Thursday, July 26, 2012

Controversial Cybersecurity Act Vote Coming Soon?

This week, House Majority Leader Harry Reid hopes to finally bring the long awaited Cybersecurity Act of 2012 to the floor for debate.  Senator Joe Lieberman and the four co-sponsors of the Cybersecurity Act introduced a revised version last week, which they indicate incorporates extensive negotiations with the bill’s opponents.  The Hill’s Technology Blog reports that Senators Rockefeller and Feinstein are reaching out to key technology CEOs to help lend their support to the bill.

This is great, because if the bill doesn’t get voted on soon, it won’t happen this year.  President Obama has weighed in as well.  The President wrote a rare op-ed piece in the Wall Street Journal to boost support.  He writes, “The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements.”

This is in response to the bill’s critics who have stated that they would be concerned about the costs to businesses that would be imposed by the new law.  John McCain’s bill, in contrast, focuses on strengthening the government’s Cybersecurity, but stops short of mandating that businesses do the same.

All this should be read in light of the larger Cyber conflict that is currently going on.  New York Times writer David Sanger wrote last month that an inside source had confirmed what many had suspected, that the Obama administration had ordered a cyber attack against Iranian enrichment facilities.
Maybe this was a good thing.  There was no loss of life that we know of, compared to a conventional military strike against Iranian facilities.  A Cyber retaliation from the Iranians or their allies would have also been limited to computer infrastructure.

But the new Cybersecurity bill needs to be read in light of the fact that the US government dropped the most sophisticated Cyberweapon on the world that we have ever seen.  It’s been analyzed and perhaps reproduced by other countries.  And unlike a physical war, where proximity to a conflict means greater risk, businesses are on the front lines of a Cyber conflict.  At a psychological level, most businesses don’t see their situation the way a business in a war-torn country would.

The reality of Cybersecurity in America is that it’s not just stolen identity that businesses need to worry about.  In November of 2011, for the first time, Robert Bryant, U.S. National Counterintelligence Executive, released a report naming China as the world’s leading source of economic espionage, with Russia coming in a close second.  The reality is that attacking an economy is the equivalent of holding a government hostage, as the Russians did against Georgian banks in 2008.

Cybersecurity laws need to play catch-up to the current state of the world, where a rogue nation like Iran or North Korea with nothing to lose economically could launch a terrorist-like attack against small or medium-sized businesses with very weak defenses and wreak havoc.  Unfortunately, the news today indicates that the bill is being fought on mostly partisan lines despite months of compromise that went into the new bill.  Senator McCain wants to delay the bill, and Heritage Action, a conservative advocacy group related to the Heritage Foundation, indicated it will track lawmakers’ votes on its key vote scorecard.

Tuesday, June 5, 2012

What happens when a public company has your private data?


What happens when a public company has your private data?  It used to be that Facebook was owned and operated by a private citizen.  Sure, it was fun to question his motives.  Those were the days.  Maybe it wouldn’t have changed if Facebook shares had started to skyrocket from the get-go, but they didn’t.  And now they have shareholders to think about.  So what happens to Privacy when Facebook shares drop like an anchor?

The shareholders start to yank the leash.

This week, Facebook announced they will start allowing individuals under the age of 13 to join its site.  A bit of background here: most Internet companies have policies against catering to kids younger than 13, not because they care about the kids, but because they have to comply with a set of guidelines called the Children's Online Privacy Protection Act, or COPPA.  COPPA requires service providers to verify that children have their parents’ consent, usually by taking a credit card number or having the parents call a telephone number.
To sweeten the IPO, look at the changes they made in the final weeks before their IPO.  They announced a major change to their privacy policy.  They will now “retain data for as long as necessary to provide services to users and others”.  This is after FB was fined $138,000 in 2011 in Ireland for keeping a deleted user’s data.

Now back to children under 13.  Zuckerberg was quoted in 2011 as saying that kids should be allowed on Facebook.  Not for selfish reasons, of course, but because he thinks that it could help with their education.  Because they can learn a lot from other students.  And why not allow kids on Facebook?  Lots of parents create accounts for their kids while they are still in the womb…like the Superbowl commercial for Google where the parents create an account and start emailing their child pictures and stories.

Lawmakers are highly concerned that Facebook is opening up to children under 13 to create a whole new market of potential advertising targets for itself.  You can already sell targeted ads by age group, so why not start targeting kids with more sugary cereals and toys and movies?  Because maybe kids don’t watch so many commercials anymore.  Thanks, TiVo!

Of course, Facebook also announced that they will allow their users to vote on the new change.  To be binding on the company, whatever the vote turns out, 30% of the users, or 270 million people, need to click.  US National voter turnout in 2010 was only about 37%, and only 90 million people voted.  Only Facebook knows how many of their 900+ million users are very active on the site; my guess is that it is probably less than 50%, but it would be astounding if enough people voted, for or against, on the privacy policy changes.  So one might ask...is the vote just going through the motions?

Obama ordered Stuxnet

According to an upcoming book by New York Times chief Washington correspondent, David Sanger, it was Obama who ordered the Stuxnet attack against Iran's nuclear program.

This isn't really a surprise, since most people believed the US to be behind the attack, but it does continue Obama's M.O. of preferring special forces over direct and prolonged engagements.

If true, the real motivation for the attack was to prevent further escalation of a conflict.  Had the virus not been discovered, perhaps the belief was that Iran would have assumed that the failures were accidental or that the virus wasn't targeted.  After all, the world had never seen such a directed cyber attack before.

Tuesday, May 8, 2012

Interesting article on NPR about whether businesses should foot the bill for a Cyber War.

The Lieberman-Collins bill before Congress would help pay to secure the nation's critical infrastructure like the power grid, water treatment plants, and the financial system.  Does the government have a duty to protect the rest of the country?

I think it's a great question.  One reason is the first sentence of this blog post: it's not "a" cyber war that we're talking about here...we can't talk about it like it isn't already happening.  It's the current cyber war.  If a city is hit by a tornado or hurricane, there is always disaster assistance available.  It's important to a country, especially during a war, to help rebuild so that the country can keep on functioning.

Another reason - can a small business really protect itself from a cyber attack from a government?

On the flip side of the issue, of course, is risk tolerance.  Businesses don't take security seriously largely because they don't need to.  The only reason some companies have security programs is so they can comply with the Payment Card Industry Data Security Standard (PCI DSS), and even then it is largely ignored (as we saw was the case with Sony last year).  People are excellent judges of risk.  As identity theft grows, they will tend to get better at creating passwords.  Businesses, too, need to learn from these issues.  But until the Wall Street Journal is covering a story about how a Fortune 500 company closed its doors because of a security breach, businesses won't invest what they need to protect themselves.  Despite Sony's breach last year, they are still in business and their stock seems to have been barely affected.

If the government steps in, then, and shields businesses from having to deal with the ramifications of a security threat, businesses will never treat the issue seriously.

Monday, April 30, 2012

Facebook "Likes" Not Protected Speech?

ArsTechnica has a great summary of the case of Bland v. Roberts, which has ruled that Facebook "Likes" are not protected speech under the 1st Amendment.  The case was decided in the Eastern District Court of Virginia, so it could be appealed a couple of times before hitting the Supreme Court...  There have been lots of other cases where something didn't have to actually constitute speech to be protected under the 1st Amendment, so it isn't clear if this case would stand if appealed.

CISPA Defections Begin

An update on my last post, CISPA - The Government's consolation prize for not passing SOPA: it looks like the measure has already lost some of its original supporters.  According to a story on TheHill.com, seven of the original cosponsors of the Cyber Intelligence Sharing and Protection Act (CISPA) abandoned ship and voted "No" on the bill.

http://thehill.com/blogs/hillicon-valley/technology/224339-six-cosponsors-of-cispa-cybersecurity-bill-voted-against-it


Friday, April 27, 2012

CISPA - The Government's consolation prize for not passing SOPA

Yesterday, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA).  While the bill was introduced with bipartisan sponsors, the bill passed the House on mostly party lines...Republican "yes" votes were 206 and Democrat "No" votes were 140.  Both sponsors were the ranking members of the House Intelligence Committee.  42 Democrats supported the bill while 28 Republicans were against it, including Republican U.S. representative and presidential candidate Ron Paul, who called it "Big Brother writ large".  President Obama has threatened to veto the legislation if it remains in its current form, but Obama waffled on his support of SOPA, so who knows what could happen in an election year.

Some questions:

Why would this bill be fast-tracked while other data security bills or data privacy bills have been stymied for years?

Does this bill simply legalize the warrantless wiretapping that is already being done throughout the country?

Rather than being an attack on the First Amendment like SOPA, CISPA attacks the Fourth Amendment to the Constitution. The Fourth Amendment of the Constitution says:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

A good question to ask might be: what is an unreasonable search?  If Law Enforcement sees someone committing a crime in public, they can act.  Why is there an expectation of privacy for communications over Facebook?  Over email?  It is probably very reasonable to expect that Law Enforcement can look at all publicly available information on Facebook.  Is it reasonable to let them look at information that a user has expressly defined as private?  Keep in mind that no one is saying that Law Enforcement can't get a warrant to access the information.

Of course, none of these questions are posed in the bill. Instead, CISPA purports to create a more secure Internet.  How does it attempt to do this?  One blog took Representatives Rogers and Ruppersberger to task over their own lack of security on their congressional web pages, including broken certificates, lack of HTTPS and broken links.

CNET has a great breakdown of how CISPA would impact an individual citizen.

When asked about whether the government could use this private information to spy on its own citizens, one Representative, Dan Boren (D-Oklahoma) said: "The government is not the enemy."  I don't think this would be comforting to most Americans, given the low approval rating of Congress right now.

So why isn't there greater opposition from all the same organizations that were against SOPA?  One answer might be that SOPA required a lot of intervention on the part of search engines or payment processors (think Google, Yahoo, PayPal, etc.).  They would have had to dedicate people to respond to requests and to develop technology to help respond.  CISPA would mostly impact ISPs, who in large part support the legislation.