President Obama’s February 12 State of the Union address included the announcement of an executive order intended to permit greater sharing of information about possible threats to the nation’s cyber security among private companies and between private companies and the government.
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said in the speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
The executive order permits businesses to enter voluntary information-sharing agreements in which they provide the government with information about possible cyber threats to the grid. In return, the government is permitted to provide private companies with classified technical information.
This is an admirable goal, and we support the president’s efforts to keep the nation safe in this way. However, it’s not the end of the story.
Last year, legislation was introduced in Congress to provide protection from liability to companies that share information about possible cyber attacks with each other and with the government. That legislation, however, did not pass, and some form of it will be introduced again this year. Sen. Tom Carper (D-Del.), the new chairman of the Senate Homeland Security and Governmental Affairs Committee, has pledged to make a cyber security bill a high priority.
One important aspect of possible legislation of this type is whether it contains adequate safeguards to protect privacy. Last year, privacy advocates pointed out that in the name of protecting the nation against cyber threats, many versions of the bill contained provisions that allowed for “nearly unlimited monitoring of user data.”
If a final bill contains adequate privacy safeguards, we would support it, along with the executive order, as a means of keeping the nation safe.
In March 2012, a resolution was introduced in the U.S. House of Representatives that would urge the U.S. Permanent Representative to the United Nations to oppose any resolution that would regulate the Internet. It is unfortunate that it turns out to be necessary to forestall Internet regulation at the U.N. level, but that appears to be the case. We support this resolution.
The resolution, House Concurrent Resolution 114, was introduced by Rep. Michael McCaul (R-Tex.) and Rep. Jim Langevin (D-R.I.), co-chairs of the House Cybersecurity Caucus, in response to growing fears that some nations will seek to regulate and censor the Internet. The sponsors cited a September letter from China, Tajikistan, Russia, and Uzbekistan outlining their plan to introduce a United Nations resolution on Internet governance.
Rep. Langevin said in a statement, “The proposals by some nations to gain international approval of policies that could result in Internet censorship would be a significant setback for anyone who believes free expression is a universal right. It must be made clear that efforts to secure the Internet against malicious hacking do not need to interfere with this freedom and the United States will oppose any attempt to blur the line between the two.”
The resolution was referred to the House Committee on Foreign Affairs on March 26, 2012, and no action has occurred on it since then.
Internet freedom has been a hotly debated issue on Capitol Hill in recent months with the Senate’s Protection of Intellectual Property Act (PIPA) and the House’s Stop Online Privacy Act (SOPA) becoming the focus of protests that eventually helped defeat the bills.
The Issue of Internet privacy will soon be dealt with at the international level. The World Conference on International Telecommunications (WCIT) is scheduled for December 2012, and countries such as China and Russia are expected to try to expand the authority of the International Telecommunications Union (ITU). The ITU is the United Nations agency that is responsible for worldwide standards in telecommunications, including regulation of the Internet.
The proposals that are expected to be considered could dramatically affect the Internet. Russian Prime Minister Vladimir Putin said last June that his goal is to establish “international control over the Internet” through the ITU. Accordingly, it’s understandable that many Americans fear that other nations could employ a new regulatory scheme to censor the Internet and control access to information. One reason that some of the protesters were so strongly opposed to SOPA and PIPA was the fear that once tools exist for regulating Internet content, they can be prone to abuse.
Internet access improves the quality of life for people across the world and represents a triumph of freedom of expression. Any agreement like the ones expected to be sought at the WCIT could have dramatic chilling effects on the freedom of the Internet. We will keep you up to date on any movement in Congress or in the United Nations regarding Internet freedom.
One of the features of crimes committed over the Internet is that they may be committed from anywhere in the world where a defendant has access a computer. A current case in New York shows that extradition likewise can reach around the globe.
On April 19, 2012, Anton Ivanov was extradited from Estonia to face charges of conspiracy to commit wire fraud and computer intrusion, among other offenses, in the U.S. District Court for the Southern District of New York. Ivanov is one of a number of defendants accused of a technologically sophisticated scheme that used malware and other techniques to reroute Internet traffic to websites chosen by the defendants because they were paid for driving traffic to those websites. According to the government, more than four million computers located in over 100 countries were infected with the malware as part of the scheme, which allegedly netted millions of dollars for the defendants.
Victims’ computers allegedly became infected with the malware when they visited certain websites or downloaded certain software to view videos online. The malware enabled the defendants to digitally hijack internet searches by changing the DNS server settings on victims’ computers to reroute their searches to “rogue DNS servers” controlled and operated by the defendants. Victims were re-directed to unwanted websites either when they clicked on internet search links that they thought would take them to other websites (what the government refers to as “click hijacking”) or through advertisements that Ivanov and others allegedly substituted for advertisements that were supposed to appear on particular web pages (what the government calls “advertising replacement fraud”). Arrangements have been made to substitute legitimate servers for the rogue servers as a temporary remediation measure so that victims’ computers will not lose their ability to access websites.
Ivanov has not yet indicated what his defense will be to the charges. He faces a maximum sentence of 85 years in prison in the case, which is pending before U.S. District Judge Lewis A. Kaplan. His next court appearance is set for April 23, 2012. Ivanov’s co-defendants in the case include five other Estonian nationals also arrested in November 2011 who are in custody in Estonia, and one Russian national, who remains at large.
As the Internet continues to expand to include a greater portion of the global economy, the ability to reach enormous numbers of computers will create incentives for technologically savvy wrongdoers to manipulate Internet users for illegal purposes. This case shows that the scale on which Internet conduct operates will mean that affiliate marketers and others who direct traffic on the Internet will be the subject of scrutiny by federal authorities. Even companies that are engaged in legitimate Web-based businesses need to be aware of this possible scrutiny.
The two iPad hackers who obtained the personal data of approximately 120,000 iPad users by exploiting a security weakness in AT&T’s resubscription page are now facing federal charges and potential jail time.
After the hackers publicized their activities, the FBI started an investigation that ended with criminal charges against the hackers. The hackers were charged with conspiracy to access a computer without authorization and with fraud for intending to use the personal information that was collected. The charges are that they collected the usernames, e-mail addresses, billing addresses, and passwords of AT&T customers through their computer program and intended to profit from the personal data.
A review of case law under the relevant statute shows that there have been a limited number of cases with these types of charges. Further, the complaint itself alleges that the hackers used the information to e-mail board members of multiple news outlets. The e-mails noted that personal data had been taken from an unsecured AT&T server, adding, “If a journalist in your organization would like to discuss this particular issue with us, I would be happy to describe the method of theft in more detail.”
This suggests that the hackers’ goal was probably publicity rather than profit. They were interested in getting their story out — and any attempt to profit from the data was, at most, a secondary consideration, which may not satisfy the statutory requirement of unauthorized access to a computer “with intent to defraud.”
Moreover, the statute itself exempts any unauthorized access where the only thing obtained was the use of a computer and the value of such use was less than $5,000 per year. Here, although the hackers did discuss selling the information, it is still highly questionable whether their actions reached the requisite dollar threshold. The prosecutors say AT&T has spent approximately $73,000 to remedy the security breach. That cost was not caused by the hackers, however, because the security breach was always there and the hackers merely identified its existence. Either way, AT&T needed to fix the security breach and had to pay that sum in any case.
Despite any weaknesses in the prosecution’s case, the publicity given to the hackers’ feat probably encouraged the authorities to press charges and thereby reassure the public that Internet security is safe and that all violators will be held accountable.
It has been widely reported that the Obama administration will soon announce a proposal designed to strengthen consumer privacy on the Internet. The plan, calling for new laws and a new “watchdog” position to oversee the effort, is expected to be part of an upcoming Commerce Department report.
The concern about online privacy is well founded. Few consumers realize the extent to which their information is collected, bundled and sold to Internet marketers. Most websites employ tracking technologies that gather consumers’ search and spending habits to create detailed dossiers that are then sold to Internet marketers. And there is no comprehensive U.S. law that protects consumer privacy online.
But we question whether a new law is needed. As the nation’s consumer protection agency, the Federal Trade Commission has been successfully prosecuting companies accused of violating consumer privacy both on and off the Internet for many years. The FTC’s mandate against deceptive and unfair practices is broad enough to encompass any conceivable privacy violation.
Moreover, the Obama proposal faces opposition from both privacy advocates, who claim that the plan doesn’t go far enough, and from the Republican-controlled House of Representatives, which is unlikely to support legislation that could strengthen the FTC.
In addition, some privacy advocates have expressed concern that the Obama plan is based on industry self-regulation and is therefore “toothless.” While we agree that leaving the industry to regulate itself is not sufficient, there are viable ways to combine self-regulation and government enforcement. In fact, the wildly popular Do Not Call law is a good example of such a model. The FTC is expected to call on the industry to develop an Internet version, a “do-not-track” tool that people could use to remove themselves from online surveillance by marketers and others. The recommendation will be included in an upcoming FTC report on Internet privacy, expected to be released in December.
The FTC already has a number of tools to protect consumer privacy online. These include holding companies to their privacy promises about how they collect, use and secure consumers’ personal information; enforcing rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information; and ensuring consumer privacy under the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act. At this point, a new law and a new set of bureaucrats don’t seem necessary.
The Wall Street Journal has just reported that the National Security Agency is planning to deploy electronic “sensors” in the private computer networks of major companies around the nation. The idea is to detect cyber-attacks by outside forces against companies involved in critical infrastructure like electric or nuclear plants.
Cyber-terrorism is a real threat, and the NSA is the only government agency, probably the only entity of any sort in the nation, that is truly equipped to monitor it. According to the article, national security officials are concerned about possible Chinese and Russian surveillance of our crucial computer networks.
However, the “Big Brother” aspect of this program is inescapable. Like many such programs, it began with a piecemeal effort and with the establishment by the government of co-operative relationships with private industry. But where will the program end? Conceivably, the government will soon routinely gain access to the private data of dozens of companies. Although it will surely pledge not to misuse this information, these pledges can’t always be trusted.
And the article notes that while the government can’t force any company to permit “sensors” to be introduced, it “can provide incentives to urge them to cooperate, particularly if the government already buys services from that company.” That would include pretty much every government contractor – or in other words, every major company.
A few days ago, we noted in this blog that the FBI is now investigating possible instances of white-collar crime by deploying its massive electronic surveillance capacity.
Now, with the NSA’s involvement in cyber-defense, we are again seeing the tentacles of government in the private sector, in the name of a good cause. This is troubling indeed.
At a blue-ribbon Worldwide Cybersecurity Conference in Dallas from May 3 to May 5, 2010, media reports noted that some discussion focused on the use of the term ”cyberwar,” which is often used to refer to the activities of hackers and others who steal online secrets, disrupt computer systems and other infrastructure, and engage in financial fraud online.
Some security specialists think that the term “cyberwar” is simply the wrong word for illegal activities that amount to out-and-out theft and don’t have anything to do with governments or armies. The White House’s cybersecurity coordinator, Howard Schmidt, is one of them. He says “cyberwar” is an inaccurate metaphor. These people aren’t engaged in a war any more than bank robbers are.
The term “cyberwar” is actually defined in online dictionaries as “an assault on electronic communication networks,” and it should be limited to that meaning. As author Jeffrey Carr wrote in Forbes in March, “If everything is considered a war, then you lose the ability to respond appropriately.”