The term “cybersecurity” has long been a comically ubiquitous utterance in Washington. But recent proposals from Congress, the White House and the intelligence community are straining the word’s meaning to dubious ends.
For most Americans, cybersecurity is the protection we desperately need in response to the dwindling separation between our physical and digital lives. Two-thirds of Americans now carry pocket-size computers full of intimate data that are connected to the Internet at all times, and cars, refrigerators and thermostats are not far behind. After a year of high-profile hacks — from the crippling compromise of Sony Pictures to major intrusions at Target, Home Depot and most recently the health insurance giant Anthem — who would say no to cybersecurity?
But D.C.’s cybersecurity rhetoric is a political smokescreen. Though based on real threats, its purpose is to rally support for sweeping policies such as the Cyber Information Sharing Act (CISA), Congress’ latest attempt at cybersecurity legislation, that merely enable more surveillance.
Redundant and ineffective
What CISA proposes is nothing new; in fact, it’s the same controversial plan that members of Congress have been pushing for years. Rather than protect average Americans’ data by creating liability for companies that fail to follow standards or investing in better security technologies, the bill would establish a system in which private companies share threat information with the government, including personal information collected from users.
The many previous versions of this sharing program have been called a privacy nightmare, and the current iteration is pretty much a carbon copy. It allows private companies to share any information deemed to be an indicator of a cyberthreat (called a signature) — free of liability and without any guarantee that a review process has taken reasonable steps to remove personal information beforehand.
Once shared, the National Security Agency will be able to access all the data in real time, and law enforcement agencies will be allowed to retain and use it for a broad set of purposes, not just imminent threats to life and limb. The bill even gives companies permission to retaliate against hackers, as long as they don’t intentionally damage another U.S. entity’s computer systems in the process. (Foreign systems are fair game.)
How, exactly, would this improve cybersecurity? Perhaps unsurprisingly, the logic is almost identical to that of the U.S. government’s counterterrorism strategy. The thinking goes that if the government and the private sector were able to more quickly and easily share cyberthreat information, they could learn about the attackers’ tools and techniques, respond to breaches faster and perhaps even deter attacks.
But experts overwhelmingly agree that such information sharing would be redundant and ineffective. In a Feb. 25 Christian Science Monitor poll of top cybersecurity thinkers, 87 percent said that information sharing would not significantly reduce data breaches.
That includes Dan Geer, the chief information security officer at In-Q-Tel, the Central Intelligence Agency’s dedicated venture capital arm. Speaking with The Christian Science Monitor, he noted that cyberthreat-sharing programs already exist to such an extent that “the U.S. government has nothing to add unless it wants to just give all the [companies’] chief information security officers a clearance — which, incidentally, they have largely done for the bigs but not for the littles.”
“This is why government threat signature sharing initiatives are such a nothing-burger,” one Silicon Valley executive told CNBC last week. “The signatures are of limited value and only a few select companies with clearances can actually use them.”
Jeff Moss, a member of the White House’s Homeland Security Advisory Council and the founder of the hacker conference Def Con, had a similar response to the poll, saying, “Information sharing allows better and faster Band-Aids but doesn’t address the core problem.” Geer said, “The big data breaches are so often the result of not paying attention by the victim.”
Which raises the question: if the U.S. government really wants to protect Americans from security breaches, why does it coddle giant corporations when they are hacked instead of enforcing stricter security practices and holding companies liable when they unnecessarily put their customers at risk?
The Sony Pictures hack, which the FBI controversially claimed was perpetrated by North Korea, was immediately politicized in Washington as an attack on free speech. Yet individuals and civil society organizations that regularly face state-sponsored attacks, including refugees escaping oppressive governments, receive no such support. Meanwhile, companies use terms of service and license agreements to absolve themselves of any responsibility when customer data they are entrusted with is stolen, even when the breach could have been prevented or mitigated by taking simple precautions.
Privacy at risk
So far, the only proposal in Washington that puts corporations on the line is found in a separate cybersecurity plan, presented by President Barack Obama during the State of the Union, that would establish a mandatory 30-day disclosure deadline for announcing data breaches, ensuring customers will be informed promptly if their information is compromised. That plan also puts forth new rules protecting the data of students using apps and online services in classrooms.
These are good first steps. But it’s hard to believe that Obama is really committed to improving cybersecurity when parts of his administration are working to undermine it.
Last Tuesday, Obama blasted the Chinese government for a new counterterrorism bill that would force tech companies to insert backdoors into their products, giving Chinese authorities the means to access private data and conversations. And yet just the previous week at a cybersecurity conference in D.C., NSA Director Adm. Mike Rogers joined a long-running campaign that advocates for the exact same thing for U.S. law enforcement and intelligence agencies. When asked by Alex Stamos, Yahoo’s chief information security officer, whether under that logic his company would be expected to insert backdoors for the Chinese, Russian or Saudi Arabian governments, Rogers dodged the question.
Security experts have warned again and again that you can’t implement backdoors (or “golden keys,” as the FBI prefers to call them) for only the good guys. Doing so necessarily creates security flaws that anyone, from criminals to hostile nation-states, can find and exploit.
This isn’t merely theoretical: Just last week, researchers discovered a critical bug in commonly used Web encryption that is a direct result of the U.S. government’s intentionally weakening encryption in the 1990s. The bug allows attackers to decrypt communications by fooling websites into using a purposely flawed encryption scheme originally implemented for international versions of some Web browsers before U.S. export laws were loosened; it was created so that intelligence agencies could more easily eavesdrop on foreign targets. (Ironically, sites that were affected by the vulnerability included NSA.gov, WhiteHouse.gov and the FBI’s tip-reporting site.)
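The downgrade described above works only if a server is still willing to negotiate an export-grade cipher suite, so the practical defense is to make sure it never offers one. The following Python audit is an added example, not code from the article or from the researchers it mentions: it flags export-grade suite names in a list a server advertises (the list here is a constructed sample in IANA naming), builds a hardened `ssl.SSLContext`, and confirms that the context offers no such suite. The name-matching rule and the cipher string are my own assumptions about a reasonable modern configuration.

```python
import ssl

# Constructed sample of suite names a legacy server might advertise (IANA naming).
# The two *_EXPORT_* suites use the deliberately weakened "export" RSA keys that
# the downgrade relies on; a server that still offers them is exposed.
SAMPLE_ADVERTISED = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def export_grade(suite_names):
    """Return the export-grade suites found in a sequence of suite names.

    IANA names carry 'EXPORT'; OpenSSL's short names start with 'EXP-'.
    Matching on the name is an assumption that covers both conventions.
    """
    return [s for s in suite_names if "EXPORT" in s or s.startswith("EXP-")]


def hardened_server_context():
    """Build a server context that cannot negotiate export or other weak suites.

    TLS 1.2 is the floor, and the cipher string limits TLS 1.2 to forward-secret
    AEAD suites, so export-grade suites are never on offer no matter what the
    peer requests. The exact string is a sensible modern choice, not a standard.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def context_offers_export(ctx):
    """List the export-grade suites a context would offer (empty means safe)."""
    return export_grade(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("legacy list offers:", export_grade(SAMPLE_ADVERTISED))
    ctx = hardened_server_context()
    print("hardened context offers:", context_offers_export(ctx) or "none")
```

Run the script as-is to see the legacy sample flagged and the hardened context come back clean; the same `export_grade` check can be pointed at the suite list from a real server scan to audit a deployment.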
Let’s not be fooled: “Cybersecurity” measures such as CISA and mandatory backdoors are about surveillance, not security. We’re not going to become more secure simply by letting the FBI and NSA spy on everything. If the government wants to get serious about cybersecurity, it should be funding security researchers, establishing best practices and cracking down on companies that leave their customers vulnerable. Creating more methods for collecting data only puts our privacy and security at risk.