Monday, April 27, 2009

The Cybersecurity Act of 2009 and possible privacy casualties

For those of you who don't know about the Rockefeller/Snowe Cybersecurity Act of 2009 - and based on the complete lack of attention it has received it should be assumed most haven't - let me provide a basic outline of why it has raised some serious privacy concerns.

A good article in Computerworld this week entitled "Cyberwar's first casualty: Your privacy" offers us a useful e big picture framework for which to view this legislation and the growing threats to privacy that advances in technology necessarily are accompanied by. As I've discussed quite often here, these threats come from both the public and private sectors, particularly with the advent of a host of Google technologies - each with their own set of privacy threats - and the growing security threats our government faces from cyber attacks.

Computerworld notes this "melding" of interests and threats:

And unlike in past wars, the government itself may not do the snooping. Instead, it will most likely let private industry do the dirty work, essentially outsourcing cyber intelligence gathering.


As we've seen, though, intelligence gathering is frequently subject to abuse. During the Cold War, the CIA and FBI regularly violated the rights of citizens. More recently, the Patriot Act gave legal cover to government prying, and the National Security Agency carried out covert wiretapping without seeking the proper warrants.

The intelligence that will be gathered in the coming generation of cyberwarfare will dwarf anything that came before, in the breadth of information acquired, the ease with which it is gathered, and the number of people caught in the net. In past wars, a fair number of innocent people had their privacy invaded. In tomorrow's cyberwar, it'll be virtually everyone.

Cyberwarfare is fought online; its geography is virtual, and you're part of it. In physical wars, armies scout the countryside. In cyberwars, they'll scout the Internet.
The Internet is made up not just of wires, routers and servers; it's made up of the data crossing it. Those who fight cyberwars will mine vast amounts of data in an attempt to find nuggets of information. They'll look for patterns of use and relationships that otherwise would escape notice.

That's why you'll see government outsourcing its intelligence gathering to companies that already do the work legally -- and primarily that means Google. I'm not saying that Google will purposefully gather information for the federal government. Instead, the government will legally tap into Google's already in-place information gathering, by issuing subpoenas on a regular basis.

Why Google? Google already gathers vast amounts of information about people's browsing and search habits, and it regularly responds to subpoenas for that data.

And the information that Google gathers is about to grow exponentially, when Google Voice launches to widespread use. Google Voice can route all of your calls through a single number, lets you record and store calls online, and offers transcripts of voice mail. At some point, it will probably offer transcripts of all calls recorded. It can do that for your normal voice calls, not just calls made to or from a computer.

You can be sure that the government will want to get its hands on that vast treasure trove of information. Why go through the difficult process of getting a phone tap when it's so much easier to simply issue a subpoena to Google? Google isn't alone, of course, and many other private companies -- particularly ISPs and big telecom providers -- gather information about people online.

It is for this reason - the government's growing access to personal information of all kinds - that products marketed by companies like Google must include ironclad safeguards that at least offer some protection against government abuse and unconstitutional assaults on privacy.

With all that in mind, let's get to the 2009 CyberSecurity Act - which seems to seek to almost codify this ever expanding power of the government to infiltrate cyberspace and violate individual privacy. An article in WebProNews entitled "Time to Put the Brakes On the Cybersecurity Act of 2009" states:

What is essentially a federal government power grab combined with a giant money grab for industry is a real and perhaps unnecessary threat to your privacy and personal security. On top of that hole in your privacy, the Cybersecurity Act of 2009 plants a big, potentially exploitable hole on the network.


But when the CSIS (Center for Strategic and International Studies) issued its report it was both jaw-dropping for the collective might behind it and appalling for the tone of demand it carried directed toward the newly elected President and Congress. If you or I had written up the same report and signed our relatively puny names to it, we’d have been laughed and pshawed out of the room for our delusions of grandeur and audacity to think we could boss the government around.

Just a few months later, there it is in Congress, giving the President the power to shut down the Internet at his discretion, and the Commerce Secretary backdoor access to all of it without the slightest bit of oversight or restriction. (These guys like lack of oversight and accountability, just ask Hank Paulson.)


The obvious need for better cybersecurity at the federal level does not necessarily include the unprecedented granting of power to the government. It especially doesn’t necessitate that a few major companies dictate how security is to be implemented. The proposed legislation would require anyone with access to the network to be licensed.

Of course, before anyone thinks I'm getting into tinfoil hat territory here, let me provide a few choice clips from a recent statement by the Electronic Frontier Foundation - a leading opponent of this legislation:

The bill as it exists now risks giving the federal government unprecedented power over the Internet without necessarily improving security in the ways that matter most. It should be opposed or radically amended.

Essentially, the Act would federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government. This is a potentially dangerous approach that favors the dramatic over the sober response...the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review.

The broad scope of this provision could eviscerate statutory protections for private information, such as the Electronic Communications Privacy Act, the Privacy Protection Act, or financial privacy regulations. Even worse, it isn’t clear whether this provision would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well.

If the drafters meant to create a clearinghouse for system vulnerability information along the lines of a US/CERT mailing list, that could be useful, but that’s not what the bill’s current language does...Whether the bill is amended or rejected, the question remains what kind of actions would help cybersecurity, and what role the federal government has to play.

As security expert Bruce Schneier has pointed out, the true causes of government cyber-insecurity are rather mundane: GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs.

I'll be following this bill as it progresses...and will be back with more information in the coming days and weeks (i.e. what are its chances of passage?, does Obama support it?, etc.).

No comments: