Making the world safe for Sony
With the stroke of a pen Wednesday, President Barack Obama christened his country’s latest national emergency, issuing an Executive Order he said was necessary to address “an unusual and extraordinary threat” from malicious hackers abroad.
"Starting today,” wrote the president in his, uh, blog post on the order, “we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit."
The action has been termed unprecedented. The Department of the Treasury is directed to impose sanctions on anyone judged to be involved in these cyber attacks, but the criteria for who or what could be subject to those sanctions are incredibly broad. The order states the government can target nations or individuals involved — directly or indirectly — in “cyber-enabled activities” that are “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” That includes, but is not limited to, anyone “causing a significant disruption to the availability of a computer” that supports critical infrastructure; “causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain”; or even simply using, receiving or otherwise benefiting from “trade secrets misappropriated through cyber-enabled means.”
Apart from dams and nuclear power plants, a 2013 administration order designated “commercial facilities” — including movie studios, casinos, hotels and shopping malls — as one of those “critical infrastructure” sectors recognized by the Department of Homeland Security.
That's a big set of crosshairs. One can imagine a whole host of scenarios where cyber sanctions seem almost destined to be misused.
What about activists engaged in online civil disobedience, like how members of Anonymous flooded PayPal with phony web requests to protest its refusal to process donations for WikiLeaks in 2010?
Could whistleblowers or foreign journalists who release internal documents from some U.S. corporation be described as “misappropriating trade secrets for commercial or competitive advantage?”
And how about a security researcher who publishes information about a critical bug that a software company refuses to fix? Could warning customers about the vulnerability be construed as utilizing “trade secrets misappropriated through cyber-enabled means?”
The order comes at a time of heightened cyber hysteria in Washington, with controversial bills in the Senate and House proposing “cybersecurity” measures that would give corporations a green light to share data about online threats (and consequently, U.S. citizens) with the government. Privacy advocates have heavily criticized the proposals, calling them a ploy to enable more surveillance, and security experts overwhelmingly agree that information sharing won't significantly reduce security breaches.
The panic began in earnest last December after the devastating hack of Sony Pictures, which the FBI controversially attributed to North Korea. The Department of Homeland Security described the hack as an “attack on free speech” after Sony briefly decided to cancel the theatrical release of “The Interview,” a comedy film about a bumbling CIA attempt to assassinate North Korean leader Kim Jong-un. But the DHS decree looked more like a reassuring wink to Hollywood and corporate America than a stirring defense of the First Amendment.
That high-profile breach inevitably set the tone for the cybersecurity debates in Congress, and could provide a window on what Obama's executive order is really about. Public interest organizations and political refugee groups in the U.S. are hacked by foreign governments all the time — but when a multimillion-dollar Seth Rogen buddy comedy is the target, that’s where the government draws the line.
Perhaps the most unsettling aspect of the order is that it's dressed as a “national emergency,” much like the one that paved the way for the Authorization for the Use of Military Force and other anti-terrorism measures shortly after 9/11 (emergency laws which, you may recall, are still on the books more than a decade later).
With the U.S. routinely launching its own cyber attacks and economic espionage against foreign allies, that “emergency” might be here to stay.