On Tuesday night, President Barack Obama appeared before the American
people and again acknowledged digital data theft and data destruction
as one of the most important issues facing the nation. “No foreign
nation, no hacker, should be able to shut down our networks, steal our
trade secrets, or invade the privacy of American families, especially
our kids. We are making sure our government integrates intelligence to
combat cyber threats, just as we have done to combat terrorism. And
tonight, I urge this Congress to finally pass the legislation we need to
better meet the evolving threat of cyber-attacks, combat identity
theft, and protect our children’s information.”
It was a rallying cry for greater “cyber security.” But according to
many security experts, “security” and the specific cyber-security
proposal the president unveiled last week could be a pretext for
expanded, unchecked surveillance that may not actually make the nation
safer. The ideas in the proposal face no strong political resistance,
especially since the collecting body would not be the government itself
but rather private companies reporting user information to the
government.
The post-Snowden era
What prompted the inclusion of cyber security in the address? The
president has been restrained in his discussions of what some consider
to be the most significant cyber attack on a US entity in recent memory,
the Sony hack. (Sony Pictures is a subunit of Sony America and is
still ultimately part of the Sony parent company, which is Japanese.)
Obama called the hack an act of “cyber vandalism” not tantamount to war.
But in the days leading up to the State of the Union address, the Obama administration released a cyber security proposal,
which will be sent to Congress, that speaks directly to the Sony
incident. The key component of the proposal is, indeed, “integration.”
Specifically, it affords private companies liability protection for
sharing threat information with the Department of Homeland Security’s
National Cybersecurity and Communications Integration Center (NCCIC).
Robert Joyce, chief of the NSA’s Tailored Access Operations unit, has
described the Sony hack as a key moment that will fundamentally change
the way the United States deals with the murky threat posed by shadowy
enemies with laptops. It was, in popular if clichéd Washington, DC
parlance, “a game changer.” Joyce was not alone in that assessment.
“We had seen cyber attacks but we’ve never seen a
nation-state…destroy data,” former Rep. Michael Rogers, R-Mich., told a
group at the Bipartisan Policy Center in Washington, DC last week. It
was that willful destruction of data, as opposed to simply theft, that
elevated the Sony hack to an incident more urgent than any of the recent
high profile attacks that had affected major corporations, which were
aimed primarily at the theft of data for narrow, mercantile purposes.
Rogers, a seven-term congressman, has left the House for greener
(sounding) pastures in radio. But during his tenure, in which he served
as chairman of the House Intelligence Committee, he earned a reputation
as one of the National Security Agency’s most stalwart allies at the
agency’s moment of greatest shame.
The bill that perhaps best characterized that reputation, H.R. 3523,
the Cyber Intelligence Sharing and Protection Act, or CISPA, never
actually became law, having stalled in the Senate after passing the
House. It would have granted liability protections to corporations that
shared cyber threat information with the government, specifically the
Department of Homeland Security (DHS).
It was an idea that predates Rogers and CISPA: in 2008, the Bush White
House issued National Security Presidential Directive 54 (NSPD-54),
which outlined the US interest in information sharing in the name of
cybersecurity. But it was Rogers who refined it and pushed to enshrine
it in legislation.
CISPA would give companies the freedom to share user data
with DHS where the info could then go to virtually any other law
enforcement agency for use in any investigation related to crimes from
drug trafficking to copyright infringement. It sent a clear message to
some of America’s biggest companies: “We need you to do our spying
for us.”
Privacy advocates argued that the bill’s language was too broad. It
would allow every company from Google to Apple to Facebook to share
information on their users with the government outside the parameters
of the Electronic Communications Privacy Act and the Wiretap Act.
In April 2012, the president vowed that
if the bill made it to his desk, he would veto it: “Cybersecurity and
privacy are not mutually exclusive. Moreover, information sharing, while
an essential component of comprehensive legislation, is not alone
enough to protect the Nation’s core critical infrastructure from cyber
threats. Accordingly, the Administration strongly opposes H.R. 3523, the
Cyber Intelligence Sharing and Protection Act, in its current form.”
Anonymous…or something like it
Last week, Americans watched much of that resolve wither away. The
proposal the president rolled out has a lot in common with CISPA, with
one exception: it purports to anonymize data. But the White House
proposal would still allow user data to be shared with the government
outside existing privacy laws.
What sort of information does the new proposal promise to share, or rather integrate? In a call with reporters, a White House official said that the information would “primarily” not be content.
Shareable information does include anything that falls under the
category of cyber threat indicator, which includes any data relating to
“malicious reconnaissance, including communications that reasonably
appear to be transmitted for the purpose of gathering technical
information related to a cyber threat,” which could mean everything from
attempting to access restricted files to—possibly—asking fairly routine
questions about how a site runs or what a company does with user data.
“The White House proposal relies heavily on privacy guidelines that
are currently unwritten. What these guidelines say and when they are
applied will be critical to protecting Internet users. Privacy
protections and use restrictions must be in effect before information
sharing occurs,” Harley Geiger, the senior counsel for the Center for
Democracy and Technology said in a press release following the announcement.
Other privacy advocates were quick to call the proposal unnecessary,
since companies can already share threat-related information with the
government (within the parameters of the Privacy Act). More disturbing
for many in the technology community was a provision in the legislation
to amend RICO laws in a way that could charge hackers, computer
scientists, or merely curious users with felonies simply for finding,
or searching for, security flaws in web sites or services.
Jeff Moss, the founder of the famous Black Hat and DEF CON conferences,
expressed such concern to Defense One. Every year Black Hat and DEF CON
bring together thousands of hackers from around the world to showcase
their research into cyber vulnerabilities, and together they are among
the best forums for exposing such vulnerabilities.
“I do worry about its chilling effects if enacted into law. Unless
there is a carve out for research, the liability for clicking on links
to security tools alone is worrying…even more so if RICO style laws are
applied due to their broad nature and potential for abuse by aggressive
prosecutors. We have had many decades to get used to prosecuting
organized crime, but prosecuting technical computer crime is newer and
harder to explain to juries. In that regard clear and easy to understand
‘red lines’ while more simplistic might be a better place to start,”
said Moss.
In other words, the legislation could actually make the Internet less secure by criminalizing research into vulnerabilities.
Mark Jaycox, of the Electronic Frontier Foundation, concurred that
provisions in the legislation may “chill the computer security research
that is a central part of our best defense against computer crime.” Jaycox writes that
the legislation could make you a felon for “sharing
your HBO GO password.” He adds that “the expansion of the definition may
impact researchers who commonly scan public websites to detect
potential vulnerabilities. These researchers should not have to face a
felony charge if a prosecutor thinks they should have known the site
prohibited scanning.”
The single section that makes the White House proposal somewhat more
palatable than CISPA is the provision requiring that the government
“establish a process to anonymize and safeguard information.”
But anonymization may offer false reassurance. In fact, researchers
have shown that anonymization of data is something of a joke. In a 2013
paper published in Scientific Reports (a Nature journal), MIT
researchers Yves-Alexandre de Montjoye and César A. Hidalgo describe an
experiment in which they took 1.5 million mobile phone users over 15
months and found that, in location data stripped of names, just four
spatio-temporal points (the place and hour of four of an individual’s
records) were enough to single out a unique trace for 95% of users. The
names were gone; the pattern of movement was not, and anyone holding a
few matching points from another source could link the record back to
the person.
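The uniqueness effect is easy to reproduce in miniature. The following Python script is an added example, not part of the original article or of the de Montjoye paper: it builds a constructed set of pseudonymized location traces (cell id and hour, with user names replaced by tokens, as an "anonymize" step in a sharing process would do), then measures how often k points picked from one user's trace match that user's trace alone. The dataset size, number of cells, and the "three home cells" mobility model are assumptions chosen for illustration.

```python
import random
from collections import defaultdict

# Constructed synthetic dataset (assumption for illustration): pseudonymous
# users whose traces are sets of (cell_id, hour) points over one week.
# Each user spends most of their time in three "home" cells, as real
# mobility traces do, which is what makes sparse traces so identifying.
N_USERS, POINTS_PER_USER, N_CELLS, N_HOURS = 200, 40, 50, 24 * 7


def build_traces(seed=1):
    """Return {pseudonym: set((cell, hour))}. The pseudonym stands in for
    a hashed identifier: no name, no phone number, as an anonymization
    step would produce."""
    rng = random.Random(seed)
    traces = {}
    for u in range(N_USERS):
        pseudonym = f"pseudo-{u:04d}"
        home = rng.sample(range(N_CELLS), 3)
        points = set()
        while len(points) < POINTS_PER_USER:
            # 70% of records fall in a home cell, the rest anywhere
            cell = rng.choice(home) if rng.random() < 0.7 else rng.randrange(N_CELLS)
            points.add((cell, rng.randrange(N_HOURS)))
        traces[pseudonym] = points
    return traces


def build_index(traces):
    """Inverted index: point -> set of pseudonyms whose trace contains it."""
    index = defaultdict(set)
    for pseudonym, points in traces.items():
        for pt in points:
            index[pt].add(pseudonym)
    return index


def uniqueness(traces, k, trials_per_user=20, seed=2):
    """Fraction of (user, k-point sample) pairs for which the k points,
    which an adversary might know from some outside source, match
    exactly one pseudonymous trace. That trace is then the person."""
    rng = random.Random(seed)
    index = build_index(traces)
    unique = total = 0
    for pseudonym, points in traces.items():
        ordered = sorted(points)
        for _ in range(trials_per_user):
            sample = rng.sample(ordered, k)
            candidates = set.intersection(*(index[pt] for pt in sample))
            total += 1
            if candidates == {pseudonym}:
                unique += 1
    return unique / total


def uniqueness_curve(ks=(1, 2, 3, 4), seed=1):
    """Map each number of known points k to the fraction of traces singled out."""
    traces = build_traces(seed)
    return {k: uniqueness(traces, k) for k in ks}


if __name__ == "__main__":
    for k, frac in uniqueness_curve().items():
        print(f"{k} known point(s): {frac:.1%} of traces singled out")
```

With one known point most traces are ambiguous; by four, essentially every trace in this synthetic set is unique, which mirrors the shape of the published result. The point for the sharing proposal is that stripping names does not remove the information that singles a person out, and the same linkability that makes the data useful for attribution makes it re-identifiable.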
“I agree, 100%. The way the data comes in. There isn’t a whole lot of
benefit. Why make a law that says anonymize it,” said Robert
Twitchell, CEO of Dispersive Technologies.
One of the key benefits of sharing cyber information with other
investigative bodies is affixing attribution, which permanent
anonymization would undermine.
Moreover, the information that the public shares with DHS, if it is
in fact related to some future cybersecurity event, would likely be
shared with the NSA. According to the White House, that sharing, or
integration, would be “as close to real time as possible.”
How do we know that the NSA would be one of—if not the—main
recipient? Remember when the Federal Bureau of Investigation expressed a
high degree of confidence that the attack could be attributed to North
Korea? You could be forgiven for thinking that it was, in fact,
the FBI that reached that conclusion. But according to recently revealed documents, the NSA did the work.
As David Sanger and Martin Fackler report in The New York Times, the NSA was
accessing North Korean networks, communications and cyber operations
for years prior to the Sony hack. That’s what allowed the United States
to so quickly attribute the attacks to North Korea, though many still claim the US is overlooking evidence of an inside job. But it wasn’t enough to allow them to actually stop the attack.
Not every law maker agrees that the Sony hack serves as justification
for an information sharing bill, especially one that could put people’s
privacy in danger. Rep. Zoe Lofgren, D-California, who represents parts
of San Jose (Silicon Valley) told The Hill:
“I fear we may have taken the wrong lesson from these recent
high-profile attacks. These attacks were not the result of a missed
opportunity to share information, but rather caused by substantial and
obvious security failures and a culture of treating cyber security as
an afterthought.”
At the Bipartisan Policy Center event, former Central Intelligence
Agency director Michael Hayden bullishly predicted that some form of
information sharing would pass this year. Both political and public
concerns about privacy and overreaching agencies have given way to
worries about lost data and remotely hijacked infrastructure. “We are
entering the post-Snowden era,” he claimed.
Rogers himself was more cautious but he acknowledged that the
involvement of the president in passing cyber-sharing legislation was a
“significant change,” possibly enough to push something through.
Rep. Will Hurd, R-Texas, told Defense One that the President’s
comments during the State of the Union suggest a softening on CISPA.
“I’m hoping that the president’s comments suggest he’s not going to
veto CISPA. I think this is an area that the President and Congress can
work together.” Hurd, a former CIA operative, is considered a rising
star specifically on issues related to cyber security.
Hurd, however, has also expressed some hesitation about some of the
more hawkish elements of the proposal. Discussing the potential
changes to RICO law, he was skeptical of any proposal that might harm
cyber security research. “We don’t want to limit that. I think Black Hat is a
very helpful forum where you have all of this research, they’re looking
at the cutting edge procedures in this space. It’s a great forum for
understanding where it’s going on. This is one of those areas where
reasonable people can be reasonable people.”
Following the event at the Bipartisan Policy Center, Rogers loitered
for a bit to glad-hand friends and fans who wished him well in his new
career. As he got on to an elevator, Defense One asked him if he felt at
all validated that the president’s proposal so closely resembled
Rogers’s bill, the one that the president had vowed to veto. Rogers
looked off into the distance, and smiled wistfully. “Success has many
fathers,” he said as the doors closed in front of him.