The Electronic Frontier Foundation (EFF) is sounding alarms about a collection of overly vague cyber-security bills making their way through Congress.
EFF looked at two bills making their way through Congress: The Cybersecurity Act of 2012 (S. 2105), sponsored by Senator Joseph Lieberman (I-CT) of Connecticut and the Secure IT Act (S. 2151), sponsored by Senator John McCain (R-AZ) . The digital rights group claims that the quality of both bills ranges from “downright terrible” to “appropriately intentioned.” Each, however, is conceptually similar and flawed, EFF said.
With public awareness about cyber legislation high after the dramatic failure of Stop Online Piracy Act (SOPA), interest in- and skepticism of new cybersecurity legislation is on the rise.
All three bills seek to facilitate cooperation among branches of the U.S. government and between the government and the private sector. Their failing, according to a blog post written by EFF Staff Technologist, Dan Auerbach and EFF Senior Staff Attorney, Lee Tien is in failing to define “the threats which are being defended against and the countermeasures that can be taken against those threats.”
A lack of concrete definitions and transparency could give way to expansive interpretations of any bill that passes, leading to government and corporate abuses, which, in turn, could impinge upon civil liberties, EFF warned.
As an example, Auerbach and Tien note that the Lieberman bill defines a “cyber security threat indicator” as any action that might be construed as “a method of defeating a technical [or operational] control.” That overly broad definition, EFF notes, could apply to anything from a DDoS attack to a port scan to the use of encryption or an anonymization service like ToR to protect the privacy of online activity and communications. Everything would depend on how the government and law enforcement chose to interpret it.
In an e-mail conversation with Threatpost, Auerbach of EFF characterized the bills as “alarming.” Of particular concern: a section in both the Lieberman bill and the McCain bills that authorizes monitoring by private firms of any traffic that transits their networks. Ostensibly intended to facilitate private-public information sharing, the passage would grant complete private sector immunity for data monitoring and sharing practices. Private entities would be unbound from the Wiretap Act and other legal limits and immunized against a swath of questionable monitoring practices, EFF claims.
Furthermore, Auerbach and Tien worry that the bills’ definition of a “cyber security threat” is too broad, and could cover everything from stealing passwords from a secure government server to scanning a network for software vulnerabilities. Similarly, the bills calls for more ISP traffic analysis and monitoring could bring about more civil liberties violations. For example, ISPs could simply block Tor, cryptographic protocols, or traffic on certain ports under the guise of defensive countermeasures, the EFF speculated.
The two online privacy experts also worry that the bills do too little to balance the public interest against the government’s need to secure the Internet.
“The cyber security bills completely skirt the issue of the intelligence community stockpiling so-called “zero-days” — new and unknown software vulnerabilities — for offensive cyber attack purposes,” Auerbach said via email. “Allowing the intelligence community to hold on to these vulnerabilities without patching them makes all of us less safe, and a good cyber security bill would explicitly disallow this practice.”
That’s a potent concern these days, after the security firm Vupen raised the ire of a number of security experts for their controversial business model which allegedly involves the buying and selling of these zero-days to the highest bidder, malicious or otherwise.
Rather than scrap the bills altogether, the EFF is calling on Senators to open up the conversation about the pending bills as they refine them. To create a better bill, the EFF believes specificity is key. Detractors will say that specificity limits the life-span of such bills, but the EFF sees this as an advantage. A short-living bill would force legislators to revisit it and make modifications necessary to address a rapidly changing and dynamic security ecosystem.
