
Here's What Concerns Experts About Obama's State of the Union Cybersecurity Goals

Harsher penalties and more government involvement won't help protect privacy.


Hacking stock photos remain the best stock photos ever.
Credit: dustball / photo on flickr

In the wake of the whole Sony hacking scandal (and a number of mass retail consumer account breaches) President Barack Obama probably couldn't avoid talking about cybersecurity in the State of the Union address. Here's part of his comments:

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information. If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."

Cybersecurity experts, though, have concerns with what the Obama administration is proposing. The Electronic Frontier Foundation notes that many legislative ideas to push for more information sharing about breaches don't accomplish much and could invade Americans' privacy even further:

New cybersecurity legislation isn't needed and it wouldn't have stopped the Sony hack. Instead of proposing unnecessary privacy-invasive bills, we should be collectively tackling the low-hanging fruit. This includes encouraging companies to use the current information sharing regimes immediately after discovering a threat.

It also includes two other solutions. First, companies must persistently educate end users since it's well known that many security breaches are due to uneducated employees downloading malware. The second is to follow basic security precautions. The New York Times recently reported that the hackers at JP Morgan obtained inside access due to an un-updated server. Sony hasn't released how the breach originally occurred, but new reports on the Sony hack are increasingly pointing to an inside job.

EFF also points out that there's already a number of legal ways for businesses to share information about data breaches with each other and with the government.

That leads us to how the Obama Administration wants to fight hacking. It actually wants to beef up the Computer Fraud and Abuse Act (CFAA). This vague, abusable legislation already poses serious problems. This is the law that essentially makes it a federal crime to violate a website's terms of use. This is the law that federal prosecutors threw at Aaron Swartz for downloading tons of academic studies from the Massachusetts Institute of Technology, trying to intimidate him with the possibility of decades in prison in order to coax a plea agreement out of him. Instead he committed suicide. So the administration wants to make it even stronger, increasing some penalties and fleshing out both criminal and civil forfeiture programs for those who run afoul of the law. You can read the proposed changes here (pdf). Here's what concerns Thomas Fox-Brewster, who writes about cybertechnology issues at Forbes:

Central to the problems with the recommended updates to the Computer Fraud and Abuse Act (CFAA) are vague terms that could easily be interpreted to prosecute innocents, no matter how weak their links to actual criminal activity. Anyone who "intentionally exceeds authorized access to a protected computer, and thereby obtains information from such computer" could be charged. That sounds acceptable on first inspection, but the definition of "exceeds authorized access" includes using a computer with proper authorization "to obtain or alter information" the relevant party is not entitled to look at, "or for a purpose that the accesser knows is not authorized by the computer owner".

This muddled legalese would seemingly allow for very broad application by lawyers. Rob Graham, from Errata Security, suggested anyone clicking on a link to leaked data would be deemed in breach of the law. If this was applied to those who rummaged through Sony Pictures' data, leaked after a catastrophic attack in November, thousands could have been arrested, including your reporter.

Orin Kerr at The Volokh Conspiracy (via The Washington Post) dives deeply into the proposed changes and worries that adding even more laws regarding cybercrime will allow the Department of Justice to pile on even more charges for what is fundamentally the same infraction:

Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, "unless such violation would be based solely on obtaining the information without authorization or in excess of authorization." On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?

But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three.

And there's the final reminder that the Obama Administration is really fundamentally only concerned about protecting your data from a whole host of private actors, be they hackers or advertisers, but not the federal government. The president has declared support for mandatory "back doors" in the encryption for apps and social media platforms so that the feds and law enforcement agencies can access anybody's data they say they need to perpetuate our dual wars on terror and drugs. Mandating back doors on encryption necessarily weakens the security of users' private data and exposes them to increased risk of hacking or fraud. The administration's demand to have access to our data makes it very difficult, if not impossible, to treat its concerns for our privacy seriously. Not helping matters: After saying he wants to stop education companies from sharing student data with advertisers, we find out today HealthCare.gov is doing the exact same thing to its users.



  1. This is an important article. Except for the part where there aren’t any quotes by cybersecurity experts.

  2. So, from what I’ve read, the internal audits suggested the Sony hack came from inside, possibly a disgruntled employee.

    Yet Obama keeps harping on this NK connection. Is there a long game here that suggests that Obama wants to keep “cyberterrorism” alive so he can get his agenda through?

  3. And there’s the final reminder that the Obama Administration is really fundamentally only concerned about protecting your data from a whole host of private actors, be they hackers or advertisers, but not the federal government.

    At some point, Obama, vis-a-vis the Feds are going to start suggesting that to be “secure” from hax0res, everyone must use “THIS” particular encryption method, which has been reviewed as “A1 Secure” by an international board of security experts.

    I wonder *scratches chin* what might be special about “THIS” particular encryption method that makes the Feds want everyone to adopt.

  4. I’m not sure it’s anywhere near that elegant. Attribution is hard. Really hard. My gut says that if the USG is willing to go out on a limb like that, there are other data in the mix that led them to that conclusion, but that’s speculation on my part. I know many who certainly weren’t leaping to the same one.

    1. I’m not sure it’s anywhere near that elegant. Attribution is hard

      Depends on the attack. Unfortunately, I only know what I read and I have zero knowledge on the technical details or why it was thought. But I also have really zero data on why it was NK, other than what the administration keeps saying. An administration that admits it keeps emails of national importance in PST files stored on local hard drives which aren’t backed up.

  5. Heh. Paul, I lived through that pitch once already, in 1994. For all the flack people give IT product vendors, you won’t see Google, Apple, or Microsoft rush to that bandwagon without a fight.

  6. It seems to me that the right place to get decent cybersecurity would be from the market. But I suggest a couple of tweaks to the law that would make this work better.

    (1) Add a provision to the Uniform Commercial Code allowing software vendors, and vendors of “cloud services” and the like, to issue a new type of guarantee against breach (data theft), where they would be required to pay the entire loss, including consequential damages, if a breach occurs. They would be allowed to insure against this (maybe with a large minimum deductible), but the corporate veil would not protect them against it. Thus their management, at least, would have a serious personal incentive to get it right.

    (2) After two or three years (so these businesses have time to develop truly reliable code), the law should require that all businesses storing important confidential data about their customers (banks, brokers, title companies, attorneys, doctors offices, insurance companies, accountants, etc.) MUST provide a similar guarantee to their clients. Which would probably mean they would use a product or service that carries that guarantee to store their data.

  7. So the good news is that there are insurers who are beginning to actually take this class of risk seriously. I’d argue that many of the products to date have been gestures to show participation in the market, or perhaps had so many exclusions so as to make divination of the actual coverage a challenge.

    Interestingly, certain USG departments are seeing the value of that as well. I think we know that in many spheres of human endeavor, insurers wield a certain moral suasion that encourages people to avoid negligence and sometimes stupidity.

    Strict liability is tough. The problem with your (1) is that someone will write a bill that basically looks like the SAFETY Act. That law is interesting and perhaps a good thing, but if someone can game the criteria, it winds up being another Government bailout.

    I think some vendors are already getting it right, but customers have the ability to use appropriately-built products in inappropriate ways.

  8. I don’t put a lot of faith in Orin Kerr. His Volokh writings lead me to the conclusion that he gets his kicks from legal quibbling and hates clear definitive decisions and laws. He was upset that Apple and Android were both going to default encrypt the entire phone; his reasoning was that this precludes legal warrants from searching them.

    He’s just another damned statist. As long as it follows some court ruling, he’s happy surrendering everybody’s freedom.
