The president’s proposal to better ’integrate‘ cyber intelligence may not make us safer. By Patrick Tucker
On Tuesday night, President Barack Obama appeared before the American people and again acknowledged digital data theft and data destruction as one of the most important issues facing the nation. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.”
It was a rallying cry for greater "cyber security.” But according to many security experts, “security” and the specific cyber-security proposal the president unveiled last week could be a pretext for expanded, unchecked surveillance that may not actually make the nation safer. The ideas in the proposal face no strong political resistance especially since the information collection organism would not be the government itself but rather private companies reporting user information to the government.
The Post-Snowden Era
What prompted the inclusion of cyber security in the address? The president has been restrained in his discussions of what some consider to be the most significant cyber attack on a U.S. entity in recent memory, the Sony hack. (Sony Pictures is a sub unit of Sony America and is still ultimately part of the Sony parent company, which is Japanese.) Obama called the hack an act of “cyber vandalism” not tantamount to war.
But in the days leading up to the State of the Union address, the Obama administration released a cyber security proposal, which will be sent to Congress, that speaks directly to the Sony incident. The key component of the proposal is, indeed, “integration.” Specifically, it affords private companies liability protection to share information with the Homeland Security Department’s National Cybersecurity and Communications Integration Center.
The chief of the NSA's Tailored Access Division Robert Joyce, has described the Sony hack as a key moment that will fundamentally change the way the United States deals with the murky threat posed by shadowy enemies with laptops. It was, in popular if clichéd Washington, D.C. parlance, “a game changer.” Joyce was not alone in that assessment.
“We had seen cyber attacks but we’ve never seen a nation-state...destroy data,” former Rep. Michael Rogers, R-Mich., told a group at the Bipartisan Policy Center in Washington, D.C. last week. It was that willful destruction of data, as opposed to simply theft, that elevated the Sony hack to an incident more urgent than any of the recent high profile attacks that had affected major corporations, which were aimed primarily at the theft of data for narrow, mercantile purposes.
Rogers, a seven-term congressman, has indicated he would be leaving the House for greener (sounding) pastures in radio. But during his tenure, where he served as the head of the House Intelligence Committee, he earned a reputation as one the National Security Agency’s most stalwart allies at the agency's moment of greatest shame.
The bill that perhaps best characterized that reputation, H.R. 3523, the Cyber Intelligence Sharing and Protection Act, or CISPA, never actually became law, having stalled in the Senate after passing the House. It would have granted liability protections to corporations that would then be able to share that information with the government, specifically the Department of Homeland Security, DHS.
It was an idea that predates Rogers and CISPA—in 2008, the Bush White House put out National Security Presidential Directive – 54 that outlined the U.S. interest in information sharing in the name of cybersecurity. But it was Rogers who refined it and pushed to enshrine it in legislation.
CISPA would give companies the freedom to share user data with DHS where the info could then go to virtually any other law enforcement agency for use in any investigation related to crimes from drug trafficking to copyright infringement. It sent a clear message to some of America’s biggest companies: “We need you to do our spying for us.”
Privacy advocates argued that the bill’s language was too broad. It would allow every company from Google to Apple to Facebook to share information on their users with the government outside of the parameters of the Electronics Communications Privacy Act as well as the Wiretap Act.
In April 2012, the president vowed that if the bill made it to his desk, he would veto it: “Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation's core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.”
Anonymous…Or Something Like It
Last week, Americans watched much of that resolve whither away. The proposal that the president rolled out shares a lot in common with CISPA with one exception, it purports to anonymize data. But the White House proposal would still allow for the sharing of user data with the government outside of privacy laws.
What sort of information does the new proposal promise to share, or rather integrate? In a call with reporters, a White House official said that the information would “primarily” not be content.
Shareable information does include anything that falls under the category of cyber threat indicator, which includes any data relating to “malicious reconnaissance, including communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat,” which could mean everything from attempting to access restricted files to—possibly—asking fairly routine questions about how a site runs or what a company does with user data.
“The White House proposal relies heavily on privacy guidelines that are currently unwritten. What these guidelines say and when they are applied will be critical to protecting Internet users. Privacy protections and use restrictions must be in effect before information sharing occurs,” Harley Geiger, the senior counsel for the Center for Democracy and Technology said in a press release following the announcement.
Other privacy advocates were quick to call the proposal unnecessary, as companies can already share information related to threats with the government (but within the parameters of the Privacy Act). More disturbing for many in the technology community was a provision in the legislation to amend RICO laws in a way that could charge hackers, computer scientists, or just curious users with felonies just for finding—or searching for—security errors in web sites or services.
Jeff Moss, the founder of the famous Black Hat and DEF CON conference, expressed such concern to Defense One. Every year Black Hat and DEF CON bring together thousands of hackers from around the world to showcase their research into cyber vulnerabilities. The events together comprise the one of the best forums to expose such vulnerabilities.
“I do worry about its chilling effects if enacted into law. Unless there is a carve out for research, the liability for clicking on links to security tools alone is worrying…even more so if RICO style laws are applied due to their broad nature and potential for abuse by aggressive prosecutors. We have had many decades to get used to prosecuting organized crime, but prosecuting technical computer crime is newer and harder to explain to juries. In that regard clear and easy to understand ‘red lines’ while more simplistic might be a better place to start,” said Moss.
In other words, the legislation could actually make the Internet less secure by criminalizing research into vulnerabilities.
Mark Jaycox, of the Electronic Frontier Foundation, concurred that provisions in the legislation may “chill the computer security research that is a central part of our best defense against computer crime.” Jaycox writes that the legislation could make you a felon for “sharing your HBO GO password.” He adds that “the expansion of the definition may impact researchers who commonly scan public websites to detect potential vulnerabilities. These researchers should not have to face a felony charge if a prosecutor thinks they should have known the site prohibited scanning.”
The single section that makes the White House proposal somewhat more palatable than CISPA is the provision demanding that user data “establish a process to anonymize and safeguard information.”
But anonymization may offer false reassurance. In fact, researchers have shown that anonymization is data is something of a joke. In a 2013 paper published in the Nature Scientific Reports, MIT researchers Yves-Alexandre de Montjoye and César A. Hidalgo, discuss an experiment where they took a random sample of 1.5 million cell users over 15 months and found that, when locational cell phone data is anonymized, just four data points—information created by the anonymous user—was enough to effectively reveal the users' identity 95 percent of the time.
“I agree, 100 percent. The way the data comes in, there isn’t a whole lot of benefit. Why make a law that says anonymize it,” said Robert Twitchell, CEO of Dispersive Technologies.
One of the key benefits of sharing cyber information with other investigative bodies is affixing attribution, which permanent anonymization would undermine.
Moreover, the information that the public shares with DHS, if it is in fact related to some future cybersecurity event, would likely be shared with the NSA. According to the White House, that sharing, or integration, would be “as close to real time as possible.”
How do we know that the NSA would be one of—if not the—main recipient? Remember when the Federal Bureau of Investigation expressed a high degree of confidence that the attack could be attributed to North Korea? You could be forgiven for thinking that it was, in fact, the FBI that reached that conclusion. But according to recently revealed documents, the NSA did the work.
As David Sanger and Martin Fackler report in The New York Times, the NSA was accessing North Korean networks, communications and cyber operations for years prior to the Sony hack. That’s what allowed the United States to so quickly attribute the attacks to North Korea, though many still claim the U.S. is overlooking evidence of an inside job. But it wasn’t enough to allow them to actually stop the attack.
Not every law maker agrees that the Sony hack serves as justification for an information sharing bill, especially one that could put people’s privacy in danger. Rep. Zoe Lofgren, D-Calif., who represents parts of San Jose (Silicon Valley) told The Hill: “I fear we may have taken the wrong lesson from these recent high-profile attacks. These attacks were not the result of a missed opportunity to share information, but rather caused by substantial and obvious security failures and a culture of treating cyber security as an afterthought.”
At the Bipartisan Policy Center event, former Central Intelligence Agency director Michael Hayden bullishly predicted that some form of information sharing would pass this year. Both political and public concerns about privacy and overreaching agencies have given way to worries about lost data and remotely hijacked infrastructure. “We are entering the post-Snowden era,” he claimed.
Rogers himself was more cautious but he acknowledged that the involvement of the president in passing cyber-sharing legislation was a “significant change,” possibly enough to push something through.
Rep. Will Hurd, R-Texas, told Defense One that the president’s comments during the State of the Union suggest a softening on CISPA. “I‘m hoping that the president’s comments suggest he’s not going to veto CISPA. I think this is an area that the President and Congress can work together.” Hurd, a former CIA operative, is considered a rising star specifically on issues related to cyber security.
Hurd, however, has also expressed some hesitation about some of the more hawkish elements of the proposal. In discussing the potential changes in RICO law, he was dim on any proposal that might harm cyber security research. “We don’t want to limit that. I think Black Hat is a very helpful forum where you have all of this research, they’re looking at the cutting edge procedures in this space. It’s a great forum for understanding where it’s going on. This is one of those areas where reasonable people can be reasonable people."
Following the event at the Bipartisan Policy Center, Rogers loitered for a bit to glad-hand friends and fans who wished him well in his new career. As he got on to an elevator, Defense One asked him if he felt at all validated that the president’s proposal so closely resembled Rogers’s bill, the one that the president had vowed to veto. Rogers looked off into the distance and smiled wistfully. “Success has many fathers,” he said as the doors closed in front of him.