A Response to Obama on the Cybersecurity Act of 2012

Last week, US president Barack Obama penned an opinion piece in the Wall Street Journal about why lawmakers should pass what is known as the Cybersecurity Act of 2012. Drew Wilson decided to issue his response on why the reasoning behind Obama’s piece is flawed.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes

One of the things I was thinking of when reading president Obama’s op-ed on cybersecurity was how often in many different countries the debate so frequently revolves around how there is somehow this imminent threat to the security of a nation and that only through whatever surveillance bill can the nation ever hope to be secure. I’ve seen this in Canada with the latest example being supposed new and emerging threats:

The Labor government has entrenched all the police state-style powers imposed in the supposed “war on terrorism”—already broad enough to cover many forms of political dissent and social unrest—and widened them even further. The discussion paper speaks sweepingly of combating “threats to our well-being”, “agents of espionage” and “other emerging threats”.

Of course, in the US, we’ve seen this scenario played out more often than we can count. We’ve seen it in the previous administration thanks to the infamous warrantless wiretapping, we’ve seen it in years before then and we’re seeing it being played out now. Perhaps the only good thing about this is that we aren’t stuck on the same old, “stopping the terrorist” government meme this time around – a tidbit of nonsense I thought would never go away whenever we end up discussing the privacy of civilians. At least this is a rare example of being able to discuss things in a more intelligent level than somehow suggesting that if you don’t support an intrusion of people’s privacy and basic civil rights, you are somehow supporting the terrorists. While this has changed, the playbook seems to have remained the same – stopping some sort of threat to society by asking society to fork over more rights and it must be done today.

Before even getting into the privacy debate, it has always bothered me whenever lawmakers demand to have certain rule changes made as quickly as possible. Whenever any sort of discussion about the issues at hand is seen as little more than an obstacle that needs to just be run over to the goal of passing certain laws, that is always a legitimate reason to be concerned. That is not to say that there is never an example where laws need to be passed quickly, but I am not convinced something like broad and vague surveillance legislation is one of those examples. Keeping that in mind, ask yourself this: when was the last time a broadening of surveillance was subject to a lengthy open and public review prior to such legislation becoming law? I honestly can’t think of an example and even if there was an example, it would be an exception and not the rule whereas I think it should be the rule and not the exception.

The Legislation in question Today

When I was reading this op-ed, I personally thought we were still talking about CISPA (Cyber Intelligence Sharing and Protection Act) which is a piece of legislation that we covered in the past. It turns out, the legislation in question is actually the Cybersecurity Act of 2012. So, before launching into this article, I did some looking around (as I always do) and found a quick review of the legislation on the EFF’s website. It turns out, the legislation has a lot of problems with regards to basic civil rights and only recently have there been attempts to make critical changes to the legislation. The EFF specifically addressed the problems that remained:

Of course, the bill has its shortcomings. The most significant problem remaining has to do with the language around monitoring and countermeasures. Currently, the bill specifically authorizes companies to use cybsersecurity as an excuse for engaging in nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets). We’ve argued that this language is overly broad and could be interpreted by an overzealous ISP to let them block privacy-protective technologies like Tor. When the bill goes to the floor next week, we’re going to be throwing our weight behind amendments to address these ongoing flaws.

This new bill patches a whole bunch of significant privacy problems with the prior proposals, and so we’re grateful for the Senators who responded to the Internet community’s concerns and championed these protections. Now it’s up to us: we need to speak out and tell Senators not to undermine these hard-won privacy protections, and hopefully tell them to go one step further and fix the problems remaining with monitoring and countermeasures. Our contacts in Washington tell us it’s likely that opponents will try to strip out these protections by hyping up fears of catastrophic cyberattacks and calling for stronger national security provisions. We need to organize now to stop any Floor amendments that would undermine these major privacy wins.

The Use of Fearful “Cyber-Attacks” Become Reality

All you had to do was read the first three paragraphs of Obama’s Op-Ed and you’ll get those fears being proposed from the president himself. I’m not sure which came first, the EFF’s warning or Obama’s piece showing that those warnings are very real as they are both coincidentally published on the same day.

One writer from Vice did point out that incidents similar to what Obama described did occur:

This cyberwar scenario wouldn’t be so scary if it weren’t basically accurate. In fact, a water treatment plant in Texas actually did have to shut down after some a twentysomething hacker with a Guy Fawkes mask cracked into the system. While this was going on, a network of vigilantes were busy breaking into natural gas pipelines, perhaps to disrupt the flow and manipulate markets. Thankfully, we’ve not yet seen the trains derailing and toxic cloud spreading scenario, though train systems in the Pacific Northwest were recently targeted.

Still, the writer did admit that what Obama did write was still hyperbole – something I wholeheartedly agree with.

So, if we are talking about major facilities and vital infrastructure here, the real question then becomes how best to protect them. There’s a very old and very effective way to protect any sort of computing system – don’t connect it to the Internet. If a computer system is not WiFi capable and does not have any connection to the Internet, then the only way to break into it is to physically be there at the computer. At that point, it becomes a question of how to humanly protect that computer. There’s no fears of people half way around the world hacking into that computer, no DDOS attacks from multiple computers around the web destroying the system, nothing. If a system has to have some sort of network up and running, make it an intranet system instead of exposing it to the wider Internet.

I agree that the Internet can be critical and very useful and that increased connectivity is a great thing, but there are certain things that should not be on the Internet – that includes critical infrastructure. If you connect critical infrastructure to the Internet, that is basically asking criminals to break in and wreak havoc. Even if there is some convenience to be gained by connecting something like critical infrastructure to the Internet, the risks make any convenience not worth it. If you can shut down a power grid by breaking into the right computer network from hundreds of miles away, you’re doing security wrong.

I’d like to take this a step further. There was something that happened to the electric grid in several states. Power went out for many people. While people were waiting for the power to turn on, a heatwave came in and caused several medical problems for some while forcing others to suffer. This outage lasted for a lengthened period of time. Was this an act of cyber-espionage? A massive cyberattack? A foreign country breaking into critical infrastructure? The answer to all of the above was no. the answer was weather. The debate with Pepco and it’s handling of the outage is a debate that has continued to rage to this day. While it was weather related, there were things the company could have done to help prevent the chaos that ensued from the power outage. It seriously makes me wonder how many problems happen to critical infrastructure that has nothing to do with cyber security and more to do with things like weather, the shifting of the land, flooding, etc. I also wonder if it’s possible to compare that to the priorities of the government when it comes to critical infrastructure.

The Disconnect Between Proposed Provisions and What They’re Suppose to Stop

As I’ve seen so many times before, when it comes to a claim of what kind of disaster such laws would guard against and the contents of the bill in question, that’s when disconnects begin to appear. The EFF points out that this is what the bill would do:

Data collected under the Cybersecurity Act can be shared with law enforcement for non-cybersecurity purposes if it “appears to relate to a crime” either past, present, or near future. This is overbroad and contrary to the spirit of our Constitution. Senator Wyden, talking about a similar provision in CISPA, noted “They would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime.” The CSA suffers the same “future crime” flaw.

If the purpose was to stop cyber security threats, then why have a provision like this in here at all? Shouldn’t legislation that is sold as a specifically targeted at a specific threat also have very specific provisions?

In another post, the EFF made this note:

Of course, the bill has its shortcomings. The most significant problem remaining has to do with the language around monitoring and countermeasures. Currently, the bill specifically authorizes companies to use cybsersecurity as an excuse for engaging in nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets)

How is the monitoring of every person going to guard against any supposed cyber attacks? When domestic users are monitored 24/7, why would someone who resides outside the US even care? The more intelligent people will find a way to conceal their tracks domestic or abroad should they choose to engage in any form of attack on anything. Monitoring everyone who hasn’t concealed their tracks won’t solve much when defending against something like a DDOS attack.

Some Final Thoughts

When looking at this legislation in general and what its supporters are saying it would solve, this is ultimately a square peg in round hole problem. The simplest of measures can easily be infinitely more effective at guarding against any sort of attack of this nature, yet this proposal takes a completely different and much more inefficient rout. It unnecessarily tramples on basic civil rights and it stops people from using useful tools like proxies and Tor. Yes, there are legitimate reasons to use either one.

If you want to totally guard against hacking, pull the plug on Internet access for that facility. It’s substantially harder to hack into a computer that isn’t connected to the Internet. It’ll be substantially more efficient to keep critical infrastructure operations off the Internet than compromising the privacy of millions of American’s.

(Via /.)

Drew Wilson on Twitter: @icecube85 and Google+.

1 Trackback or Pingback

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: