Tag Archives: cyber

CISA is a terrible cybersecurity law

In what has become an annual tradition, Congress has renewed their efforts to pass some type of cybersecurity legislation. For the past four years, privacy advocates and security experts have consistently opposed these bills due to inadequate protections of American civil liberties, and this year’s offering, the Cybersecurity Information Sharing Act (CISA), is no exception.

CISA greatly expands the scope of government surveillance at the expense of American civil liberties. The bill would allow private companies to share any data they’ve created or collected with the government, which could then use it for its own purposes.

Data sharing can be useful, of course. To combat cyberthreats, private companies already share data with each other, and refer to this type of sharing as “threat intelligence.” Threat intelligence isn’t perfect, but helps companies identify dangers online in order to mitigate risks and secure their networks.

But this bill goes much further than that. CISA makes all information-sharing easier between the private sector and the government, not just for information relating to threats. For example, the federal government could use data collected from Google or Facebook during a criminal investigation. This violates the principle of due process, which suggests that courts should have oversight into how government agencies conduct investigations.

In this sense, CISA provides a clear way for the government to get around warrant requirements.

In exchange for providing this information, the bill grants legal immunity to private companies who break the law or who have poor network security. Thanks to this provision, it’s no surprise that industry groups like the Chamber of Commerce and the Financial Services Roundtable have been lobbying for this bill. CISA would also create a new exemption to Freedom of Information laws, preventing Americans from discovering what data about them is being shared with the government.

This immunity means that the government will be unable to prosecute companies that do not adequately protect their customers’ data. This is likely to lead to fewer resources being dedicated to cybersecurity, since the threat of a fine or lawsuit is reduced.

The growing volume of data that private companies gather on Americans makes this legislation more problematic. Google knows the contents of your email, as well as your search history, videos you’ve watched, and even where you’ve been. Facebook knows who your friends are, what type of articles you like, and whose profile you’re most likely to click on. To grant the government access to this information with no oversight on how it is used is not only unconstitutional, but also morally objectionable.

CISA advocates claim that there are adequate privacy protections to “scrub” personal data before it reaches the FBI or NSA. But included in the bill are loopholes which allow for unfettered access to this personal data at the discretion of these same government agencies.
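Whatever the bill’s loopholes, “scrubbing” only means something if it is done on the company’s side, before the record leaves, and if it removes everything that is not an indicator of the threat itself. The following Python is an added example, not code from this post or from any company or agency: it takes a constructed phishing-alert record (the field names are assumptions) and keeps only an allowlist of technical fields, redacting e-mail addresses from the free-text description. The allowlist approach matters because a denylist of “personal” fields silently leaks any new field someone adds later.

```python
import re

# Constructed sample record for this example. Field names are assumptions;
# a real record might be a STIX indicator or an internal SIEM alert.
SAMPLE_RECORD = {
    "indicator_type": "phishing-email",
    "sender_domain": "login-verify.example",
    "attachment_sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "c2_ip": "203.0.113.45",
    "recipient_email": "alice.smith@example.com",
    "recipient_name": "Alice Smith",
    "mailbox_contents": "Hi Alice, your invoice is attached. Reply to bob@example.org.",
    "description": "User alice.smith@example.com opened attachment from 203.0.113.45",
}

# Only fields that describe the threat, not the victim, may leave the company.
# Anything not listed here is dropped, so new personal fields are dropped by default.
SHAREABLE_FIELDS = frozenset(
    {"indicator_type", "sender_domain", "attachment_sha256", "c2_ip", "description"}
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact_text(text):
    """Replace every e-mail address in free text with a fixed marker."""
    return EMAIL_RE.sub("[email redacted]", text)


def scrub_indicator(record):
    """Return a new dict containing only allowlisted technical fields.

    String values are passed through redact_text so that an analyst's
    free-text note cannot smuggle a victim's address out alongside the
    indicator. The original record is not modified.
    """
    shared = {}
    for key in SHAREABLE_FIELDS:
        if key in record:
            value = record[key]
            shared[key] = redact_text(value) if isinstance(value, str) else value
    return shared


def leaks_pii(record):
    """Check a record before transmission: True if any e-mail address survives
    or any non-allowlisted field is still present."""
    for key, value in record.items():
        if key not in SHAREABLE_FIELDS:
            return True
        if isinstance(value, str) and EMAIL_RE.search(value):
            return True
    return False


if __name__ == "__main__":
    cleaned = scrub_indicator(SAMPLE_RECORD)
    print("before scrub leaks PII:", leaks_pii(SAMPLE_RECORD))
    print("after scrub leaks PII:", leaks_pii(cleaned))
    for k in sorted(cleaned):
        print(f"  {k}: {cleaned[k]}")
```

The check in `leaks_pii` is the piece a practitioner would wire into the outbound path: the sender, not the recipient, decides what crosses the boundary, and a record that fails the check never goes out. Under the bill as described above, the scrub is instead left to the discretion of the agencies receiving the data, which is exactly the wrong side of the boundary.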

If Congress is serious about addressing the evolving threats posed by criminals online, there are a number of proactive steps that should be taken. The Computer Fraud and Abuse Act of 1986 is in need of an overhaul. It’s ridiculous that our primary computer-crime law was written when the chief threat to the United States was the Soviet Union. As currently written, the law prevents security researchers from doing their jobs, such as probing systems for weaknesses and building tools that mitigate threats before the bad guys exploit them.

Second, Congress needs to get serious about the threat posed by the “Internet of Things.” We know that Volkswagen intentionally evaded emissions testing by writing a few extra lines of computer code. We need to know that our self-driving cars, voting machines, and medical devices are working properly and securely, and we cannot know that without being able to audit the code that powers them. We shouldn’t wait until a criminal takes control of these devices to begin properly securing our infrastructure.

We need legislation that addresses current and future threats. There are few, if any, cybersecurity experts who believe this bill will improve overall security. Nothing in the bill would have prevented major data breaches like the one at the Office of Personnel Management, which exposed the personal details of millions of innocent Americans, some at the highest levels of government. To the contrary, this bill would put even more data on the same insecure government servers that have already been exploited by criminals.

PostScript

I was hoping to have an edited version of the above published somewhere, but with the vote being likely to happen tomorrow, there isn’t enough time. That said, below are some accompanying notes for those who want to dig a bit deeper.

The first glaring hole in this bill is the lack of cybersecurity professionals who support it. I actually scoured the Internet to find someone respected within the industry who thought this was a good bill, and was unable to find a single one. On most other security-related issues, such as the potential regulation of 0day markets, there are a few different camps that security experts fall into. There is no such pro-CISA camp.

While I often side with the EFF on Internet-related issues, even experts that I usually disagree with politically are opposed to this. This letter in opposition to CISA features many respected information security experts (including Bruce Schneier), and Brian Krebs has also commented on why the bill is misguided.

So when experts are opposed to such a bill, who exactly is supporting it? As I mentioned above, the Chamber of Commerce and Financial Services Roundtable are two of the industry groups that support it, and the reasoning is obvious. Companies and banks that have poor information security practices become immune to cybersecurity-related lawsuits, provided they share their data with the government.

This incentive also makes data-sharing for companies less than the “voluntary” proposition that advocates claim. Instead of encouraging companies to secure their networks, CISA creates a perverse incentive to discount network security in any cost-benefit analysis. If this bill passes, there are two ways to reduce the risk of a cybersecurity-related lawsuit: secure your network OR share your data with the government. While some companies like Facebook and Google will never share *all* their data with the government, they would be foolish not to share *just enough* data to keep themselves immune from lawsuits.

While the backing of the financial industry is often enough to pass legislation, in this case it has a powerful ally in the intelligence community. Here’s some good reading on the intelligence community’s potentially changed role if CISA passes.

But to me, the key reason I dislike this bill is deception. I don’t like that this is called a “cybersecurity” bill. It’s a surveillance bill. Snowden’s revelations have shifted the political landscape to largely oppose state surveillance, which makes it amazing that a bill which hands over large amounts of data to the state is close to passage.

As I briefly mentioned at the outset of my initial piece, some of this has to do with issue fatigue. After witnessing the eventual passage of this bill (I consider it the successor of CISPA, first introduced in 2011), I am much more pessimistic about the future of American politics. The voice of industry professionals and civil liberties groups will never be as loud and sustained as that of industry groups whose clients all stand to benefit.

But the other reason I hate this bill is that it confuses real security with a false sense of security. The classic misdirection dialogue applies:

“The situation is bleak, something must be done.”

“This is something, therefore this must be done!”

The Internet of Things presents an entirely new, and more immediate, problem. We’re living in a world where new devices are not only running more code than ever, but are also reliant upon internet connections in new ways. Why does my thermostat need to be connected to the internet in order to keep my house’s temperature steady? Dick Cheney’s doctor disabled the wireless interface on his patient’s implanted defibrillator due to the threat posed by hackers, so why do the rest of American citizens accept such a risk?

They don’t, they’re just unaware of the reality of the threat. These threats will only increase as we push towards “modernization” without any thought for the consequences. I’ll write a bit more on the problems with the security of the Internet of Things in the coming months on my blog.

And finally, I’ve linked to her blog multiple times in this post, but there was another good post over at emptywheel which sums up why this is a bad bill.

New York Times on Iran: Now With “Cyber”!

Today the Newspaper of Record published a front-page article about the recent “hacking” of banks in the United States. I usually like articles from NY Times technology writer Nicole Perlroth, but this article had a couple of serious flaws that I think should be addressed.

I knew this article was going to be problematic from my first impression of it:

[Image: nytimesHacking]

I’m pretty sure it’s the editor (or web editor) who makes the call on summary text, but apparently elite hacking skills are clear-cut evidence of Iranian involvement. The language also gently suggests to the reader that this is a state-sponsored group, rather than non-state actors – after all, only a nation-state could be this powerful!

Of course, I immediately think of Moxie Marlinspike’s 2011 Black Hat talk, specifically where he discusses the Iranian attack on Comodo (the video is worth a watch – the part on Comodo starts at 5:00).  Comodo went on and on about how the attacker had “clinical accuracy” and eventually came to the erroneous conclusion that this was a “state-driven attack.” The attacker landed on Moxie’s own site after watching a Hak5 entry-level tutorial on man-in-the-middle attacks, giving a strong indication that this person was not quite as talented as Comodo’s CEO asserted.

I don’t like critiquing writing style to start this off, but the cringe-worthy end to the second paragraph cannot be bargained with:

Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

I get that the Times’ readership may not always fully grasp technical issues (and that’s okay!) but the Chihuahuas-into-Godzillas analogy is not helping anyone. Maybe explain why compromised servers in data centers make a more useful attack platform than run-of-the-mill PCs and laptops (they are always on and have orders of magnitude more upstream bandwidth)?

The next couple of paragraphs underscore the Iran angle by quoting a former official, but then the article moves on to drop this bombshell:

American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.

So there’s no “technical evidence” yet (unless you count the “level of sophistication” as evidence). And despite this lack of evidence, apparently it’s already been determined that disruption is the goal rather than profit. And to take that a step further, that’s also an earmark of state-sponsored attacks! Except when it’s not, which is pretty much every Anonymous action ever (with a few exceptions). Say what you will about Anonymous, but if there’s one thing you wouldn’t call them, it’s state-sponsored.

Finally, in paragraph 15, mention is made of the group claiming responsibility for the attacks. And in paragraph 17, mention is made of the cyberweapons deployed by (presumably) the United States – Stuxnet, Duqu, and Flame. To be fair, there was mention earlier in the article that these recent attacks were retaliation for “online attacks” waged by the United States, but it does not mention these by name, which I think is an important fact to make readers aware of. If you believe that the state of Iran is behind this (definitely a possibility, though not as foregone a conclusion as this article implies), then this is retaliation, pure and simple – the banks are essentially paying for the cyberattacks waged against Iran.

As the article draws to a close, some additional insight is offered as to why these are being called state-sponsored attacks: because they can’t easily find the command-and-control centers!

In an amateur botnet, the command and control center can be easily identified, but Mr. Herberger said it had been nearly impossible to do so in this case, suggesting to him that “the campaign may be state-sponsored versus amateur malware.”

In conclusion, writing this article without technical evidence of a crime (i.e. basing it on what US officials are saying) is ridiculous, and reminds me of the same non-fact-based cheerleading done in the lead-up to a different war several years ago.