Tag - law

US Government Proposes Classifying Cyber Security Tools as Weapons of War
Why the Current Section 215 Reform Debate Means Virtually Nothing
Ron Wyden and Rand Paul Sorta-Kinda Killed the Patriot Act
If an Ex-NSA Chief and ACLU Adviser Agree on Surveillance Reform, Why Can’t Congress?
Potential Cyber Gains in National Defense Authorization Act but Obama Threatens Veto
Congress Wants U.S. Companies Facing Cyber Attacks to Share Data
US Tech Companies Urge Obama to Reject Government Proposals Requiring Software Backdoors for Encrypted Communications
NSA Apologist Burr Preps Backup Spying Plan As House Threatens Defunding
National Defense Authorization Act Passes the House with Cyber Amendments

US Government Proposes Classifying Cyber Security Tools as Weapons of War

BetaNews reports on a US government proposal to classify cyber security tools as weapons of war, in an attempt to control the distribution of such capabilities to, well, just about anyone the government does not want to have them:

Until now, only when someone possessed a chemical, biological or nuclear weapon was it considered to be a weapon of mass destruction in the eyes of the law. But we could have an interesting — and equally controversial — addition to this list soon. The Bureau of Industry and Security (BIS), an agency of the United States Department of Commerce that deals with issues involving national security and high technology, has proposed tighter export rules for computer security tools — first brought up in the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013. This proposal could potentially revise an international agreement aimed at controlling weapons technology as well as hinder the work of security researchers.

At the meeting, a group of 41 like-minded states discussed ways to bring cybersecurity tools under the umbrella of law, just as any other global arms trade. This includes guidelines on export rules for licensing technology and software as it crosses an international border. Currently, these tools are controlled based on their cryptographic functionality. While BIS is yet to clarify things, the new proposed rule could disallow encryption license exceptions.

The new proposal is irking security researchers, who see export controls on vulnerability research as a regulation of the flow of information. You see, these folks need to use tools and scripts that intrude into a protected system. If the proposal becomes law, it will force these researchers to find a new mechanism to beat the bad guys.

Some policy wonk in the United States government obviously has no practical knowledge of how the internet functions. Classifying such tools as weapons of war will not make them any harder to acquire. The internet is global, so such tools will simply be obtained from nations without the same controls as the United States.

Nor do cyber security (aka hacking) tools cause physical damage, unlike, you know, actual weapons. Bombs, assault rifles, tanks, biological weapons and the like cause actual kinetic devastation and can kill people. Hacking tools, not so much. Even though industrial control systems may be compromised, it is doubtful that breaching them causes real harm, Stuxnet notwithstanding.

It is no surprise the US government would like to control the distribution of tools potentially capable of attacking the nation. However, this is sure to harm security research into attack techniques, which is what ultimately leads to new and unique defense mechanisms. We need the ability to conduct cyber security research inside the US, so locking up these tools will surely have disastrous effects on academia and cyber defense research in general.

Why the Current Section 215 Reform Debate Means Virtually Nothing

From one eye-opening read to another. Bruce Schneier highlights Chris Soghoian of the ACLU explaining why the current Patriot Act Section 215 reform debate means virtually nothing, thanks to the countless other authorities and methods the intelligence community uses to spy on American citizens:

There were 180 orders authorized last year by the FISA Court under Section 215 — 180 orders issued by this court. Only five of those orders relate to the telephony metadata program. There are 175 orders about completely separate things. In six weeks, Congress will either reauthorize this statute or let it expire, and we’re having a debate — to the extent we’re even having a debate — but the debate that’s taking place is focused on five of the 180, and there’s no debate at all about the other 175 orders.

Now, Senator Wyden has said there are other bulk collection programs targeted at Americans that the public would be shocked to learn about. We don’t know, for example, how the government collects records from Internet providers. We don’t know how they get bulk metadata from tech companies about Americans. We don’t know how the American government gets calling card records.

If we take General Hayden at face value — and I think you’re an honest guy — if the purpose of the 215 program is to identify people who are calling Yemen and Pakistan and Somalia, where one end is in the United States, your average Somali-American is not calling Somalia from their land line phone or their cell phone for the simple reason that AT&T will charge them $7.00 a minute in long distance fees. The way that people in the diaspora call home — the way that people in the Somali or Yemeni community call their family and friends back home — they walk into convenience stores and they buy prepaid calling cards. That is how regular people make international long distance calls.

So the 215 program that has been disclosed publicly, the 215 program that is being debated publicly, is about records to major carriers like AT&T and Verizon. We have not had a debate about surveillance requests, bulk orders to calling card companies, to Skype, to voice over Internet protocol companies. Now, if NSA isn’t collecting those records, they’re not doing their job. I actually think that that’s where the most useful data is. But why are we having this debate about these records that don’t contain a lot of calls to Somalia when we should be having a debate about the records that do contain calls to Somalia and do contain records of e-mails and instant messages and searches and people posting inflammatory videos to YouTube?

Certainly the government is collecting that data, but we don’t know how they’re doing it, we don’t know at what scale they’re doing it, and we don’t know with which authority they’re doing it. And I think it is a farce to say that we’re having a debate about the surveillance authority when really, we’re just debating this very narrow usage of the statute.

People like Chris are highly important to the work being done to prevent further violations of American freedoms and privacy. Although al Qaeda and Osama bin Laden lost the battle, it seems they have won the war against the American way of life.

Americans have been brainwashed into believing this surveillance helps catch terrorists when in fact it has had virtually zero impact on thwarting any tangible terror plot.

Ron Wyden and Rand Paul Sorta-Kinda Killed the Patriot Act

BoingBoing reports that Senators Ron Wyden and Rand Paul sorta-kinda killed the Patriot Act Section 215 renewal after leaving Senate Majority Leader Mitch McConnell without a compromise:

After an all-night session, Rand Paul [R-KY] and Ron Wyden [D-OR] tag-teamed majority leader Mitch McConnell [R-KY] and beat him to the mat — he has abandoned the current legislative effort to extend section 215 of the Patriot Act, which authorizes mass surveillance and is set to expire on June 1.

This was not what we expected — political handicappers had put safe money on some kind of compromise emerging from today’s session. With no such compromise in sight, McConnell will have to start over, twisting arms and knocking heads to get Congress to re-authorize another long stretch of unaccountable, secret mass surveillance. He’s got his work cut out for him as the Senate has adjourned until May 31 — 24 hours before the deadline.

The fight is not yet over, as the better-than-nothing-but-not-so-good USA Freedom Act was more or less defeated in the Senate as well.

If an Ex-NSA Chief and ACLU Adviser Agree on Surveillance Reform, Why Can’t Congress?

Well, here is an interesting opinion piece over at The Christian Science Monitor. Former NSA chief, retired General Keith Alexander, and law professor Geoffrey Stone ask what, on the surface, seems like a fairly provocative question in the post-Snowden era: if an ex-NSA chief and an ACLU adviser can agree on surveillance reform, why can’t Congress?

As Americans, we share these bedrock principles: that freedom, privacy, and individual liberty are fundamental American values; that a core responsibility of our government is to keep our nation and our people safe; that the collection of intelligence is essential in the modern world to protect our nation’s security; and that, at present, the trust of the American people has been eroded and needs to be reestablished with new safeguards that ensure that the agencies charged with carrying out the collection of intelligence do so in a manner that is consistent with our deepest national values.

That is not to say that the nation’s intelligence agencies have abused their authority. To the contrary, the NSA and other intelligence agencies have worked conscientiously to operate within the express authorities that Congress, the White House, and the Foreign Intelligence Surveillance (FISA) Court have given them. Indeed, the men and women who work at NSA and other national security agencies deserve our admiration and support. Although intelligence agencies often operate out of necessity in secret, in our experience they adhere to the rule of law and comply with multiple layers of effective oversight.

I am not sure that “the NSA and other intelligence agencies have worked conscientiously to operate within the express authorities that Congress, the White House, and the Foreign Intelligence Surveillance (FISA) Court have given them” is an entirely forthcoming admission. It has been exposed time and time again that the NSA has outright lied to the FISA Court, has failed to disclose information, or has been found by the court to be operating outside its authorities.

The whole opinion piece smells funny and reads like a word-game.

As mentioned in the article, it has been nearly fourteen years since the terrorist attacks of 9/11, but what good have all the terrorism-related intelligence laws done for the American public? The country is no safer because of the so-called operational effectiveness of the counterterrorism tools Congress has provided to the intelligence community. Quite the contrary.

The only reason America is safer today is that there was an attack on American soil that killed Americans, and this opened our eyes to the very real possibility that we need to be more vigilant. American intelligence agencies have yet to point to a single real terror plot that these tools prevented. Nearly fourteen years of pointless mass surveillance and other authorities granted to the intelligence community have proven these tools unnecessary.

This is why it is time for reform: things like Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act do nothing to make the country safer. Besides, because of how the intelligence community works, all of these capabilities ultimately fall back on the Reagan-era Executive Order 12333, which amounts to a catch-all intelligence community authority allowing just about any type of spying, including surveillance of American citizens.

Now that is something in need of reform.

Potential Cyber Gains in National Defense Authorization Act but Obama Threatens Veto

Stephanie Kanowitz of FierceGovernmentIT on the potential cyber gains in the National Defense Authorization Act of 2015, and the very real possibility that President Obama may veto the bill (for very good reason):

To help bolster U.S. cyber defense, the bill calls for authorizing the president to use military cyber action in response to an attack on the nation, $400 million in additional funding to the Defense Innovation Initiative for increased investment in various technologies, and another $75 million for cyber procurement, Politico reports in a May 14 article.

“The bill also requires biennial exercises to simulate responses to cyberattacks on critical infrastructure, docks the executive office support budget until the president submits a deterrence policy asked for in the 2014 NDAA, mandates an independent assessment and war games test of [Cyber Command] forces in response to estimates of Chinese, Russian, Iranian and North Korean capabilities in 2020 and 2025 and boosts the Defense secretary’s hiring powers for civilian cyber support staff,” the article states.

DoD’s cyber workforce would also get an infusion of talent. Rep. Will Hurd (R-Texas) introduced an amendment that would allow the department to pay for cyber certifications and training for its cyber professionals, the National Law Review reports in a May 18 article.

Some of the additions, such as the amendment to pay for cyber training and certifications for DoD cyber professionals, are wonderful. As a whole, however, it seems like Congress is playing politics as usual, using the NDAA as a way to sneak in cyber security line items it cannot get passed in standalone bills.

Congress Wants U.S. Companies Facing Cyber Attacks to Share Data

Paul Kurtz of Quartz on how Congress wants companies facing cyber attacks to share data, a desire that comes at just the right time considering the number of breached American businesses:

Congress has recently taken significant action to minimize the legal risks for companies voluntarily sharing cyber incident information with the passage of the Protecting Cyber Networks Act (HR-1560) and the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731). These bills provide liability protection for companies that share cyber threat indicators and defensive measures to combat a threat among one another and, should they choose, with the government. It is important to note that unlike past efforts, taken together these bills are not solely aimed at encouraging companies to share cyber threat information with the government, but rather, at breaking down the barriers that often stop them from sharing even among themselves.

These bills follow closely on the Executive Order President Obama signed in February promoting private sector sharing of cyber threat information, and mirror similar proposals currently under debate in the Senate. With these actions, the U.S. government is sending a clear signal that it recognizes the vital role of information sharing in our efforts to stay ahead of our adversaries. We know that the bad guys are collaborating and yet, the defenders often have had to go it alone. This disadvantage will continue until we eliminate corporate reluctance to share information on cyber incidents.

US Tech Companies Urge Obama to Reject Government Proposals Requiring Software Backdoors for Encrypted Communications

Ellen Nakashima of The Washington Post reports how Apple, Google, and leading cryptographers are among a group of US tech companies urging President Obama to reject government proposals requiring software backdoors for encrypted communications:

FBI and Justice Department officials say they support the use of encryption but want a way for officials to get the lawful access they need.

Many technologists say there is no way to do so without building a separate key to unlock the data — often called a “backdoor,” which they say amounts to a vulnerability that can be exploited by hackers and foreign governments.

The letter is signed by three of the five members of a presidential review group appointed by Obama in 2013 to assess technology policies in the wake of leaks by former intelligence contractor Edward Snowden. The signatories urge Obama to follow the group’s unanimous recommendation that the government should “fully support and not undermine efforts to create encryption standards” and not “in any way subvert, undermine, weaken or make vulnerable” commercial software.

Here is the crux of the issue:

The issue is not simply national, said Rivest, a computer science professor at MIT who signed the letter. “Once you make exceptions for U.S. law enforcement, you’re also making exceptions for the British, the French, the Israelis and the Chinese, and eventually it’ll be the North Koreans.”

The signatories include policy experts who normally side with national-security hawks. Paul Rosenzweig, a former Bush administration senior policy official at the Department of Homeland Security, said: “If I actually thought there was a way to build a U.S.-government-only backdoor, then I might be persuaded. But that’s just not reality.”

Rosenzweig said that “there are other capabilities” that law enforcement can deploy. They will be “less satisfying,” he said, but “they will make do.”

What it boils down to is convenience: US law enforcement agencies want the quickest and easiest method of obtaining access to encrypted data. Thankfully, Congress seems uninterested in such legislation, so it’s doubtful there is much to worry about. However, knowing that this capability is being peddled as a potential law is something we all need to stay abreast of, so we can take the necessary actions to stop such stupidity should it become necessary.

NSA Apologist Burr Preps Backup Spying Plan As House Threatens Defunding

The National Journal on Senate Intelligence Chairman Richard Burr working on a “backup” plan to extend the Patriot Act’s surveillance authorities before they expire at the end of the month, even as House leaders threaten to jam the Senate with their spying-reform bill:

House Majority Leader Kevin McCarthy on Monday pushed the Senate to pass a House bill reauthorizing parts of the National Security Agency’s bulk phone-records program and said his chamber will not remain in session to wait for the Senate despite the end-of-May deadline.

But even as McCarthy made his threat, senators supportive of the NSA’s bulk collection of U.S. call data indicated that they aren’t concerned about the House using the calendar against them. And the time crunch won’t prevent them from seeking other alternatives.

“It’s not like they’re going to jam us on Thursday and leave town and make us believe we can’t send them something else,” Burr, one of the chief defenders of the NSA-spying status quo, told reporters. “We can.”

Although quite a few people in Congress are finally coming to terms with the pointlessness of the current NSA spying, there remains a strong legion of staunch defenders of such unabated powers. This is a fight worth paying close attention to, as it affects every single person in the United States.

National Defense Authorization Act Passes the House with Cyber Amendments

The National Law Review on the National Defense Authorization Act passing in the House with cyber security-related amendments:

During the floor debate, a number of amendments related to cybersecurity were added to the bill. Rep. Mark Walker (R-NC) offered two amendments that both were included in the final bill – one regarding how defense contractors share information on cyber threat indicators with the federal government and a second amendment related to cyber acquisition standards. In addition, Rep. Will Hurd (R-TX) also introduced a successful amendment that would allow the Department of Defense to pay for cyber certifications and training for its cyber professionals.

The Senate Armed Services Committee also marked up its NDAA bill last week. The bill is expected to be considered on the Senate floor this summer. As international relations with Russia and China continue to be contentious and concerns about terrorism continue, we expect the Senate to seek to add additional cybersecurity amendments on the Senate floor.

The latter amendment is highly important to ensuring the Department of Defense can retain its cyber professionals. Since DoD requires people in cyber security positions to hold certifications, it only makes sense for DoD to pay for the certifications and training. DoD has actually done this for quite some time, but recently cut the funding due to a lagging budget.

I found the following about the Defense Industrial Base quite interesting:

Last week, the Defense Security Information Exchange officially announced that it would be rebranded as the Defense Industrial Base Information Sharing and Analysis Organization (ISAO). This is the first official ISAO that has been named since President Obama issued his Executive Order in February calling for the creation of a network of ISAOs to share cyber threat information between a variety of public and private sector entities. Other groups, such as the American Bar Association and the state of Virginia, have indicated their interest in creating an ISAO as well.

The U.S. Department of Homeland Security (DHS) will hold a workshop on June 9 in Cambridge, Massachusetts to discuss ISAO engagements and how to form an ISAO. In addition, DHS is working to identify an organization that will set up and manage the ISAO Standards Organization, which is charged with drafting a set of voluntary guidelines for the creation and function of ISAOs. The Department is expected to announce the organization this summer so that it will be fully functioning by this fall.

Copyright © 2015, Scott Jarkoff, & all respective content owners.