. The site was mooo.com, which belongs to the DNS provider FreeDNS. It is the most popular shared domain at afraid.org, and as a result of ICE's actions 84,000 subdomains were wrongfully seized as well. All sites were redirected to the banner below indicating involvement in a child pornography ring.

[1] Website: PC World Article: Courts Shut Down 82 Sites for Alleged Copyright Violations Author: Grant Gross Accessed on: 11/04/2011

[2] Website: Politico Article: Feds seize sports websites before Super Bowl Author: Jennifer Martinez Accessed on: 11/04/2011

[3] Website: TorrentFreak Article: U.S. Government Shuts Down 84,000 Websites, By Mistake Author: NA Accessed on: 11/04/2011