We've gotten a lot of e-mails from readers asking us to weigh in on the claim that President Barack Obama may soon be able to use a "kill switch" to shut down and take over the Internet. The rumors, which are spreading like wildfire through the technology blogosphere, are tied to a bill currently pending in Congress that would allow the president to implement "short-term emergency measures" to protect the United States from a cyber attack.
Discussion about the bill came up on a June 28, 2010, segment of the Glenn Beck show, guest-hosted by Judge Andrew Napolitano, a Fox News contributor. Napolitano argued that the bill is a "power grab" by the government, and that private companies are more than capable of protecting themselves against cyber-attacks. "There are mechanisms in place to shut down the Internet privately," said Napolitano.
We wondered whether Napolitano is right that private Internet providers have it all under control.
First, however, a little primer on cyber attacks. The most common are "penetration attacks" and "denial of service" attacks. The former consist of an unauthorized individual or group accessing a computer network. The latter entails crippling system functionality, which can result in a network shutdown. As an example, malicious hackers can take entire websites offline by generating so many access requests that the server comes to a halt. In August 2009, hackers used a denial of service attack to temporarily bring down Twitter.
We should note that "shutting down the Internet" is just one of the many ways to respond to a cyber attack, and probably not the best one at that. Michael Locasto, a computer security expert from University of Calgary, told us that in most cases, eliminating the Internet infrastructure "would be the absolute worst course of action system defenders could take," since it would make it much more difficult to coordinate efforts against a large-scale threat. A much better option would be to filter certain kinds traffic that was deemed harmful, said Mark Rasch, a technology expert and a former Department of Justice attorney.
That may be what Napolitano had in mind when he made the claim, but the wording of his statement makes it seem as though service providers could just take every network in the country offline and the problem would be solved.
Beyond that, the several experts we spoke with agreed that it is technologically possible for Internet Service Providers (ISPs) to significantly limit the flow of Internet traffic.
"If 'shutting down the Internet' means denying network access to everyone outside the U.S., or to everyone inside the U.S., then there is no fundamental scientific or technological barrier to achieving it," said Steven Low, professor of Computer Science and Electrical Engineering at the California Institute of Technology. Although the Internet consists of tens of thousands of computer networks, the core infrastructure is largely controlled by a few large providers, so-called Tier-1 ISPs.
If these providers decided to stop routing Internet traffic or dropped connections with their peers, we'd see major disruptions in connectivity. There are, however, a few caveats.
First, experts disagree on how difficult it would be for service providers to coordinate with one another during a widespread cyber attack.
"We've never had a widespread cyber attack against the U.S., and no one has ever had to coordinate any response to such an event. In fact, it isn’t clear we have any proper response strategy as a nation," said Salvatore Stolfo from Columbia University.
Michael Locasto told us that the network operator community is fairly tight-knit, so "it is conceivable that (network operators) could coordinate a response to a major event and terminate basic connectivity within a matter of minutes." Network operators who maintain the Internet backbone share cell phone information, have regular meetings, and often work together through established channels in emergencies.
Still, such a move would necessarily involve coordination by many people and groups. By design, the Internet does not have any form of "central authority." During an attack, private providers, who are often required by legal contracts to supply Internet access, would have to jointly agree to cut service. Some of our experts said that an attempt to put large segments of the Internet offline would most likely require some form of political and military involvement, not to mention corporate approval.
"I don't think that it can be done without some kind of government mandate (or) state of emergency," Christopher Kruegel of University of California Santa Barbara said.
Additionally, government agencies and the military use Internet networks that are only loosely connected to the wider network available to the public to browse websites and send e-mail. These limited-access networks are owned by private companies, but the providers are under strict contracts and regulation. So any attempt to cut off those connections would almost certainly require government involvement.
Napolitano claimed that "there are mechanisms in place to shut down the Internet privately." The experts we spoke with told us that it is technically possible for large service providers to severely limit Internet connectivity. Moreover, there are both formal and informal channels for network operators who manage the Internet backbone to communicate with each other in times of emergencies.
Still, there was disagreement among our experts on how difficult it would be for ISPs to coordinate with one another and whether the government would have to get involved. It is clear, however, that the government would have to participate in order to shut down its own networks, and there is an argument to be made that "shutting down the Internet" might hurt the response to a cyber attack more than it would help. We rate this Half True.