President Obama's Plan For 'Securing Cyberspace' Has A Lot Of Problems

from the not-the-public's dept

On Monday, President Obama gave a speech kicking off his big push on cybersecurity, with many of the details being released on Tuesday, and they don't look very good. There are a lot of different pieces, but we'll just highlight the two that concern us the most.

First up: information sharing/"cybersecurity." The key issue here: is it the return of CISPA? CISPA, of course, is the cybersecurity "information sharing" bill that is introduced each year, but which is really about giving the NSA a tool to pressure companies into sharing their information (by granting immunity from liability to those companies). In 2012, President Obama rejected the CISPA approach as not having enough protections for privacy and civil liberties. And, indeed, contrary to what some have said, the official proposal is not "endorsing CISPA." The approach is definitely more limited, and the biggest concern is addressed. Rather than giving the information to the NSA (or the FBI), Homeland Security gets it. DHS isn't wonderful, but it's better than the other two alternatives. Companies can still give the info to the NSA or FBI (or others), but won't get full immunity from lawsuits if they do.

But, where the new proposal falls woefully short is in its lack of privacy protections. It basically handwaves its way through the privacy question, saying there will be guidelines, but the guidelines aren't written yet, and they're fairly important here. Instead, there's just a plan to make them:
The Attorney General, in coordination with the Secretary of Homeland Security and in consultation with the Chief Privacy and Civil Liberties Officers at the Department of Homeland Security and Department of Justice, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Defense, the Director of the Office of Management and Budget, the heads of sector-specific agencies and other appropriate agencies, and the Privacy and Civil Liberties Oversight Board, shall develop and periodically review policies and procedures governing the receipt, retention, use, and disclosure of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.
Yes, it promises that those guidelines will limit the "acquisition, interception, retention, use and disclosure" of information, but it's still not entirely clear what the final guidelines will be. The second problem, still not addressed in all of this, is explaining why this is needed. People keep saying that we need "information sharing" because of "cyberthreats," but no one argues why that information sharing can't happen today, or points out what regulations today get in the way. That's because they don't. Companies can share information today, but the focus of this bill is to try to grant them broad immunity in case they share the wrong (private) info and it gets out.

The second concerning proposal is the update to the CFAA (the Computer Fraud and Abuse Act). The CFAA, of course, is the widely misused "anti-hacking" law that has been stretched and twisted by law enforcement and prosecutors over time to argue that merely disobeying terms of service could be seen as "hacking." While some courts have limited that ridiculous interpretation, the changes here seem fairly messy and could bring back that possibility. The language takes a lot of careful picking through to interpret, and it appears that it may fix some small issues with the CFAA, but it opens up other massive holes that are seriously problematic. The White House claims this fix would "enhance [the CFAA's] effectiveness against attacks on computers and computer networks."

But that's not the problem with the CFAA. The problem is that it's already seriously overbroad and used in dangerous ways. That's barely addressed. The main "fix" is that if you "intentionally exceed authorized access," certain conditions must be met to trip the CFAA wire -- and a key one is that the value of the information obtained must "exceed $5,000." But, of course, with the way the gov't inflates the value of information... that seems like a pretty small hurdle. The really big problem, though, comes in section (e)(6), which adds a troubling definitional change to "exceeds authorized access." This is the whole bit that's been used as evidence of "terms of service" violations. The key case that rejected this theory is the Nosal case, and that seems to be completely wiped out with this little addition to exceeding authorized access:
for a purpose that the accesser knows is not authorized by the computer owner;
This is likely to be interpreted to mean that if a terms of service bans a certain type of use, they have "knowledge" and thus violating that kind of use is back to being a problem under the CFAA. As Orin Kerr argues, this could be read to mean that if your employer says you can only use a computer for work reasons, and you surf for personal reasons, you've broken the law. It is also possible to read this section to mean that using someone else's Netflix or HBO GO password... could violate the law. Yikes!

Of course, one hopes that law enforcement wouldn't go after those types of violations, but a more serious concern may be the impact on security research. Finding a hole in a website that lets you access data that was publicly exposed could be seen as exceeding access, on the basis that whoever finds it "knows [it] is not authorized by the computer owner." Basically, it requires the government to argue that whoever they're going after should have known that the computer owner "wouldn't like" it. That... opens up a big can of worms that the DOJ will abuse like crazy.

The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it's an "organized crime group." It also ups the penalties for things that might be considered "actual hacking" (i.e., getting around technological barriers to access a computer) -- making it automatically a felony with up to 10 years in jail (rather than the existing law, under which it could be a misdemeanor or a felony and the limit is 5 years in jail). And, of course, it expands civil forfeiture procedures so that law enforcement can seize (and likely keep) all your computer equipment if it thinks you're violating the CFAA. Looks like law enforcement can now go "shopping" for computers.

Once again, we seem to be facing a situation where the administration is more focused on what law enforcement wants, while paying lip service to the protections of the public from likely law enforcement and intelligence community abuse.

That's really unfortunate. A massive missed opportunity to actually do something productive here.

Filed Under: cfaa, cispa, cybersecurity, obama administration


Reader Comments

  • Padpaw (profile), 14 Jan 2015 @ 6:45am

    Obama tells people what they want to hear then does what he wants even if it directly contradicts what he said.

    Pointless to hold him to his word in anything. Or to even believe anything he says. Obama is his own biggest fan.

    • Anonymous Coward, 14 Jan 2015 @ 10:07am

      Re:

      What you are saying is why I defended Ted Cruz's comments.

      Cruz does not have to be a politician you like to be right about it.

      In fact I would not trust either party at this time not to do just exactly what you wrote (say one thing but do another)... the citizens will be screwed one way or another, and anyone willing to still trust someone like Obama just deserves to be lied to.

      • Pragmatic, 15 Jan 2015 @ 5:42am

        Re: Re:

        anyone willing to still trust someone like Obama just deserves to be lied to.

        anyone willing to still trust politicians just because they're in the right party just deserves to be lied to.

        FIFY

  • Anonymous Coward, 14 Jan 2015 @ 6:47am

    It appears someone knowingly violated access to someone's lawn while instructed to get off it.

  • Anonymous Coward, 14 Jan 2015 @ 6:58am

    > Of course, one hopes that law enforcement wouldn't go after those types of violations,...

    Bwahahaha! Hee hee! To think that law enforcement wouldn't press any charge they think they can get away with against someone they want to punish! Best laugh I've had all morning.

    ... what? You were serious?

  • Rich Kulawiec, 14 Jan 2015 @ 7:08am

    There's no help coming here

    Whatever the answers are to our current set of security issues, they're most definitely not coming via legislation and regulation.

    Of course that won't stop those seeking to grandstand for political gain or to inflate the already-expansive powers of law enforcement or spy agencies: in fact, it will encourage them, because less security is a boon to both.

    My best advice -- which certainly won't be accepted -- to all three branches of government is:

    1. Sit down.
    2. Shut up.
    3. Read everything written by Spafford, Appelbaum, Felten, Boyd, Robbins, Landau, Ranum, Forno, Schneier, Bellovin, Cheswick, Halderman, Kaminsky, Soghoian, Vixie, Weinstein &etc.
    4. Stop doing the things they say are bad ideas.
    5. Start doing the things they say are good ideas.
    6. Return to step 1.

  • Anonymous Coward, 14 Jan 2015 @ 7:40am

    Granting corporations exemptions from liability means there's something to be liable for... and since governments are the catalyst to this liability, they are culpable in this too.

    So basically what they're saying is, if we do something bad, we're protected by the laws WE create... tell me again we live in these supposed free societies.

  • Pixelation, 14 Jan 2015 @ 7:45am

    Really?

    How about you quit illegally spying on us? That would be a HUGE first step in protecting "Cyberspace".

    • Anonymous Coward, 14 Jan 2015 @ 8:02am

      Re: Really?

      Well, according to this new proposal the value of a hack must be $5000, and we all know that the government considers us to be worth less than ¢1... and the lawheads at the NSA would come up with some BS excuse that every person only counts as one hack... to them only, of course, so they would never reach the limit.

  • Anonymous Coward, 14 Jan 2015 @ 7:52am

    Obama still wrestling with proportional response

    to the polar vortex, currently attributed to hackers in North Korea.

  • Anonymous Coward, 14 Jan 2015 @ 7:54am

    "exceeds authorized access."

    If this worked both ways, it may be a good thing. The companies asked to give information over violate my rights and "exceed authorized access." ..to use a stingray device is to "exceed authorized access." and my spying on my communications, email and such will surely "exceed authorized access."

  • Anonymous Coward, 14 Jan 2015 @ 7:55am

    Bit by bit is their approach... give it time, more tragedies to exploit, and our fears become a reality... the whole system is suspect, that's what history is trying to tell u... they're already past the point of debating whether they should have the authority to spy on their subjects, everything after that is a moot point.

    I don't even think they should have the system built to give this exploitive tool, but they have it, and they built it in secret. If Snowden hadn't interrupted their drive, when would we have found out, HOW integrated would it have been THEN?

    The more they implement, the harder it's gonna be, with any reasonable assurances, to completely shut it down, if it becomes the perfect tool for corruptible folks.

  • Anonymous Coward, 14 Jan 2015 @ 8:03am

    "The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it's an "organized crime group." It also ups the penalties for things that might be considered "actual hacking"

    Firstly, hackers who "hack" to improve security should not be in this category; as a user, I think they are doing a service to us users.

    Secondly, I'd classify all intelligence services as criminal hackers, DEFINITELY in the group of "organized crime".

    I'm interested to know who put the quotes around "actual hacking": Techdirt, or the gov?

  • John Fenderson (profile), 14 Jan 2015 @ 8:08am

    The value of intangibles

    the value of the information obtained must "exceed $5,000."

    The monetary value of most private information is no more or less than what the information owner says it is. So, unless there is some stringent language to set out how this value can be determined, the monetary threshold is entirely without meaning.

  • Anonymous Coward, 14 Jan 2015 @ 8:11am

    Here's a REAL cybersecurity law: all commercial companies must be able to provide a method of easy-to-implement continuous security/privacy updates throughout the entirety of a service or product, either internally or externally... or some such.

    Instead of a law that would upset business, we get a law that upsets users. Who do they represent again?

  • Almost Anonymous (profile), 14 Jan 2015 @ 8:46am

    Racketeering...

    The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it's an "organized crime group."
    "organized crime group" aka "bit-torrent swarm"

  • TheResidentSkeptic (profile), 14 Jan 2015 @ 8:47am

    Diametrically Opposed Purposes

    They are trying to protect the net for us.

    We are trying to protect the net from them.

    This will not end well for either side - but guess which side will suffer the most casualties...

  • Anonymous Coward, 14 Jan 2015 @ 9:36am

    Passing these laws while ignoring the elephant in the room... doing what they want while ignoring us.

  • Anonymous Coward, 14 Jan 2015 @ 11:16am

    The scam is to pass laws that say there are no laws.

  • Anonymous Coward, 14 Jan 2015 @ 1:36pm

    Aaron Swartz died because of CFAA abuses and for a brief moment I thought reform might come. However, this is just pathetic. The community has a duty to raise its voice loudly and protest against this disgusting and disrespectful proposal.

    We need another Internet blackout. Imagine if instead of simply changing a few colors, companies actually shut down for a day. Our government and law enforcement all need a "time out"; like a little child standing in the corner.

  • Annonimus, 15 Jan 2015 @ 1:22am

    This is about control

    They do not actually want to fix these problems because to fix them they have to give up control of their voters and that means they would have to be more accountable and transparent. They don't want that to happen.
