President Barack Obama delivers his State of the Union address to a joint session of Congress on Capitol Hill on Tuesday, Jan. 20, 2015, in Washington, D.C. AP / MANDEL NGAN

What the Cyber Language in the State of the Union Means to You

The president’s proposal to better ‘integrate’ cyber intelligence may not make us safer. By Patrick Tucker

On Tuesday night, President Barack Obama appeared before the American people and again acknowledged digital data theft and data destruction as one of the most important issues facing the nation. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.”

It was a rallying cry for greater “cyber security.” But according to many security experts, “security” and the specific cyber-security proposal the president unveiled last week could be a pretext for expanded, unchecked surveillance that may not actually make the nation safer. The ideas in the proposal face no strong political resistance, especially since the information-collection mechanism would not be the government itself but rather private companies reporting user information to the government.

The Post-Snowden Era

What prompted the inclusion of cyber security in the address? The president has been restrained in his discussions of what some consider to be the most significant cyber attack on a U.S. entity in recent memory, the Sony hack. (Sony Pictures is a subunit of Sony America and is still ultimately part of the Sony parent company, which is Japanese.) Obama called the hack an act of “cyber vandalism” not tantamount to war.

But in the days leading up to the State of the Union address, the Obama administration released a cyber security proposal, which will be sent to Congress, that speaks directly to the Sony incident. The key component of the proposal is, indeed, “integration.” Specifically, it affords private companies liability protection to share information with the Homeland Security Department’s National Cybersecurity and Communications Integration Center.

The chief of the NSA's Tailored Access Division, Robert Joyce, has described the Sony hack as a key moment that will fundamentally change the way the United States deals with the murky threat posed by shadowy enemies with laptops. It was, in popular if clichéd Washington, D.C., parlance, “a game changer.” Joyce was not alone in that assessment.

“We had seen cyber attacks but we’ve never seen a nation-state...destroy data,” former Rep. Michael Rogers, R-Mich., told a group at the Bipartisan Policy Center in Washington, D.C. last week. It was that willful destruction of data, as opposed to simply theft, that elevated the Sony hack to an incident more urgent than any of the recent high profile attacks that had affected major corporations, which were aimed primarily at the theft of data for narrow, mercantile purposes.

Rogers, a seven-term congressman, has indicated he would be leaving the House for greener (sounding) pastures in radio. But during his tenure, in which he served as the head of the House Intelligence Committee, he earned a reputation as one of the National Security Agency’s most stalwart allies at the agency's moment of greatest shame.

The bill that perhaps best characterized that reputation, H.R. 3523, the Cyber Intelligence Sharing and Protection Act, or CISPA, never actually became law, having stalled in the Senate after passing the House. It would have granted liability protections to corporations that shared cyber threat information with the government, specifically the Department of Homeland Security, DHS.

It was an idea that predates Rogers and CISPA: in 2008, the Bush White House put out National Security Presidential Directive 54, which outlined the U.S. interest in information sharing in the name of cybersecurity. But it was Rogers who refined it and pushed to enshrine it in legislation.

CISPA would give companies the freedom to share user data with DHS, where the info could then go to virtually any other law enforcement agency for use in any investigation related to crimes from drug trafficking to copyright infringement. It sent a clear message to some of America’s biggest companies: “We need you to do our spying for us.”

Privacy advocates argued that the bill’s language was too broad. It would allow every company from Google to Apple to Facebook to share information on their users with the government outside of the parameters of the Electronic Communications Privacy Act as well as the Wiretap Act.

In April 2012, the president vowed that if the bill made it to his desk, he would veto it: “Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation's core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.”

Anonymous…Or Something Like It

Last week, Americans watched much of that resolve wither away. The proposal that the president rolled out has a lot in common with CISPA, with one exception: it purports to anonymize data. But the White House proposal would still allow for the sharing of user data with the government outside of privacy laws.

What sort of information does the new proposal promise to share, or rather integrate? In a call with reporters, a White House official said that the information would “primarily” not be content.

Shareable information does include anything that falls under the category of cyber threat indicator, which includes any data relating to “malicious reconnaissance, including communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat,” which could mean everything from attempting to access restricted files to—possibly—asking fairly routine questions about how a site runs or what a company does with user data.

“The White House proposal relies heavily on privacy guidelines that are currently unwritten. What these guidelines say and when they are applied will be critical to protecting Internet users. Privacy protections and use restrictions must be in effect before information sharing occurs,” Harley Geiger, the senior counsel for the Center for Democracy and Technology said in a press release following the announcement.

Other privacy advocates were quick to call the proposal unnecessary, as companies can already share information related to threats with the government (but within the parameters of the Privacy Act). More disturbing for many in the technology community was a provision in the legislation to amend RICO laws in a way that could charge hackers, computer scientists, or just curious users with felonies just for finding—or searching for—security errors in web sites or services.

Jeff Moss, the founder of the famous Black Hat and DEF CON conferences, expressed such concern to Defense One. Every year Black Hat and DEF CON bring together thousands of hackers from around the world to showcase their research into cyber vulnerabilities. Together, the events comprise one of the best forums for exposing such vulnerabilities.

“I do worry about its chilling effects if enacted into law. Unless there is a carve out for research, the liability for clicking on links to security tools alone is worrying…even more so if RICO style laws are applied due to their broad nature and potential for abuse by aggressive prosecutors. We have had many decades to get used to prosecuting organized crime, but prosecuting technical computer crime is newer and harder to explain to juries. In that regard clear and easy to understand ‘red lines’ while more simplistic might be a better place to start,” said Moss.

In other words, the legislation could actually make the Internet less secure by criminalizing research into vulnerabilities.

Mark Jaycox, of the Electronic Frontier Foundation, concurred that provisions in the legislation may “chill the computer security research that is a central part of our best defense against computer crime.” Jaycox writes that the legislation could make you a felon for “sharing your HBO GO password.” He adds that “the expansion of the definition may impact researchers who commonly scan public websites to detect potential vulnerabilities. These researchers should not have to face a felony charge if a prosecutor thinks they should have known the site prohibited scanning.”

The single section that makes the White House proposal somewhat more palatable than CISPA is the provision demanding that user data “establish a process to anonymize and safeguard information.”

But anonymization may offer false reassurance. In fact, researchers have shown that anonymization of data is something of a joke. In a 2013 paper published in Nature's Scientific Reports, MIT researchers Yves-Alexandre de Montjoye and César A. Hidalgo discuss an experiment in which they took a random sample of 1.5 million cell users over 15 months and found that, when location data from cell phones is anonymized, just four data points, each created by the anonymous user, were enough to reveal the user's identity 95 percent of the time.
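The experiment described above measures the "unicity" of pseudonymized traces: how often a handful of points from one person's record matches nobody else. The following is an added example, not code from the article or from the de Montjoye and Hidalgo paper, that computes the same quantity on a small constructed dataset. The pseudonyms, cell-tower IDs and pings are all invented; the point is that a privacy engineer can run this kind of check before data is handed over, to see whether stripping names and numbers actually protects anyone.

```python
from itertools import combinations
from collections import defaultdict

# Constructed sample (not real data): pseudonymized location traces.
# Each ping is (hour_of_week, cell_tower_id). Names and phone numbers have
# been replaced by pseudonyms, which is the sort of "anonymization" the
# White House proposal asks for.
TRACES = {
    "u001": {(8, "T1"), (9, "T3"), (12, "T5"), (18, "T1"), (22, "T2")},
    "u002": {(8, "T1"), (9, "T3"), (12, "T4"), (18, "T1"), (22, "T2")},
    "u003": {(8, "T1"), (9, "T3"), (12, "T5"), (18, "T6"), (22, "T2")},
    "u004": {(7, "T9"), (9, "T3"), (13, "T5"), (18, "T1"), (23, "T8")},
    "u005": {(8, "T1"), (9, "T3"), (12, "T5"), (18, "T1"), (22, "T7")},
}


def build_index(traces):
    """Invert the traces: point -> set of pseudonyms observed at that point."""
    index = defaultdict(set)
    for pseudonym, points in traces.items():
        for point in points:
            index[point].add(pseudonym)
    return index


def candidates(index, known_points):
    """Pseudonyms whose trace contains every one of the known points.

    This is what an outside party who already knows a few of someone's
    movements (a credit-card receipt, a public check-in) can compute against
    the "anonymized" release: the intersection of the per-point sets.
    """
    sets = [index.get(point, set()) for point in known_points]
    if not sets:
        return set()
    return set.intersection(*sets)


def unicity(traces, p):
    """Fraction of (user, p-point subset) pairs that pin down exactly one user.

    This is the quantity the paper reports for p = 4 on real data; here it is
    computed exhaustively over every p-subset of each user's own trace.
    """
    index = build_index(traces)
    unique = 0
    total = 0
    for pseudonym, points in traces.items():
        for subset in combinations(sorted(points), p):
            total += 1
            if candidates(index, subset) == {pseudonym}:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    for p in (1, 2, 3, 4, 5):
        print(f"{p} known point(s): {unicity(TRACES, p):.0%} of subsets identify a single user")
```

The `unicity` function reports how quickly a few points close in on one pseudonym as more are known; on the constructed data one point rarely suffices, four points identify a single user in most cases, and the full trace always does. Because the pseudonym can then be tied back to a person through whatever external fact supplied the known points, this is the sense in which pseudonymization alone offers little protection.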

“I agree, 100 percent. The way the data comes in, there isn’t a whole lot of benefit. Why make a law that says anonymize it,” said Robert Twitchell, CEO of Dispersive Technologies.

One of the key benefits of sharing cyber information with other investigative bodies is affixing attribution, which permanent anonymization would undermine.

Moreover, the information that the public shares with DHS, if it is in fact related to some future cybersecurity event, would likely be shared with the NSA. According to the White House, that sharing, or integration, would be “as close to real time as possible.”

How do we know that the NSA would be one of, if not the, main recipient? Remember when the Federal Bureau of Investigation expressed a high degree of confidence that the attack could be attributed to North Korea? You could be forgiven for thinking that it was, in fact, the FBI that reached that conclusion. But according to recently revealed documents, the NSA did the work.

As David Sanger and Martin Fackler report in The New York Times, the NSA was accessing North Korean networks, communications and cyber operations for years prior to the Sony hack. That’s what allowed the United States to so quickly attribute the attacks to North Korea, though many still claim the U.S. is overlooking evidence of an inside job. But it wasn’t enough to allow them to actually stop the attack.

Not every law maker agrees that the Sony hack serves as justification for an information sharing bill, especially one that could put people’s privacy in danger. Rep. Zoe Lofgren, D-Calif., who represents parts of San Jose (Silicon Valley) told The Hill: “I fear we may have taken the wrong lesson from these recent high-profile attacks. These attacks were not the result of a missed opportunity to share information, but rather caused by substantial and obvious security failures and a culture of treating cyber security as an afterthought.”

At the Bipartisan Policy Center event, former Central Intelligence Agency director Michael Hayden bullishly predicted that some form of information sharing would pass this year. Both political and public concerns about privacy and overreaching agencies have given way to worries about lost data and remotely hijacked infrastructure. “We are entering the post-Snowden era,” he claimed.

Rogers himself was more cautious but he acknowledged that the involvement of the president in passing cyber-sharing legislation was a “significant change,” possibly enough to push something through.

Rep. Will Hurd, R-Texas, told Defense One that the president’s comments during the State of the Union suggest a softening on CISPA. “I’m hoping that the president’s comments suggest he’s not going to veto CISPA. I think this is an area that the President and Congress can work together.” Hurd, a former CIA operative, is considered a rising star, specifically on issues related to cyber security.

Hurd, however, has also expressed some hesitation about some of the more hawkish elements of the proposal. In discussing the potential changes in RICO law, he was dim on any proposal that might harm cyber security research. “We don’t want to limit that. I think Black Hat is a very helpful forum where you have all of this research, they’re looking at the cutting edge procedures in this space. It’s a great forum for understanding where it’s going on. This is one of those areas where reasonable people can be reasonable people.”

Following the event at the Bipartisan Policy Center, Rogers loitered for a bit to glad-hand friends and fans who wished him well in his new career. As he got on to an elevator, Defense One asked him if he felt at all validated that the president’s proposal so closely resembled Rogers’s bill, the one that the president had vowed to veto. Rogers looked off into the distance and smiled wistfully. “Success has many fathers,” he said as the doors closed in front of him.
