President Obama's Plan For 'Securing Cyberspace' Has A Lot Of Problems

from the not-the-public's dept

On Monday, President Obama gave a speech kicking off his big push on cybersecurity, with many of the details being released on Tuesday, and they don’t look very good. There are a lot of different pieces, but we’ll just highlight the two that concern us the most.

First up: information sharing/“cybersecurity.” The key issue here: is it the return of CISPA? CISPA, of course, is the cybersecurity “information sharing” bill that is introduced each year, but which is really about giving the NSA a tool to pressure companies into sharing their information (by granting immunity from liability to those companies). In 2012, President Obama rejected the CISPA approach as not having enough protections for privacy and civil liberties. And, indeed, contrary to what some have said, the official proposal is not “endorsing CISPA.” The approach is definitely more limited, and the biggest concern is addressed. Rather than giving the information to the NSA (or the FBI), Homeland Security gets it. DHS isn’t wonderful, but it’s better than the other two alternatives. Companies can still give the info to the NSA or FBI (or others), but won’t get full immunity from lawsuits if they do.

But, where the new proposal falls woefully short is in its lack of privacy protections. It basically handwaves its way through the privacy question, saying there will be guidelines, but the guidelines aren’t written yet, and they’re fairly important here. Instead, there’s just a plan to make them:

The Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the Chief Privacy and Civil Liberties Officers at the Department of Homeland Security and Department of Justice, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, the heads of sector-specific agencies and other appropriate agencies, and the Privacy and Civil Liberties Oversight Board, shall develop and periodically review policies and procedures governing the receipt, retention, use, and disclosure of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.

Yes, it promises that those guidelines will limit the “acquisition, interception, retention, use and disclosure” of information, but it’s still not entirely clear what the final guidelines will be. The second problem, still not addressed in all of this, is explaining why this is needed. People keep saying that we need “information sharing” because of “cyberthreats,” but no one argues why that information sharing can’t happen today, or points out what regulations today get in the way. That’s because they don’t. Companies can share information today, but the focus of this bill is to try to grant them broad immunity in case they share the wrong (private) info and it gets out.

The second concerning proposal is with the update to the CFAA (the Computer Fraud and Abuse Act). The CFAA, of course, is the widely misused “anti-hacking” law that has been stretched and twisted by law enforcement and prosecutors over time to argue that merely disobeying a terms of service could be seen as “hacking.” While some courts have limited that ridiculous interpretation, the changes here seem fairly messy and could bring back that possibility. The language involves a lot of careful picking through to interpret it, and it appears that it may fix some small issues with the CFAA, but opens up other massive holes that are seriously problematic. The White House claims this fix would “enhance [the CFAA’s] effectiveness against attacks on computers and computer networks.”

But that’s not the problem with the CFAA. The problem is that it’s already seriously overbroad and used in dangerous ways. That’s barely addressed. The main “fix” is that if you “intentionally exceed authorized access,” there are conditions that must be met before you trip the CFAA wire — and a key one is that the value of the information obtained must “exceed $5,000.” But, of course, with the way the gov’t inflates the value of information… that seems like a pretty small hurdle. The really big problem, though, comes in section (e)(6), which adds a troubling definitional change to “exceeds authorized access.” This is the whole bit that’s been used as evidence of “terms of service” violations. The key case that rejected this theory is the Nosal case, and that seems to be completely wiped out with this little addition to exceeding authorized access:

for a purpose that the accesser knows is not authorized by the computer owner;

This is likely to be interpreted to mean that if a terms of service bans a certain type of use, they have “knowledge,” and thus violating that kind of use is back to being a problem under the CFAA. As Orin Kerr argues, this could be read to mean that if your employer says you can only use a computer for work reasons, and you surf for personal reasons, you’ve broken the law. It is also possible to read this section to mean that using someone else’s Netflix or HBO GO password… could violate the law. Yikes!

Of course, one hopes that law enforcement wouldn’t go after those types of violations, but a more serious concern may be the impact on security research. Finding a hole in a website that allows you to access data that was publicly exposed could be seen as exceeding access, on the basis that whoever finds it “knows [it] is not authorized by the computer owner.” Basically, it only requires the government to argue that whoever they’re going after should have known that the computer owner “wouldn’t like” it. That… opens up a big can of worms that the DOJ will abuse like crazy.

The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it’s an “organized crime group.” It also ups the penalties for things that might be considered “actual hacking” (i.e., getting around technological barriers to access a computer) — making it automatically a felony with up to 10 years in jail (rather than the existing law, under which it could be a misdemeanor or a felony and the limit is 5 years in jail). And, of course, it expands civil forfeiture procedures so that law enforcement can seize (and likely keep) all your computer equipment if it thinks you’re violating the CFAA. Looks like law enforcement can now go “shopping” for computers.

Once again, we seem to be facing a situation where the administration is more focused on what law enforcement wants, while paying lip service to the protections of the public from likely law enforcement and intelligence community abuse.

That’s really unfortunate. A massive missed opportunity to actually do something productive here.


Comments on “President Obama's Plan For 'Securing Cyberspace' Has A Lot Of Problems”

Anonymous Coward says:

Re: Re:

What you are saying is why I defended Ted Cruz’s comments.

Cruz does not have to be a politician you like to be right about it.

In fact I would not trust either party at this time not to do just exactly what you wrote (say one thing but do another)… the citizens will be screwed one way or another, and anyone willing to still trust someone like Obama just deserves to be lied to.

Rich Kulawiec (profile) says:

There's no help coming here

Whatever the answers are to our current set of security issues, they’re most definitely not coming via legislation and regulation.

Of course that won’t stop those seeking to grandstand for political gain or to inflate the already-expansive powers of law enforcement or spy agencies: in fact, it will encourage them, because less security is a boon to both.

My best advice — which certainly won’t be accepted — to all three branches of government is:

1. Sit down.
2. Shut up.
3. Read everything written by Spafford, Appelbaum, Felten, Boyd, Robbins, Landau, Ranum, Forno, Schneier, Bellovin, Cheswick, Halderman, Kaminsky, Soghoian, Vixie, Weinstein, etc.
4. Stop doing the things they say are bad ideas.
5. Start doing the things they say are good ideas.
6. Return to step 1.

Anonymous Coward says:

Granting corporations exemptions from liability means there’s something to be liable for… and since governments are the catalyst to this liability, they are culpable in this too.

So basically what they’re saying is, if we do something bad, we’re protected by the laws WE create… tell me again we live in these supposed free societies.

Anonymous Coward says:

Re: Really?

Well, according to this new proposal the value of a hack must be $5000, and we all know that the government considers us to be worth less than ¢1… and the lawheads at the NSA would come up with some BS excuse that every person only counts as one hack… to them only, of course, so they would never reach the limit.

Anonymous Coward says:

“exceeds authorized access.”

If this worked both ways, it may be a good thing. The companies asked to give information over violate my rights and “exceed authorized access.” Using a stingray device is to “exceed authorized access.” And spying on my communications, email and such will surely “exceed authorized access.”

Anonymous Coward says:

Bit by bit is their approach… give it time, more tragedies to exploit, and our fears become a reality… the whole system is suspect, that’s what history is trying to tell you… they’re already past the point of debating whether they should have the authority to spy on their subjects; everything after that is a moot point.

I don’t even think they should have the system built to give this exploitive tool, but they have it, and they built it in secret. If Snowden hadn’t interrupted their drive, when would we have found out? HOW integrated would it have been THEN?

The more they implement, the harder it’s gonna be, with any reasonable assurances, to completely shut it down, if it becomes the perfect tool for corruptible folks.

Anonymous Coward says:

“The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it’s an “organized crime group.” It also ups the penalties for things that might be considered “actual hacking”

Firstly, hackers who “hack” to improve security should not be in this category; as a user, I think they are doing a service to us users.

Secondly, I’d classify all intelligence services as criminal hackers, DEFINITELY in the group of “organized crime.”

I’m interested to know who put the quotes around “actual hacking”: Techdirt, or the gov?

Anonymous Coward says:

Here’s a REAL cybersecurity law: all commercial companies must be able to provide a method of easy-to-implement, continuous security/privacy updates throughout the entirety of a service or product, either internally or externally… or some such.

Instead of a law that would upset business, we get a law that upsets users. Who do they represent again?

Anonymous Coward says:

Aaron Swartz died because of CFAA abuses, and for a brief moment I thought reform might come. However, this is just pathetic. The community has a duty to raise its voice loudly and protest against this disgusting and disrespectful proposal.

We need another Internet blackout. Imagine if instead of simply changing a few colors, companies actually shut down for a day. Our government and law enforcement all need a “time out”; like a little child standing in the corner.
