EFF Says Cyber Security Bills Open Door To Government, Corporate Abuse

The Electronic Frontier Foundation (EFF) is sounding alarms about a collection of overly vague cyber-security bills making their way through Congress.

The Electronic Frontier Foundation (EFF) is sounding alarms about a collection of overly vague cyber-security bills making their way through Congress.

EFF looked at two bills making their way through Congress: The Cybersecurity Act of 2012 (S. 2105), sponsored by Senator Joseph Lieberman (I-CT) of Connecticut and the Secure IT Act (S. 2151), sponsored by Senator John McCain (R-AZ) . The digital rights group claims that the quality of both bills ranges from “downright terrible” to “appropriately intentioned.” Each, however, is conceptually similar and flawed, EFF said. 

With public awareness about cyber legislation high after the dramatic failure of Stop Online Piracy Act (SOPA), interest in- and skepticism of new cybersecurity legislation is on the rise.

All three bills seek to facilitate cooperation among branches of the U.S. government and between the government and the private sector. Their failing, according to a blog post written by EFF Staff Technologist, Dan Auerbach and EFF Senior Staff Attorney, Lee Tien is in failing to define “the threats which are being defended against and the countermeasures that can be taken against those threats.”

A lack of concrete definitions and transparency could give way to expansive interpretations of any bill that passes, leading to government and corporate abuses, which, in turn, could impinge upon civil liberties, EFF warned.

As an example, Auerbach and Tien note that the Lieberman bill defines a “cyber security threat indicator” as any action that might be construed as “a method of defeating a technical [or operational] control.” That overly broad definition, EFF notes, could apply to anything from a DDoS attack to a port scan to the use of encryption or an anonymization service like ToR to protect the privacy of online activity and communications. Everything would depend on how the government and law enforcement chose to interpret it.

In an e-mail conversation with Threatpost, Auerbach of EFF characterized the bills as “alarming.” Of particular concern: a section in both the Lieberman bill and the McCain bills that authorizes monitoring by private firms of any traffic that transits their networks. Ostensibly intended to facilitate private-public information sharing, the passage would grant complete private sector immunity for data monitoring and sharing practices. Private entities would be unbound from the Wiretap Act and other legal limits and immunized against a swath of questionable monitoring practices, EFF claims.

Furthermore, Auerbach and Tien worry that the bills’ definition of a “cyber security threat” is too broad, and could cover everything from stealing passwords from a secure government server to scanning a network for software vulnerabilities. Similarly, the bills calls for more ISP traffic analysis and monitoring could bring about more civil liberties violations. For example, ISPs could simply block Tor, cryptographic protocols, or traffic on certain ports under the guise of defensive countermeasures, the EFF speculated.

The two online privacy experts also worry that the bills do too little to balance the public interest against the government’s need to secure the Internet.

“The cyber security bills completely skirt the issue of the intelligence community stockpiling so-called “zero-days” — new and unknown software vulnerabilities — for offensive cyber attack purposes,” Auerbach said via email. “Allowing the intelligence community to hold on to these vulnerabilities without patching them makes all of us less safe, and a good cyber security bill would explicitly disallow this practice.”

That’s a potent concern these days, after the security firm Vupen raised the ire of a number of security experts for their controversial business model which allegedly involves the buying and selling of these zero-days to the highest bidder, malicious or otherwise.

Rather than scrap the bills altogether, the EFF is calling on Senators to open up the conversation about the pending bills as they refine them. To create a better bill, the EFF believes specificity is key. Detractors will say that specificity limits the life-span of such bills, but the EFF sees this as an advantage. A short-living bill would force legislators to revisit it and make modifications necessary to address a rapidly changing and dynamic security ecosystem.

Suggested articles

Discussion

  • Anonymous on

    Why doesn't the EFF draft an appropriate bill and then we can support it with the same fervor that got SOPA killed?

  • Anonymous on

    Here is a thought.   Kill the bills, do nothing. There is no need for them.

     

     

  • Anonymous on

    "after the dramatic failure of Stop Online Privacy Act (SOPA)". Was that a deliberate mistake?

  • Anonymous on

    Agreed, these bills aren't needed. Harden your own systems if you must. Stop sticking your nose in everyone else's business. Obviously, these bills have nothing to do with "cyber-security".

  • Michael on

    How about we start talking about a new amendment to the constitution?

    Part one: No government agency can do the bidding of an individual or corporation.

    Part two: Corporations cannot be defined as a person (individual).

    Part three: The internet (online information including text/music/video) is the right of every living person. The United States government is required to allow all parts of the internet to be displayed to everyone living in the country or within its territories, and cannot remove or try to remove any part of it; doing so is a willful act of treason by whatever branch of the government is violating said rights of the individual.

    Part four:  The US government shall not be allowed to attempt or succeed in accessing information that is private to an individual (note statement above that re-defines a corporation as a business, NOT an individual).

    Part five: This amendment continues your right not to incriminate yourself with any information you may access on the internet (in any form), as it is NOT the right of the US government to access said information/data.

    I guess I'll end at that, as a start... and yes, I am serious.

  • Anonymous on

    Interesting, we have a bunch of people that barely know how to turn on a computer nevermind being able to configure a firewall or tunnel data through various ports, tyring to come up with legislation to improve security. Does anyone else see anything wrong with this picture?

    They should spend a little bit of time to understand the internet... understand how threats come about and the general workflows to mitigating this risks/threats.

     

  • Bubba Nurth on

    Where did all the National Socialists in Congress (and in most governments in the former democracies, for that matter) come from?  These guys are so afraid of the power of ordinary people to expose their greed and stupidities, and their utter lack of respect for democratic liberties, that they are in a frenzy to destroy the internet.  I support whatever legal, humane ways can be used to further expose them and to defeat them at the polls.

    There is not a lot to differentiate the bases of their attacks on civil liberties, particularly freedoms of speech and association, from the attitudes and actions of the Chinese Communist monsters, the Taliban, the Ayatollahs of Iran and other similar scum of the earth against their own people.

  • Anonymous on

    Government should not be in this business period. Government should lead by example by securing their own systems. If anything, they can set penalties for people who leak PPI. Again, epic fail.
  • Anonymous on

    kill em all and let God sort it out

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.