Senator Ron Wyden Slams Cybersecurity Legislation Proposals For Eroding Trust & Privacy

from the privacy-should-be-the-default,-not-the-exception dept

Senator Ron Wyden took to the floor of the Senate earlier this week to speak out against pretty much all of the current cybersecurity proposals out there arguing that "privacy should be the default, not the exception." While noting that narrowly targeted cybersecurity rules could be helpful in protecting consumers, he stated that it seems clear that these bills are much more focused on opening up the internet for government to spy and monitor activities online: The full speech is chock full of good points, such as the importance of trust in creating a functioning internet, and how these bills can ruin that by cutting away at our privacy:

Congress’ effort to develop a comprehensive approach to cyber security must not erode that trust. When Americans go online to consume digital services and goods, they must believe and know with some certainty that their privacy is adequately protected. The content Americans consume must be at least as private as their library records, video rentals, and book purchases in the brick and mortar world. Our law enforcement and Intelligence agencies should not be free to monitor and catalog the speech of Americans just because it’s online.

But the bill passed by the other body, known as CISPA, would erode that trust. As an attempt to protect our networks from real cyber-threats CISPA is an example of what not to do. CISPA repeals important provisions of existing electronic surveillance law that have been on the books for years without instituting corresponding privacy, confidentiality, and civil liberties safeguards. It creates uncertainty in place of trust, it erodes statutory and constitutional civil rights protections, and it creates a surveillance regime in place of the targeted, nimble, cyber-security program that is needed to truly protect this nation.

Unfortunately, S. 2105, the bill before the Senate shares some of these defects. Currently Internet services and service providers have agreements with their customers that allow them to police and protect their networks and users. Rather than simply allowing these internet companies to share information on users who violate their contracts and pose a security threat, the House and Senate proposals authorize a broad based information sharing regime that can operate with impunity. This would allow the personal data of individual Americans to be shared across a multitude of bureaucratic, military, and law enforcement agencies. This takes place regardless of the privacy agreements individual Americans have with their service providers.

In fact, both the House and Senate bills subordinate all existing privacy rules and constitutional principles to the poorly defined interest of “cyber-security.”

Wyden goes even further later in the speech noting -- as many of us have been arguing all along -- that these bills are a massive overreaction to the possibility of an issue, which are much more about ways for government contractors to profit from fear:

As they stand, these bills are an overreaction to a legitimate fear. The American people will respond by limiting their online activities. That’s a recipe to stifle speech, innovation, job creation, and social progress.

I believe these bills will encourage the development of a cyber security industry that profits from fear and whose currency is Americans private data. These bills create a Cyber Industrial Complex that has an interest in preserving the problem to which it is the solution.

There's a lot more in the speech that's worth hearing, so check it out.

Filed Under: cispa, cybersecurity, overreaction, ron wyden

White House Cybersecurity Boss -- Who Argued Against Overhyping Threats -- Resigns

from the too-bad dept

There's been a lot of attention lately on various "cybersecurity" bills making their way through Congress, and the White House's role in the debate has been pretty important. So it's interesting to see that the White House's cybersecurity czar, Howard Schmidt, has announced that he's resigning. While I don't always agree with Schmidt, he was one of the few (perhaps only?) high level government officials talking about online security issues who seemed willing to avoid hyperbole. In fact, he actually hit back against those who kept talking about "cyberwar," saying there was no such thing and it was "a terrible concept." One hopes that his successor, Michael Daniel, will be similarly willing to push back against the rush of hype around "cybersecurity."

Filed Under: cispa, cybersecurity, howard schmidt, michael daniel, white house

Fearmongering About Cyberwar And Cybersecurity Is Working: American Public Very, Very Afraid

from the for-no-clear-reason dept

Well, it looks like all the fearmongering about hackers shutting down electrical grids and making planes fall from the sky is working. No matter that there's no evidence of any actual risk, or that the only real issue is if anyone is stupid enough to actually connect such critical infrastructure to the internet (the proper response to which is: take it off the internet), fear is spreading. Of course, this is mostly due to the work of a neat combination of ex-politicians/now lobbyists working for defense contractors who stand to make a ton of money from the panic -- enabled by politicians who seem to have no shame in telling scary bedtime stories that have no basis in reality.

But it's all working. And, by working, I mean scaring the public unnecessarily. As reported by Wired, a new survey from Unisys finds that Americans are more worried about cybersecurity threats than terrorism, and they seem pretty worried about those threats. When asked about which security issues were the highest priority, survey respondents noted:

1. Protecting government computer systems against hackers and criminals (74 percent)
2. Protecting our electric power grid, water utilities and transportation systems against computer or terrorist attacks (73 percent)
3. Homeland security issues such as terrorism (68 percent)

Of course, it's likely that the vast majority of the American public has absolutely no idea what the actual risk is of any of these things happening. But they are familiar with computers, and there's been a lot of talk about cybersecurity lately, so "ooooooh, scary!" Now, here's where the mainstream press could come in and point out the lack of evidence for any real or significant cybersecurity threat and help people realize that they might be best off focusing their attention elsewhere. But talking about planes falling from the sky is much more fun.

Filed Under: cispa, cybersecurity, cyberwar, terrorism
Companies: unisys

A Speculative Example Of CISPA's Potential For Abuse

from the just-barely-fiction dept

In all the talk about how CISPA represents a threat to privacy and civil liberties, it's easy to get lost in the legislative semantics and to lose track of the very real dangers the bill presents. It's not as though CISPA is going to be signed and the next day everyone's going to wake up having always been at war with Eastasia, but the bill is a significant step in the erosion of key privacy rights that stem from the 4th Amendment—the sort of rights citizens are supposed to be vigilant about giving up to the government, even if it doesn't mean their lives are going to change overnight. At the same time, it's not a purely philosophical issue: CISPA or a similarly problematic bill can and will be abused if it becomes law.

Over at Lifehacker, Adam Dachis spoke to law professer Derek Bambauer and used their conversation as the basis for a piece of speculative fiction from the point of view of someone who falls victim to CISPA abuse. It's a well-executed concept that steers clear of sensationalism and presents a realistic example of how CISPA would grant the government new powers in areas far beyond cybersecurity, and how innocents might get swept up by those powers. The fictional narrator, who struggles through an ethically challenging college assignment on child pornography laws, has his name dragged through the mud after the school turned its computer logs over to the feds as part of a hacking investigation and his search history landed him under scrutiny. This nicely demonstrates one of the big problems with CISPA: the affirmative search permissions it would grant, which allow the government to dig through cybersecurity data for evidence of other crimes.

The story's message can't really be conveyed in snippets, but here's a brief excerpt:

As I continued my research I found more and more instances of laws with vaguely-defined terms that were designed to be tough on crime. No one bothered to oppose them in fear of being painted weak, or as a lover of terrorism and sexual deviancy. As a result, innocent people ended up in jail as collateral damage. The law had chosen to try and assuage our fears by sacrificing our freedoms as payment. But even worse, it didn't seem to be working. When you cast a wide net, you not only catch too many fish but so many that you can't find the fish you're actually looking for. People who broke the law weren't getting caught because the resources previously utilized to catch them were diverted to finding offenders before they actually offended. It's a nice thought to think we can preemptively prevent a crime, but it just doesn't work.

Whether it's Chinese hackers or child pornography, it's vital that hot-button panics don't override evidence and common sense in crafting legislation. Even more importantly, people should only allow the government to bypass their rights under extremely limited circumstances, if at all. There's a famous quote about liberty and security, but I don't want to Google it lest I end up on a watch-list somewhere...

Filed Under: cispa, cybersecurity, derek bambauer, fiction, privacy

CISPA Sponsor Warns Bill Is Needed Because China's Chinese Hackers From China Are Stealing All-American Secrets (China!)

from the give-them-to-us-instead dept

While the focus on the cybersecurity debate shifts to the Senate, the supporters of CISPA are still loudly trumpeting that bill's supposed merits. Though the final legislation that will go before the President is undecided, and may not even be based on CISPA in the end, the details of the bill are still very important, as they contribute to the overall shape of the discussion about cybersecurity. As part of the ongoing media campaign, CISPA author Mike Rogers took to the pages of The Detroit News last week to drum up support with a screed that reeks of nationalist fearmongering and utterly misrepresents the scope and purpose of the language in the bill.

The United States, over time, became a global superpower with its hard work and know-how leading to innovations in new manufacturing, health care and information technologies. Now China is trying to use cyber espionage and theft to take a short cut to achieving superpower status.

It began with China stealing hard-copy business plans and sensitive research-and-development information from U.S. and other Western companies when their executives traveled to China. U.S. companies soon began noticing a surge in counterfeit products as their innovations were being stolen, re-engineered, and sold by Chinese companies on global markets.

With the Internet boom, China turned its focus to cyber espionage and began stealing the hard work and innovations of U.S. companies on a far larger scale.

Rogers should be careful—if he says 'China' any more times, Fu Manchu might appear in the mirror and drain his 401(k). Once he's got the reader good and scared of the Yellow Menace (having thrown in a few emotional appeals to hardworking Michigan autoworkers for good measure), he explains how CISPA is needed to take care of all those annoying regulations that limit government power and protect people's privacy:

Unfortunately, American companies are not getting the best protection available.Today, the U.S. government has intelligence information about the threat posed by nation-state actors that could help the American private sector better protect itself. However, we don't currently have a mechanism for allowing the government to share intelligence about cyber threats with the private sector, nor do we have the ability for private sector companies to share information with others in the private sector, and with the government on a voluntary basis, so that the private sector can better protect itself.

And you know what? That's fine. Even though there is a lot of debate about the true scope of foreign cyber threats, if there is a way for the government and the private sector to share anonymous network analysis data in order to improve technological defenses against hacking and malware attacks, it makes sense to legislate a mechanism for them to do so. Unfortunately, CISPA goes way beyond that—now explicitly so.

This goes back to my opinion when CISPA was amended and passed in the House: my initial reaction that it had gotten much worse was partially incorrect, but even though the amendments did technically limit the government's power under the bill, I still had (and have) a problem with the way they expanded the stated intent and purpose. From the very start, CISPA supporters have insisted (as Rogers does in this column) that it's basically all about technical considerations in fighting off foreign cyber attacks. Initially, privacy and civil liberties groups objected that it would allow the government to do much more, including accessing the private data of American citizens without a warrant—and the response was basically "no, no, it has nothing to do with that".

Right up to the last minute of debate before the House vote, CISPA's backers held to the talking points and expounded on the threat from China and the need to share technical network data. But, to appease privacy groups, they supported an amendment to limit the ways the government could use shared data under the bill to a set of explicit purposes. And what were those purposes? Far from just foreign threats, they include investigating domestic cybercrime, investigating domestic violent crime, protecting children from exploitation, and of course the catch-all "national security" that was already in the language.

It feels trite to add the obligatory preventing violence and protecting children is a good thing here, because d'uh, but when exactly did CISPA become a bill about these things? If the government wants new exceptions to privacy laws for the purposes of fighting crime, that's a major discussion with obvious constitutional implications—a discussion that privacy groups have been trying to start all along, but have been brushed off with claims that CISPA is just about rebuffing those devious foreigners. Now CISPA explicitly includes provisions for collecting evidence on domestic crime, but Rogers is still writing editorials like this one that don't mention anything to do with child exploitation, violent crime, or anything else that doesn't have the word China attached to it.

Rogers finishes the piece with a rather astonishing little rallying call:

It took Michigan's auto industry decades to achieve its prominence and the United States centuries to become a global superpower. We cannot let China steal it all away in a few short years.

I'm not sure how long it's been since Rogers visited Flint, but I think it's changed a little since he was last there. Nonetheless, the point is clear: if the government can't snoop your data for child porn and affiliations with Anonymous, the Chinese are going to start manufacturing American cars and destroy the Michigan auto industry, in turn toppling the U.S. as an economic superpower. Wait, did I say "clear"?

Filed Under: china, cispa, cybersecurity, michigan, mike rogers, nationalism

White House Reiterates Plans To Veto CISPA In Its Current Form; Though For The Wrong Reasons

from the amendments-not-convincing dept

As I'm sure you remember, the House passed CISPA with a few amendments -- some of which may have limited the possible abuses, while at the same time expanding the scope. Right before the bill went up for a vote, the White House stated that it would veto CISPA, if it got to the President's desk. It appears that, even with the amendments, the White House is still not willing to support the bill. White House "Cybersecurity Coordinator" Howard Schmidt appeared on CSPAN reiterating the White House's objections to CISPA, specifically calling out the problematic privacy issues.

That said, the White House is still supporting the Lieberman cybersecurity bill in the Senate, which isn't quite as bad as some of the other proposals, but still has plenty of problems. And, most importantly, still doesn't include any clear explanation for why it's needed. It's bizarre and troubling that no one in the federal government seems willing to provide a real justification for any of these bills others than "oooooh, it's scary out there on the internet!!"

Filed Under: cispa, cybersecurity, veto, white house

Fearmongering Around 'Cyber' Threats Puts Internet Openness At Risk

from the it's-a-problem dept

Susan Crawford has an intriguing column over at Bloomberg where she notes that the ongoing effort by politicians to fearmonger around the idea of "cybersecurity" and "cyberwar," is a lot more problematic than just a sneaky way to do away with basic privacy protections. Instead, she argues, it's going to create massive damage to one of the key features of the internet that has made it so successful and so useful: its openness:

The dangers of this digital special-ops saber-rattling are breathtaking. Secretary of State Hillary Clinton has been valiantly advocating for Internet freedom, strategic multilateralism, engagement and “smart power” around the world. The White House has said its objective is to work with other nations to “encourage responsible behavior and oppose those who would seek to disrupt networks and systems.”

Purveyors of cyberfear are going in the opposite direction. They are not interested in engaging with other countries to come up with codes of online conduct or to translate the Geneva Conventions for cyberspace -- so as to avoid collateral damage and protect hospitals, electrical grids, and so on. They want to be able to change ones to zeros on servers around the globe, whatever that means for speech and commerce at home and worldwide.

Given the undeniable benefits that the open global Internet has brought to the U.S., building moats around our networks and subjecting them to constant, unaccountable audits and other restraints -- all in the service of an immense online warfighting machine staffed by military contractors -- would be burning the village in order to save it

Plenty of people have argued that SOPA was quite different from CISPA, because SOPA did attack fundamental principles of the internet, while CISPA was just an attack on privacy. So it's interesting to see Crawford's opinion suggesting that CISPA, and other bills like it, also put some aspects of the traditional internet at risk, though in a more indirect manner.

At this point, it's impossible to deny that the people behind both bills have written them with little understanding of the internet, or how it reacts to attempts to take away openness or lock things up. Such moves will have significant unintended consequences. I wouldn't go so far as to say that CISPA itself is an attack on the internet, but it does seem reasonable to say that the theories behind it are a significant departure from the openness that the internet has thrived on in the past.

Filed Under: cispa, cybersecurity, cyberwar, open internet, sopa

Microsoft Slowly Backing Away From CISPA Support; Worries About Privacy Issues

from the take-a-stand dept

One of the key points that backers of CISPA had made throughout the debate on the bill was that it had the support of the "tech industry" -- with Facebook and Microsoft being the key supporters of the bill. Of course, a few weeks ago, Facebook re-pledged its support for the bill... but also stated that it was aware of the privacy concerns and that it would work with lawmakers to fix the bill. Seeing as it's not clear that much was really done to fix the bill, does that mean Facebook may drop its support?

Similarly, Microsoft is now admitting that there are some privacy concerns with CISPA and has softened its stance on it slightly, while not completely pulling its support. Declan McCullagh at CNET reports:

In response to queries from CNET, Microsoft, which has long been viewed as a supporter of the Cyber Intelligence Sharing and Protection Act, said this evening that any law must allow "us to honor the privacy and security promises we make to our customers."

Microsoft added that it wants to "ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy."

This sounds similar to what Facebook was saying. Of course, what's not clear is why they're unwilling to pull support from the bills until such changes are made. Either way, combined with the fact that a few CISPA sponsors even voted against the bill suggests that -- even though it may have passed the House -- support for the overall bill is eroding. That's important, as the fight now moves to the Senate, where the existing cybersecurity proposals are quite different.

Filed Under: cispa, cybersecurity
Companies: facebook, microsoft

Law Enforcement Already Has A Way To Share 'Cybersecurity' Info With Companies; Why Do We Need CISPA?

from the this-makes-no-sense dept

The whole CISPA situation keeps looking more and more questionable. For months, we've been raising the question of why we needed such a law in the first place, because the evidence of any online threat that required such a law seemed hyperbolic at best, and perhaps naively anecdotal, at worst. However, there's another dimension to the "why" question. It's not just that the actual risk hasn't been quantified, it's not clear that the government and companies actually need a new law to share such security info in the first place. As we stated, the "right" way to do this would be to look at where the actual roadblocks are today in sharing such info. And there's some evidence that such roadblocks don't even exist.

Kashmir Hill has a great post showing how the FBI and companies already share the kind of info that the bill's sponsors claim the bill is needed to allow.

The FBI has been information-sharing with private industry for over a decade without a bill like CISPA in place.

In 1997, long-time FBI agent Dan Larkin helped set up a non-profit based in Pittsburgh that “functions as a conduit between private industry and law enforcement.” Its industry members, which include banks, ISPs, telcos, credit card companies, pharmaceutical companies, and others can hand over cyberthreat information to the non-profit, called the National Cyber Forensics and Training Alliance (NCFTA), which has a legal agreement with the government that allows it to then hand over info to the FBI. Conveniently, the FBI has a unit, the Cyber Initiative and Resource Fusion Unit, stationed in the NCFTA’s office. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI.

In other words, if sharing info was important, we already had a perfectly functional model that's been in place for 15 years. This means, either that the Congressional authors and supporters of this bill were completely ignorant of this or CISPA is really meant to sneak through something worse. Neither makes CISPA or its supporters look very good. I'm actually hoping that the truth is that they're just ignorant and passing laws on issues they don't understand, because the other choice is even more depressing.

Filed Under: cispa, cybersecurity, fbi, information sharing

Did CISPA Actually Get Better Before Passing? Not Really

from the depends-on-how-you-define-"better" dept

Yesterday, after I asserted that CISPA had gotten much worse before it was passed in a rushed vote, I heard from several people (even those in the anti-CISPA camp) who took the opposite position. They feel that, while CISPA is still a highly problematic bill, the Quayle amendment which I roundly criticized actually represented a significant last-minute improvement to the text. I still don't see it that way, for reasons I explain below, but they did make an important point that is worth calling attention to.

Basically, under their reading of the previous text, it allowed the government to use the data for any non-regulatory purpose as long as it has one cybersecurity or national security purpose. I hadn't initially read it that way but I completely agree, and that is indeed a troublesome wild card to hand to the government. The amendment removed the broad "any lawful purpose" language, replacing it with the list of five specific uses (cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security), thus closing that gaping hole in the bill. In that sense, it's a good amendment.

But, does it really improve CISPA? That depends on how you look at it. CISPA is supposed to be a "cybersecurity" bill, and both its supporters and its opponents in Congress have repeatedly stated that cybersecurity means protecting networks and systems from disruption, hacking and malicious code—primarily coming from overseas. Even during yesterday's debate, virtually every representative who spoke opened with a speech on this topic, and Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code". (I'm pretty sure he meant "1s and 0s", but what do you expect from someone who doesn't understand the thing he's trying to legislate?)

Now, critics of the bill have of course been saying all along that it could be used for things way beyond this stated cybersecurity purpose. But the response from supporters has been consistent: no, it can't, and even if it can, it won't be. [Insert another impassioned speech about the cyber-threat from China.] Then, suddenly, only a few minutes before the final vote, the representatives near-unanimously amend CISPA to include these brand new targets of bodily harm and child exploitation, which have nothing to do with cybersecurity and which have rarely if ever been mentioned in relation to the bill.

Basically, the amendment closes a loophole but opens a door. It takes away some of the language that allows overreach of the bill, but then explicitly endorses the exact things people were worried the government would do with that language—as in, start using the data to investigate and build cases against American citizens without regard for the laws that would normally protect their privacy.

Is that an improvement? CISPA would now grant the government less vague power, which is good, but would also grant it brand new specific powers, which is bad and frankly pretty insulting. Because, if this is indeed an improvement and a narrowing of the government's power, how are we to take that if not as a confession that virtually every representative has been baldly lying this whole time? They have said over and over again that they don't want or plan to use the bill for anything except shoring up network security, but we're supposed to see the addition of these brand new applications as limiting CISPA's target? To me, that sounds like they're saying: "Okay, you got us—we really wanted to secretly do all this other stuff. As long as you still let us do that, we'll change the bill."

So the way I see it, there are two ways to look at the Quayle amendment: either it made the bill worse, by massively expanding its stated purpose to whole new areas of the law such that it can no longer accurately be called a "cybersecurity" bill at all, or else it made the bill better by codifying the ways it can be abused for non-cybersecurity purposes.

Of course, it's not as though everyone trusted what supporters were saying about the bill's purpose before. We all knew it would be used for these other things. But simply getting them to admit that is not really progress. It's accurate to say that the amendment has limited the government's power under CISPA by changing the language, but it's also ludicrous to say that turning a cybersecurity/national-security bill into a cybersecurity/cybercrime/violent-crime/child-exploitation/national-security bill at the last minute represents narrowing or improving it. In fact, the only way that's an improvement is if the representatives are admitting that they were planning on it being used for even more unstated purposes all along, but are now content with choosing only a few of the things they have repeatedly denied they wanted. I see how that can be framed as progress, but it's not exactly something that the House deserves any praise for.

Filed Under: cispa, congress, cybersecurity