Big Telcos Love CISPA; More Immunity For Violating Our Customers Privacy?!? Sign Us Up!

from the of-course-they-like-it dept

It's well known that the big telcos and the federal government have an all-too-cozy relationship when it comes to handing over data on telco customers. This has included ignoring all the rules and going so far as handing over information based on a post-it note given to them by the FBI. The telcos general standpoint has been that they're happy to let the government reach deep into their data -- more or less adding a direct tap on all of us. Congress, however, gift-wrapped them immunity to any lawsuits from all of that kind of stuff. Still, these days, the telcos sure do like not being liable for coughing up their customer's private info to the government, so it should come as little surprise that they're practically shoving each other aside to support CISPA.

Two major trade groups, CTIA and US Telecom, each issued short statements saying that CISPA is a good thing. US Telecom claimed that the bill would make it more efficient to detect, deter and respond to cyberthreats. That would be nice if true, but no one's yet explained how that actually would work in practice. CTIA knows how to play the press, and started its press release by hyping up recent hack attacks. That CISPA likely would have done absolutely nothing to stop those attacks is conveniently ignored.

Meanwhile AT&T and Verizon each offered their own support for the bill, making it clear that protection from liability is the most important thing to them.

The telcos, of course, have nothing to lose and everything to gain from CISPA. It gives them even more freedom from liability in sharing your info, but doesn't present any specific regulatory burdens on them. Of course, shouldn't we be a lot more concerned about the views of the people whose privacy would be violated, than the views of those violating their privacy?

Filed Under: cispa, cybersecurity, immunity, information sharing, privacy, telcos
Companies: at&t, ctia, ustelecom, verizon

Here We Go Again: Latest Draft Of White House Cybersecurity 'Executive Order' Is Leaked

from the why-do-we-need-this-again? dept

Back in September, we posted a leaked version of a draft for a cybersecurity executive order that the White House had been passing around, mainly to try to force Congress into passing a cybersecurity law. With the last ditch attempt by Senator Harry Reid to move that process forward failing, it took exactly a week for the White House to revise its draft exec order, and start passing it around on November 21st. And, today, that new draft leaked as well. You can see the full draft here or embedded below.

It's basically more of the same. It insists that there's a problem without providing any real evidence of that. Much of the order focuses on increasing information sharing among and between different government agencies. As expected, it's designed to encourage private companies, who are "owners and operators of critical infrastructure" to "participate, on a voluntary basis, in the Enhanced Cybersecurity initiative." This is part of what had people so concerned about the various bill proposals: whether or not companies would get broadly defined as "owners and operators of critical infrastructure" and then be forced or pressured into sharing private information, all in the name of "cybersecurity!"

And, of course, what is "voluntary" when it's the federal government, often means what is likely to put you in a very uncomfortable position if you don't participate. In fact, the executive order makes this somewhat explicit:

The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 90 days of the date of this order, the Secretary and the Secretaries of Treasury and Commerce each shall make recommendations separately to the President... on what incentives can be provided to owners and operators of critical infrastructure that participate in the Program, under existing law and authorities, and what incentives would require legislation, including analysis of the benefits and relative effectiveness of such incentives.

So, yeah, "voluntary" belongs in quotes.

As for what counts as "critical infrastructure," well it basically involves various government agencies coming up with a list and then the government telling companies: "hey, you're critical infrastructure."

The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided with relevant threat information.

There is one oddity snuck into that subsection (a):

The Secretary shall not identify any commercial information technology products under this section.

I'm not quite sure what that means within this context (so feel free to chime in and explain it if you do know...). Is it suggesting that this only applies to other forms of infrastructure? If so, that would ease the concerns of a number of tech companies, who were worried that they'd be listed as "critical infrastructure" under a broad reading of any rule.

The exec order does include a shout out to protecting civil liberties, though you wonder how much that will matter in practice:

Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities based upon the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles and frameworks.

They also say that any programs will be reviewed by the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties to ensure that the program isn't causing any problems in those areas. For what it's worth, apparently the administration has been also reaching out to a lot of people to get in on the executive order -- a process described as "highly unusual" for an executive order.

Either way, it's still frustrating that the order brushes over what the real problems are. It just handwaves that question away by insisting that we're under attack, without providing either (a) evidence or (b) notification on what laws are currently causing issues here. That's unfortunate.

Filed Under: civil liberties, cybersecurity, executive order, information sharing, privacy, voluntary

White House Preparing Executive Order As A Stand-In For CISPA

from the doing-something dept

This isn't a huge surprise -- and last month we even discussed the possibility, but it sounds as though the White House has decided that, with the failure of Congress to pass a comprehensive cybersecurity bill (CISPA passed in the House, but the rather different Cybersecurity Act failed in the Senate), it is going to issue some sort of executive order to deal with "cybersecurity issues."

Late last week there was an awful lot of speculation over what would be, with some people arguing that it will do too much... and others arguing that it will do too little. However, late Friday, Jason Miller from Federal News Radio claimed to have seen a draft copy, and while he did not share the full copy, he did do a pretty thorough breakdown of what was in it. It sounds pretty similar to the Lieberman/Collins Cybersecurity Act -- the one that failed to gain Senate approval. The parts that concerned us the most in the bill -- concerning information sharing without real privacy protections -- appear to be in this executive order, and in some ways may be worse. While the President cannot grant liability protections for companies who share info with the government (a major concern we had), it sounds like this executive order will put tremendous pressure on companies to share info -- noting that it will begin a sort of "name and shame" program for companies who fail to take part. That seems like a recipe for a privacy disaster.

The thing that I'm still waiting for is for someone (anyone?!) to lay out exactly where the problems are with current regulations in the area. We keep hearing that there's a real risk (though the only demonstration of that seems to be inflated, hyperbolic stories), and that without information sharing, the risk is much greater. But what has not been shown by anyone, in either Congress or the administration, is why the necessary sharing can't happen under existing laws today. They just keep saying it can't but refuse to point to the specific things that are causing those problems today. That's what makes me most nervous about all of this. When those in power can't fully articulate the problem, it seems reasonable to be quite worried about the solution. It makes it way too easy for that "solution" to be much too broad and cause all sorts of collateral damage.

Filed Under: cybersecurity, information sharing, obama administration, privacy, white house

Can The President Use An Executive Order To Push Through Cybersecurity Rules?

from the sorta-maybe-possibly dept

With the Cybersecurity Act failing in the Senate, there's been some buzz that President Obama might push through a bunch of provisions via executive order. From a political standpoint, there are tons of reasons to do so. If nothing gets done, and some sort of attack does happen, opponents can claim that he failed to strengthen our cybersecurity. But this way, he can claim he's doing what he can, and pin the blame on Congress for not doing their part.

But what would it mean if he goes down this route? The Daily Caller has a hysterical and totally misleading piece claiming that this would allow for an "internet takeover." As skeptical as I am for the need for such cybersecurity legislation (and I'm pretty skeptical), that article is just pure hyperbole. This has nothing to do with "taking over the internet," and that's just someone who's lying or clueless.

The original link above, from The Hill, points out that, when it comes to industries that are already regulated, the administration could easily order them to include certain cybersecurity standards among their existing regulations:

Many companies managing vital computer systems are already heavily regulated. Lewis said the president could order agencies to require the industries they regulate to meet cybersecurity standards.

"You don't need new legislative authority to do that," Lewis said.

He noted that some regulatory agencies, including the Federal Communications Commission and the Nuclear Regulatory Commission, are independent and not bound to follow executive orders. But Lewis predicted that even the independent agencies would likely enforce an executive order on cybersecurity.

That likely would lead to some pushback concerning the limits of regulatory control, but if it actually solves the few problems we hear about (such as critical systems being connected to the internet) then perhaps it's a more reasonable way to deal with things.

The other part of the bill, which was the part that concerned us the most, concerning information sharing, would be much more difficult to go after via an executive order. Stewart Baker has an interesting analysis of the possibility there, and he comes at it from someone who is... well, more hostile towards those of us who believe that privacy rights are important. He's been railing against privacy rights activists and their attacks on the cybersecurity proposals for a while, and doing so in misleading and incomplete ways, unfortunately. He does the same here, suggesting that privacy lobbyists are a part of the problem, while completely misrepresenting their concerns, even to the point of suggesting that privacy activists don't want to allow info sharing because sharing attack info reveals "personal info of the attacker." That's silly. No one has ever argued for that, and Baker is setting up a strawman.

However, he does note ways in which the administration can at least clarify intent via executive order to get around these claimed limitations (which I'm not convinced are actual limitations, as he describes them):

It is hard to fix bad laws with an executive order, but in this case I’m not sure it can’t be done. States with two-party laws are a minority already (about a dozen states, depending on how you count), and their laws are under pressure in the courts (thanks to police officers claiming that it’s a felony for members of the public to record them without their consent). What’s more, despite claims about their chilling effect on signature filtering, two-party-consent laws don’t seem to have stopped the emergence of robust spam filtering by private companies. A clear presidential statement that allowing such laws to bar signature filtering threatens national security would almost certainly resolve any lingering doubts, especially if it’s backed by an order that the Justice Department intervene as necessary in private state suits that challenge signature filtering.

All that’s left then is the federal ban on unsubpoenaed information sharing, and even it might yield to a little creativity. Not everyone is subject to the ban. So can the parties who are covered by the restriction (ISPs, webmail providers) simply share their data with parties who aren’t covered (security firms)? And can the security firms in turn sell their data to government? Maybe so. Again, a clear presidential statement that such a measure is essential for national security would make the courts think twice before declaring that Tinker-to-Evers-to-Chance is simply an evasion of the ban on Tinker sharing with Chance.

However, he also notes that Obama might not want to "tussle" with privacy groups and so this section may get ignored. While I agree that there are some privacy extremists who set forth proposals that go way too far, I think many of the people who were concerned about the cybersecurity bill over privacy issues wouldn't necessarily be against very narrowly defined rules on information sharing, though it still seems unclear how much any existing law is really holding back info sharing for the purpose of cybersecurity. Passing data through third parties, of course, is a lot more controversial, depending on the controls and oversight involved. But, again, it's still unclear how big of a problem this really is.

Either way, it wouldn't surprise me to see some sort of use of Executive Orders here, but the limits on those would hopefully limit most of the really bad stuff found in the bill proposals.

Filed Under: cybersecurity, executive order, information sharing, privacy

Cybersecurity Bill: Protecting Us From Attacks... Or Keeping Our Own Attacks Secret?

from the seems-quite-likely dept

We've been discussing the fight in the Senate over the latest version of the Cybersecurity Act. One of the things we mentioned is that, at 211-pages, it's quite likely there are a ton of little "easter egg" gems in there that the public doesn't want or need, but which we'll be stuck with -- and only discover way down the road. Paul Rosenzweig, over at the Lawfare Blog, may have turned up one of them, in trying to understand Section 706(d), which reads:

(d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT, NATIONAL SECURITY, OR HOMELAND  SECURITY PURPOSES.—No civil or criminal cause of action shall lie or be maintained in any Federal or Statecourt against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—

(1) the Attorney General or the Secretary determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General or the Secretary may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary;

(2) the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that  the Secretary, the Attorney General, or the Director,may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.

What's odd about this? Well, it suggests that it says that companies might not get in legal trouble if they don't disclose info. But, as we're constantly reminded, the whole point of the info sharing from companies in this bill is that it's voluntary. So there wouldn't be any cause of action generally when they choose not to share. But, as Rosenzweig thinks through it, there is another scenario where this could come into play: if a company wanted to share info but was stopped -- perhaps because that info implicated the US government itself:

I suppose there is another possibility as well – that they might want to stop temporarily the sharing of CTI when the threat being disclosed is one that has been created by .... Well, NSA. In fact, if you believe that, then the reason the government so much wants to be at the center of CTI sharing is not just to protect the public but also to protect its own methods.

This actually makes a fair amount of sense. Remember, the only two serious cases of digital attacks that we know of -- Stuxnet and Flame -- both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware. So, perhaps part of the "urgency" in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!

Filed Under: attacks, cybersecurity, information sharing, nsa, privacy, secrecy

Law Enforcement Already Has A Way To Share 'Cybersecurity' Info With Companies; Why Do We Need CISPA?

from the this-makes-no-sense dept

The whole CISPA situation keeps looking more and more questionable. For months, we've been raising the question of why we needed such a law in the first place, because the evidence of any online threat that required such a law seemed hyperbolic at best, and perhaps naively anecdotal, at worst. However, there's another dimension to the "why" question. It's not just that the actual risk hasn't been quantified, it's not clear that the government and companies actually need a new law to share such security info in the first place. As we stated, the "right" way to do this would be to look at where the actual roadblocks are today in sharing such info. And there's some evidence that such roadblocks don't even exist.

Kashmir Hill has a great post showing how the FBI and companies already share the kind of info that the bill's sponsors claim the bill is needed to allow.

The FBI has been information-sharing with private industry for over a decade without a bill like CISPA in place.

In 1997, long-time FBI agent Dan Larkin helped set up a non-profit based in Pittsburgh that “functions as a conduit between private industry and law enforcement.” Its industry members, which include banks, ISPs, telcos, credit card companies, pharmaceutical companies, and others can hand over cyberthreat information to the non-profit, called the National Cyber Forensics and Training Alliance (NCFTA), which has a legal agreement with the government that allows it to then hand over info to the FBI. Conveniently, the FBI has a unit, the Cyber Initiative and Resource Fusion Unit, stationed in the NCFTA’s office. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI.

In other words, if sharing info was important, we already had a perfectly functional model that's been in place for 15 years. This means, either that the Congressional authors and supporters of this bill were completely ignorant of this or CISPA is really meant to sneak through something worse. Neither makes CISPA or its supporters look very good. I'm actually hoping that the truth is that they're just ignorant and passing laws on issues they don't understand, because the other choice is even more depressing.

Filed Under: cispa, cybersecurity, fbi, information sharing

There Is A 'Right Way' To Do Cybersecurity Information Sharing, But CISPA Is Not It

from the sharing-is-caring dept

We've argued, repeatedly, that the backers of various cybersecurity bills have failed to give a real reason for why such bills are needed. What is the imminent threat and why does it need legislation? The only point of issue that has made some sense is that you can envision areas where it would be quite useful for companies and governments to share specific threat- or attack-related information, for the purpose of stopping that (or related) threats and attacks. But that's a very limited scenario. The entire framework of CISPA ignores that, which is why it's unclear if the bill even could be fixed. That said, Julian Sanchez, over at the Cato Institute, has posted an interesting analysis of what information sharing regulation should look like. First, he discusses the problem with the CISPA setup:

CISPA worked by creating a sweeping exception to all other privacy and surveillance laws, granting blanket immunity to any “entity” that chose to share vaguely defined “cyber threat information”—potentially including the contents of e-mails or other online communications—with both private actors and the government. When civil liberties advocates cried foul at the prospect of such vast quantities of private data being handed over to government on a silver platter, the bill’s supporters tried to placate them by tacking on an array of after-the-fact anonymization requirements and use restrictions—forbidding the use of the data except for a “cybersecurity purpose” or for “the protection of the national security of the United States.”

That wasn’t much consolation to anyone who’s watched how the government has tried to interpret similar “purpose” restrictions in the past. In 2002, for example, then–Solicitor General Ted Olson argued for a highly expansive view of the “foreign intelligence purposes” for which information obtained through national security wiretaps could be used, including using evidence of misconduct unrelated to terrorism or espionage to force people to become informants. If a wiretap turned up evidence of tax evasion or rape, for instance, Olson suggested the government “could go to that individual and say we’ve got this information and we’re prosecuting and you might be able to help us. I don’t want to foreclose that.” It’s no great leap to imagine a future solicitor general arguing that extorting the cooperation of hackers, penetration testers, or other tech professionals would similarly serve a “cybersecurity purpose.”

Basically, take a broad, vaguely defined law for a specific purpose... but leave it open to allowing the government to stretch that definition, and the government will almost always do so.

But, again, you can see cases where information sharing could be useful, so Sanchez suggests what might make sense there:

Instead of indiscriminately adding a cybersecurity loophole to every statute on the books, why not figure out which specific kinds of information are useful to security professionals without compromising privacy, figure out which laws raise obstacles to that sharing, and then craft appropriately narrow exemptions? (One assumes the intelligence agencies can be afforded more discretion about when to share the information already in their own possession—whatever else one might say about it, “oversharing” is not among the NSA’s problems.)

The exceptions could be appropriately narrowly tailored depending on the sensitivity of the information involved. For instance, different sections of the Electronic Communications Privacy Act deal with different kinds of data. Subsections (1) and (2) of 18 USC §2702 deal with the contents of communications in transit through or stored by a communications provider, generally prohibiting use or disclosure of that information without specific consent. Subsection (3) covers subscriber information and transactional data about those communications, and generally permits voluntary sharing, but specifically prohibits sharing with governmental entities. Since that transactional information is typically less sensitive than communications themselves, an exemption there might allow providers a fair amount of discretion to determine what constitutes “cyber threat information” and permit sharing with government also, subject to the appropriate anonymization and use requirements. For the more sensitive contents, the exception might be limited to a relatively specific laundry list of kinds of data that are both unquestionably security-related and limited in their implications for privacy, such as malware signatures and attack payloads.

In other words, let's more carefully define the real problem here. The government is insisting that information needs to be shared, but that's not "the problem." Information can be shared already. The reason that CISPA works by creating a huge immunity umbrella is that the "problem" with sharing isn't that information can't be shared, but that certain already overburdensome regulations block certain kinds of sharing in situations where it makes sense. The answer isn't to remove all liability for the oversharing of info, but to narrowly create exceptions to where key information that actually is necessary to be shared can have that done without violating the law. In other words, as you dig deeper, it appears that the problem isn't about sharing information -- it's about a series of existing laws that failed to take into account future realities. So, a much more targeted and reasonable solution is to figure out exactly where that friction is, and to clear out those blockages. But, that's not what CISPA does.

Filed Under: cispa, cybersecurity, information sharing, julian sanchez
Companies: cato institute

Verizon's Claims That Its Info-Sharing Plans Are Harmless Ring Hollow

from the that-which-is-made-not-immediately-full-of-clarity dept

Over the weekend, David Weinberger, one of the co-authors of The Cluetrain Manifesto wrote that he'd gotten a 45-page pamphlet of legalese from Verizon Wireless saying he could opt out of letting the company share "Customer Proprietary Network Information" with other groups. The rather broadly worded statement, which said the company could give info like call records to "affiliates, agents and parent companies," kicked up some fuss online. GigaOM says that this is the same issue that popped up in late 2007, when Verizon sent a similar notice to its customers. Verizon's PR bloggers say that now, just like in 2007, there's nothing to worry about -- in fact, the PR person went so far as to merely cut and paste his comments on the issue from two years ago. He says that Verizon won't sell customer's info to third parties; it just needs their consent to share it among the Verizon group of companies so it can offer people bundled services.

Given the way the company is communicating the issue -- a bill insert few people will likely pay attention to, written in a format that's pretty difficult, if not impossible, for most average people to divine any real meaning from -- it's hard to accept the explanation at face value. This is representative of the lack of transparency telcos and ISPs often take on privacy issues. Instead of clearly explaining themselves and what they're doing with customer data, they shroud their efforts in secrecy and legalese, then just say "there's nothing to worry about, just move along." If there really is nothing to worry about, why can't they do a better job of making that clear to the public? Their method of communication, and the way they explain themselves, simply increases consumers' skepticism and makes it look like they've got something to hide. In addition, making the system opt-out, rather than opt-in, doesn't help either.

Filed Under: cpni, information sharing, pr
Companies: verizon