May 17, 2013

CISPA cybersecurity bill backers hope second time’s a charm

NBC News
by Alina Selyukh & Deborah Charles (Reuters)
May 16, 2013

WASHINGTON (Reuters) –

Six months after a U.S. cybersecurity bill died in the Senate, some Obama administration officials and lawmakers are optimistic they can get a new law passed amid heightened public awareness of hacking attacks and cyber espionage.

With top intelligence officials warning that cyber attacks have replaced terrorism as the leading threat against the United States, the White House and lawmakers have spent months discussing how to improve the flow of information between the government and the private sector.

A second go-around for the Cyber Intelligence Sharing and Protection Act (CISPA) was approved by the Republican-controlled House of Representatives in a bipartisan vote on April 18, though the White House has again threatened to veto the bill unless more protections for privacy and civil liberties are added.

Still, senior Obama administration officials say behind-the-scenes talks with lawmakers this time around are constant, more serious and more productive.

“I actually think that the outlook is significantly better than it was last year,” the White House cybersecurity policy coordinator, Michael Daniel, told the Reuters Cybersecurity Summit in Washington this week. “What has impressed me has been the willingness of everybody involved to actually continue having those discussions and to continue that extensive level of dialogue trying to find some solutions.”

While Daniel cautioned that it is never easy to get the divided House and Senate to agree to anything, he predicted that final cyber legislation might be seen by the fall.

“A lot of us are concerned about getting a good piece of cybersecurity legislation before something really bad happens. As a general rule, legislation that is produced immediately after a crisis is not as good as the stuff that can be done when it’s more thought-out,” he said.

Last year, the Senate failed to pass a comprehensive cybersecurity bill that combined information-sharing provisions similar to those in the current CISPA with voluntary cybersecurity standards for businesses that control critical U.S. infrastructure.

Since then, President Barack Obama has signed an executive order that directs government officials to set voluntary standards to reduce cybersecurity risk and offer incentives to private companies to adopt them.

A series of high-profile cyber attacks — such as repeated disruptions of the online banking sites of major U.S. banks, or markets plunging on a fake message on the AP Twitter feed about a White House bombing that never happened — have built momentum behind cyber legislation.

* Separate bills

The Senate does not plan to vote on CISPA, but is expected instead to take up its own cyber-related bills. On Wednesday, Senate Intelligence Committee Chairman Dianne Feinstein, a California Democrat, said her panel was drafting a version of an information-sharing bill.

Congressional aides said staff and lawmakers from both sides of the aisle are constantly meeting on the issue. One Senate aide said it was a collaborative process to agree on multiple key elements to make the overall law stronger.

Representative Mike Rogers, chairman of the House intelligence committee and CISPA co-author, said key senators including Feinstein were “completely all in” on the need to pass a cybersecurity law. The Michigan Republican predicted that House and Senate lawmakers could work out an agreement on at least an information-sharing bill.

“I think we’re finally coming to the consensus here that hey, let’s pass what we can pass and take another bite. This isn’t the end-all cure-all,” Rogers told the summit.

He said a meeting was scheduled this week — with more to come — between the House and the Senate to discuss in detail the elements of cyber legislation and see where compromise could be reached, without starting completely from scratch.

Rogers predicted that if a bill could pass through both houses of Congress, Obama would sign it despite the veto threat.

* Urgent need

Top administration officials have underscored the urgent need for laws that would complement Obama’s executive order and help ensure the government and the private sector are on the same page when it comes to threats posed to critical U.S. infrastructure.

Homeland Security Secretary Janet Napolitano said many lawmakers received classified briefings last year on cyber threats, and better education on cyber risks means “we’re starting from a much better base” on legislation.

“There’s a lot of work going on behind the scenes,” Napolitano told the summit. “There are many fewer concerns than there were last time around.”

But officials acknowledge that hurdles remain. For example, some senators, like Homeland Security Committee Chairman Tom Carper, prefer a more comprehensive bill.

“While information sharing is an important part of our efforts, it is only one of many elements needed to properly bolster our cyber defenses,” Carper, a Delaware Democrat, said in a statement.

Other issues he says he would like to address in legislation include protections for critical infrastructure, security of federal agency networks, cyber workforce development and notification of data breaches.

Some private industry security experts were skeptical about the prospects for broad legislation, as well as the effectiveness of such laws in preventing cyber attacks. Shane Shook, chief knowledge officer at cybersecurity services company Cylance Inc, suggested the private sector should organize information sharing itself.

“Comprehensive legislation is never going to happen that can be effective over all 18 sectors,” Shook told the summit.

Ira Winkler, president of the Information Systems Security Association, said he was skeptical that any meaningful legislation would pass this year, barring a major cyber attack that damaged U.S. infrastructure.

“We hear about wake-up calls, but people keep hitting the snooze button,” he said.


— Additional reporting by Andrea Shalal-Esa and Thomas Ferraro

Direct Link:  http://www.nbcnews.com/technology/cispa-cybersecurity-bill-backers-hope-second-times-charm-1C9948195#cispa-cybersecurity-bill-backers-hope-second-times-charm-1C9948195

Mar 27, 2013

Draft bill would make CFAA even worse

The dangerously broad cybercrimes legislation needs changing, but in the opposite direction to new House proposals

Salon
by Natasha Lennard
March 25, 2013

Aaron Swartz (Credit: Wikipedia)

In recent months, especially in light of Aaron Swartz’s suicide and Andrew ‘Weev’ Auernheimer’s prison sentencing, calls for reform to or disposal of the Computer Fraud and Abuse Act (CFAA) have amplified to a fever pitch. If a draft cybersecurity bill from the House Judiciary Committee is anything to go by, however, these cries for change have fallen on deaf ears.

As noted here, following Swartz’s death, Rep. Zoe Lofgren proposed legislation, “Aaron’s law,” which aims to stop the government bringing disproportionate charges in cases like Swartz’s. The draft cybersecurity bill circulating on Capitol Hill since last weekend, unlike Lofgren’s, appears to expand the CFAA, not limit it. TechDirt called the proposed bill “so bad that it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA.”

TechDirt highlights one of the most perturbing suggested amendments includes changing the law such that “conspiring” to commit what might be crimes under the CFAA would amount to actually committing the actual acts:

Section 103 of the proposed bill makes a bunch of “changes” to the CFAA, almost all of which expand the CFAA, rather than limit it. For example, they make a small change to subsection (b) in 18 USC 1030(the CFAA) such that it will now read:

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

All they did was add the “for the completed offense,” to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something (“conspires to commit”) that violates the CFAA shall now be punished the same as if they had “completed” the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.

TechDirt also notes that the proposed bill ratchets up the penalties one can receive for CFAA infractions and makes it easier for the government to seize goods.

The amended legislation would, however, adjust what it means to break the law by “exceeding authorized access” to a computer — this is a small step in the right direction. Via TechDirt:

Under the old CFAA, “accessing a computer without authorization” and “exceeding authorized access” were lumped together as a form of breaking the law. The new bill keeps the basic terms of accessing a computer without authorization the same and just ever so slightly trims back the “crime” of exceeding authorized access… While it’s good to see them ever so slightly roll back the issue of “exceeding authorized access,” it still seems broad enough that all sorts of activities that shouldn’t be seen as criminal would easily get lumped in here by aggressive prosecutors.

Demand Progress, an advocacy group founded by Aaron Swartz, was swift to condemn the content of the draft bill. “This proposal is a giant leap in the wrong direction and demonstrates a disturbing lack of understanding about computers, the internet and the modern economy. Already the outdated Consumer Fraud and Abuse Act is used by overzealous lawyers to prosecute routine computer activity. If enacted this proposal could end computer security research in the United States and drive innovation and creativity overseas,” said executive director David Segal.

Direct Link:  http://www.salon.com/2013/03/25/draft_bill_would_make_cfaa_even_worse/

Apr 28, 2012

#CISPA, #SOPA, #PIPA and #BigLobbying

Center for Responsive Politics
OpenSecrets.org
By Russ Choma
April 27, 2012

In an era when Republicans and Democrats can agree on almost nothing, one issue in the last three months has been providing common ground: rewriting the rules of the Internet. Privacy and free speech advocates have unleashed a groundswell of outrage as they’ve rushed to rally the public against the measures. But corporate backers of the proposals have fought back hard.

According to an OpenSecrets.org analysis of the most recent lobbying disclosure information, five of the top ten bills that have been lobbied the most intensely so far this year are Internet-related, and most have bipartisan and industry backing. Major cash is being laid out to push their passage.

The most recent bill to stir things up is the Cyber Intelligence and Sharing Protection Act (CISPA), which would allow private companies to share far more data on users with the federal government in what backers say is an effort to improve cybersecurity. Opponents claim it would severely undermine the privacy rights of many Americans. The bill was passed by the House last night and now faces a tougher battle in the Senate (and the threat of a veto by President Obama).

A list of companies and organizations that have sent letters of support for the bill to the House Intelligence Committee, where the legislation was created, meshes closely with the list of top lobbying groups so far this year — not to mention groups that lobbied on SOPA and PIPA.

For example, AT&T, which sent this letter, spent more money lobbying in the first three months of 2012 than any other single corporation ($7 million, second only to the mega-trade organization Chamber of Commerce, which also lobbied on CISPA though to a lesser extent). The telephone utilities industry as a whole, which includes AT&T and Verizon (which sent this letter), spent $15.3 million in the first quarter of this year, increasing its lobbying expenditures by 35 percent over the previous three months. The total laid out for lobbying by the computer/Internet industry, which includes some of the biggest backers of CISPA, SOPA and PIPA, fell 6 percent in the first quarter — but at $32.1 million, the industry was still the sixth-largest spender on lobbying among all industries so far in 2012.

It’s hard to assess how much each of these companies spent lobbying Congress specifically on CISPA — or other hot-button Internet bills — because many of these companies have a variety of issues they’re pursuing on Capitol Hill, but are required to report just one dollar amount covering everything. AT&T, for instance, spent its $7 million talking to lawmakers about 121 separate pieces of legislation.

But it’s clear that the lobbying firepower on the other side of the issue is a fraction of what supporters have. One of the most vocal opponents of CISPA is the American Civil Liberties Union – which has spent $507,000 lobbying so far this year, a 28 percent increase from the last three months of 2011. But the group used that money to lobby on 109 different bills, almost as many as AT&T. Another group that has taken a prominent stand against CISPA is the American Library Association, which has spent $54,000 so far this year, spread over 56 different pieces of legislation.

Another indication of the collective influence of backers of CISPA is the amount of money individuals or PACs affiliated with the organizations have given to key lawmakers on the issue. Last week we reported that the bill’s original sponsor, Mike Rogers (R-Mich.), had received $104,000 from groups that lobbied on the bill. With new campaign finance reports filed since that story, OpenSecrets.org data now shows that Rogers has received at least $175,000 from organizations that have lobbied on the bill. That’s about 15 percent of the total $1.1 million he has reported raising this election cycle. The top two groups: defense contractor SAIC (whose PAC has given Rogers $20,000 this election cycle) and Koch Industries (whose PAC has given Rogers over $14,500).

Check out all of the donations Rogers has received on our profile of him here, and the entire list of organizations that have lobbied on CISPA here on our profile of the legislation.

Apr 28, 2012

House Approves Controversial CISPA Cyber-Security Bill

P.C. MAGAZINE

By Chloe Albanesius
April 26, 2012

Though the House was not expected to vote on the controversial CISPA legislation until tomorrow, lawmakers approved the bill late on Thursday by a vote of 248 to 168.

206 Republicans voted in favor of CISPA, as did 42 Democrats, while 28 Republicans and 140 Democrats voted against it. Fifteen members did not vote. The full vote tally is available on House.gov.

CISPA now moves to the Senate. The White House has already threatened to veto the bill.

Privacy groups swiftly condemned the move, but bill sponsor Mike Rogers said “America will be a little safer and our economy better protected from foreign cyber predators” thanks to the Cyber Information Sharing & Protection Act.

CISPA would allow for voluntary information-sharing between private companies and the government in the event of a cyber attack. Backers argue that it’s necessary to protect the U.S. against cyber attacks from countries like China and Iran, but opponents say that it would allow companies to easily hand over users’ private information to the government.

House members debated the bill for several hours on Thursday, and offered up amendments that dealt with things like Freedom of Information (FOIA) requests, details about which agencies receive private cyber-security information, clarification on certain terms, and more.

During the debate, Rep. Jared Polis argued that the immunity clauses in CISPA would incentivize companies to hand over users’ personal information, which could land in the hands of the military and the NSA.

Rep. Mac Thornberry, however, argued that the number of cyber threats have grown rapidly in recent years, but legislation has not kept pace. CISPA tries “to close that gap between the growing threat and laws and policies, [and is] a step in the right direction,” he said.

Hurting or Helping?

Not everyone agreed. The ACLU said that “CISPA goes too far for little reason.” Security should not result in the “abdication of Americans’ online privacy,” said Michelle Richardson, ACLU legislative counsel. “As we’ve seen repeatedly, once the government gets expansive national security authorities, there’s no going back. We encourage the Senate to let this horrible bill fade into obscurity.”

The Center for Democracy and Technology (CDT), whose initial opposition prompted CISPA sponsors to alter the bill earlier this week, said it was pleased with those changes, but was still concerned with two issues: “the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity.”

CTIA, the wireless industry trade association, however, applauded “the members of Congress who voted on this important piece of legislation that will help protect our nation’s communications networks from cyber threats.”

Co-sponsor Dutch Ruppersberger, meanwhile, said CISPA is a “victory for America. Our nation is one step closer to making a real difference protecting our country from a catastrophic cyber attack.”

Direct Link:  http://www.pcmag.com/article2/0,2817,2403641,00.asp

Apr 28, 2012

The FBI Workaround For Private Companies To Share Information With Law Enforcement Without CISPA

FORBES

Kashmir Hill, Forbes Staff

April 26, 2012

A debate is currently raging in Washington, D.C. and various politically-engaged spots on the Internet over CISPA, a bill that promises to increase cybersecurity by giving private companies carte blanche to hand over information about cyberthreats they see on their networks. Lawmakers have seemingly decided the best way to fight cybercriminals is to deputize private industry and let companies with unfettered access to the evidence do the bulk of the detective work involved in outing hackers and breaking up botnet rings. That saves the government the trouble of getting pesky subpoenas and warrants as required by the Constitution and privacy laws.

Opponents worry about all kinds of sensitive information being served up to the government on a silver platter given the legal immunity granted to companies in the bill and the murky definitions of what constitutes a “cyber threat.” What has been left out of the debate thus far, though, is the model that CISPA appears in many ways to be based upon. The FBI has been information-sharing with private industry for over a decade without a bill like CISPA in place.

The NCFTA “functions as a conduit between private industry and law enforcement.”

(Art from the site)

In 1997, long-time FBI agent Dan Larkin helped set up a non-profit based in Pittsburgh that “functions as a conduit between private industry and law enforcement.” Its industry members, which include banks, ISPs, telcos, credit card companies, pharmaceutical companies, and others can hand over cyberthreat information to the non-profit, called the National Cyber Forensics and Training Alliance (NCFTA), which has a legal agreement with the government that allows it to then hand over info to the FBI. Conveniently, the FBI has a unit, the Cyber Initiative and Resource Fusion Unit, stationed in the NCFTA’s office. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI.

“We can bring the pieces of intelligence together so we can see what it really is,” says Larkin of the advantage of bringing security specialists from different sectors together.

NCFTA director Ron Plesco lists off his organization’s purpose rotely: “We do information sharing with three goals: ID the cybercrime threat, share toward mitigation, share toward neutralization of threat.”

As part of a non-profit, Plesco could not comment specifically on CISPA, which would, as currently drafted, allow companies to share much richer and more individualized data directly with the government. “We get network data,” says Plesco. “Not PII (personally identifiable information).”

That means the NCFTA can pass along information, for example, about suspicious servers or IP addresses and content from spear-phishing emails that companies are seeing in their networks, but not the names or addresses of those who appear to be affiliated with the schemes.

“We can share what we see and hear with the government,” said Ron Plesco. “We can share in aggregate, but law enforcement has to develop their cases separately and independently.”

“An FBI agent works with [an NCFTA] analyst to get up to speed,” said agent Eric Strom who has been with the embedded FBI unit since 2006 when it was installed in the NCFTA office.

Inhabiting one floor of a building in Pittsburgh and with just 15 permanent employees, the NCFTA is little-known outside of information security circles, though they have been involved in some controversial operations in the past, including Dark Market. Despite the current uproar over how and why information should be shared with the government, most civil liberty groups I spoke with had never heard of the FBI’s on-going collaboration with private industry.

“We’re not in DC. We’re in Pittsburgh. We’re off the Beltway radar,” says Plesco. “Since we’re a non-profit, we don’t get called in to do briefings on the Hill. We don’t have marketing and PR though we do occasionally get thanked in FBI press releases.”

This happened most recently after Operation Ghost Click, the FBI’s takedown of a $14-million botnet ring run by six Estonians. The Estonians had infected over four million computers with DNS-changing malware that routed their computers to rogue DNS servers allowing the cybercriminals to display ads and send traffic to sites that profited them.

Several FBI agents involved in Ghost Click spoke with me about how information sharing through the NCFTA facilitated that investigation.

In 2009, an Internet security company, which the FBI prefers not to have named, saw malware affecting a customer and passed it along to the NCFTA. Soon, they got similar reports from another security researcher and an Internet payments company. “Some researcher sees malware or spam, then it leads to something bigger,” said FBI agent Eric Strom. “It generates intelligence and reporting.”

“For a year before the case started, we were seeing spam emanating from networks that they were able to track back to a company called Rove Digital,” said FBI agent Tom Grasso in a separate interview.

The embedded FBI unit builds an initial case with intelligence from the NCFTA and then refers it out to a field office. Strom says they generated 80 cases in 2011, including Ghost Click and Coreflood (another server seizure case). New York agreed to take the Ghost Click case in 2010.

“Historically, businesses would come to FBI a month or two later, which is a lifetime in the cyberworld, and reveal they’d had a problem,” said Strom. With NCFTA, they’re more likely to pass info along in real time. “This gets the fraud investigators from the different companies talking to each other.”

One of the advantages offered by both CISPA and the NCFTA is that private companies don’t just send information into a governmental black hole; they can get information back from the government about ongoing investigations, because they become partners with them.

Grasso started a mailing list with all the folks who had been tracking the malware activity, so they could continue to share information about what they were seeing on their networks.

“We had bimonthly teleconferences with FBI and private industry folks who would come into the office,” says Grasso. He said they had about 25-30 people at each meeting, including fraud and abuse researchers from private companies, and importantly from ISPs such as Cox, Century Link, Qwest, and Verizon (Correction: Representatives from ISPs were involved at a later stage, during meetings to discuss how to keep victims online after rogue DNS servers were seized). “It was the first time we brought private industry people in like that. These folks were giving up so much intel. We wanted them to know it wasn’t going into a black hole.”

As the New York office got close to taking the ring down through working with law enforcement in Estonia, they realized that people with infected computers would lose Internet access when the FBI seized the rogue servers that were operating out of New York and Chicago. The NCFTA collaboration came in handy again.

“We needed a solution to keep people online,” said Grasso. The malware had changed IP addresses to redirect infected computers to the DNS servers that were about to be seized. “We knew we couldn’t get on people’s computers and change the IP addresses back.”

So the FBI had to arrange for temporary servers so that 500,000 people in the U.S. wouldn’t suddenly lose their Internet service. “Running DNS servers is tricky because you see browser activity,” said Grasso. So they decided the FBI shouldn’t run the servers directly. Instead they had a third party ISP, ICS, run them. “The servers are recording the IP addresses of infected computers and those are being given to ISPs so they can notify users.”

(That ends soon, though, so make sure your computer isn’t infected or you lose service come July.)

Operation Ghost Click earned the NCFTA quiet raves. And quiet is how they like it to be.

It’s worth paying some attention now, though, to highlight that CISPA and the idea of information sharing are not a novel approach to cybersecurity.

“Information sharing is already going on,” said Allan Friedman, a technology fellow at the Brookings Institute, who pointed also to ISAC — a sector specific information sharing program set up by Bill Clinton in the 90s. “As we expand it, we need to understand what has failed and what has been successful.”

And to understand that, we perhaps need closer looks and more exposure of information sharing that’s already happening. It’s rather shocking that Congress has not called anyone from the NCFTA to the Hill to testify about how they function and how CISPA would change what they can do, or even make the need for a non-profit to facilitate information handovers obsolete.

Direct Link:  http://www.forbes.com/sites/kashmirhill/2012/04/26/the-fbi-workaround-for-private-companies-to-share-information-with-law-enforcement-without-cispa/