It's well known that the big telcos and the federal government have an all-too-cozy relationship when it comes to handing over data on telco customers. This has included ignoring all the rules and going so far as handing over information based on a post-it note given to them by the FBI. The telcos' general standpoint has been that they're happy to let the government reach deep into their data -- more or less adding a direct tap on all of us. Congress, however, gift-wrapped them immunity to any lawsuits from all of that kind of stuff. Still, these days, the telcos sure do like not being liable for coughing up their customers' private info to the government, so it should come as little surprise that they're practically shoving each other aside to support CISPA.
Two major trade groups, CTIA and US Telecom, each issued short statements saying that CISPA is a good thing. US Telecom claimed that the bill would make it more efficient to detect, deter and respond to cyberthreats. That would be nice if true, but no one's yet explained how that actually would work in practice. CTIA knows how to play the press, and started its press release by hyping up recent hack attacks. That CISPA likely would have done absolutely nothing to stop those attacks is conveniently ignored.
Meanwhile AT&T and Verizon each offered their own support for the bill, making it clear that protection from liability is the most important thing to them.
The telcos, of course, have nothing to lose and everything to gain from CISPA. It gives them even more freedom from liability in sharing your info, but doesn't present any specific regulatory burdens on them. Of course, shouldn't we be a lot more concerned about the views of the people whose privacy would be violated, than the views of those violating their privacy?
As expected, Representatives Mike Rogers and Dutch Ruppersberger have reintroduced CISPA, exactly as it was when it passed the House last year. Incredibly, we've been hearing that they've brushed off the massive privacy concerns by claiming that those were all "fixed" in the final version of the bill that got approved. This is highly disingenuous. While it is true that they made some modifications to the bill at the very end before it got approved, most privacy watchers were (and are) still very concerned. They did convince one organization to flip-flop, and they seem to think that's all they need.
But, here's the thing that no one has done yet: explain why this bill is needed. With President Obama's executive order in place, the government can more easily share threat info with companies, so really the only thing that CISPA piles on is more incentives for companies to cough up private information to the government with little in the way of oversight or restrictions on how that information can be used. And given how frequently the government likes to cry "cyberattack" when it's simply not true, it's only a matter of time before they start using claims of "cyberthreat!" to troll through private information.
And they still refuse to explain why this is needed. We hear lots of scare stories, but no explanation for how this bill helps. For example, Ruppersberger has written up an oped for the Baltimore Sun in which he lays out the reasons we need CISPA, but it's all scare stories, without a single explanation for how CISPA would help. And that's because it wouldn't.
March: Hackers allegedly steal the credit card numbers from 1.5 million Visa and MasterCard customers by breaking into the computer systems of the company's payment processor in New York. The thieves stockpiled the stolen credit card numbers for months before beginning to use them.
Payment processors already have some of the best security people in the world and have a large and widespread community of folks who do nothing but think about security issues for this industry. At what point would that lead the payment processor or Visa or Mastercard to need to hand information over to the government?
August: Cyber attackers disrupt production from Saudi Aramco, the world's largest exporter of crude oil, taking out 30,000 computers in the process, according to press reports.
Saudi Aramco is a Saudi Arabian company. Not sure why they would be sharing info with the US government or how CISPA would relate to them at all.
January: PNC Bank announces to its 5 million customers that its website is getting hit with high traffic consistent with a cyber attack meant to delay business with its online banking customers.
Again, why would PNC need to give information to the government? And, if they could alert their customers to the threat, they can also alert the government. None of that requires the ability to share customer info.
These are just three reported examples of cyber attacks in the past 12 months. Each could have had a devastating impact on the U.S. and global economies. That's more than a bad dream — that's a full-blown nightmare.
These are just three scare stories of cyber attacks in the past 12 months, none of which would have been impacted by CISPA. So why do we need it again?
Highly trained Chinese, Russian and Iranian hackers are probing, pilfering and plotting every second of every day. They're often after personal data: In November, reports suggested a hacker was able to access nearly 4 million tax returns in South Carolina with a single malicious email. And they're often after the trade secrets of our companies: The media has reported that Coca-Cola may have fallen victim to hackers from a Chinese beverage company.
Again, what does any of that have to do with CISPA?
Many believe that what is happening to American business may be the largest transfer of wealth in the history of the world. It's costing our companies billions of dollars, and it's costing our country thousands of jobs.
Many believe that's pure hogwash. It's not the largest transfer of wealth in the history of the world. It's not costing companies billions of dollars and it's certainly not costing our country thousands of jobs.
Preventing the U.S. government from sharing information about malicious computer code it detects is akin to preventing forecasters from warning citizens about a hurricane.
Except the government already could share a lot of information, and with the executive order can now share more. So why do we need CISPA?
Our legislation doesn't just protect companies. It will also protect every American citizen who, for example, uses electricity or banks online, or whose doctor compiles medical records electronically.
How? It's a serious question. You can talk about all of these hacks, and you can say "yay, cybersecurity bill!" but if you don't explain specifically how that bill does anything to actually stop those attacks or to protect Americans, you're full of it.
It's important to note that under my legislation, your private information will also be kept private from the government. Information-sharing between companies and the government will be entirely voluntary. Businesses do not have to share information with the government in order to receive information from the government. The bill does not authorize the government to monitor your computer or read your email, Tweets or Facebook posts. Nor does it authorize the government to shut down websites or require companies to turn over personal information.
The first sentence is simply not true. Your private information can be shared with the government, so to say that it absolutely will be kept private is simply wrong. The second and third sentences are misleading. Yes, the information sharing is "voluntary" but since there are broad immunity exemptions, if the government is coming to most companies and saying "share this info for cybersecurity reasons, and you can't get sued for doing so," how many companies are going to stand up to the government and say no? There may be a very small number, but for the most part, companies will hand over the info. The fourth and fifth sentences are simply meaningless, because they are unrelated to the legitimate privacy concerns raised.
Once again, we're left in the same boat as before. Lots of scare stories but no explanation of why CISPA is needed or how it actually helps. The whole thing is just way too broad, with vague justifications that simply don't make much sense when you look at the actual threats compared to what the bill would allow.
Exactly as predicted yesterday, President Obama talked about cybersecurity in last night's State of the Union address, including his plan to sign an executive order on cybersecurity. What's a bit surprising is that the executive order... is actually pretty reasonable. Unlike some earlier drafts, it appears that the White House actually took the privacy concerns fairly seriously. Most of the executive order focuses on the government sharing "threat info" with companies rather than with companies sharing info with the government. There is some support for companies sharing information back, but with some clear privacy standards. As always, how this works in practice will be more important than what's written down now.
That said, this raises a pretty big question: if this is in place, why do we need CISPA (or any other cybersecurity regulations)? Well, to be clear, this doesn't raise that question -- that question has been out there all along. Our biggest concern with all of this talk about "cybersecurity" is that no one ever seems to explain why it's actually needed, other than vague threats of evil bogeymen hacking away at our computer systems. They've never shown what current laws are a problem and what important information sharing is currently blocked because of existing laws. Furthermore, they haven't explained what the real risk we're facing is. The Hollywood-inspired stories of evil hackers taking down airplanes make for nice visuals, but have little basis in truth. So now we have a document that lets the government help companies if there is a real attack. Why do we need anything more?
CISPA, in particular, doesn't seem to add anything of value to what's already in the exec order, other than trying to free up companies from any possible liability when they hand over your info to government agencies based on vague standards concerning "threats" (and those government agencies can then use that info for pretty much anything). So rather than focusing on legislation, why not watch how well things play out with this executive order in place?
You can, of course, understand why the sponsors would bring back the identical bill. After all, it passed (fairly easily), even with tremendous protests. Many tech companies like the bill, because it puts no specific requirements on them, and also (more importantly) frees them from liability for sharing info on their users. But that's the really problematic part. It's disappointing that tech companies have not realized that standing up for their users' privacy rights is a smart business decision on its own. Tragically, they're taking the short term view on this one.
The privacy concerns about CISPA are incredibly serious. While the Senate took a very different approach with its Cybersecurity Act (which did not pass), at the very least, amendments to the Senate bill addressed some of its privacy problems. One would hope that the backers of CISPA would recognize that this would be an opportunity to build a bigger tent, and follow through by matching the same privacy protections. Unfortunately they did not. While the Obama administration threatened to veto CISPA last year, in part due to the privacy concerns, I'm not sure anyone is confident that the administration is serious about that.
In fact, if the rumors are correct, President Obama will mention cybersecurity sometime in the State of the Union address tonight, and then will sign the executive order the administration has put together on Wednesday morning, to coincide with the reintroduction of CISPA in the afternoon. Basically, the use of the executive order is to put pressure on Congress to do something. There is still a hurdle from the Senate, since it supports a very different approach, but there's about to be a very, very big push on cybersecurity.
Either way, it's incredibly disappointing that CISPA's supporters didn't take the time to make some rather basic changes to protect privacy. Instead, they effectively use some broad language to more or less wipe out privacy protections on very broad terms, while doing nothing to keep any data shared from being further shared with other parts of the government. In other words, it's a ticket for widespread surveillance of Americans (as if we don't already have enough of that).
Fight For the Future has set up CISPAisBack.com to try to let folks in Congress know that bringing back the same extremely flawed bill is a mistake. That's one way to contact your Representatives, though just calling their office directly would also be a good idea.
This isn't a huge surprise. After the Senate failed to pass its Cybersecurity Act last year, and with the White House threatening to push out an executive order to get its "cybersecurity" agenda moving, one of the two sponsors of the House's cybersecurity bill, CISPA (which did pass), Rep. Dutch Ruppersberger, is promising that the bill will be back soon enough. Ruppersberger says that he's working with the White House to take care of any concerns it had with the bill. All of this was more or less expected. The concern, still, is what the privacy protections look like in the bill and (more importantly) what the Senate will come up with on this front.
However, there's one big issue that no one has answered. There's plenty of talk about how cybersecurity is a big problem and we're "under siege" and all of that nonsense. But no one seems willing to explain what about current regulations is getting in the way of an effective response to any such "threats." And that's a problem, because the proposed bills don't seem to do anything in terms of tweaking a specific issue to solve a problem. Instead, they more or less wipe out large, important rules across the board, all because someone screams "it's for cybersecurity!!!!"
Rep. Mike Rogers, who introduced CISPA, the infamous cybersecurity bill that was absolutely horrible when it came to privacy, is apparently trying to ramp up the FUD to get CISPA back on the legislative calendar, despite the Senate's decision to go in another direction (which eventually stalled out). In a new interview, he talked mysteriously about new threats from "unexpected sources" and even claimed he couldn't sleep at night because of them. But -- shh! -- he can't really talk about specifics:
"We think there might be one last shot here -- maybe I'm just an eternal optimist -- to get this thing sparked back to life."
Driving the interest, he said, has been a series of briefings for key legislators "on what appears to be a new level of threat that would target networks from -- I've got to be careful here -- an unusual source."
Rogers has been giving fellow legislators a "glimpse" of this new danger. "I figured if I can't sleep at night, why should any other member of Congress?" He declined to describe the threat, citing the highly classified nature of the information. "I look really bad in orange -- those orange jumpsuits with the numbers on the back," he said to laughter.
It really was just a few days ago that we wondered if the government was going to start using stories of "new threats" to try to ram through legislation. That's basically been the plan all along. Tell scary ghost stories, none of which have any actual facts behind them, until people feel compelled to pass the bills. What's never mentioned is whether or not any of this is effective or a reasonable response. Also missing: any discussion of what is the actual problem being solved today. Rogers' CISPA bill, for example, focuses on information sharing, but fails to explain why the necessary information sharing is being blocked today, or why the bill can't just target the few issues that block such info sharing.
Of course, at the very same time that he's telling scary ghost stories about monsters in our wires keeping him up at night, he's absolutely livid that no one in the White House came to talk to him about their own plan for a cybersecurity executive order. So, apparently, we're all going to die in the night if we don't let companies and the government spy on us more easily... but the White House's plan to do something about that is "irresponsible." Right.
Earlier this week, we wrote about how the White House was working on an executive order to act as a "stand in" for cybersecurity legislation that has so far failed to pass Congress (CISPA passed in the House, but a different effort, the Cybersecurity Act, failed in the Senate, and it would have been difficult to get the two houses aligned anyway). Last weekend Jason Miller from Federal News Radio wrote about a draft he saw... but failed to share the actual draft. We got our hands on a draft (and confirmed what it was with multiple sources) and wanted to share it, as these kinds of things deserve public scrutiny and discussion. It's embedded below. As expected, it does have elements of the Lieberman/Collins bill (to the extent that the White House actually can do things without legislation). It's also incredibly vague. The specific requirements for government agencies are left wide open to interpretation. For example, the State Dept. should engage other governments about protecting infrastructure. Well, duh. As expected, most stuff focuses on Homeland Security and its responsibilities to investigate a variety of different cybersecurity issues -- but, again, it's left pretty vague.
There are, as expected, plans concerning information sharing -- but again, they're left pretty empty on specifics. It talks about an "information exchange framework." Unfortunately, it does not appear to highlight privacy or civil liberties concerns in discussing the information sharing stuff. That seems like a pretty big problem. Homeland Security is tasked with coming up with a way to share information, pulling on some existing efforts, but nowhere do they call out how to make sure these information exchange programs don't lead to massive privacy violations, despite the President's earlier promises that any cybersecurity efforts would take into account privacy and civil liberties.
Separately, it lists out 16 critical infrastructure "sectors," but those can be interpreted really broadly, which is dangerous. We all understand how things like the electric grid, nuclear power plants, water facilities and such can be seen as critical infrastructure. But does "communications" include things like social networking? It's important that any plan be very, very specific about what sorts of things are critical infrastructure, so as to avoid sweeping up all sorts of things like internet services and opening them up to information "sharing" abuse efforts by the government. We all know there's plenty of evidence that when the government is given a loophole to spy on private communications, it figures out ways to drive fleets of trucks through that hole. Unfortunately, there's little indication that any of that has really been taken into consideration.
All that said, it is important to recognize that this is a draft, and it is not only subject to change, but there are indications that it is likely to change. But, seeing as this could have significant impact, it should be something that the public has a chance to weigh in on.
Honestly, looking this over, you get the sense that it's really designed to do one thing: scare those who fought against the various bills back to the table to compromise and get a bill out. It's no secret that the administration's overall preference is to get a law in place, rather than this executive order. That's been a failed effort so far, but you have to wonder if this is a ploy to scare those who opposed the Cybersecurity Act into thinking that if they don't approve some legislation, the exec order might be a bigger problem. There are way too many things left open ended in this draft, and while the administration can't go as far as Congress on many things, the open-ended nature of this order could certainly lead to problems for the industries who opposed previous efforts.
Either way, we'll have some more on this next week, but since we just got this and want to get it out there for comment, hopefully folks can spend some time this weekend discussing the (yes, once again, vague) particulars...
Much of the debate over cybersecurity legislation like CISPA and the Cybersecurity Act focused on getting more private companies to "share data" with federal government agencies, including the FBI and the NSA. As we've pointed out time and time again, beyond the basic privacy rules that the bills tended to bulldoze through, any time you increase the sharing of private data, you're only making it that much easier for hackers to access that info because you're putting it in more places -- some of which will almost definitely be insecure. In other words, even though these bills were ostensibly about "protecting" from hack attacks, by increasing the sharing of data, they'd almost certainly open up new attack opportunities and make it easier for hackers to get info.
While neither bill passed (yet), the latest example of what happens when you have widespread data sharing comes from some Antisec hackers, who claim that -- in response to a presentation from the NSA's General Keith Alexander -- they wanted to probe the security of various government agencies, including the FBI. End result? They claim to have hacked into the laptop of FBI agent Christopher Stangl, who has appeared in recruitment videos for the FBI looking to hire "cyber security experts."
...a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
The hackers have released 1,000,001 UDIDs and APNS tokens to prove they had the data, stripping out the personal info. The file they found was called: "NCFTA_iOS_devices_intel.csv" which folks at Hacker News have pointed out likely refers to the National Cyber-Forensics & Training Alliance. According to its website, the NCFTA...
functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime. In an effort to streamline intelligence exchange, the NCFTA will often organize SME interaction into threat-specific initiatives. Once a significant online scheme is realized and a stakeholder consensus defined, an initiative is developed wherein the NCFTA manages the collection and sharing of intelligence with the affected parties, industry partners, appropriate law enforcement, and other SMEs.
In other words, it's almost exactly what we were told we needed CISPA to enable. In fact, during the CISPA debate, we specifically pointed to the NCFTA to ask why we needed CISPA, since something like that was already possible.
And now it seems to also be showing why CISPA or other similar legislation focused on increased "sharing" of info could actually put many more users at risk, rather than protect them. When the feds are careless with the info they receive from companies, it's going to get hacked. These kinds of things just put a giant target on their back, and now we're seeing the harmful results of such sharing without effective privacy protections.
from the we-don't-regulate-the-internet,-except-when-we-do dept
While it's great to see Congress continue to speak out against the UN's dangerous efforts to tax and track the internet to help out governments and local telco monopolies, it's pretty ridiculous for Congress to pretend that it's declaring "hands off the internet" when it has its own hands all over the internet these days. As Jerry Brito and Adam Thierer write, over at the Atlantic, if Congress is really serious about supporting a free and open internet, it should look in the mirror first:
The fear that the ITU might be looking to exert greater control over cyberspace at the conference has led to a rare Kumbaya moment in U.S. tech politics. Everyone -- left, right, and center -- is rallying around the flag in opposition to potential UN regulation of the Internet. At a recent congressional hearing, one lawmaker after another lined up and took a turn engaging in the UN-bashing. From the tone of the hearing, and the language of the House resolution, we are being asked to believe that "the position of the United States Government has been and is to advocate for the flow of information free from government control."
If only it were true. The reality is that Congress increasingly has its paws all over the Internet. Lawmakers and regulators are busier than ever trying to expand the horizons of cyber-control across the board: copyright mandates, cybersecurity rules, privacy regulations, speech controls, and much more.
Earlier this year, Congress tried to meddle with the Internet's addressing system in order to blacklist sites that allegedly infringe copyrights -- a practice not unlike that employed by the Chinese to censor political speech. The Stop Online Piracy Act (SOPA) may have targeted pirates, but its collateral damage would have been the very "stable and secure" Internet Congress now wants "free from government control." A wave of furious protests online forced Congress to abandon the issue, at least for the moment.
It goes on to discuss other proposals to regulate parts of the internet, including CISPA and other online security laws. Of course, in each of these cases, the politicians in Congress will come out with a litany of reasons why it "makes sense" (or more accurately "we have to do something!") to pass these laws. But that pre-supposes that all those countries that Congress is now condemning for wanting more ability to spy on and control citizens don't have reasons to do so. Given the increasing evidence that the US government, via the NSA, is already spying on wide swaths of the population -- and Congress' apparent total lack of concern about this, it's incredibly hypocritical to pretend that the US government supports a free and open internet with privacy protections for citizens, when its own actions reveal something very, very different.
Back in February, we wrote up a warning to "the internet as we know it" as the UN's International Telecommunication Union (ITU) was looking to take over control of the internet, mainly at the behest of countries like Russia and China, who were seeking a "more controlled" internet, rather than the very open internet we have today. The major concern was that almost no one in the US seemed to care about this or be paying much attention to it. The February call to action may not have done much, but the situation has certainly changed in the last couple of weeks.
Last week, the father of the internet, Vint Cerf, once again raised the alarm in both a NY Times op-ed and in a keynote speech at the Freedom to Connect (F2C) conference:
His concerns echo the ones we've been hearing for months. This move is about giving some countries much greater control over the internet:
Last June, then-Prime Minister Vladimir Putin stated the goal of Russia and its allies as “establishing international control over the Internet” through the I.T.U. And in September 2011, China, Russia, Tajikistan and Uzbekistan submitted a proposal for an “International Code of Conduct for Information Security” to the U.N. General Assembly, with the goal of establishing government-led “international norms and rules standardizing the behavior of countries concerning information and cyberspace.”
Word of a few other proposals from inside the I.T.U. have surfaced. Several authoritarian regimes reportedly would ban anonymity from the Web, which would make it easier to find and arrest dissidents. Others have suggested moving the privately run system that manages domain names and Internet addresses to the United Nations.
Such proposals raise the prospect of policies that enable government controls but greatly diminish the “permissionless innovation” that underlies extraordinary Internet-based economic growth to say nothing of trampling human rights.
It would guarantee moving the internet towards a model of top-down control, rather than bottom-up innovation. It would give governments much more say in controlling the internet, unlike the hands-off system we have now, where no government truly has full regulatory control over the internet. It would almost certainly lead to more global restriction on the internet, including serious potential impact on aspects of free expression and anonymous speech. It might also make the internet much more expensive, as the whole ITU setup is about protecting old national telco monopolies, and many would see this as an opportunity to try to put tollbooths on internet data.
The ITU is holding a meeting in December in Dubai about all of this, and it appears that US officials are finally waking up to why this is a true threat to the open internet.
But it needs to go beyond that. The positioning of this discussion from ITU supporters is that the US government has "too much control" over the internet today. And one could argue that's true at the margins, though it's an exaggeration. For the most part the US government does not have much ability to control the internet directly. Now, I think plenty of people agree that the setup of ICANN and the IETF is hardly ideal. In fact, they've got significant problems. But moving from that setup to one where the ITU is in charge would be a massive step backwards.
And, certainly, there is significant irony in the fact that Congress is suddenly acting so concerned about fundamental attacks on an open internet -- when many of the same officials were more than happy to toss out key principles of an open and free internet in the past few months with SOPA/PIPA/CISPA/etc. But, in this case, worrying about political consistency is a lot less important than stopping the ITU proposal from going forward.
When the US government started seizing domains, there was significant criticism of ICANN and calls for a more decentralized solution that no one could control. The move towards ITU oversight is a move in the opposite direction. It would make things significantly worse and not better.
For those in the US, we need to speak up and keep the pressure on our elected officials to fight this move in the ITU. While they're saying the right things now, we need to be vigilant and ensure it continues. Trust me, the "irony" of their own attacks on internet freedom and openness has not gone unnoticed by supporters of this ITU takeover plan. Expect them to offer "deals" to the US, by which the ITU gets control over the internet, in exchange for allowing the US to use that process to move forward with efforts to censor the internet for copyright reasons, as well as to get better backdoors to data for snooping.
For those outside of the US, it's also time to speak up. Don't fall for the easy story that this is just about wresting the control from US interests. If you believe in the value of a free and open internet, the ITU is not the answer. You, too, will inevitably be significantly worse off with what results.
The folks over at Access have put together a petition to tell the UN that the internet belongs to us, the people, not to the UN or the governments of the world. While the UN is not as subject to public opinion, if the world speaks out loudly enough against this effort to capture and control the internet, it won't be able to move forward. But people have to speak out to make this happen.