Skip to main content

Home/ Socialism and the End of the American Dream/ Group items tagged Cybersecurity

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Paul Merrell

A Zombie Bill Comes Back to Life: A Look at The Senate's Cybersecurity Information Shar... - 0 views

www.eff.org/...y-information-sharing-act-2014

surveillance state NSA legislation Cybersecurity Bill Feinstein

shared by Paul Merrell on 12 Jul 14 - No Cached
  • The Senate Intelligence Committee recently introduced the Cybersecurity Information Sharing Act of 2014. It’s the fourth time in four years that Congress has tried to pass "cybersecurity" legislation. Unfortunately, the newest Senate bill is one of the worst yet. Cybersecurity bills aim to facilitate information sharing between companies and the government, but they always seem to come with broad immunity clauses for companies, vague definitions, and aggressive spying powers. Given such calculated violence to users' privacy rights, it’s no surprise that these bills fail every year. What is a surprise is that the bills keep coming back from the dead. Last year, President Obama signed Executive Order 13636 (EO 13636) directing the Department of Homeland Security (DHS) to expand current information sharing programs that are far more privacy protective than anything seen in recent cybersecurity bills. Despite this, members of Congress like Rep. Mike Rogers and Senator Dianne Feinstein keep on introducing bills that would destroy these privacy protections and grant new spying powers to companies.
  • Aside from its redundancy, the Senate's bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system. Combined, the two definitions could be read by companies to permit attacks on machines that unwittingly contribute to network congestion. The countermeasures clause will increasingly militarize the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user. Second, the bill adds a new authority for companies to monitor information systems to protect an entity's rights or property. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.
  • Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies like the NSA—"in real-time and simultaneous[ly]." DHS is even barred from "delay[ing]" or "interfer[ing]" with the information, which ensures that DHS's current privacy protections won’t be applied to the information. The provision is ripe for improper and over-expansive information sharing. This leads to a question: What stops your sensitive personal information from being shared by companies to the government? Almost nothing. Companies must only remove personally identifiable information if the information is known to be US person information and not directly related to the threat. Such a willful blindness approach is inappropriate. Further, the bill does not even impose this weak minimization requirement on information shared by, and within, the government (including federal, state, local, and tribal governments) thereby allowing the government to share information containing personally identifiable information. The bill should require deletion of all information not directly related to a threat.
  • ...2 more annotations...
  • Once the information is sent to a government agency, it can use the information for reasons other than for cybersecurity purposes. One clause even allows the information to be used to prosecute violations of the Espionage Act—a World War I era law that was meant to prosecute spies but has been used in recent years primarily to go after journalists’ sources. The provisions grant the government far too much leeway in how to use the information for non-cybersecurity purposes. The public won’t even know what information is being collected, shared, or used because the bill will exempt all of it from disclosure under the Freedom of Information Act.
  • The bill also retains near-blanket immunity for companies to monitor information systems, to share information, and to use countermeasures. The high bar immunizes an incredible amount of activity, including negligent damage to property and may deprive private entities of legal recourse if a computer security contractor is at fault for destruction of property. Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and the Computer Fraud and Abuse Act would be precluded or at least sharply restricted by the clause. It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information. It's also unclear because we continue to see companies freely share information among each other and with the government both publicly via published reports and privately.
Paul Merrell

CISA Cybersecurity Bill Advances Despite Privacy Concerns | WIRED - 0 views

www.wired.com/...nces-despite-privacy-critiques

surveillance state NSA cybersecurity legislation CISA privacy-loophole

shared by Paul Merrell on 13 Mar 15 - No Cached
  • For months, privacy advocates have been pointing to flaws in CISA, the new reincarnation of the cybersecurity bill known as CISPA that Congress has been kicking around since 2013. But today that zombie bill lurched one step closer to becoming law. The Senate Intelligence Committee passed the Cybersecurity Information Sharing Act, or CISA, by a vote of 14 to one Thursday afternoon. The bill, like the failed Cybersecurity Information Sharing and Protection Act that proceeded it, is designed to encourage the sharing of data between private companies and the government to prevent and respond to cybersecurity threats. But privacy critics have protested that CISA would create a legal framework for companies to more closely monitor internet users and share that data with government agencies.
  • After Thursday’s vote, Senator Ron Wyden—the only member of the Senate’s intelligence committee to vote against the bill—repeated those privacy concerns in a public statement. “If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill—it’s a surveillance bill by another name,” he wrote. “It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”
  • Looking at the most recently revealed public version of CISA, privacy advocates have pointed out that it would allow sharing of personal data that goes beyond cybersecurity threats. It also allows the sharing of private sector data with the government that could prevent “terrorism” or an “imminent threat of death or serious bodily harm.” That language, Open Technology Institute privacy counsel Robyn Greene has argued, means CISA might “facilitate investigations into garden-variety violent crimes that have nothing to do with cyber threats.” “If that weren’t worrisome enough, the bill would also let law enforcement and other government agencies use information it receives to investigate, without a requirement for imminence or any connection to computer crime, even more crimes like carjacking, robbery, possession or use of firearms, ID fraud, and espionage,” Greene wrote in February. “While some of these are terrible crimes, and law enforcement should take reasonable steps to investigate them, they should not do so with information that was shared under the guise of enhancing cybersecurity.”
Paul Merrell

Beware the Dangers of Congress' Latest Cybersecurity Bill | American Civil Liberties Union - 0 views

www.aclu.org/...ress-latest-cybersecurity-bill

surveillance state legislation ACLU cybersecurity

shared by Paul Merrell on 01 Jul 14 - No Cached
  • A new cybersecurity bill poses serious threats to our privacy, gives the government extraordinary powers to silence potential whistleblowers, and exempts these dangerous new powers from transparency laws. The Cybersecurity Information Sharing Act of 2014 ("CISA") was scheduled to be marked up by the Senate Intelligence Committee yesterday but has been delayed until after next week's congressional recess. The response to the proposed legislation from the privacy, civil liberties, tech, and open government communities was quick and unequivocal – this bill must not go through. The bill would create a massive loophole in our existing privacy laws by allowing the government to ask companies for "voluntary" cooperation in sharing information, including the content of our communications, for cybersecurity purposes. But the definition they are using for the so-called "cybersecurity information" is so broad it could sweep up huge amounts of innocent Americans' personal data. The Fourth Amendment protects Americans' personal data and communications from undue government access and monitoring without suspicion of criminal activity. The point of a warrant is to guard that protection. CISA would circumvent the warrant requirement by allowing the government to approach companies directly to collect personal information, including telephonic or internet communications, based on the new broadly drawn definition of "cybersecurity information."
  • While we hope many companies would jealously guard their customers' information, there is a provision in the bill that would excuse sharers from any liability if they act in "good faith" that the sharing was lawful. Collected information could then be used in criminal proceedings, creating a dangerous end-run around laws like the Electronic Communications Privacy Act, which contain warrant requirements. In addition to the threats to every American's privacy, the bill clearly targets potential government whistleblowers. Instead of limiting the use of data collection to protect against actual cybersecurity threats, the bill allows the government to use the data in the investigation and prosecution of people for economic espionage and trade secret violations, and under various provisions of the Espionage Act. It's clear that the law is an attempt to give the government more power to crack down on whistleblowers, or "insider threats," in popular bureaucratic parlance. The Obama Administration has brought more "leaks" prosecutions against government whistleblowers and members of the press than all previous administrations combined. If misused by this or future administrations, CISA could eliminate due process protections for such investigations, which already favor the prosecution.
  • While actively stripping Americans' privacy protections, the bill also cloaks "cybersecurity"-sharing in secrecy by exempting it from critical government transparency protections. It unnecessarily and dangerously provides exemptions from state and local sunshine laws as well as the federal Freedom of Information Act. These are both powerful tools that allow citizens to check government activities and guard against abuse. Edward Snowden's revelations from the past year, of invasive spying programs like PRSIM and Stellar Wind, have left Americans shocked and demanding more transparency by government agencies. CISA, however, flies in the face of what the public clearly wants. (Two coalition letters, here and here, sent to key members of the Senate yesterday detail the concerns of a broad coalition of organizations, including the ACLU.)
  • Paul Merrell on 01 Jul 14
     
    Text of the bill is on Sen. Diane Feinstein's site, http://goo.gl/2cdsSA It is truly a bummer.
Paul Merrell

CISA Security Bill: An F for Security But an A+ for Spying | WIRED - 0 views

www.wired.com/...ty-bill-gets-f-security-spying

surveillance state legislation CISA

shared by Paul Merrell on 23 Mar 15 - No Cached
  • When the Senate Intelligence Committee passed the Cybersecurity Information Sharing Act by a vote of 14 to 1, committee chairman Senator Richard Burr argued that it successfully balanced security and privacy. Fifteen new amendments to the bill, he said, were designed to protect internet users’ personal information while enabling new ways for companies and federal agencies to coordinate responses to cyberattacks. But critics within the security and privacy communities still have two fundamental problems with the legislation: First, they say, the proposed cybersecurity act won’t actually boost security. And second, the “information sharing” it describes sounds more than ever like a backchannel for surveillance.
  • On Tuesday the bill’s authors released the full, updated text of the CISA legislation passed last week, and critics say the changes have done little to assuage their fears about wanton sharing of Americans’ private data. In fact, legal analysts say the changes actually widen the backdoor leading from private firms to intelligence agencies. “It’s a complete failure to strengthen the privacy protections of the bill,” says Robyn Greene, a policy lawyer for the Open Technology Institute, which joined a coalition of dozens of non-profits and cybersecurity experts criticizing the bill in an open letter earlier this month. “None of the [privacy-related] points we raised in our coalition letter to the committee was effectively addressed.” The central concern of that letter was how the same data sharing meant to bolster cybersecurity for companies and the government opens massive surveillance loopholes. The bill, as worded, lets a private company share with the Department of Homeland Security any information construed as a cybersecurity threat “notwithstanding any other provision of law.” That means CISA trumps privacy laws like the Electronic Communication Privacy Act of 1986 and the Privacy Act of 1974, which restrict eavesdropping and sharing of users’ communications. And once the DHS obtains the information, it would automatically be shared with the NSA, the Department of Defense (including Cyber Command), and the Office of the Director of National Intelligence.
  • In a statement posted to his website yesterday, Senator Burr wrote that “Information sharing is purely voluntary and companies can only share cyber-threat information and the government may only use shared data for cybersecurity purposes.” But in fact, the bill’s data sharing isn’t limited to cybersecurity “threat indicators”—warnings of incoming hacker attacks, which is the central data CISA is meant to disseminate among companies and three-letter agencies. OTI’s Greene says it also gives companies a mandate to share with the government any data related to imminent terrorist attacks, weapons of mass destruction, or even other information related to violent crimes like robbery and carjacking. 
  • ...2 more annotations...
  • The latest update to the bill tacks on yet another kind of information, anything related to impending “serious economic harm.” All of those vague terms, Greene argues, widen the pipe of data that companies can send the government, expanding CISA into a surveillance system for the intelligence community and domestic law enforcement. If information-sharing legislation does not include adequate privacy protections, then...It’s a surveillance bill by another name. Senator Ron Wyden
  • “CISA goes far beyond [cybersecurity], and permits law enforcement to use information it receives for investigations and prosecutions of a wide range of crimes involving any level of physical force,” reads the letter from the coalition opposing CISA. “The lack of use limitations creates yet another loophole for law enforcement to conduct backdoor searches on Americans—including searches of digital communications that would otherwise require law enforcement to obtain a warrant based on probable cause. This undermines Fourth Amendment protections and constitutional principles.”
  • Paul Merrell on 23 Mar 15
     
    I read the legislation. It's as bad for privacy as described in the aritcle. And its drafting is incredibly sloppy.
Paul Merrell

Canadian Spies Collect Domestic Emails in Secret Security Sweep - The Intercept - 0 views

firstlook.org/...ony-express-email-surveillance

surveillance state Canada CSE bulk-collection email

shared by Paul Merrell on 27 Feb 15 - No Cached
  • Canada’s electronic surveillance agency is covertly monitoring vast amounts of Canadians’ emails as part of a sweeping domestic cybersecurity operation, according to top-secret documents. The surveillance initiative, revealed Wednesday by CBC News in collaboration with The Intercept, is sifting through millions of emails sent to Canadian government agencies and departments, archiving details about them on a database for months or even years. The data mining operation is carried out by the Communications Security Establishment, or CSE, Canada’s equivalent of the National Security Agency. Its existence is disclosed in documents obtained by The Intercept from NSA whistleblower Edward Snowden. The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats.
  • Last year, CSE acknowledged it collected some private communications as part of cybersecurity efforts. But it refused to divulge the number of communications being stored or to explain for how long any intercepted messages would be retained. Now, the Snowden documents shine a light for the first time on the huge scope of the operation — exposing the controversial details the government withheld from the public. Under Canada’s criminal code, CSE is not allowed to eavesdrop on Canadians’ communications. But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails. The latest revelations will trigger concerns about how Canadians’ private correspondence with government employees are being archived by the spy agency and potentially shared with police or allied surveillance agencies overseas, such as the NSA. Members of the public routinely communicate with government employees when, for instance, filing tax returns, writing a letter to a member of parliament, applying for employment insurance benefits or submitting a passport application.
  • Chris Parsons, an internet security expert with the Toronto-based internet think tank Citizen Lab, told CBC News that “you should be able to communicate with your government without the fear that what you say … could come back to haunt you in unexpected ways.” Parsons said that there are legitimate cybersecurity purposes for the agency to keep tabs on communications with the government, but he added: “When we collect huge volumes, it’s not just used to track bad guys. It goes into data stores for years or months at a time and then it can be used at any point in the future.” In a top-secret CSE document on the security operation, dated from 2010, the agency says it “processes 400,000 emails per day” and admits that it is suffering from “information overload” because it is scooping up “too much data.” The document outlines how CSE built a system to handle a massive 400 terabytes of data from Internet networks each month — including Canadians’ emails — as part of the cyber operation. (A single terabyte of data can hold about a billion pages of text, or about 250,000 average-sized mp3 files.)
  • ...1 more annotation...
  • The agency notes in the document that it is storing large amounts of “passively tapped network traffic” for “days to months,” encompassing the contents of emails, attachments and other online activity. It adds that it stores some kinds of metadata — data showing who has contacted whom and when, but not the content of the message — for “months to years.” The document says that CSE has “excellent access to full take data” as part of its cyber operations and is receiving policy support on “use of intercepted private communications.” The term “full take” is surveillance-agency jargon that refers to the bulk collection of both content and metadata from Internet traffic. Another top-secret document on the surveillance dated from 2010 suggests the agency may be obtaining at least some of the data by covertly mining it directly from Canadian Internet cables. CSE notes in the document that it is “processing emails off the wire.”
  • Paul Merrell on 27 Feb 15
     
    " CANADIAN SPIES COLLECT DOMESTIC EMAILS IN SECRET SECURITY SWEEP BY RYAN GALLAGHER AND GLENN GREENWALD @rj_gallagher@ggreenwald YESTERDAY AT 2:02 AM SHARE TWITTER FACEBOOK GOOGLE EMAIL PRINT POPULAR EXCLUSIVE: TSA ISSUES SECRET WARNING ON 'CATASTROPHIC' THREAT TO AVIATION CHICAGO'S "BLACK SITE" DETAINEES SPEAK OUT WHY DOES THE FBI HAVE TO MANUFACTURE ITS OWN PLOTS IF TERRORISM AND ISIS ARE SUCH GRAVE THREATS? NET NEUTRALITY IS HERE - THANKS TO AN UNPRECEDENTED GUERRILLA ACTIVISM CAMPAIGN HOW SPIES STOLE THE KEYS TO THE ENCRYPTION CASTLE Canada's electronic surveillance agency is covertly monitoring vast amounts of Canadians' emails as part of a sweeping domestic cybersecurity operation, according to top-secret documents. The surveillance initiative, revealed Wednesday by CBC News in collaboration with The Intercept, is sifting through millions of emails sent to Canadian government agencies and departments, archiving details about them on a database for months or even years. The data mining operation is carried out by the Communications Security Establishment, or CSE, Canada's equivalent of the National Security Agency. Its existence is disclosed in documents obtained by The Intercept from NSA whistleblower Edward Snowden. The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats. Last year, CSE acknowledged it collected some private communications as part of cybersecurity efforts. But it refused to divulge the number of communications being stored or to explain for how long any intercepted messages would be retained. Now, the Snowden documents shine a light for the first time on the huge scope of the operation - exposing the controversial details the government withheld from the public. Under Canada's criminal code, CSE is no
Paul Merrell

Cybersecurity Information Sharing: A Legal Morass, Says CRS - 0 views

fas.org/...info-sharing-crs

cybersecurity legislation CRS nuclear-weapons

shared by Paul Merrell on 25 Mar 15 - No Cached
  • Several pending bills would promote increased sharing of cybersecurity-related information — such as threat intelligence and system vulnerabilities — in order to combat the perceived rise in the frequency and intensity of cyber attacks against private and government entities. But such information sharing is easier said than done, according to a new report from the Congressional Research Service, because it involves a thicket of conflicting and perhaps incompatible laws and policy objectives. “The legal issues surrounding cybersecurity information sharing… are complex and have few certain resolutions.” A copy of the CRS report was obtained by Secrecy News. See Cybersecurity and Information Sharing: Legal Challenges and Solutions, March 16, 2015. Cyber information sharing takes at least three different forms: the release of cyber intelligence from government to the private sector, information sharing among private entities, and the transfer of threat information from private entities to government agencies.
  • “While collectively these three variants on the concept of cyber-information sharing have some commonalities, each also raises separate legal challenges that may impede cyber-intelligence dissemination more generally,” said the CRS report, which examines the legal ramifications of each category in turn. Among the concerns at issue are: the potential for liability associate with disclosure of cybersecurity information, inappropriate release of private information through open government laws, loss of intellectual property, and potential compromise of personal privacy rights. All of these create a legal morass that may be unreconcilable. “A fundamental question lawmakers may need to contemplate is how restrictions that require close government scrutiny and control over shared cyber-information can be squared with other goals of cyber-information sharing legislation, like requirements that received information be disseminated in an almost instantaneous fashion,” the CRS report said.
  • “Ultimately, because the goals of cyber-information legislation are often diametrically opposed, it may simply be impossible for information sharing legislation to simultaneously promote the rapid and robust collection and dissemination of cyber-intelligence by the federal government, while also ensuring that the government respects the property and privacy interests implicated by such information sharing,” the report said. Other new or newly updated CRS reports that Congress has withheld from public distribution include the following. Cybersecurity: Authoritative Reports and Resources, by Topic, March 13, 2015
  • ...1 more annotation...
  • U.S. Strategic Nuclear Forces: Background, Developments, and Issues, March 18, 2015
Paul Merrell

U.S. gives big, secret push to Internet surveillance - CNET - 0 views

www.cnet.com/...-push-to-internet-surveillance

surveillance state ISP-wiretap-immunity DHS NSA DoJ

shared by Paul Merrell on 03 Apr 14 - No Cached
  • Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws. The secret legal authorization from the Justice Department originally applied to a cybersecurity pilot project in which the military monitored defense contractors' Internet links. Since then, however, the program has been expanded by President Obama to cover all critical infrastructure sectors including energy, healthcare, and finance starting June 12. "The Justice Department is helping private companies evade federal wiretap laws," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which obtained over 1,000 pages of internal government documents and provided them to CNET this week. "Alarm bells should be going off." Those documents show the National Security Agency and the Defense Department were deeply involved in pressing for the secret legal authorization, with NSA director Keith Alexander participating in some of the discussions personally. Despite initial reservations, including from industry participants, Justice Department attorneys eventually signed off on the project.
  • The Justice Department agreed to grant legal immunity to the participating network providers in the form of what participants in the confidential discussions refer to as "2511 letters," a reference to the Wiretap Act codified at 18 USC 2511 in the federal statute books. The Wiretap Act limits the ability of Internet providers to eavesdrop on network traffic except when monitoring is a "necessary incident" to providing the service or it takes place with a user's "lawful consent." An industry representative told CNET the 2511 letters provided legal immunity to the providers by agreeing not to prosecute for criminal violations of the Wiretap Act. It's not clear how many 2511 letters were issued by the Justice Department. In 2011, Deputy Secretary of Defense William Lynn publicly disclosed the existence of the original project, called the DIB Cyber Pilot, which used login banners to inform network users that monitoring was taking place. In May 2012, the pilot was turned into an ongoing program -- broader but still voluntary -- by the name of Joint Cybersecurity Services Pilot, with the Department of Homeland Security becoming involved for the first time. It was renamed again to Enhanced Cybersecurity Services program in January, and is currently being expanded to all types of companies operating critical infrastructure.
  • Another e-mail message from a Justice Department attorney wondered: "Will the program cover all parts of the company network -- including say day care centers (as mentioned as a question in a [deputies committee meeting]) and what are the policy implications of this?" The deputies committee includes the deputy secretary of defense, the deputy director of national intelligence, the deputy attorney general, and the vice chairman of the Joint Chiefs of Staff. "These agencies are clearly seeking authority to receive a large amount of information, including personal information, from private Internet networks," says EPIC staff attorney Amie Stepanovich, who filed a lawsuit against Homeland Security in March 2012 seeking documents relating to the program under the Freedom of Information Act. "If this program was broadly deployed, it would raise serious questions about government cybersecurity practices." In January, the Department of Homeland Security's privacy office published a privacy analysis (PDF) of the program saying that users of the networks of companies participating in the program will see "an electronic login banner [saying] information and data on the network may be monitored or disclosed to third parties, and/or that the network users' communications on the network are not private."
  • ...2 more annotations...
  • Paul Rosenzweig, a former Homeland Security official and founder of Red Branch Consulting, compared the NSA and DOD asking the Justice Department for 2511 letters to the CIA asking the Justice Department for the so-called torture memos a decade ago. (They were written by Justice Department official John Yoo, who reached the controversial conclusion that waterboarding was not torture.) "If you think of it poorly, it's a CYA function," Rosenzweig says. "If you think well of it, it's an effort to secure advance authorization for an action that may not be clearly legal." A report (PDF) published last month by the Congressional Research Service, a non-partisan arm of Congress, says the executive branch likely does not have the legal authority to authorize more widespread monitoring of communications unless Congress rewrites the law. "Such an executive action would contravene current federal laws protecting electronic communications," the report says.
  • An internal Defense Department presentation cites as possible legal authority a classified presidential directive called NSPD 54 that President Bush signed in January 2008. Obama's own executive order , signed in February 2013, says Homeland Security must establish procedures to expand the data-sharing program "to all critical infrastructure sectors" by mid-June. Those are defined as any companies providing services that, if disrupted, would harm national economic security or "national public health or safety."
  • Paul Merrell on 03 Apr 14
     
    Article is from April 2013, before the Snowden disclosures. 
Paul Merrell

Senate majority whip: Cyber bill will have to wait until fall | TheHill - 0 views

thehill.com/...l-will-have-to-wait-until-fall

surveillance state CISA legislation digital-privacy

shared by Paul Merrell on 30 Jul 15 - No Cached
  • Senate Majority Whip John Cornyn (R-Texas) on Tuesday said the upper chamber is unlikely to move on a stalled cybersecurity bill before the August recess.Senate Republican leaders, including Cornyn, had been angling to get the bill — known as the Cybersecurity Information Sharing Act (CISA) — to the floor this month.ADVERTISEMENTBut Cornyn said that there is simply too much of a time crunch in the remaining legislative days to get to the measure, intended to boost the public-private exchange of data on hackers.  “I’m sad to say I don’t think that’s going to happen,” he told reporters off the Senate floor. “The timing of this is unfortunate.”“I think we’re just running out time,” he added.An aide for Senate Majority Leader Mitch McConnell (R-Ky.) said he had not committed to a specific schedule after the upper chamber wraps up work in the coming days on a highway funding bill.Cornyn said Senate leadership will look to move on the bill sometime after the legislature returns in September from its month-long break.
  • The move would delay yet again what’s expected to be a bruising floor fight about government surveillance and digital privacy rights.“[CISA] needs a lot of work,” Sen. Patrick Leahy (D-Vt.), who currently opposes the bill, told The Hill on Tuesday. “And when it comes up, there’s going to have to be a lot of amendments otherwise it won’t pass.”Despite industry support, broad bipartisan backing, and potentially even White House support, CISA has been mired in the Senate for months over privacy concerns.Civil liberties advocates worry the bill would create another venue for the government’s intelligence wing to collect sensitive data on Americans only months after Congress voted to rein in surveillance powers.But industry groups and many lawmakers insist a bolstered data exchange is necessary to better understand and counter the growing cyber threat. Inaction will leave government and commercial networks exposed to increasingly dangerous hackers, they say.Sen. Ron Wyden (D-Ore.), who has been leading the chorus opposing the bill, rejoiced Tuesday after hearing of the likely delay.
  • “I really want to commend the advocates for the tremendous grassroots effort to highlight the fact that this bill was badly flawed from a privacy standpoint,” he told The Hill.Digital rights and privacy groups are blanketing senators’ offices this week with faxes and letters in an attempt to raise awareness of bill’s flaws.“Our side has picked up an enormous amount of support,” Wyden said.Wyden was the only senator to vote against CISA in the Senate Intelligence Committee. The panel approved the measure in March by a 14-1 vote and it looked like CISA was barrelling toward the Senate floor.After the House easily passed its companion pieces of legislation, CISA’s odds only seemed better.But the measure got tied up in the vicious debate over the National Security Agency's (NSA) spying powers that played out throughout April and May.“It’s like a number of these issues, in the committee the vote was 14-1, everyone says, ‘oh, Ron Wyden opposes another bipartisan bill,’” Wyden said Tuesday. “And I said, ‘People are going to see that this is a badly flawed bill.’”
  • ...2 more annotations...
  • CISA backers hoped that the ultimate vote to curb the NSA’s surveillance authority might quell some of the privacy fears surrounding CISA, clearing a path to passage. But numerous budget debates and the Iranian nuclear deal have chewed up much of the Senate’s floor time throughout June and July.  Following the devastating hacks at the Office of Personnel Management (OPM), Senate Republican leaders tried to jump CISA in the congressional queue by offering its language as an amendment to a defense authorization bill.Democrats — including the bill’s original co-sponsor Sen. Dianne Feinstein (D-Calif.) — revolted, angry they could not offer amendments to CISA’s language before it was attached to the defense bill.Cornyn on Tuesday chastised Democrats for stalling a bill that many of them favor.“As you know, Senate Democrats blocked that before on the defense authorization bill,” Cornyn said. “So we had an opportunity to do it then.”Now it’s unclear when the Senate will have another opportunity.When it does, however, CISA could have the votes to get through.
  • There will be vocal opposition from senators like Wyden and Leahy, and potentially from anti-surveillance advocates like Sens. Rand Paul (R-Ky.), Mike Lee (R-Utah) and Dean Heller (R-Nev.).But finding 40 votes to block the bill completely will be a difficult task.Wyden said he wouldn’t “get into speculation” about whether he could gather the support to stop CISA altogether.“I’m pleased about the progress that we’ve made,” he said.
  • Paul Merrell on 30 Jul 15
     
    NSA and crew decide to delay and try later with CISA. The Internet strikes back again.
Paul Merrell

Victory Over Cyber Spying | Electronic Frontier Foundation - 0 views

www.eff.org/...victory-over-cyber-spying

surveillance state Cybersecurity Bill internet politics

shared by Paul Merrell on 03 Aug 12 - No Cached
  • This morning, the US Senate defeated the Cybersecurity Act of 2012, a bill that would have given companies new rights to monitor our private communications and pass that data to the government. The bill sponsors were 8 votes short of the 60 votes necessary to end debate on the bill (vote breakdown here). This is a victory for Internet freedom advocates everywhere. Hundreds of thousands of individuals emailed, tweeted, called, and sent Facebook messages to Senators asking them to defend privacy in the cybersecurity debate. Those voices were heard loud and clear in the halls of Congress today. EFF extends our heartfelt thanks to everyone who fought with us on this issue. We can all be proud today that there was no law enacted on our watch that would have compromised the online privacy rights of Internet users in the name of cybersecurity.  
  • Internet users also found they had powerful friends in the Senate. Senators Al Franken, Richard Durbin, Chris Coons, Bernie Sanders, Daniel Akaka, Ron Wyden and Richard Blumenthal championed civil liberties fixes to the bill. Senator Wyden, in particular, opposed the bill on privacy grounds, stating:  Today’s vote was one in which Senators were asked to sacrifice Internet users’ privacy and civil liberties for weak proposals to improve cyber security; I voted no. And Senators Al Franken and Rand Paul sponsored an amendment that would have removed the most privacy-invasive provisions of the bill. These champions of online rights helped us in the cybersecurity fight – and will hopefully stand with us again in defending civil liberties the next time this issue arises.
Paul Merrell

Senate committee adopts cybersecurity bill opposed by NSA critics | World news | thegua... - 0 views

www.theguardian.com/...ty-bill-opposed-by-nsa-critics

surveillance state NSA legislation cyberwar vulnerabilities

shared by Paul Merrell on 10 Jul 14 - No Cached
  • The Senate intelligence committee voted Tuesday to adopt a major cybersecurity bill that critics fear will give the National Security Agency even wider access to American data than it already has.Observers said the bill, approved by a 12 to 3 vote in a meeting closed to the public, would face a difficult time passing the full Senate, considering both the shortened legislative calendar in an election year and the controversy surrounding surveillance.But the bill is a priority of current and former NSA directors, who warn that private companies’ vulnerability to digital sabotage and economic data exfiltration will get worse without it.Pushed by Dianne Feinstein and Saxby Chambliss, the California Democrat and Georgia Republican who lead the committee, the bill would remove legal obstacles that block firms from sharing information "in real time" about cyber-attacks and prevention or mitigation measures with one another and with the US government.
  • Worrying civil libertarians is that the NSA and its twin military command, US Cyber Command, would receive access to vast amounts of data, and privacy guidelines for the handling of that data are yet to be developed.A draft of the bill released in mid-June would permit government agencies to share, retain and use the information for "a cybersecurity purpose" – defined as "the purpose of protecting an information system or information that is stored on, processed by or transiting an information system from a cybersecurity threat or security vulnerability" – raising the prospect of the NSA stockpiling a catalogue of weaknesses in digital security, as a recent White House data-assurance policy permits.It would also prevent participating companies from being sued for sharing data with each other and the government, even though many companies offer contract terms of service prohibiting the sharing of client or customer information without explicit consent.
  • But digital rights advocates warn that the measure will give the government, including the NSA, access to more information than just that relating to cyberthreats, potentially creating a new avenue for broad governmental access to US data even as Congress and the Obama administration contemplate restricting the NSA's domestic collection.The bill contains "catch-all provisions that would allow for the inclusion of a lot more than malicious code. It could include the content of communications. That's one of the biggest concerns," said Gabriel Rottman, an attorney with the American Civil Liberties Union.Provisions in the bill are intended to protect American privacy on the front end by having participating companies strike "indicators … known to be personal information of or identifying a United States person" before the government sees it, but the draft version leaves specific guidelines for privacy protection up to the attorney general."Nobody knows whether the flow from the private sector will be a trickle or a river or an ocean. The bill contemplates an ocean, and that's what worries us," said Greg Nojeim of the Center for Democracy and Technology.
Paul Merrell

Secrecy News - from the FAS Project on Government Secrecy - 0 views

blogs.fas.org/secrecy

surveillance state Cybersecurity research-resources Cloud-Computing

shared by Paul Merrell on 31 Oct 13 - No Cached
  • New or newly updated reports from the Congressional Research Service that Congress has withheld from online public distribution include the following.
  • Cybersecurity: Authoritative Reports and Resources, October 25, 2013
  • “The President… recognizes that U.S. citizens and institutions should have a reasonable expectation of privacy from foreign or domestic intercept when using the public telephone system,” according to National Security Decision Memorandum 338 of September 1, 1976 (document 180).
  • ...2 more annotations...
  • The Central Intelligence Agency today asked a court to allow more time to declassify its response to the Senate Select Committee on Intelligence report on CIA rendition, detention and interrogation (RDI) activities, which itself is undergoing a time-consuming declassification review. “This complex process requires the careful review of over 500 pages of highly classified material. In addition, sufficient time must be allowed not only for coordination with other agencies, but — after completion of declassification review — for implementation of security measures to ensure the safety of U.S. personnel and facilities overseas,” according to a May 15 motion filed by the government in a FOIA lawsuit brought by the ACLU. “Due to the fluid nature of this process, aspects of which are beyond the CIA’s control, the Agency does not yet have a firm date by which it can complete the processing of the CIA Response [to the SSCI report] and the so-called Panetta Report, although it hopes the declassification review and accompanying processing of those documents can be completed this summer.” The CIA therefore requested an extension of time to respond, to which the ACLU plaintiffs did not consent.
  • With respect to the Senate Intelligence Committee report itself, the government promised an “expeditious” declassification review of the executive summary, findings, and conclusions. “While all declassification decisions are guided by the need to protect national security interests, the President has expressed a clear intent to declassify as much of the executive summary, findings, and conclusions of the SSCI Report as possible, and intends the declassification process to be expeditious,” the government motion said. According to an April 18 letter from then-White House counsel Katherine Ruemmler, appended to the new motion, “The President supports making public the Committee’s important review of the historical RDI program, as he believes that public scrutiny and debate will help to inform the public understanding of the program and to ensure that such a program will not be contemplated by a future administration.
  • Paul Merrell on 31 Oct 13
     
    Congress in its wisdom does not publish all Congressional Research Service reports online. The Federation of American Scientists Project on Government Secrecy fills that gap. The report linked in this bookmark is an amazing compendium of research resources on the topic of cybersecurity, with a heavy emphasis on cloud computing. 
Paul Merrell

Sloppy Cyber Threat Sharing Is Surveillance by Another Name | Just Security - 0 views

justsecurity.org/...er-threat-sharing-surveillance

surveillance state legislation CISA cyberthreat-reporting emails

shared by Paul Merrell on 06 Jul 15 - No Cached
  • Imagine you are the target of a phishing attack: Someone sends you an email attachment containing malware. Your email service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It’s the Department of Homeland Security (DHS), and they’re curious. The malware appears to be from Turkey. Why, DHS wants to know, might someone in Turkey be interested in attacking you? So, would your email company please share all your emails with the government? Knowing more about you, investigators might better understand the attack. Normally, your email provider wouldn’t be allowed to give this information over without your consent or a search warrant. But that could soon change. The Senate may soon make another attempt at passing the Cybersecurity Information Sharing Act, a bill that would waive privacy laws in the name of cybersecurity. In April, the US House of Representatives passed by strong majorities two similar “cyber threat” information sharing bills. These bills grant companies immunity for giving DHS information about network attacks, attackers, and online crimes.
  • Sharing information about security vulnerabilities is a good idea. Shared vulnerability data empowers other system operators to check and see if they, too, have been attacked, and also to guard against being similarly attacked in the future. I’ve spent most of my career fighting for researchers’ rights to share this kind of information against threats from companies that didn’t want their customers to know their products were flawed. But, these bills gut legal protections against government fishing expeditions exactly at a time when individuals and Internet companies need privacy laws to get stronger, not weaker. 
  • Worse, the bills aren’t needed. Private companies share threat data with each other, and even with the government, all the time. The threat data that security professionals use to protect networks from future attacks is a far more narrow category of information than those included in the bills being considered by Congress, and will only rarely contain private information. And none of the recent cyberattacks — not Sony, not Target, and not the devastating grab of sensitive background check interviews on government employees at the Office of Personnel Management — would have been mitigated by these bills.
Paul Merrell

Activists send the Senate 6 million faxes to oppose cyber bill - CBS News - 0 views

www.cbsnews.com/...ion-faxes-to-oppose-cyber-bill

surveillance state CISA legislation faxes Obama

shared by Paul Merrell on 06 Aug 15 - No Cached
  • Activists worried about online privacy are sending Congress a message with some old-school technology: They're sending faxes -- more than 6.2 million, they claim -- to express opposition to the Cybersecurity Information Sharing Act (CISA).Why faxes? "Congress is stuck in 1984 and doesn't understand modern technology," according to the campaign Fax Big Brother. The week-long campaign was organized by the nonpartisan Electronic Frontier Foundation, the group Access and Fight for the Future, the activist group behind the major Internet protests that helped derail a pair of anti-piracy bills in 2012. It also has the backing of a dozen groups like the ACLU, the American Library Association, National Association of Criminal Defense Lawyers and others.
  • CISA aims to facilitate information sharing regarding cyberthreats between the government and the private sector. The bill gained more attention following the massive hack in which the records of nearly 22 million people were stolen from government computers."The ability to easily and quickly share cyber attack information, along with ways to counter attacks, is a key method to stop them from happening in the first place," Sen. Dianne Feinstein, D-California, who helped introduce CISA, said in a statement after the hack. Senate leadership had planned to vote on CISA this week before leaving for its August recess. However, the bill may be sidelined for the time being as the Republican-led Senate puts precedent on a legislative effort to defund Planned Parenthood.Even as the bill was put on the backburner, the grassroots campaign to stop it gained steam. Fight for the Future started sending faxes to all 100 Senate offices on Monday, but the campaign really took off after it garnered attention on the website Reddit and on social media. The faxed messages are generated by Internet users who visit faxbigbrother.com or stopcyberspying.com -- or who simply send a message via Twitter with the hashtag #faxbigbrother. To send all those faxes, Fight for the Future set up a dedicated server and a dozen phone lines and modems they say are capable of sending tens of thousands of faxes a day.
  • Fight for the Future told CBS News that it has so many faxes queued up at this point, that it may take months for Senate offices to receive them all, though the group is working on scaling up its capability to send them faster. They're also limited by the speed at which Senate offices can receive them.
  • Paul Merrell on 06 Aug 15
     
    From an Fight For the Future mailing: "Here's the deal: yesterday the Senate delayed its expected vote on CISA, the Cybersecurity Information Sharing Act that would let companies share your private information--like emails and medical records--with the government. "The delay is good news; but it's a delay, not a victory. "We just bought some precious extra time to fight CISA, but we need to use it to go big like we did with SOPA or this bill will still pass. Even if we stop it in September, they'll try again after that. "The truth is that right now, things are looking pretty grim. Democrats and Republicans have been holding closed-door meetings to work out a deal to pass CISA quickly when they return from recess. "Right before the expected Senate vote on CISA, the Obama Administration endorsed the bill, which means if Congress passes it, the White House will definitely sign it.  "We've stalled and delayed CISA and bills like it nearly half a dozen times, but this month could be our last chance to stop it for good." See also http://tumblr.fightforthefuture.org/post/125953876003/senate-fails-to-advance-cisa-before-recess-amid (;) http://www.cbsnews.com/news/activists-send-the-senate-6-million-faxes-to-oppose-cyber-bill/ (;) http://www.npr.org/2015/08/04/429386027/privacy-advocates-to-senate-cyber-security-bill (.)
Paul Merrell

Distrust of US surveillance threatens data deal | TheHill - 0 views

thehill.com/...rveillance-threatens-data-deal

surveillance state EU NSA safe-harbor negotiations Congress

shared by Paul Merrell on 08 Feb 16 - No Cached
  • European privacy regulators are putting U.S. surveillance practices under the microscope, this time with a crucial transatlantic data deal hanging in the balance.Legal and privacy advocates say European nations are poised to strike down the deal if they decide the U.S. hasn't done enough to reform its spying programs.The new test comes after the European Commission and the Commerce Department — after months of tense negotiations — reached a deal this week permitting Facebook, Google and thousands of other companies to continue legally handling Europeans’ personal data.ADVERTISEMENTCritics though have long warned that unless the U.S. overhauls its privacy and national security laws, there is no legal framework that can stand up in European court, where privacy is considered a fundamental right under the EU Charter.A working group of 28 EU nations’ data protection authorities — domestic entities separate from the Commission that will be in charge of enforcing the new agreement — may now cast the deciding vote.The group is spending the next few months picking through the so-called Privacy Shield agreement to determine if it adequately protects the personal data of European citizens.
  • “The Commission has said, ‘We’re satisfied. We believe them. We believe the U.S. has substantially changed its practices,’ and they are no longer going off the [Edward] Snowden revelations in the media,” said Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.“Whether the working group will go along with it is another question.”The privacy advocate whose complaint against Facebook brought down the Privacy Shield’s 15-year-old predecessor agreement is already questioning the new deal’s validity.“With all due respect ... a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit U.S. law allowing mass surveillance,” Max Schrems of Austria said in a statement Tuesday.The United States has been fighting against the perception that it tramples on civil liberties after ex-National Security Agency contractor Edward Snowden revealed the breadth of the agency’s snooping.One sticking point in the Privacy Shield negotiations was over the scope of an exception allowing surveillance for national security purposes.
  • In announcing the deal, Commission officials insisted that the U.S. had provided “detailed written assurances” that surveillance of Europeans’ data by intelligence agencies would be subject to appropriate limitations.“The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans,” Andrus Ansip, Vice President for the Digital Single Market on the European Commission, said Tuesday.The U.S. has also agreed to create an office in the State Department, to address complaints from EU citizens who feel their data has been inappropriately accessed by intelligence authorities.Complicating the working group’s approval of the deal is the hodgepodge of competing regulators in Europe. Each nation has an agency in charge of its own country’s regulation. Some countries — such as Germany — are seen as tougher on privacy than others, like France or the U.K.While some countries consider U.S. privacy protections to be satisfactory, in others they are seen as woefully inadequate.
  • ...2 more annotations...
  • Defenders of U.S. intelligence practices often point to France and the U.K., arguing they are equally intrusive with their citizens' data.A recent public report “pretty clearly documented that the protections are patchy, vary hugely and are nonexistent in some of the countries,” Foster noted.Privacy advocates dismiss those arguments.“You cannot pick the worst member state, like the U.K., and claim you are ‘equivalent’ to that,” Schrems said Tuesday. “First, this is not a price [sic] you want to win, secondly you have to meet the standards of the European Court of Justice, EU law and the EU Charter of Fundamental Rights — not the standard of the worst member state.”The U.S. has made significant reforms to federal spying powers under the Obama administration.The Privacy and Civil Liberties Oversight Board — a small bipartisan watchdog — on Friday said the government has begun addressing each of the nearly two-dozen recommendations it made following Snowden's revelations.“[I]mportant measures have been taken to enhance the protection of Americans’ privacy and civil liberties and to strengthen the transparency of the government’s surveillance efforts, without jeopardizing our counterterrorism efforts,” the five-member board said.
  • But whether European countries believe those changes are sufficient to sign off on the Privacy Shield is uncertain. Each of the EU’s 28 member states must approve the deal before it can be finalized.“A lot of this is going to come down to whether the data protection authorities are persuaded by the U.S.’s portrayal of the cumulative protections given to European citizens and the cumulative carving back on the NSA surveillance programs,” Foster said.If the European working group is not satisfied with the assurances from the Commerce Department, the consequences could be dire. Businesses fear a chilling of transatlantic trade, valued at $1 trillion in 2014.The most likely outcome, experts say, would be a patchwork of country-to-country regulations that would make it extremely expensive for companies to comply.Legislative changes in the U.S. seem unlikely. Congress is close to passing a privacy law considered crucial to getting seeing the Privacy Shield approved. But the bill — which gives EU citizens the right to sue in U.S. courts over the misuse of personal data — has sparked controversy on Capitol Hill.Some lawmakers are expressing frustration that the EU has used the threat of enforcement action against U.S. companies to push Congress to make more concessions.“It’s been hard enough to get the Judicial Redress Act passed — if they’re going to make more demands on Congress, there won’t be a lot of willing listeners here,” Sen. Chris Murphy (D-Conn.) told The Hill on Thursday.
Paul Merrell

Dr. Joseph Bonneau Wins NSA Award, Criticizes NSA | Electronic Frontier Foundation - 0 views

www.eff.org/...ins-nsa-award-criticizes-nsa-0

surveillance state NSA Bonneau NSA-blowback

shared by Paul Merrell on 27 Nov 13 - No Cached
  • "Like many in the community of cryptographers and security engineers, I’m sad that we haven’t better informed the public about the inherent dangers and questionable utility of mass surveillance. And like many American citizens I’m ashamed we’ve let our politicians sneak the country down this path." -- Bonneau On July 18th, Dr. Joseph Bonneau, a software engineer at Google, received the National Security Agency’s award for the best scientific cybersecurity paper.  According to its stated mission, the competition was created to help broaden the scientific foundations of cybersecurity needed in the development of systems that are resilient to cyber attacks. But Bonneau was deeply conflicted about receiving the award, noting on his blog that even though he was flattered to receive the award he didn’t condone the mass surveillance programs run by the NSA:  “Simply put, I don’t think a free society is compatible with an organisation like the NSA in its current form." Bonneau elaborated on his feelings in a Twitter discussion as well as in an interview with Animal during which he said: "I’d rather have it [the NSA] abolished than persist in its current form. I think there’s a question about whether it’s possible to reform the NSA into something that’s more reasonable."
  • Engineers and researchers like Bonneau have a unique and important role to play in fighting back against NSA oversteps. As Michael Hirsh noted in the Atlantic last month, "The government's massive data collection and surveillance system was largely built not by professional spies or Washington bureaucrats but by Silicon Valley and private defense contractors."  As Hirsh explained, tech companies have contributed enormously to wiring up Big Brother -- companies like Palantir Technologies, Eagle Alliance (of Computer Sciences Corp. and Northrup Grumman) and Booz Allen Hamilton. The only way the government gets to spy on everyone is when people who are intelligent and innovative enough to build scalable surveillance technologies decide to help them.
  • Paul Merrell on 27 Nov 13
     
    A courageous stand.
Paul Merrell

CISPA is back! - 0 views

www.faxbigbrother.com

surveillance state legislation CISA digital-privacy

shared by Paul Merrell on 28 Jul 15 - No Cached
  • OPERATION: Fax Big Brother Congress is rushing toward a vote on CISA, the worst spying bill yet. CISA would grant sweeping legal immunity to giant companies like Facebook and Google, allowing them to do almost anything they want with your data. In exchange, they'll share even more of your personal information with the government, all in the name of "cybersecurity." CISA won't stop hackers — Congress is stuck in 1984 and doesn't understand modern technology. So this week we're sending them thousands of faxes — technology that is hopefully old enough for them to understand. Stop CISA. Send a fax now!
  • (Any tweet w/ #faxbigbrother will get faxed too!) Your email is only shown in your fax to Congress. We won't add you to any mailing lists.
  • CISA: the dirty deal between government and corporate giants. It's the dirty deal that lets much of government from the NSA to local police get your private data from your favorite websites and lets them use it without due process. The government is proposing a massive bribe—they will give corporations immunity for breaking virtually any law if they do so while providing the NSA, DHS, DEA, and local police surveillance access to everyone's data in exchange for getting away with crimes, like fraud, money laundering, or illegal wiretapping. Specifically it incentivizes companies to automatically and simultaneously transfer your data to the DHS, NSA, FBI, and local police with all of your personally-indentifying information by giving companies legal immunity (notwithstanding any law), and on top of that, you can't use the Freedom of Information Act to find out what has been shared.
  • ...1 more annotation...
  • The NSA and members of Congress want to pass a "cybersecurity" bill so badly, they’re using the recent hack of the Office of Personnel Management as justification for bringing CISA back up and rushing it through. In reality, the OPM hack just shows that the government has not been a good steward of sensitive data and they need to institute real security measures to fix their problems. The truth is that CISA could not have prevented the OPM hack, and no Senator could explain how it could have. Congress and the NSA are using irrational hysteria to turn the Internet into a place where the government has overly broad, unchecked powers. Why Faxes? Since 2012, online and civil liberties groups and 30,000+ sites have driven more than 2.6 million emails and hundreds of thousands of calls, tweets and more to Congress opposing overly broad cybersecurity legislation. Congress has tried to pass CISA in one form or another 4 times, and they were beat back every time by people like you. It's clear Congress is completely out of touch with modern technology, so this week, as Congress rushes toward a vote on CISA, we are going to send them thousands of faxes, a technology from the 1980s that is hopefully antiquated enough for them to understand. Sending a fax is super easy — you can use this page to send a fax. Any tweet with the hashtag #faxbigbrother will get turned into a fax to Congress too, so what are you waiting for? Click here to send a fax now!
Paul Merrell

FBI Director: Sony's 'Sloppy' North Korean Hackers Revealed Their IP Addresses | WIRED - 0 views

www.wired.com/...s-failed-use-proxies-sony-hack

war & peace cyberwar North-Korea Sony-hack FBI Comey

shared by Paul Merrell on 08 Jan 15 - No Cached
  • The Obama administration has been tightlipped about its controversial naming of the North Korean government as the definitive source of the hack that eviscerated Sony Pictures Entertainment late last year. But FBI director James Comey is standing by the bureau’s conclusion, and has offered up a few tiny breadcrumbs of the evidence that led to it. Those crumbs include the claim that Sony hackers sometimes failed to use the proxy servers that masked the origin of their attack, revealing IP addresses that the FBI says were used exclusively by North Korea. Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has “very high confidence” in the FBI’s attribution of the attack to North Korea. And he named several of the sources of his evidence, including a “behavioral analysis unit” of FBI experts trained to psychologically analyze foes based on their writings and actions. He also said that the FBI compared the Sony attack with their own “red team” simulations to determine how the attack could have occurred. And perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.
  • “In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said. “Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using…were exclusively used by the North Koreans.” “They shut it off very quickly once they saw the mistake,” he added. “But not before we saw where it was coming from.” Comey’s brief and cryptic remarks—with no opportunity for followup questions from reporters—respond to skepticism and calls for more evidence from cybersecurity experts unsatisfied with the FBI’s vague statements tying the hack to North Korean government. In a previous public announcement the FBI had said only that it found “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” as well as IP addresses that matched prior attacks it knows to have originated in North Korea. At that time, the FBI also said it had further evidence matching the tools used in the attack to a North Korean hacking attack that hit South Korean banks and media outlets.
  • Following those elliptical statements, the cybersecurity community demanded more information be released to prove North Korea’s involvement. Some have even signed a petition on the White House website calling for more transparency in the investigation. Well-known security blogger and author Bruce Schneier has compared the FBI’s “trust us” mentality to the claims of the Bush administration about Saddam Hussein’s nonexistent weapons of mass destruction in the run-up to the Iraq War. Without more information, security experts themselves have remained deeply divided in their conclusions about who hacked Sony.
  • ...1 more annotation...
  • That pseudo-explanation will likely do little to quell the security community’s doubts. Even if the hackers appeared to fail to use proxies on some occasions, it could still be very difficult to be sure those “real” IP addresses weren’t proxies themselves designed to serve as further misdirection. And a nagging loose thread remains that the Guardians of Peace hackers in their initial statements to Sony tried to extort money from the company before making any political demands. Sony’s Kim Jong-un assassination comedy “The Interview,” the suppression of which is believed by many to be the North Korean government’s motive in the hack, wasn’t even mentioned by the hackers until long after the intrusion was underway. Comey didn’t address that plot hole in the North Korean explanation in his speech.
Paul Merrell

Secret US cybersecurity report: encryption vital to protect private data | US news | Th... - 0 views

www.theguardian.com/...ect-data-cameron-paris-attacks

surveillance-state NSA GCHQ encryption hypocrisy

shared by Paul Merrell on 17 Jan 15 - No Cached
  • A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough. The advice, in a newly uncovered five-year forecast written in 2009, contrasts with the pledge made by David Cameron this week to crack down on encryption use by technology companies.
  • In the wake of the Paris terror attacks, the prime minister said there should be no “safe spaces for terrorists to communicate” or that British authorites could not access. Cameron, who landed in the US on Thursday night, is expected to urge Barack Obama to apply more pressure to tech giants, such as Apple, Google and Facebook, which have been expanding encrypted messaging for their millions of users since the revelations of mass NSA surveillance by the whistleblower Edward Snowden.
  • Cameron said the companies “need to work with us. They need also to demonstrate, which they do, that they have a social responsibility to fight the battle against terrorism. We shouldn’t allow safe spaces for terrorists to communicate. That’s a huge challenge but that’s certainly the right principle”. But the document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data. Part of the cache given to the Guardian by Snowden was published in 2009 and gives a five-year forecast on the “global cyber threat to the US information infrastructure”. It covers communications, commercial and financial networks, and government and critical infrastructure systems. It was shared with GCHQ and made available to the agency’s staff through its intranet.
  • ...6 more annotations...
  • An unclassified table accompanying the report states that encryption is the “[b]est defense to protect data”, especially if made particularly strong through “multi-factor authentication” – similar to two-step verification used by Google and others for email – or biometrics. These measures remain all but impossible to crack, even for GCHQ and the NSA. The report warned: “Almost all current and potential adversaries – nations, criminal groups, terrorists, and individual hackers – now have the capability to exploit, and in some cases attack, unclassified access-controlled US and allied information systems.” It further noted that the “scale of detected compromises indicates organisations should assume that any controlled but unclassified networks of intelligence, operational or commercial value directly accessible from the internet are already potentially compromised by foreign adversaries”.
  • The report had some cause for optimism, especially in the light of Google and other US tech giants having in the months prior greatly increased their use of encryption efforts. “We assess with high confidence that security best practices applied to target networks would prevent the vast majority of intrusions,” it concluded. Official UK government security advice still recommends encryption among a range of other tools for effective network and information defence. However, end-to-end encryption – which means only the two people communicating with each other, and not the company carrying the message, can decode it – is problematic for intelligence agencies as it makes even warranted collection much more difficult.
  • The previous week, a day after the attack on the Charlie Hebdo office in Paris, the MI5 chief, Andrew Parker, called for new powers and warned that new technologies were making it harder to track extremists. In November, the head of GCHQ, Robert Hannigan, said US social media giants had become the “networks of choice” for terrorists. Chris Soghoian, principal senior policy analyst at the American Civil Liberties Union, said attempts by the British government to force US companies to weaken encryption faced many hurdles.
  • The Guardian, New York Times and ProPublica have previously reported the intelligence agencies’ broad efforts to undermine encryption and exploit rather than reveal vulnerabilities. This prompted Obama’s NSA review panel to warn that the agency’s conflicting missions caused problems, and so recommend that its cyber-security responsibilities be removed to prevent future issues.
  • The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world. The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”. GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.
  • Michael Beckerman, president and CEO of the Internet Association, a lobby group that represents Facebook, Google, Reddit, Twitter, Yahoo and other tech companies, said: “Just as governments have a duty to protect to the public from threats, internet services have a duty to our users to ensure the security and privacy of their data. That’s why internet services have been increasing encryption security.”
Paul Merrell

Obama to propose legislation to protect firms that share cyberthreat data - The Washing... - 0 views

www.washingtonpost.com/...4-bcfb-059ec7a93ddc_story.html

surveillance state U.S. digital-privacy legislation

shared by Paul Merrell on 19 Jan 15 - No Cached
  • President Obama plans to announce legislation Tuesday that would shield companies from lawsuits for sharing computer threat data with the government in an effort to prevent cyber­attacks. On the heels of a destructive attack at Sony Pictures Entertainment and major breaches at JPMorgan Chase and retail chains, Obama is intent on capitalizing on the heightened sense of urgency to improve the security of the nation’s networks, officials said. “He’s been doing everything he can within his executive authority to move the ball on this,” said a senior administration official who spoke on the condition of anonymity to discuss legislation that has not yet been released. “We’ve got to get something in place that allows both industry and government to work more closely together.”
  • The legislation is part of a broader package, to be sent to Capitol Hill on Tuesday, that includes measures to help protect consumers and students against ­cyberattacks and to give law enforcement greater authority to combat cybercrime. The provision’s goal is to “enshrine in law liability protection for the private sector for them to share specific information — cyberthreat indicators — with the government,” the official said. Some analysts questioned the need for such legislation, saying there are adequate measures in place to enable sharing between companies and the government and among companies.
  • “We think the current information-sharing regime is adequate,” said Mark Jaycox, legislative analyst at the Electronic Frontier Foundation, a privacy group. “More companies need to use it, but the idea of broad legal immunity isn’t needed right now.” The administration official disagreed. The lack of such immunity is what prevents many companies from greater sharing of data with the government, the official said. “We have heard that time and time again,” the official said. The proposal, which builds on a 2011 administration bill, grants liability protection to companies that provide indicators of cyberattacks and threats to the Department of Homeland Security.
  • ...5 more annotations...
  • But in a provision likely to raise concerns from privacy advocates, the administration wants to require DHS to share that information “in as near real time as possible” with other government agencies that have a cybersecurity mission, the official said. Those include the National Security Agency, the Pentagon’s ­Cyber Command, the FBI and the Secret Service. “DHS needs to take an active lead role in ensuring that unnecessary personal information is not shared with intelligence authorities,” Jaycox said. The debates over government surveillance prompted by disclosures from former NSA contractor Edward Snowden have shown that “the agencies already have a tremendous amount of unnecessary information,” he said.
  • The administration official stressed that the legislation will require companies to remove unnecessary personal information before furnishing it to the government in order to qualify for liability protection. It also will impose limits on the use of the data for cybersecurity crimes and instances in which there is a threat of death or bodily harm, such as kidnapping, the official said. And it will require DHS and the attorney general to develop guidelines for the federal government’s use and retention of the data. It will not authorize a company to take offensive cyber-measures to defend itself, such as “hacking back” into a server or computer outside its own network to track a breach. The bill also will provide liability protection to companies that share data with private-sector-developed organizations set up specifically for that purpose. Called information sharing and analysis organizations, these groups often are set up by particular industries, such as banking, to facilitate the exchange of data and best practices.
  • Efforts to pass information-sharing legislation have stalled in the past five years, blocked primarily by privacy concerns. The package also contains provisions that would allow prosecution for the sale of botnets or access to armies of compromised computers that can be used to spread malware, would criminalize the overseas sale of stolen U.S. credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk people or commit identity theft, and would give courts the authority to shut down botnets being used for criminal activity, such as denial-of-service attacks.
  • It would reaffirm that federal racketeering law applies to cybercrimes and amends the Computer Fraud and Abuse Act by ensuring that “insignificant conduct” does not fall within the scope of the statute. A third element of the package is legislation Obama proposed Monday to help protect consumers and students against cyberattacks. The theft of personal financial information “is a direct threat to the economic security of American families, and we’ve got to stop it,” Obama said. The plan, unveiled in a speech at the Federal Trade Commission, would require companies to notify customers within 30 days after the theft of personal information is discovered. Right now, data breaches are handled under a patchwork of state laws that the president said are confusing and costly to enforce. Obama’s plan would streamline those into one clear federal standard and bolster requirements for companies to notify customers. Obama is proposing closing loopholes to make it easier to track down cybercriminals overseas who steal and sell identities. “The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy,” he said.
  • In October, Obama signed an order to protect consumers from identity theft by strengthening security features in credit cards and the terminals that process them. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said there is concern that a federal standard would “preempt stronger state laws” about how and when companies have to notify consumers. The Student Digital Privacy Act would ensure that data entered would be used only for educational purposes. It would prohibit companies from selling student data to third-party companies for purposes other than education. Obama also plans to introduce a Consumer Privacy Bill of Rights. And the White House will host a summit on cybersecurity and consumer protection on Feb. 13 at Stanford University.
Paul Merrell

Cy Vance's Proposal to Backdoor Encrypted Devices Is Riddled With Vulnerabilities | Jus... - 0 views

www.justsecurity.org/...evices-riddled-vulnerabilities

surveillance state encryption-backdoors Vance tyranny right-to-whisper

shared by Paul Merrell on 11 Dec 15 - No Cached
  • Less than a week after the attacks in Paris — while the public and policymakers were still reeling, and the investigation had barely gotten off the ground — Cy Vance, Manhattan’s District Attorney, released a policy paper calling for legislation requiring companies to provide the government with backdoor access to their smartphones and other mobile devices. This is the first concrete proposal of this type since September 2014, when FBI Director James Comey reignited the “Crypto Wars” in response to Apple’s and Google’s decisions to use default encryption on their smartphones. Though Comey seized on Apple’s and Google’s decisions to encrypt their devices by default, his concerns are primarily related to end-to-end encryption, which protects communications that are in transit. Vance’s proposal, on the other hand, is only concerned with device encryption, which protects data stored on phones. It is still unclear whether encryption played any role in the Paris attacks, though we do know that the attackers were using unencrypted SMS text messages on the night of the attack, and that some of them were even known to intelligence agencies and had previously been under surveillance. But regardless of whether encryption was used at some point during the planning of the attacks, as I lay out below, prohibiting companies from selling encrypted devices would not prevent criminals or terrorists from being able to access unbreakable encryption. Vance’s primary complaint is that Apple’s and Google’s decisions to provide their customers with more secure devices through encryption interferes with criminal investigations. He claims encryption prevents law enforcement from accessing stored data like iMessages, photos and videos, Internet search histories, and third party app data. He makes several arguments to justify his proposal to build backdoors into encrypted smartphones, but none of them hold water.
  • Before addressing the major privacy, security, and implementation concerns that his proposal raises, it is worth noting that while an increase in use of fully encrypted devices could interfere with some law enforcement investigations, it will help prevent far more crimes — especially smartphone theft, and the consequent potential for identity theft. According to Consumer Reports, in 2014 there were more than two million victims of smartphone theft, and nearly two-thirds of all smartphone users either took no steps to secure their phones or their data or failed to implement passcode access for their phones. Default encryption could reduce instances of theft because perpetrators would no longer be able to break into the phone to steal the data.
  • Vance argues that creating a weakness in encryption to allow law enforcement to access data stored on devices does not raise serious concerns for security and privacy, since in order to exploit the vulnerability one would need access to the actual device. He considers this an acceptable risk, claiming it would not be the same as creating a widespread vulnerability in encryption protecting communications in transit (like emails), and that it would be cheap and easy for companies to implement. But Vance seems to be underestimating the risks involved with his plan. It is increasingly important that smartphones and other devices are protected by the strongest encryption possible. Our devices and the apps on them contain astonishing amounts of personal information, so much that an unprecedented level of harm could be caused if a smartphone or device with an exploitable vulnerability is stolen, not least in the forms of identity fraud and credit card theft. We bank on our phones, and have access to credit card payments with services like Apple Pay. Our contact lists are stored on our phones, including phone numbers, emails, social media accounts, and addresses. Passwords are often stored on people’s phones. And phones and apps are often full of personal details about their lives, from food diaries to logs of favorite places to personal photographs. Symantec conducted a study, where the company spread 50 “lost” phones in public to see what people who picked up the phones would do with them. The company found that 95 percent of those people tried to access the phone, and while nearly 90 percent tried to access private information stored on the phone or in other private accounts such as banking services and email, only 50 percent attempted contacting the owner.
  • ...8 more annotations...
  • In addition to his weak reasoning for why it would be feasible to create backdoors to encrypted devices without creating undue security risks or harming privacy, Vance makes several flawed policy-based arguments in favor of his proposal. He argues that criminals benefit from devices that are protected by strong encryption. That may be true, but strong encryption is also a critical tool used by billions of average people around the world every day to protect their transactions, communications, and private information. Lawyers, doctors, and journalists rely on encryption to protect their clients, patients, and sources. Government officials, from the President to the directors of the NSA and FBI, and members of Congress, depend on strong encryption for cybersecurity and data security. There are far more innocent Americans who benefit from strong encryption than there are criminals who exploit it. Encryption is also essential to our economy. Device manufacturers could suffer major economic losses if they are prohibited from competing with foreign manufacturers who offer more secure devices. Encryption also protects major companies from corporate and nation-state espionage. As more daily business activities are done on smartphones and other devices, they may now hold highly proprietary or sensitive information. Those devices could be targeted even more than they are now if all that has to be done to access that information is to steal an employee’s smartphone and exploit a vulnerability the manufacturer was required to create.
  • Privacy is another concern that Vance dismisses too easily. Despite Vance’s arguments otherwise, building backdoors into device encryption undermines privacy. Our government does not impose a similar requirement in any other context. Police can enter homes with warrants, but there is no requirement that people record their conversations and interactions just in case they someday become useful in an investigation. The conversations that we once had through disposable letters and in-person conversations now happen over the Internet and on phones. Just because the medium has changed does not mean our right to privacy has.
  • Vance attempts to downplay this serious risk by asserting that anyone can use the “Find My Phone” or Android Device Manager services that allow owners to delete the data on their phones if stolen. However, this does not stand up to scrutiny. These services are effective only when an owner realizes their phone is missing and can take swift action on another computer or device. This delay ensures some period of vulnerability. Encryption, on the other hand, protects everyone immediately and always. Additionally, Vance argues that it is safer to build backdoors into encrypted devices than it is to do so for encrypted communications in transit. It is true that there is a difference in the threats posed by the two types of encryption backdoors that are being debated. However, some manner of widespread vulnerability will inevitably result from a backdoor to encrypted devices. Indeed, the NSA and GCHQ reportedly hacked into a database to obtain cell phone SIM card encryption keys in order defeat the security protecting users’ communications and activities and to conduct surveillance. Clearly, the reality is that the threat of such a breach, whether from a hacker or a nation state actor, is very real. Even if companies go the extra mile and create a different means of access for every phone, such as a separate access key for each phone, significant vulnerabilities will be created. It would still be possible for a malicious actor to gain access to the database containing those keys, which would enable them to defeat the encryption on any smartphone they took possession of. Additionally, the cost of implementation and maintenance of such a complex system could be high.
  • Vance also suggests that the US would be justified in creating such a requirement since other Western nations are contemplating requiring encryption backdoors as well. Regardless of whether other countries are debating similar proposals, we cannot afford a race to the bottom on cybersecurity. Heads of the intelligence community regularly warn that cybersecurity is the top threat to our national security. Strong encryption is our best defense against cyber threats, and following in the footsteps of other countries by weakening that critical tool would do incalculable harm. Furthermore, even if the US or other countries did implement such a proposal, criminals could gain access to devices with strong encryption through the black market. Thus, only innocent people would be negatively affected, and some of those innocent people might even become criminals simply by trying to protect their privacy by securing their data and devices. Finally, Vance argues that David Kaye, UN Special Rapporteur for Freedom of Expression and Opinion, supported the idea that court-ordered decryption doesn’t violate human rights, provided certain criteria are met, in his report on the topic. However, in the context of Vance’s proposal, this seems to conflate the concepts of court-ordered decryption and of government-mandated encryption backdoors. The Kaye report was unequivocal about the importance of encryption for free speech and human rights. The report concluded that:
  • States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online. … States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows. Additionally, the group of intelligence experts that was hand-picked by the President to issue a report and recommendations on surveillance and technology, concluded that: [R]egarding encryption, the U.S. Government should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.
  • The clear consensus among human rights experts and several high-ranking intelligence experts, including the former directors of the NSA, Office of the Director of National Intelligence, and DHS, is that mandating encryption backdoors is dangerous. Unaddressed Concerns: Preventing Encrypted Devices from Entering the US and the Slippery Slope In addition to the significant faults in Vance’s arguments in favor of his proposal, he fails to address the question of how such a restriction would be effectively implemented. There is no effective mechanism for preventing code from becoming available for download online, even if it is illegal. One critical issue the Vance proposal fails to address is how the government would prevent, or even identify, encrypted smartphones when individuals bring them into the United States. DHS would have to train customs agents to search the contents of every person’s phone in order to identify whether it is encrypted, and then confiscate the phones that are. Legal and policy considerations aside, this kind of policy is, at the very least, impractical. Preventing strong encryption from entering the US is not like preventing guns or drugs from entering the country — encrypted phones aren’t immediately obvious as is contraband. Millions of people use encrypted devices, and tens of millions more devices are shipped to and sold in the US each year.
  • Finally, there is a real concern that if Vance’s proposal were accepted, it would be the first step down a slippery slope. Right now, his proposal only calls for access to smartphones and devices running mobile operating systems. While this policy in and of itself would cover a number of commonplace devices, it may eventually be expanded to cover laptop and desktop computers, as well as communications in transit. The expansion of this kind of policy is even more worrisome when taking into account the speed at which technology evolves and becomes widely adopted. Ten years ago, the iPhone did not even exist. Who is to say what technology will be commonplace in 10 or 20 years that is not even around today. There is a very real question about how far law enforcement will go to gain access to information. Things that once seemed like merely science fiction, such as wearable technology and artificial intelligence that could be implanted in and work with the human nervous system, are now available. If and when there comes a time when our “smart phone” is not really a device at all, but is rather an implant, surely we would not grant law enforcement access to our minds.
  • Policymakers should dismiss Vance’s proposal to prohibit the use of strong encryption to protect our smartphones and devices in order to ensure law enforcement access. Undermining encryption, regardless of whether it is protecting data in transit or at rest, would take us down a dangerous and harmful path. Instead, law enforcement and the intelligence community should be working to alter their skills and tactics in a fast-evolving technological world so that they are not so dependent on information that will increasingly be protected by encryption.
1 - 20 of 66 Next › Last »
Showing 20 items per page