Normally I don’t write too much about political affairs because I don’t care to get too involved with them. However, Obama’s message in January concerns me in regard to the state of security. Let us look at what it means for us as professionals and citizens of the United States of America.
Part of Obama’s cyber security plan has an opt-in option for digital information sharing, and the benefit for the company in doing this is that the government will be granting a certain degree of “due care” to those companies that take advantage of this. This means the companies may be partially protected from lawsuits related to security breaches or privacy complaints from consumers if they opt-in.
“Cyber security threat indicators” will be formulated for the companies to help them define what type of information would be shared. The plan goes on to define this as many things including “Malicious Reconnaissance” or a “Technical Vulnerability“. This would include meta data about the companies networks such as Internet Protocol (IP) addresses, date-time stamps, routing information, including other things that will basically map out the companies entire network to the government.
The bad thing is terms like “malicious reconnaissance,” for an example, is defined as “communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat.” If this passes, how would we protect our companies without raising the brow of the government?
This means people trying to perform “due diligence” (aka security research) for the place that they work may actually rise up on the Cyber Security Threat Indicator for trying to protect their company. Hopefully, this allows us to observe the dual sword that Obama is wielding in this policy… he’ll be complicating things for the ethical researchers as well… thus making our defenses weaker by slowing us down and driving up the costs.
If you want to see security done poorly, simply slow down all offensive behavior legally by ethical attackers and have security professionals focus entirely on defenses only. This way the good guys will never know if they did security properly, because they won’t be able to find any holes in their defenses before the unethical attacker does.
The good thing here is it’s an opt in approach, some claim the other bad thing here is the government doesn’t spell out what type of protection is afforded to the companies. This doesn’t surprise me, because due to the wide array of how a company may be breached and how well “due care” may have been exercised by the company… the protection will most certainly vary. However, having a clearly defined maximum level of protection defined as well as a minimum level may help to aid companies in understanding what this may mean for them. In addition, there are no restrictions put on this policy to limit how the government may actually utilize this information to protect the users of the Internet.
In the end, it will be up for the companies to decide if they want to opt into this policy or not. There would be a certain level of risk and reward here, but it is a marginal improvement over past plans that made it mandatory for businesses to actually provide this data.
The policy also looks to name a 30 day standard for companies in the United States (US) to disclose any information in regard to a loss of Personally Identifiable Information (PII) data. Many companies support this because it helps to standardize expectations. Currently, expectations may vary from the 30 days Florida gives for disclosure (+15 day extension), while other states like Alaska is on the other end of the spectrum. Alaska law states “disclosure is not required if, after an appropriate investigation and after written notification to the attorney general of (Alaska), the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach.” 20 Alaska Stat. §45.48.010.
This basically means notification may be mandatory or not even occur based off of where you live in our blessed union currently. This standardization is a good thing for these companies that support it as it means there is less room for misinterpretation of the various laws from state to state. Click here for a complete list Computer Security Breach Notification laws.
Obama has also proposed to update the Computer Fraud and Abuse Act (CFAA), and this is where the proposal takes a strange twist to a yet another surreal paradigm in which Washington lives in – in regard to computer or cyber security. What really gets my goat here is that with most of these plans there seems to be a lot of good in, kind of like a cup cake… it looks good and promises some a good taste, but if you’re not careful to examine it further you’ll find there was some blarney in the center instead of the creamy filling you would expect to enjoy.
The entire PDF of the law enforcement tools can be found here if you want to read it (and you should as it concerns you). Also here is the Fear Uncertainty and Doubt (FUD) Obama spread back in January, and I quote:
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.”
Really? Our Children? OK, my friends in the United States or anywhere… when you see a politician actually use “children” in a statement you should know they are attempting to play on our emotions to persuade our logical self outside the window and down into a street 15 stories below. This is a ploy by the man to mislead his sheep from thinking logical into a doing something illogical by playing on our emotions. Let us examine why…
New laws baked into the CFAA extend the maximum penalty for computer crimes from 10 to 20 years. Remember the security threat indicators above… and malicious research? For security to be performed properly you have to perform due diligence and research the ever changing threat landscape, and it’s even more critical now than ever in the age of “Internet of Things (IoT).”
The IoT basically includes things that are not considered a normal computer you sit in front of, but are also Internet enabled things like thermostats, fridges, smart phones, software, car stereos, sensors, and more. These things usually run older, outdated operating systems on them and pose a threat to our networks both at home and work. Without getting into it too much, how would we ever be able to test and find out how horrible the security may be on these devices or better yet, how to fix them if we are painted as felons and threatened by ever increasing fines? The government basically is punishing the good and cutting us off at our knees at this point by making it harder for us to do our jobs and protect our companies via the new proposed CFAA.
More bothersome is the “modernizing” of the CFAA:
(6) knowingly and willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;
This means if you have a subscription to a service that you use for streaming movies, music, or whatever… and you share that password and username with someone you know… that you can get up to 10 years for sharing that username and password. So basically if I give my kid the password for my Netflix to watch a video and that somehow leaks out to someone else, I would be held up to 10 years in jail because I am responsible for my child’s actions legally. This may not be far fetched as crazier things have happened.
In September 2014, 5 million Google accounts were leaked to a Russian cyber security internet forum. The new CFAA would make anyone accessing this file a criminal and you would potentially get up to 20 years for simply clicking on or accessing this file. However, who is this keeping honest here? This law would not stop the unethical attackers from accessing it, however it would prevent the ethical people and potential victims from finding out if their information was disclosed in this leak. This leak is beneficial to the good to know because if they possessed this already leaked file to the web they can search the file for their email address to see if they were part of the breach.
Having such information is huge part of defending ourselves, family, and friends. The damage was already done by the initial leak and the unethical already had this information before the leak. So why should this be considered bad? One word… ignorance (the lack of knowing how this is actually helpful). This ignorance is what is driving this policy and will most certainly rob security professionals of the freedoms we need to defend ourselves.
Then there is the “racketeering” section:
“racketeering activity” means … (B) any act which is indictable under any of the following provisions of title 18, United States Code: … section 1028 (relating to fraud and related activity in connection with identification documents), section 1029 (relating to fraud and related activity in connection with access devices), section 1030 (relating to fraud and related activity in connection with computers) if the act indictable under section 1030 is felonious, section 1084 (relating to the transmission of gambling information), section 1341 (relating to mail fraud), section 1343 (relating to wire fraud), …
Let’s look at this… So simply being there during a conversation in a chat room that discusses fraud makes you guilty. If this passes make sure you don’t leave your chat rooms open and walk away from your computer… because you never know what people may start to talk about when you’re away from the keyboard (AFK).
I’m not opposed to legislation, however the legislation needs to be fair and balanced into “we the people’s” best interest. The fact that the administration is trying to push this policy along utilizing FUD is concerning to me, and as a security professional that believes wholeheartedly in offensive security to improve our defensive strategies, this proposal is a step in the wrong direction for us all – even our children.
The freedoms we lose, will put us at a greater loss defensively if this passes.