A Challenge To Facebook: Withdraw CISPA Support Until The Bill Is Fixed Or Replaced

from the get-off-the-fence dept

One of the more concerning aspects of CISPA that sets it apart from SOPA/PIPA is the number of technology companies that support it. Of chief concern is Facebook, which handles a lot of sensitive private data, but is standing behind the bill. Joel Kaplan, Facebook's VP of U.S. Public Policy, has now released a statement explaining their support, which basically amounts to "we promise not to abuse the gray areas in the bill".

A number of bills being considered by Congress, including the Cyber Intelligence Sharing and Protection Act (HR 3523), would make it easier for Facebook and other companies to receive critical threat data from the U.S. government. Importantly, HR 3523 would impose no new obligations on us to share data with anyone –- and ensure that if we do share data about specific cyber threats, we are able to continue to safeguard our users’ private information, just as we do today.

That said, we recognize that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place -- the additional information it would provide us about specific cyber threats to our systems and users.

Kaplan then goes on to say that Facebook is engaging lawmakers to see about amending the bill to address people's concerns. But that creates a pretty big question: why are they still supporting the bill if they recognize its problems? Based on this statement, Facebook wants to use cybersecurity laws the right way—to give and receive anonymized and minimized data about specific threats, to be used solely in relation to those and similar threats. But CISPA does not require any of that. It's nice that Facebook is "able to" protect private information, but why aren't they and all other companies forced to? If the authors of the bill want to tout its "strong privacy protections", then a requirement to eliminate personal user information from shared data seems like a necessity.

Moreover, while Facebook may only be worried about specific cyber-threats, they can't control what the government does with the information. As currently written, CISPA basically allows the feds to keep whatever data Facebook shares on file, and search it whenever they want, for anything they want, as long as there is a "cybersecurity" or "national security" purpose. And "cybersecurity" is very broadly described, and includes things like intellectual property. If this bill is supposed to be about protecting networks from disruptive attacks, why aren't the terms and limitations narrowly defined to ensure that's the only thing it can be used for?

If Facebook's cybersecurity motivations are good—and I'm willing to grant them the benefit of the doubt and assume that they are—then they should withdraw their support of CISPA until it is fixed to exclude the broad provisions that go well beyond what Facebook wants to use it for. If the company is so proud of its commitment to user privacy, then surely it has to acknowledge that there are other companies which are not so responsible, and which will abuse the same powers and immunities that Facebook promises to handle responsibly. Unless they can show us that they are making meaningful demands of Congress, this attempt to soften their support of CISPA is just hot air.

Filed Under: abuse, cispa, cybersecurity, pipa, privacy, sopa
Companies: facebook

CISPA Is A Really Bad Bill, And Here's Why

from the time-to-speak-up dept

Update: There is now a new draft of CISPA that has rendered some (though unfortunately not all) of this analysis obsolete.

The forces behind HR 3523, the dangerous Cyber Intelligence Sharing and Protection Act which is going to move forward in Congress at the end of the month, are beginning to get cagey about the growing backlash from the internet community. In an attempt to address some of the key concerns, the bill's authors, representatives Mike Rogers and Dutch Ruppersberger, hosted a conference call specifically geared at digital reporters. The invitation was for "Cyber Media and Cyber Bloggers" (seriously) and took place at 7am Silicon Valley time—thus demonstrating that they are totally in touch with the tech community. During the call, the representatives were intent on hammering certain points home: that the bill respects privacy and civil liberties, is not about surveillance, is targeted at actions by foreign states, and is nothing like SOPA.

Unfortunately, none of that is really true. The text of the bill, even with the two key amendments made since (all pdf links and embedded below), is still full of extremely broad definitions which fail to create the safeguards that the representatives insist are present, and which leave room for dangerous unintended consequences.

CISPA at a Glance
In broad terms, CISPA is about information sharing. It creates broad legal exemptions that allow the government to share "cyber threat intelligence" with private companies, and companies to share "cyber threat information" with the government, for the purposes of enhancing cybersecurity. The problems arise from the definitions of these terms, especially when it comes to companies sharing data with the feds.

Is CISPA the new SOPA?
This is the notion that the reps behind the bill are most desperate to kill. Their primary response is that CISPA has nothing to do with seizing domains or censoring websites, but that's only true on the surface. The bill defines "cybersecurity systems" and "cyber threat information" as anything to do with protecting a network from:

‘(A) efforts to degrade, disrupt, or destroy such system or network; or

‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

It's easy to see how that definition could be interpreted to include things that go way beyond network security—specifically, copyright policing systems at virtually any point along a network could easily qualify. And since one of the recipients of the shared information would be Homeland Security—the department that includes ICE and its ongoing domain seizures—CISPA creates the very real possibility for this information to be used as part of a SOPA-like crusade to lock down the internet. So while the bill itself has nothing to do with domain seizures, it gives the people behind such seizures a potentially powerful new weapon.

The reps insist that when they refer to intellectual property, they are not thinking about media piracy or even counterfeiting, but about foreign-based attacks on domestic companies to steal their research and development (they tout examples like the plans for jet fighters). Unfortunately, the bill's definitions create no such restriction, leaving the door wide open for more creative interpretations.

How can the government use the information?
The original text of the bill was really bad, simply saying the government cannot use the information for "regulatory purposes." This was amended to be more restrictive, but not by much: now, the same broad "cybersecurity" definition applies to what they can use the data for, and as if that wasn't enough, they can also use it for "the protection of the national security of the United States." I don't need to tell you that the government is not exactly famous for narrowly interpreting "national security."

So is CISPA a surveillance bill?
The bill specifically prohibits the government from requiring anyone to hand over information, or offering any sort of "quid pro quo" data sharing arrangement. Sharing information is voluntary, and as far as the bill's supporters are concerned, that should end the debate. Of course, as we've seen with things like the warrantless wiretapping scandal, complicity between companies and the government, even when legally questionable, is common and widespread. But even if the safeguards work, CISPA will undoubtedly allow for invasions of privacy that amount to surveillance.

Firstly, while the reps insist that the bill only applies to companies and not individuals, that's very disingenuous. CISPA states that the entity providing the information cannot be an individual or be working for an individual, but the data they share (traffic, user activity, etc.) will absolutely include information about individuals. There is no incentive in the bill to anonymize this data—there is only a clause permitting anonymization, which is meaningless since the choice of what data to share is already voluntary. Note that any existing legal protections of user privacy will not apply: the bill clearly states that the information may be shared "notwithstanding any other provision of law".

So we've got the government collecting this data, potentially full of identifying information of users in the U.S. and elsewhere, and they are free to use it for any of those broadly defined cybersecurity or national security purposes. But, it gets worse: the government is also allowed to affirmatively search the information for those same reasons—meaning they are by no means limited to examining the data in relation to a specific threat. If, for example, a company were to provide logs of a major attack on their network, the government could then search that information for pretty much anything else they want.

Can CISPA be fixed?
Most of the new provisions currently being considered for CISPA have to do with adding oversight and liability to prevent the government from violating any of the terms—but that doesn't address the problems in the bill at all, since the terms are already so broad. CISPA would require significant new restrictions to come anywhere close to being a good bill—a fact that points to Congress' inability to effectively design internet regulation. Moreover, there isn't even clear evidence that new cybersecurity laws are necessary. This is a bill that needs to die.

The EFF has a tool to help you contact your representative about CISPA and the broader issue of cybersecurity legislation. The bill is going to the House the week of April 23rd, so now is the time to get involved. As with SOPA, this is not an issue that solely effects Americans: the data may come from U.S. companies, but it will involve people from all over the world—and, indeed, foreign entities are one of the bill's prime targets. It's once again time for the internet to speak up and send a clear message to Congress: don't mess with something you don't understand.

Filed Under: cispa, congress, cybersecurity, sopa

Did Congress Really Not Pay Attention To What Happened With SOPA? CISPA Ignorance Is Astounding

from the again-and-again dept

Update: Check out our breakdown of the reasons CISPA is a really bad bill.

We recently wrote about how HR 3523, the Cyber Intelligence Sharing and Protection Act -- or CISPA -- is an incredibly bad bill that would basically make it much, much easier for the government to spy on all sorts of private communications. The bill already has over 100 sponsors, some of whom were on the right side of SOPA, but seem to have gone astray here. The concern over CISPA has been growing rapidly and the netroots are speaking out and warning Congress that this is a bill they do not want.

And yet... Congress still appears ready to move forward with CISPA the week of April 23rd. And the amazing (no, astounding) thing is that many politicians in Congress have no idea that people are up in arms over this yet. In talking to different people on Capitol Hill, the story is along the lines of "oh, is there some controversy over this?" Like SOPA early on, it appears that Congress simply takes for granted that if you call something one thing (whether it's "stopping piracy" or "protecting cybersecurity") no one will bother looking at the details to realize just how problematic the bill actually is.

But this is a bad, bad bill, which effectively will lead to significant spying on internet usage and private communications by the government with little to no oversight -- and that includes not just domestic law enforcement, but military spying as well. The whole thing is absolutely crazy (especially when there are less onerous bills that are much more sensible).

The truly amazing part to me is the fact that politicians in Congress would simply think that there's no problem making massive internet regulatory change without actually looking at the impact on ordinary users and how they feel about it so soon after SOPA. It seems clear that many elected officials still haven't received the message that politicians should not be mucking with the internet when they clearly don't understand it.

Filed Under: cispa, congress, cybersecurity, sopa

Former Cybersecurity Czar Thinks DHS Should Spy On All Internet Traffic Crossing Our Borders... Because Of Chinese Pirates?

from the um,-no dept

Richard Clarke, the former cybersecurity czar in the White House -- and a huge, huge, huge proponent of pushing for greater legislation for spying on Americans under the guise of "cybersecurity" (it used to be "cyberwar" but that term was so laughable, it's been downgraded to "cybersecurity) -- has written one of the most ridiculous defenses of new internet spying proposals, claiming that Chinese hackers are stealing all our intellectual property by hacking into computers online. He has no evidence of this. He tells apocryphal stories of Chinese hackers somehow getting all the data from a "$1 billion research program copied by hackers in one night." The whole thing is fear-mongering in the extreme, using the specter of evil "Chinese pirates" hacking computers and stealing important US intellectual property. That's wrong for a variety of reasons that we've discussed multiple times. But where it gets downright silly is in his assertion that (1) the US could magically "stop" these mythical hackers from "stealing" data, and (2) that Homeland Security already has the authority to spy on all internet traffic as it comes over the border:

If given the proper authorization, the United States government could stop files in the process of being stolen from getting to the Chinese hackers. If government agencies were authorized to create a major program to grab stolen data leaving the country, they could drastically reduce today’s wholesale theft of American corporate secrets.

[....]

Under Customs authority, the Department of Homeland Security could inspect what enters and exits the United States in cyberspace. Customs already looks online for child pornography crossing our virtual borders. And under the Intelligence Act, the president could issue a finding that would authorize agencies to scan Internet traffic outside the United States and seize sensitive files stolen from within our borders.

And this does not have to endanger citizens’ privacy rights. Indeed, Mr. Obama could build in protections like appointing an empowered privacy advocate who could stop abuses or any activity that went beyond halting the theft of important files.

Almost everything stated above is ridiculous. As law professor James Grimmelman points out, with this article "Richard Clarke disqualifies himself from participating in any serious discussion of cybersecurity."

Indeed. It's scary to think that Clarke was ever seen as an expert in cybersecurity. He seems to be under the assumption that the internet really is a series of tubes, in which customs agents can simply stop all that data at the border and inspect it. And the idea that appointing a single "privacy advocate" would magically stop abuses? You'd think he just stepped off the turnip truck, rather than having spent many years in government where privacy was regularly abused, despite much more significant safeguards in place. Who does he think he's kidding?

Will we ever have people driving policy discussions on regulating the internet who actually understand the internet?

Filed Under: customs, cybersecurity, dhs, hackers, richard clarke

Forget SOPA, You Should Be Worried About This Cybersecurity Bill

from the this-is-not-good dept

While most folks are looking elsewhere, it appears that Congress is trying to see if it can sneak an absolutely awful "cybersecurity" bill through Congress. We've discussed how there's been some fighting on the Senate side concerning which cybersecurity bill to support, but there's a similar battle going on in the House, and it appears that the Rogers-Ruppersberger bill, known as CISPA (for Cyber Intelligence Sharing and Protection Act) or HR 3523 is winning out, with a planned attempt to move it through Congress later this month. The bill is awful -- and yet has somehow already gained over 100 sponsors. In an attempt to pretend that this isn't a "SOPA-like" problem, the supporters of this bill are highlighting the fact that Facebook, Microsoft and TechAmerica are supporting this bill.

However, this is a terrible bill for a variety of reasons. Even if we accept the mantra that new cybersecurity laws are needed (despite a near total lack of evidence to support this -- and, no, fearmongering about planes falling from the sky doesn't count), this bill has serious problems. As CDT warned when this bill first came out, it's way too broad and overreaching:

However, the bill goes much further, permitting ISPs to funnel private communications and related information back to the government without adequate privacy protections and controls. The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD’s Cybercommand would be the primary recipient.

If it's confusing to keep track of these different cybersecurity bills, the ACLU has put together a handy dandy (scary) chart (pdf) comparing them all. And what comes through loud and clear is that the Rogers-Ruppersberger CISPA bill will allow for much greater information sharing of companies sending private communication data to the government -- including the NSA, who has been trying very, very hard to get this data, not for cybersecurity reasons, but to spy on people. CISPA has broad definitions, very few limits on who can get the data, almost no limitations on how the government can use the data (i.e. they can use it to monitor, not just for cybersecurity reasons) and (of course) no real oversight at all for how the data is (ab)used.

CDT has put together a reasonable list of 8 things that should be done if politicians don't want to turn cybersecurity into a new SOPA, but so far, Congress is ignoring nearly all of them. Similarly, EFF is asking people to speak out against CISPA, noting that it basically creates a cybersecurity exemption to all existing laws. If the government wants your data, it just needs to claim that it got it for "cybersecurity purposes" and then it can do pretty much whatever it wants.

This is a really bad bill and it looks like it's going to pass unless people speak up.

Filed Under: cispa, cybersecurity, monitoring, privacy, rogers-ruppersberger, sopa

A Terrifying Look Into The NSA's Ability To Capture And Analyze Pretty Much Every Communication

from the be-afraid dept

You may recall that we've written a few times about the "turf war" between the Department of Homeland Security and the Defense Department's NSA over who gets to run the "cybersecurity" efforts for the country. The NSA has been particularly insistent that all cybersecurity efforts should go through it, and an amazing, detailed and positively frightening article from James Bamford at Wired Magazine, which is ostensibly about the NSA's massive new spy center in Bluffdale, Utah, but is really a rather detailed (and well-sourced) account of just how much spying the NSA is doing on pretty much all communications. The article breaks some news in not just confirming the details of the infamous warrantless wiretapping that started under President Bush and has continued unabated under President Obama, but also explains how the program is more advanced and more expansive than previously thought. Basically, the NSA now collects everything, whether or not the law allows it -- and it's building massively powerful computers to break any encryption that is used on that communication.

In regards to the question of "cybersecurity," one reason why the NSA wants official control over cybersecurity is that's the curtain it tries to hide behind to explain its massive spying operations:

A short time later, [NSA deputy director Chris] Inglis arrived in Bluffdale at the site of the future data center, a flat, unpaved runway on a little-used part of Camp Williams, a National Guard training site. There, in a white tent set up for the occasion, Inglis joined Harvey Davis, the agency’s associate director for installations and logistics, and Utah senator Orrin Hatch, along with a few generals and politicians in a surreal ceremony. Standing in an odd wooden sandbox and holding gold-painted shovels, they made awkward jabs at the sand and thus officially broke ground on what the local media had simply dubbed “the spy center.” Hoping for some details on what was about to be built, reporters turned to one of the invited guests, Lane Beattie of the Salt Lake Chamber of Commerce. Did he have any idea of the purpose behind the new facility in his backyard? “Absolutely not,” he said with a self-conscious half laugh. “Nor do I want them spying on me.”

For his part, Inglis simply engaged in a bit of double-talk, emphasizing the least threatening aspect of the center: “It’s a state-of-the-art facility designed to support the intelligence community in its mission to, in turn, enable and protect the nation’s cybersecurity.” While cybersecurity will certainly be among the areas focused on in Bluffdale, what is collected, how it’s collected, and what is done with the material are far more important issues. Battling hackers makes for a nice cover—it’s easy to explain, and who could be against it? Then the reporters turned to Hatch, who proudly described the center as “a great tribute to Utah,” then added, “I can’t tell you a lot about what they’re going to be doing, because it’s highly classified.”

And then there was this anomaly: Although this was supposedly the official ground-breaking for the nation’s largest and most expensive cybersecurity project, no one from the Department of Homeland Security, the agency responsible for protecting civilian networks from cyberattack, spoke from the lectern. In fact, the official who’d originally introduced the data center, at a press conference in Salt Lake City in October 2009, had nothing to do with cybersecurity. It was Glenn A. Gaffney, deputy director of national intelligence for collection, a man who had spent almost his entire career at the CIA. As head of collection for the intelligence community, he managed the country’s human and electronic spies.

The entire article is worth reading, as it details the extent of the NSA's spying, as well as their near total lack of concern for what the law says it's allowed to do. A former NSA official who left the agency soon after all this started notes that the organization "violated the Constitution setting it up," and that "they didn't care. They were going to do it anyway and they were going to crucify anyone who stood in the way." This same officials notes multiple ways that the NSA could have set up programs that only focused on specific "targets" or those close to the targets, to stay within the framework of the law. He even suggested these to people at the NSA and elsewhere in the federal government and was completely brushed off. The temptation to collect everything is apparently just too powerful.

As the article notes, even if such an effort may be useful in getting information on those who wish to do us harm, the threat of it being massively abused is incredibly high:

But there is, of course, reason for anyone to be distressed about the practice. Once the door is open for the government to spy on US citizens, there are often great temptations to abuse that power for political purposes, as when Richard Nixon eavesdropped on his political enemies during Watergate and ordered the NSA to spy on antiwar protesters. Those and other abuses prompted Congress to enact prohibitions in the mid-1970s against domestic spying.

But it appears that things have gone very much in the other direction now, with the NSA having much more ability to spy on people today than in the past. And even the idea of strong encryption may only be a temporary way of keeping the NSA from knowing everything you've communicated. Bamford details the NSA's classified effort to build superfast supercomputers that can help in breaking even the strongest encryption being used today. It's not quite there yet, from the sound of things, but it also appears they're advancing faster than most people predicted.

The whole article is worth a read, but it's a frightening reminder of the amount of power the federal government has today and its ability to abuse it.

Filed Under: bluffdale, cybersecurity, encryption, nsa, spying, surveillance

If Phishing Email Can Kill NY Power Grid, Lack Of Cybersecurity Legislation Is Not The Problem

from the oh-come-on dept

We've been talking about the faux urgency to pass some cybersecurity legislation coming from the federal government, with plenty of fear mongering from politicians who never seem to want to point out any factual basis for why we need such new laws. Instead, it's all been about Hollywood movie script-style scenarios about planes falling from the skies. It appears that the White House is heavily involved in this bogus fear mongering as well, having recently set up a "simulated cyberattack on New York City's power supply" to convince elected officials to move forward on the legislation.

During a classified briefing in the Office of Senate Security, Homeland Security Secretary Janet Napolitano and White House counterterrorism adviser John Brennan showed lawmakers how a hacker could breach control systems of the city’s electric system and trigger a ripple effect throughout the population and private sector, according to a source familiar with the scenario.

“The fact that we could be subject to a catastrophic attack under the right circumstances and we now know some of the things that would help us to protect against such an attack, that’s why it’s important now for the Congress to take this up,” Napolitano said in an interview with POLITICO.

Now that's interesting. Just how could a hacker breach control systems of the power grid? Apparently with an email phishing attack:

During the simulation, the hacker gains access to the electric supply’s control system through a simple “spearphishing” attack, in which a worker merely clicks on a link in an email that appears to be from someone they know.

Um, there's your problem. If the NYC power grid is attached to the public internet in such a way that it can be taken down, then um, shouldn't we take it off the internet? This isn't about cybersecurity, this is about common sense, where things like the power grid should not be accessible via the internet -- and I'm pretty sure they're not (back here in reality). But in the world where we need fear, uncertainty, doubt and the ability for the federal government to spy on private networks, we have to pretend such a scenario is likely.

Of course, I also question why the White House chose NYC as the showcase for the simulation and suggested that there would be deaths and other massive harm from such a power grid takedown. After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail. It was an inconvenience for many people, certainly, but it was hardly damaging in the way the White House seems to have implied with this scare tactic.

So, once again, can we take a step back and ask some simple questions: what's the real threat and the real risk here? If it's that the NYC power grid is accessible by a simple password over the public internet, then the problem isn't cybersecurity, it's whoever was stupid enough to connect the power grid to the internet. Let's fix that. But let's not regulate and spy on large segments of the public internet to cover for a few bad decisions.

Filed Under: cybersecurity, fear mongering, hype, nyc, phishing, power grid, terrorism, white house

Slow Down, Homeland Security: Does Everyone Really Agree That We Need Cybersecurity Legislation Now?

from the why-the-rush,-sparky? dept

We've been following the debate over the new cybersecurity bill, while still asking for detailed explanation of why it's needed that is a bit more specific than politicians screaming about airplanes falling out of the sky. To date, no one seems to be able to show any real threat -- other than a bunch of folks in a position to profit from the fear mongering, yelling "trust us! it's bad!" But we've seen this game before, and it's how a lot of money gets wasted, privacy rights are eroded, and nothing is done to deal with any real problem.

So why can't we hit pause and ask for some actual evidence?

Yes, there's a turf war between DHS and the NSA/DoD over who gets to control the purse strings and have more control, but no one seems to be asking for the actual evidence. Instead, they're just trying to push forward as fast as possible. Witness this blog post from Mark Weatherford, Homeland Security's Deputy Undersecretary for Cybersecurity, in which he insists that everyone agrees that we need a cybersecurity law and we need it now:

We must deliver and we must act quickly. It’s time to be bold. The troubling side of spending a week with some of the experts in the cybersecurity world is that when we compare notes on our views of the threat, we all agree that despite the firewalls and layered defenses, we are not always keeping intruders out. We need to continue to sharpen our response tactics and move even faster when an intruder gets inside to limit the damage and protect our information. That requires a fast, unified response between federal agencies and our private partners – which is where Congress can help.

I agree that we're not always keeping intruders out -- though I think it should be admitted that we'll never "always" keep intruders out. That's an impossible goal. And I agree that sharing information to build up better defenses could be a good thing. But how do we then take the logical leap that this "requires a fast, unified response" from the government? The operators of these networks already are working hard to keep intruders out and have tremendous incentive to keep improving their defenses. Why do we need regulations to continue that process? That's the part that's never been clearly explained, and it seems like a pretty big gap, which all this talk about the necessary "rush" is designed to paper over.

Filed Under: cybersecurity, cyberwar, dhs, dod, evidence, mark weatherford, nsa

NSA Power Grab: New Legislation Would Give It Broad Powers To Spy On 'Critical' Private Networks

from the doesn't-pass-the-laugh-test dept

Well, we saw this one coming a mile away. Last week, in talking about the current fight in the Senate over the new cybersecurity legislation that's making the rounds, we noted that the behind-the-scenes story appeared to be that the NSA was going to make a power play to try to get responsibility for cybersecurity handed to it, rather than Homeland Security. Over the last few days, it's become clear that's exactly what's going on. While neither the NSA nor DHS inspire much confidence when it comes to heading up cybersecurity, the NSA plan is really crazy. It's expected that Senator McCain will be introducing legislation shortly that would give cybersecurity responsibility to the NSA.

McCain is positioning his version of the bill as one that focuses on "a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations." However, reports are that McCain's version involves a plan that the NSA has been aggressively lobbying for to give it access to networks deemed "critical." The NSA says that it wants to monitor these networks in case of attack so it can spring into action.

However, given the NSA's other mandates (spying!) this certainly has raised some fairly significant concerns. Should every private company running a network deemed critical automatically be required to install a special NSA spying box? Even the White House and the Justice Department (no strangers to over aggressive monitoring) have pushed back that this would be "unprecedented government" intrusion into the civilian internet. It's apparently gotten so bad, that the Obama administration has privately slapped down NSA boss General Keith Alexander (last heard talking about how Anonymous was going to shut down powerlines) for "advocating for something beyond that, that is undermining the commander in chief."

Of course, the administration can't stop former NSA boss Mike McConnell from running around spreading fear mongering stories about how the entire internet is at risk if we don't give the NSA unprecedented spying powers. Left out of his talks on this matter is that, not only has he been making these claims about how the internet is on the verge of collapse if the NSA doesn't get these powers for many, many years (without any evidence to show that it's true), but he's also now employed by Booz, Allen as a VP -- which is relevant, because Booz is already profiting massively from all this fear mongering, by getting hundreds of millions of dollars in federal contracts to "help" the government deal with the scary threats of the internet.

Jim Dempsey, over at CDT has a discussion of just how ridiculous this NSA powergrab is, in that it makes some key assumptions that just don't seem supported by reality:

The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.

The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.

Dempsey goes on to say that the NSA has already been helping Tier 1 providers by sharing its "secret sauce" to protect them against attack without having to have full access to the networks, and it seems silly that a process like that can't continue and be quite effective without giving up all privacy. Similarly, Jerry Brito, who has been following all of this very closely, notes that it's somewhat crazy to think that we can't just continue with the NSA assisting at arms-length without giving them full access to private networks.

Brito further highlights that there's a reason why we have civilian law enforcement for domestic issues, not military officials -- noting that (while they don't always succeed), civilian law enforcement is used to working within "an environment where constitutional rights apply and to use force only as a last resort." That is simply not true of the military or the NSA, whose operations usually involve issues outside the US, where the Constitution does not apply. And yes, they've certainly blurred that domestic/foreign line over the years, but that's no reason to go even further and give the military more power of the private domestic internet.

Filed Under: critical infrastructure, cybersecurity, dod, john mccain, nsa, spying, turf war

NSA: 'Anonymous Might One Day Hack Power Grids!' Anonymous: 'Huh?!?'

from the cyberfud dept

The fight to ramp up the fear mongering over cybersecurity has reached new and even more ridiculous levels -- in which an "anonymous" government source claims (without quotations) that the head of the NSA, Gen. Keith Alexander, recently briefed the White House claiming that the non-group Anonymous might be able to mount a cyberattack to take down parts of the power grid. The dubious sourcing already makes the story suspect, and without more context, the whole thing seems silly -- especially given that anyone who actually has any inkling of how Anonymous actually functions would question why it would ever seek to shut down a power grid. Anonymous tends to do things either for fun (i.e., for "the lulz") or (more frequently) out of a more vigilante sense of justice (sometimes misguided, but usually well meaning). The attacks are pretty carefully focused on causing temporary inconveniences, rather than lasting damage, as a sign of protest, or on revealing secret info that it feels deserves a wider airing. Attacking the power grid fits with exactly none of that -- a point that Anonymous itself made in response to this claim:

Why would Anons shut off a power grid? There are ppl on life support / other vital services that rely on it. Try again NSA. #FearMongering

But, even more to the point, the WSJ piece is so ridiculous that it's hard not to laugh when you read the following part:

A stateless group like Anonymous doesn’t yet have that capability, officials say. But if the group’s members around the world developed or acquired it, an attack on the power grid would become far more likely, according to cybersecurity experts.

I think Jerry Brito summed this up perfectly by saying:

Shorter version: Anonymous doesn’t have the power to attack the grid, but if they were able to get it someday, then they would have it. Got it.

You could go even further. I mean, why not just start listing out other hypotheticals using those ridiculous two sentences as a basis. I'll start:

• That baseball player doesn't yet have the capability to hit a baseball thrown by a pitcher, officials say. But, if he somehow developed or acquired it, his likelihood of being able to play baseball effectively would become far more likely, according to sports experts.
• An infant doesn't yet have the capability to drive, officials say. But, if toddlers around the world develop or acquire it, automobile accidents would become far more likely, according to automotive experts.
• Prisoners don't yet have the capability to shoot each other, officials say. But, if inmates around the world developed or acquired it, gunfights in prison would become far more likely, according to anger management experts.
• Techdirt readers don't yet have the capability to make clueless government officials get transferred to jobs washing toilets, officials say. But, if the community there develops or acquires it, dumb politicians being out of work would become far more likely, according to political pundits.

In what journalistic world is it okay to write something where the entire point of the article is to fear monger about a group having a certain power, and then brush aside the fact that it doesn't have that power... and appears to have no interest or possibility of obtaining that power... but then saying, "boy, if it did have that power, that would be dangerous!" None of the hypotheticals make any sense if there's no info on the interest or likelihood of the group in acquiring or using such capabilities. There is some speculation, based solely on Anonymous' (kinda stupid) idea to try to take down the entire internet to make a statement next month, that the group is moving in "this direction," but it still seems pretty silly.

Furthermore, you have to get 10 whole paragraphs down in the article, before it's mentioned that there really isn't any real "cyberthreat" to the power grid. It seems like that sort of information belongs at the top of the article, along with a message about how the rest of the article is fear mongering about stuff that really isn't likely to happen.

Filed Under: anonymous, cybersecurity, fud, nsa, online security, power grids