by Mike Masnick
Mon, Sep 16th 2013 11:29am
by Mike Masnick
Tue, May 8th 2012 1:33pm
from the say-what-now dept
Here's the existing text:
SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.However, the House Armed Services Committee is getting ready to do a markup on the NDAA that includes a change to that section (section 954), which expands the powers of the Defense Department, and basically gives it broad powers to conduct any military actions online -- with it specifically calling out clandestine operations online. Here's the text they want to substitute:
Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to—(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).
SEC. 954. MILITARY ACTIVITIES IN CYBERSPACE.Note a bunch of slightly sneaky things going on here. First, it gives blanket powers to the DoD, rather than saying it can only take actions on the President's direction. While we may not have much faith that the President wouldn't let the DoD do such things, giving such blanket approval upfront, rather than requiring specific direction is a pretty big change.
‘‘(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.
‘‘(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—‘‘(1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107-40) against a target located outside of the United States; or‘‘(c) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.’"
‘‘(2) to defend against a cyber attack against an asset of the Department of Defense.
Second, and perhaps more important, the new language specifically grants the DOD (and the NSA, which is a part of DOD) the power to conduct "clandestine operations." This is (on purpose) left basically undefined. Combine this with the fact that the "Authorization of Use of Military Force" is so broadly defined in the current government, this then grants the DOD/NSA extremely broad powers to conduct "clandestine" operations with little oversight. Related to this is that it removes the restriction that the DOD must take actions that are "subject to the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflicts." Instead it lets them use such powers, without these restrictions, against anyone declared an enemy under the AUMF (lots and lots of people) or in any effort to stop a cyberattack against the DOD -- which again you can bet would be defined broadly. This is a pretty big expansion of online "war" powers for the Defense Department, with what appears to be less oversight. And all done while people are looking the other way...
by Mike Masnick
Thu, Mar 8th 2012 3:11pm
Slow Down, Homeland Security: Does Everyone Really Agree That We Need Cybersecurity Legislation Now?
from the why-the-rush,-sparky? dept
So why can't we hit pause and ask for some actual evidence?
Yes, there's a turf war between DHS and the NSA/DoD over who gets to control the purse strings and have more control, but no one seems to be asking for the actual evidence. Instead, they're just trying to push forward as fast as possible. Witness this blog post from Mark Weatherford, Homeland Security's Deputy Undersecretary for Cybersecurity, in which he insists that everyone agrees that we need a cybersecurity law and we need it now:
We must deliver and we must act quickly. It’s time to be bold. The troubling side of spending a week with some of the experts in the cybersecurity world is that when we compare notes on our views of the threat, we all agree that despite the firewalls and layered defenses, we are not always keeping intruders out. We need to continue to sharpen our response tactics and move even faster when an intruder gets inside to limit the damage and protect our information. That requires a fast, unified response between federal agencies and our private partners – which is where Congress can help.I agree that we're not always keeping intruders out -- though I think it should be admitted that we'll never "always" keep intruders out. That's an impossible goal. And I agree that sharing information to build up better defenses could be a good thing. But how do we then take the logical leap that this "requires a fast, unified response" from the government? The operators of these networks already are working hard to keep intruders out and have tremendous incentive to keep improving their defenses. Why do we need regulations to continue that process? That's the part that's never been clearly explained, and it seems like a pretty big gap, which all this talk about the necessary "rush" is designed to paper over.
by Mike Masnick
Thu, Mar 1st 2012 4:20am
from the doesn't-pass-the-laugh-test dept
McCain is positioning his version of the bill as one that focuses on "a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations." However, reports are that McCain's version involves a plan that the NSA has been aggressively lobbying for to give it access to networks deemed "critical." The NSA says that it wants to monitor these networks in case of attack so it can spring into action.
However, given the NSA's other mandates (spying!) this certainly has raised some fairly significant concerns. Should every private company running a network deemed critical automatically be required to install a special NSA spying box? Even the White House and the Justice Department (no strangers to over aggressive monitoring) have pushed back that this would be "unprecedented government" intrusion into the civilian internet. It's apparently gotten so bad, that the Obama administration has privately slapped down NSA boss General Keith Alexander (last heard talking about how Anonymous was going to shut down powerlines) for "advocating for something beyond that, that is undermining the commander in chief."
Of course, the administration can't stop former NSA boss Mike McConnell from running around spreading fear mongering stories about how the entire internet is at risk if we don't give the NSA unprecedented spying powers. Left out of his talks on this matter is that, not only has he been making these claims about how the internet is on the verge of collapse if the NSA doesn't get these powers for many, many years (without any evidence to show that it's true), but he's also now employed by Booz, Allen as a VP -- which is relevant, because Booz is already profiting massively from all this fear mongering, by getting hundreds of millions of dollars in federal contracts to "help" the government deal with the scary threats of the internet.
Jim Dempsey, over at CDT has a discussion of just how ridiculous this NSA powergrab is, in that it makes some key assumptions that just don't seem supported by reality:
The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.Dempsey goes on to say that the NSA has already been helping Tier 1 providers by sharing its "secret sauce" to protect them against attack without having to have full access to the networks, and it seems silly that a process like that can't continue and be quite effective without giving up all privacy. Similarly, Jerry Brito, who has been following all of this very closely, notes that it's somewhat crazy to think that we can't just continue with the NSA assisting at arms-length without giving them full access to private networks.
The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.
Brito further highlights that there's a reason why we have civilian law enforcement for domestic issues, not military officials -- noting that (while they don't always succeed), civilian law enforcement is used to working within "an environment where constitutional rights apply and to use force only as a last resort." That is simply not true of the military or the NSA, whose operations usually involve issues outside the US, where the Constitution does not apply. And yes, they've certainly blurred that domestic/foreign line over the years, but that's no reason to go even further and give the military more power of the private domestic internet.
by Mike Masnick
Fri, Feb 17th 2012 7:40am
from the and-of-course dept
In this case, Senator John McCain is urging caution, and pushing back at claims that because totally different cybersecurity bills have been introduced in the past, this one can be rushed:
To suggest that this bill should move directly to the Senate Floor because it has ‘been around’ since 2009 is outrageous," McCain said. "First, the bill was introduced two days ago. Secondly, where do Senate Rules state that a bill’s progress in a previous congress can supplant the necessary work on that bill in the present one?"Of course, it isn't that McCain is "the voice of reason" here. He's actually pushing for a different bill that will give NSA broad spying powers over the internet. The dispute between McCain and Lieberman is really a long-running territorial dispute -- concerning whether Homeland Security or the Defense Department get to control the "cybersecurity" budget. The Lieberman bill gives the power to Homeland Security. McCain wants to give it to the DoD. Neither seem to want to bother with evidence of the actual need here.
Of course, backers of the bill are falling back on their typical doomsday scenarios to explain why they have to rush and avoid any sort of discussion or evidence:
Sen. Jay Rockefeller (D-W. Va.), Sen. Dianne Feinstein (D-Calif.) and Homeland Security Secretary Janet Napolitano warned the committee there could be grave consequences if Congress does not act to protect cybersecurity.Yes, and think about how life would suck if someone hacked the road system in West Virginia and turned all roads into cabbage patches? I mean, if we're talking about total hypotheticals with no actual likelihood of happening, that seems just as reasonable a scenario as Rockefeller's. It's pure, insane, unsupported hypothetical fear mongering. Is our air traffic system connected to the internet? I sure hope not. If it is, that's the problem -- not the lack of some cybersecurity bill. We've seen no evidence that the air traffic or rail switching are subject to attack, so creating Hollywood-style scenarios is pretty ridiculous. Is Rockefeller honestly suggesting that the folks who run these systems aren't doing everything they can to secure those systems and that there would be any significant differences if this cybersecurity bill is passed? Somehow I don't think the folks who maintain our air traffic control system are sitting around thinking there's nothing they can do until a cybersecurity bill is in place.
"Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another," Rockefeller said. "Or if rail switching networks were hacked—causing trains carrying people—or hazardous materials—to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington."
So how about we take a step back, and rather than passing a broad bill based on fear mongering, folks like Rockefeller and Feinstein (hell, or even McCain) produce some actual evidence of a threat? Or is that too hard?