President Obama's Plan For 'Securing Cyberspace' Has A Lot Of Problems

from the not the public's dept

On Monday, President Obama gave a speech kicking off his big push on cybersecurity, with many of the details being released on Tuesday, and they don’t look very good. There are a lot of different pieces, but we’ll just highlight the two that concern us the most.

First up: information sharing/”cybersecurity.” The key issue here: is it the return of CISPA? CISPA, of course, is the cybersecurity “information sharing” bill that is introduced each year, but which is really about giving the NSA a tool to pressure companies into sharing their information (by granting immunity from liability to those companies). In 2012, President Obama rejected the CISPA approach as not having enough protections for privacy and civil liberties. And, indeed, contrary to what some have said, the official proposal is not “endorsing CISPA.” The approach is definitely more limited and the most major concern is addressed. Rather than giving the information to the NSA (or the FBI), Homeland Security gets it. DHS isn’t wonderful, but it’s better than the other two alternatives. Companies can still give the info to the NSA or FBI (or others), but won’t get full immunity from lawsuits if they do.

But, where the new proposal falls woefully short is in its lack of privacy protections. It basically handwaves its way through the privacy question, saying there will be guidelines, but the guidelines aren’t written yet, and they’re fairly important here. Instead, there’s just a plan to make them:


The Attorney General, in coordination with the Secretary of
Homeland Security and in consultation with the Chief Privacy and Civil Liberties Officers at the
Department of Homeland Security and Department of Justice, the Secretary of Commerce, the
Director of National Intelligence, the Secretary of Defense, the Director of the Office of
Management and Budget, the heads of sector-specific agencies and other appropriate agencies,
and the Privacy and Civil Liberties Oversight Board, shall develop and periodically review
policies and procedures governing the receipt, retention, use, and disclosure of cyber threat
indicators by a Federal entity obtained in connection with activities authorized in this Act.

Yes, it promises that those guidelines will limit the “acquisition, interception, retention, use and disclosure” of information, but it’s still not entirely clear what the final guidelines will be. The second problem, still not addressed in all of this, is explaining why this is needed. People keep saying that we need “information sharing” because of “cyberthreats,” but no one argues why that information sharing can’t happen today, or points out what regulations today get in the way. That’s because they don’t. Companies can share information today, but the focus of this bill is to try to grant them broad immunity in case they share the wrong (private) info and it gets out.

The second concerning proposal is with the update to the CFAA (the Computer Fraud and Abuse Act). The CFAA, of course, is the widely misused “anti-hacking” law that has been stretched and twisted by law enforcement and prosecutors over time to argue that merely disobeying a terms of service could be seen as “hacking.” While some courts have limited that ridiculous interpretation, the changes here seem fairly messy and could bring back that possibility. The language involves a lot of careful picking through to interpret it, and it appears that it may fix some small issues with the CFAA, but opens up other massive holes that are seriously problematic. The White House claims this fix would “enhance [the CFAA’s] effectiveness against attacks on computers and computer networks.”

But that’s not the problem with the CFAA. The problem is that it’s already seriously overbroad and used in dangerous ways. That’s barely addressed. The main “fix” is that if you “intentionally exceed authorized access,” there are conditions necessary to meet to trip the CFAA wire — and a key one is that the value of the information obtained must “exceed $5,000.” But, of course, with the way the gov’t inflates the value of information… that seems like a pretty small hurdle. The really big problem, though, comes in section (e)(6) which adds in a troubling definitional change to “exceeds authorized access.” This is the whole bit that’s been used as evidence of “terms of service” violations. The key case that rejected this theory is the Nosal case and that seems to be completely wiped out with this little addition to exceeding authorized access:


for a purpose that the accesser knows is not authorized by the computer owner;

This is likely to be interpreted to mean that if a terms of service bans a certain type of use, the user has “knowledge” that the use is unauthorized, and thus that kind of use is back to being a problem under the CFAA. As Orin Kerr argues, this could be read to mean that if your employer says you can only use a computer for work reasons, and you surf for personal reasons, you’ve broken the law. It is also possible to read this section to mean that using someone else’s Netflix or HBO GO password… could violate the law. Yikes!

Of course, one hopes that law enforcement wouldn’t go after those types of violations, but a more serious concern may be the impact on security research. Finding a hole in a website that allows you to access data that was publicly exposed could be seen as exceeding authorized access, on the basis that whoever finds it “knows [it] is not authorized by the computer owner.” Basically, it only requires the government to argue that whoever they’re going after should have known that the computer owner “wouldn’t like” it. That… opens up a big can of worms that the DOJ will abuse like crazy.

The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it’s an “organized crime group.” It also ups the penalties for things that might be considered “actual hacking” (i.e., getting around technological barriers to access a computer) — making it automatically a felony with up to 10 years in jail (rather than the existing law, under which it could be a misdemeanor or a felony and the limit is 5 years in jail). And, of course, it expands civil forfeiture procedures so that law enforcement can seize (and likely keep) all your computer equipment if it thinks you’re violating the CFAA. Looks like law enforcement can now go “shopping” for computers.

Once again, we seem to be facing a situation where the administration is more focused on what law enforcement wants, while paying lip service to the protections of the public from likely law enforcement and intelligence community abuse.

That’s really unfortunate. A massive missed opportunity to actually do something productive here.


Comments on “President Obama's Plan For 'Securing Cyberspace' Has A Lot Of Problems”

29 Comments
Anonymous says:

Re:

What you are saying is why I defended Ted Cruz’s comments.

Cruz does not have to be a politician you like to be right about it.

In fact I would not trust either part at this time not to do just exactly what you wrote (say one thing but do another)… the citizens will be screwed one way or another, and anyone willing to still trust someone like Obama just deserves to be lied to.

Rich Kulawiec says:

There's no help coming here

Whatever the answers are to our current set of security issues, they’re most definitely not coming via legislation and regulation.

Of course that won’t stop those seeking to grandstand for political gain or to inflate the already-expansive powers of law enforcement or spy agencies: in fact, it will encourage them, because less security is a boon to both.

My best advice — which certainly won’t be accepted — to all three branches of government is:

1. Sit down.
2. Shut up.
3. Read everything written by Spafford, Appelbaum, Felten, Boyd, Robbins, Landau, Ranum, Forno, Schneier, Bellovin, Cheswick, Halderman, Kaminsky, Soghoian, Vixie, Weinstein &etc.
4. Stop doing the things they say are bad ideas.
5. Start doing the things they say are good ideas.
6. Return to step 1.

Anonymous says:

Granting corporations exemptions from liability means there’s something to be liable for… and since governments are the catalyst to this liability, they are culpable in this too.

So basically what they’re saying is, if we do something bad, we’re protected by the laws WE create… tell me again we live in these supposed free societies.

Anonymous says:

Re: Really?

Well, according to this new proposal the value of a hack must be $5000 and we all know that the government consider us to be worth less than ?1… and the lawheads at the NSA would come up with some BS excuse that every person only counts as one hack… to them only, of course, so they would never reach the limit.

Anonymous says:

Bit by bit is their approach… give it time, more tragedies to exploit, and our fears become a reality… the whole system is suspect, that’s what history is trying to tell you… they’re already past the point of debating whether they should have the authority to spy on their subjects, everything after that is a moot point.

I don’t even think they should have the system built to give this exploitive tool, but they have it, and they built it in secret. If Snowden hadn’t interrupted their drive, when would we have found out, and HOW integrated would it have been THEN?

The more they implement, the harder it’s gonna be, with any reasonable assurances, to completely shut it down if it becomes the perfect tool for corruptible folks.

Anonymous says:

“The new bill also says that you can be charged with racketeering related to CFAA violations, so long as the government can tie you to other people and claim that it’s an “organized crime group.” It also ups the penalties for things that might be considered “actual hacking””

Firstly, hackers who “hack” to improve security should not be in this category; as a user, I think they are doing a service to us users.

Secondly, I’d classify all intelligence services as criminal hackers, DEFINITELY in the group of “organized crime”.

I’m interested to know who put the quotes around “actual hacking”: Techdirt, or the gov?

John Fenderson says:

The value of intangibles

the value of the information obtained must “exceed $5,000.”

The monetary value of most private information is no more or less than what the information owner says it is. So, unless there is some stringent language to set out how this value can be determined, the monetary threshold is entirely without meaning.

Anonymous says:

Here’s a REAL cybersecurity law: all commercial companies must be able to provide an easy-to-implement method of continuous security/privacy updates throughout the entirety of a service or product, either internally or externally… or some such.

Instead of a law that would upset business, we get a law that upsets users. Who do they represent again?

Anonymous says:

Aaron Swartz died because of CFAA abuses and for a brief moment I thought reform might come. However, this is just pathetic. The community has a duty to raise its voice loudly and protest against this disgusting and disrespectful proposal.

We need another Internet blackout. Imagine if instead of simply changing a few colors, companies actually shut down for a day. Our government and law enforcement all need a “time out”; like a little child standing in the corner.
