In the wake of the whole Sony hacking scandal (and a number of mass retail consumer account breaches) President Barack Obama probably couldn't avoid talking about cybersecurity in the State of the Union address. Here's part of his comments:
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information. If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
Cybersecurity experts, though, have concerns with what the Obama administration is proposing. The Electronic Frontier Foundation notes that many legislative ideas to push for more information sharing about breaches don't accomplish much and could invade Americans' privacy even further:
New cybersecurity legislation isn't needed and it wouldn't have stopped the Sony hack. Instead of proposing unnecessary privacy-invasive bills, we should be collectively tackling the low-hanging fruit. This includes encouraging companies to use the current information sharing regimes immediately after discovering a threat.
It also includes two other solutions. First, companies must persistently educate end users since it's well known that many security breaches are due to uneducated employees downloading malware. The second is to follow basic security precautions. The New York Times recently reported that the hackers at JP Morgan obtained inside access due to an un-updated server. Sony hasn't released how the breach originally occurred, but new reports on the Sony hack are increasingly pointing to an inside job.
EFF also points out that there's already a number of legal ways for businesses to share information about data breaches with each other and with the government.
That leads us to how the Obama Administration wants to fight hacking. It actually wants to beef up the Computer Fraud and Abuse Act (CFAA). This vague, abuseable legislation already poses serious problems. This is the law that essentially makes it a federal crime to violate a website's term of use. This is the law that federal prosecutors threw at Aaron Swartz for downloading tons of academic studies from the Massachusetts Institute of Technology, trying to intimidate him with the possibility of decades in prison in order to coax a plea agreement out of him. Instead he committed suicide. So the administration want to make it even stronger, increasing some penalties and fleshing out both criminal and civil forfeiture programs for those who run afoul of the law. You can read the proposed changes here (pdf). Here's what concerns Thomas Fox-Brewster, who writes about cybertechnology issues at Forbes:
Central to the problems with the recommended updates to the Computer Fraud and Abuse Act (CFAA) are vague terms that could easily be interpreted to prosecute innocents, no matter how weak their links to actual criminal activity. Anyone who "intentionally exceeds authorized access to a protected computer, and thereby obtains information from such computer" could be charged. That sounds acceptable on first inspection, but the definition of "exceeds authorized access" includes using a computer with proper authorization "to obtain or alter information" the relevant party is not entitled to look at, "or for a purpose that the accesser knows is not authorized by the computer owner".
This muddled legalese would seemingly allow for very broad application by lawyers. Rob Graham, from Errata Security, suggested anyone clicking on a link to leaked data would be deemed in breach of the law. If this was applied to those who rummaged through Sony Pictures' data, leaked after a catastrophic attack in November, thousands could have been arrested, including your reporter.
Orin Kerr at The Volokh Conspiracy (via The Washington Post) dives deeply into the proposed changes and worries that adding even more laws regarding cybercrime will allow the Department of Justice to pile on even more charges for what is fundamentally the same infraction:
Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, "unless such violation would be based solely on obtaining the information without authorization or in excess of authorization." On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?
But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three.
And there's the final reminder that the Obama Administration is really fundamentally only concerned about protecting your data from a whole host of private actors, be they hackers or advertisers, but not the federal government. The president has declared support for mandatory "back doors" in the encryption for apps and social media platforms so that the feds and law enforcement agencies can access anybody's data they say they need to perpetuate our dual wars on terror and drugs. Mandating back doors on encryption necessarily weakens the security of users' private data and exposes them to increased risk of hacking or fraud. The administration's demand to have access to our data makes it very difficult, if not impossible, to treat its concerns for our privacy seriously. Not helping matters: After saying he wants to stop education companies from sharing student data with advertisers, we find out today HealthCare.gov is doing the exact same thing to its users.