The Electronic Frontier Foundation (EFF) is sounding alarms about a collection of overly vague cyber-security bills making their way through Congress.
EFF looked at two bills making their way through Congress: the Cybersecurity Act of 2012 (S. 2105), sponsored by Senator Joseph Lieberman (I-CT), and the Secure IT Act (S. 2151), sponsored by Senator John McCain (R-AZ). The digital rights group says the quality of the two bills ranges from “downright terrible” to “appropriately intentioned.” Each, however, is conceptually similar and flawed, EFF said.
With public awareness of cyber legislation high after the dramatic failure of the Stop Online Piracy Act (SOPA), interest in, and skepticism of, new cybersecurity legislation is on the rise.
All three bills seek to facilitate cooperation among branches of the U.S. government and between the government and the private sector. Their flaw, according to a blog post written by EFF Staff Technologist Dan Auerbach and EFF Senior Staff Attorney Lee Tien, is that they fail to define “the threats which are being defended against and the countermeasures that can be taken against those threats.”
A lack of concrete definitions and transparency could give way to expansive interpretations of any bill that passes, leading to government and corporate abuses, which, in turn, could impinge upon civil liberties, EFF warned.
As an example, Auerbach and Tien note that the Lieberman bill defines a “cyber security threat indicator” as any action that might be construed as “a method of defeating a technical [or operational] control.” That overly broad definition, EFF notes, could apply to anything from a DDoS attack to a port scan to the use of encryption or an anonymization service like Tor to protect the privacy of online activity and communications. Everything would depend on how the government and law enforcement chose to interpret it.
In an e-mail conversation with Threatpost, Auerbach of EFF characterized the bills as “alarming.” Of particular concern: a section in both the Lieberman and McCain bills that authorizes monitoring by private firms of any traffic that transits their networks. Ostensibly intended to facilitate private-public information sharing, the passage would grant complete private sector immunity for data monitoring and sharing practices. Private entities would be unbound from the Wiretap Act and other legal limits and immunized against a swath of questionable monitoring practices, EFF claims.
Furthermore, Auerbach and Tien worry that the bills’ definition of a “cyber security threat” is too broad, and could cover everything from stealing passwords from a secure government server to scanning a network for software vulnerabilities. Similarly, the bills’ calls for more ISP traffic analysis and monitoring could bring about more civil liberties violations. For example, ISPs could simply block Tor, cryptographic protocols, or traffic on certain ports under the guise of defensive countermeasures, the EFF speculated.
The two online privacy experts also worry that the bills do too little to balance the public interest against the government’s need to secure the Internet.
“The cyber security bills completely skirt the issue of the intelligence community stockpiling so-called “zero-days” — new and unknown software vulnerabilities — for offensive cyber attack purposes,” Auerbach said via email. “Allowing the intelligence community to hold on to these vulnerabilities without patching them makes all of us less safe, and a good cyber security bill would explicitly disallow this practice.”
That’s a potent concern these days, after the security firm Vupen raised the ire of a number of security experts with its controversial business model, which allegedly involves buying and selling these zero-days to the highest bidder, malicious or otherwise.
Rather than scrap the bills altogether, the EFF is calling on Senators to open up the conversation about the pending bills as they refine them. To create a better bill, the EFF believes specificity is key. Detractors will say that specificity limits the life-span of such bills, but the EFF sees this as an advantage: a short-lived bill would force legislators to revisit it and make the modifications necessary to address a rapidly changing and dynamic security ecosystem.
Why doesn’t the EFF draft an appropriate bill and then we can support it with the same fervor that got SOPA killed?
Here is a thought. Kill the bills, do nothing. There is no need for them.
“after the dramatic failure of Stop Online Privacy Act (SOPA)”. Was that a deliberate mistake?
Agreed, these bills aren’t needed. Harden your own systems if you must. Stop sticking your nose in everyone else’s business. Obviously, these bills have nothing to do with “cyber-security”.
How about we start talking about a new amendment to the constitution?
Part one: No government agency can do the bidding of an individual or corporation.
Part two: Corporations cannot be defined as a person (individual).
Part three: The internet (online information including text/music/video) is the right of every living person. The United States government is required to allow all parts of the internet to be displayed to everyone living in the country or within its territories, and cannot remove or try to remove any part of it; doing so is a willful act of treason by whatever branch of the government is violating said rights of the individual.
Part four: The US government shall not be allowed to attempt or succeed in accessing information that is private to an individual (note statement above that re-defines a corporation as a business, NOT an individual).
Part five: This amendment continues your right not to incriminate yourself with any information you may access on the internet (in any form), as it is NOT the right of the US government to access said information/data.
I guess I’ll end at that, as a start… and yes, I am serious.
Interesting, we have a bunch of people that barely know how to turn on a computer, never mind being able to configure a firewall or tunnel data through various ports, trying to come up with legislation to improve security. Does anyone else see anything wrong with this picture?
They should spend a little bit of time to understand the internet… understand how threats come about and the general workflows for mitigating these risks/threats.
Where did all the National Socialists in Congress (and in most governments in the former democracies, for that matter) come from? These guys are so afraid of the power of ordinary people to expose their greed and stupidities, and their utter lack of respect for democratic liberties, that they are in a frenzy to destroy the internet. I support whatever legal, humane ways can be used to further expose them and to defeat them at the polls.
There is not a lot to differentiate the bases of their attacks on civil liberties, particularly freedoms of speech and association, from the attitudes and actions of the Chinese Communist monsters, the Taliban, the Ayatollahs of Iran and other similar scum of the earth against their own people.
Government should not be in this business period. Government should lead by example by securing their own systems.
If anything, they can set penalties for people who leak PPI.
Again, epic fail.
kill em all and let God sort it out
No, not intentional. An interesting slip though. Thanks for pointing this out.
Why not just leave the government out of legislating implementations of technology.
I think you mean PII
The government has been doing a ton lately to secure their systems. I can personally assure you of this. The problem with them is too many voices and a lack of understanding leads to total confusion. Their approach is fundamentally flawed if you ask me. Let’s say you run a convenience store and you have a problem with robberies. The government decides that every item should be in a locked bulletproof case and the cashier should be behind bombproof glass. There should be cameras everywhere etc etc.
Well now that store really sucks to shop at and is completely inconvenient to the point where no one will go there unless they have to. I bet for 10% of that cost, you could’ve tracked down and arrested the criminals, punished them severely (instead of giving them jobs as “researchers”) and the problem would have gone away.
I use this as only a rough comparison because there is no bulletproof glass for day zero threats…and I doubt there ever will be.