President Obama’s February 12 State of the Union address included the announcement of an executive order intended to permit greater sharing of information about possible threats to the nation’s cyber security among private companies and between private companies and the government.
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said in the speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
The executive order permits businesses to enter voluntary information-sharing agreements in which they provide the government with information about possible cyber threats to the grid. In return, the government is permitted to provide private companies with classified technical information.
This is an admirable goal, and we support the president’s efforts to keep the nation safe in this way. However, it’s not the end of the story.
Last year, legislation was introduced in Congress to provide protection from liability to companies that share information about possible cyber attacks with each other and with the government. That legislation, however, did not pass, and some form of it will be introduced again this year. Sen. Tom Carper (D-Del.), the new chairman of the Senate Homeland Security and Governmental Affairs Committee, has pledged to make a cyber security bill a high priority.
One important aspect of possible legislation of this type is whether it contains adequate safeguards to protect privacy. Last year, privacy advocates pointed out that in the name of protecting the nation against cyber threats, many versions of the bill contained provisions that allowed for “nearly unlimited monitoring of user data.”
If a final bill contains adequate privacy safeguards, we would support it, along with the executive order, as a means of keeping the nation safe.
In March 2012, a resolution was introduced in the U.S. House of Representatives that would urge the U.S. Permanent Representative to the United Nations to oppose any resolution that would regulate the Internet. It is unfortunate that it turns out to be necessary to forestall Internet regulation at the U.N. level, but that appears to be the case. We support this resolution.
The resolution, House Concurrent Resolution 114, was introduced by Rep. Michael McCaul (R-Tex.) and Rep. Jim Langevin (D-R.I.), co-chairs of the House Cybersecurity Caucus, in response to growing fears that some nations will seek to regulate and censor the Internet. The sponsors cited a September letter from China, Tajikistan, Russia, and Uzbekistan outlining their plan to introduce a United Nations resolution on Internet governance.
Rep. Langevin said in a statement, “The proposals by some nations to gain international approval of policies that could result in Internet censorship would be a significant setback for anyone who believes free expression is a universal right. It must be made clear that efforts to secure the Internet against malicious hacking do not need to interfere with this freedom and the United States will oppose any attempt to blur the line between the two.”
The resolution was referred to the House Committee on Foreign Affairs on March 26, 2012, and no action has occurred on it since then.
Internet freedom has been a hotly debated issue on Capitol Hill in recent months, with the Senate’s Protection of Intellectual Property Act (PIPA) and the House’s Stop Online Piracy Act (SOPA) becoming the focus of protests that eventually helped defeat the bills.
The issue of Internet privacy will soon be dealt with at the international level. The World Conference on International Telecommunications (WCIT) is scheduled for December 2012, and countries such as China and Russia are expected to try to expand the authority of the International Telecommunications Union (ITU). The ITU is the United Nations agency that is responsible for worldwide standards in telecommunications, including regulation of the Internet.
The proposals that are expected to be considered could dramatically affect the Internet. Russian Prime Minister Vladimir Putin said last June that his goal is to establish “international control over the Internet” through the ITU. Accordingly, it’s understandable that many Americans fear that other nations could employ a new regulatory scheme to censor the Internet and control access to information. One reason that some of the protesters were so strongly opposed to SOPA and PIPA was the fear that once tools exist for regulating Internet content, they can be prone to abuse.
Internet access improves the quality of life for people across the world and represents a triumph of freedom of expression. Any agreement like the ones expected to be sought at the WCIT could have dramatic chilling effects on the freedom of the Internet. We will keep you up to date on any movement in Congress or in the United Nations regarding Internet freedom.
In recent testimony before the Senate Judiciary Committee, Pablo Martinez, the Secret Service’s Deputy Special Agent in Charge, testified regarding recent trends in cybercrime and the efforts of the Secret Service to combat those emerging threats.
That’s right, besides its responsibility to protect the President and other VIPs, the Secret Service plays a little-known role in combating cybercrime. In fact, the Secret Service currently has nearly 1,400 special agents in its Electronic Crimes Special Agent Program.
The Secret Service was the original guardian of our financial systems. That authority has been reinforced by various acts of Congress, which expanded the Secret Service’s responsibility to include access device fraud, as well as concurrent jurisdiction over identity theft, computer fraud, and bank fraud.
Martinez touched upon three timely issues: the current porous legal framework, the emerging threat of syndicated cyber-criminal organizations, and the trend of criminals to focus their efforts on smaller businesses and individuals.
The current regulatory framework consists of a patchwork of overlapping and interwoven state laws, a regime with many gaps. Therefore, the Obama administration has proposed additional measures to protect consumers from identity theft and to simplify the current framework to permit easy and efficient reporting and investigations of data breaches.
Similarly, speaking in November 2011 at a conference sponsored by the Economic Crime Institute of Utica College, Keith Prewitt, the Secret Service’s Deputy Director, said the Secret Service “has observed a marked increase in the quality, quantity, and complexity of cybercrimes.”
“While many cybercriminals steal money and information,” Prewitt said, “there are those who also seek to destroy, disrupt, and threaten the delivery of critical services.”
Martinez noted in his testimony that “Secret Service investigations have shown that complex and sophisticated electronic crimes are rarely perpetrated by a lone individual.”
Rather, online criminals gather in organized networks and use clearly defined roles, much like an online Mafia, in planning their criminal enterprises, which predominantly consist of stealing data and selling it for a profit. In an effort to combat these online criminal syndicates, the Obama administration has proposed that computer fraud should be added as a predicate offense under the Racketeer Influenced and Corrupt Organizations Act (RICO).
The existence of organized syndicates in the cyber crime world increases both the complexity of investigating these cases and the potential damages caused to businesses and individuals. For instance, there are now illicit Internet carding portals, or “carding forums,” that allow criminals to trade their stolen personal financial data and to traffic their stolen information internationally.
Originally, cyber criminals would attempt to steal information from larger companies because they could obtain a tremendous amount of information with a single breach of the security system. However, as larger companies have adopted more sophisticated protections against cyber crimes, cyber criminals have likewise adapted and are now more focused on small and medium-sized businesses.
These smaller businesses often lack the resources to employ the sophisticated protections deployed by larger businesses. This makes them easier targets. For example, a study of trends of cyber crime has shown that cyber criminals are now focused on Point of Sale (POS) systems and compromising financial accounts, which later leads to subsequent fraudulent transactions on those accounts.
While there were more data breaches in 2010 than in recent years, the amount of compromised data actually decreased because the average size of the compromised databases was smaller. The Secret Service and other agencies are continuing to try to adapt as the criminals and their behavior are changing.
There is also the possibility that an amendment providing a private right of action to pursue relief for victims of computer fraud will be added to existing federal law on computer fraud. We will continue to monitor these developments.
The Wall Street Journal has just reported that the National Security Agency is planning to deploy electronic “sensors” in the private computer networks of major companies around the nation. The idea is to detect cyber-attacks by outside forces against companies involved in critical infrastructure like electric or nuclear plants.
Cyber-terrorism is a real threat, and the NSA is the only government agency, probably the only entity of any sort in the nation, that is truly equipped to monitor it. According to the article, national security officials are concerned about possible Chinese and Russian surveillance of our crucial computer networks.
However, the “Big Brother” aspect of this program is inescapable. Like many such programs, it began with a piecemeal effort and with the establishment by the government of co-operative relationships with private industry. But where will the program end? Conceivably, the government will soon routinely gain access to the private data of dozens of companies. Although it will surely pledge not to misuse this information, these pledges can’t always be trusted.
And the article notes that while the government can’t force any company to permit “sensors” to be introduced, it “can provide incentives to urge them to cooperate, particularly if the government already buys services from that company.” That would include pretty much every government contractor – or in other words, every major company.
A few days ago, we noted in this blog that the FBI is now investigating possible instances of white-collar crime by deploying its massive electronic surveillance capacity.
Now, with the NSA’s involvement in cyber-defense, we are again seeing the tentacles of government in the private sector, in the name of a good cause. This is troubling indeed.
At a blue-ribbon Worldwide Cybersecurity Conference in Dallas from May 3 to May 5, 2010, media reports noted that some discussion focused on the use of the term “cyberwar,” which is often used to refer to the activities of hackers and others who steal online secrets, disrupt computer systems and other infrastructure, and engage in financial fraud online.
Some security specialists think that the term “cyberwar” is simply the wrong word for illegal activities that amount to out-and-out theft and don’t have anything to do with governments or armies. The White House’s cybersecurity coordinator, Howard Schmidt, is one of them. He says “cyberwar” is an inaccurate metaphor. These people aren’t engaged in a war any more than bank robbers are.
The term “cyberwar” is actually defined in online dictionaries as “an assault on electronic communication networks,” and it should be limited to that meaning. As author Jeffrey Carr wrote in Forbes in March, “If everything is considered a war, then you lose the ability to respond appropriately.”