
Wednesday, April 17, 2013

White House looks for CISPA to address cyber crime reporting

Yesterday, the White House released a Statement of Administration Policy in which the Administration informed the House Permanent Select Committee on Intelligence, and the public, “if [H.R. 624 Cyber Information Sharing and Protection Act (CISPA)], as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill.” While many of the White House’s suggestions to improve privacy protections in the Bill have been making headlines, one line in particular caught my attention. In its recommendations on how CISPA should be improved, the White House made the following statement:
Further, the legislation should also explicitly ensure that cyber crime victims continue to report such crimes directly to Federal law enforcement agencies, and continue to receive the same protections that they do today.
If Congress takes the President’s above recommendation seriously, it will be interesting to see what kind of language could be added to the bill that would “explicitly ensure” that “victims continue to report” cyber crimes to Federal law enforcement agencies. For more context, I have the entire paragraph below, or feel free to read the entire statement.
H.R. 624 appropriately requires the Federal Government to protect privacy when handling cybersecurity information. Importantly, the Committee removed the broad national security exemption, which significantly weakened the restrictions on how this information could be used by the government. The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable--and not granted immunity--for failing to safeguard personal information adequately. The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information. Further, the legislation should also explicitly ensure that cyber crime victims continue to report such crimes directly to Federal law enforcement agencies, and continue to receive the same protections that they do today.

Thursday, April 11, 2013

Reddit AMA focuses on CFAA reform and CISPA

Cyber legislation has been a hot topic lately. At the center of the discussion are reforms to the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the pending House proposal related to cybersecurity, H.R. 624: Cyber Intelligence Sharing and Protection Act. Recently, a group of scholars, not-for-profit organizations, and Internet activists hosted two “Ask Me Anything” (AMA) events on Reddit to inform users about the CFAA and CISPA.

The CFAA AMA, which occurred on April 9th, included questions concerning some of the substantive provisions of the CFAA, a recent “discussion draft” of the CFAA making its way around Congress, and some recent high profile CFAA cases. The group conducting the AMA included:
  • Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington University
  • Mark Jaycox, Policy Analyst and Legislative Assistant at Electronic Frontier Foundation
  • Cindy Cohn, Legal Director at Electronic Frontier Foundation
  • Trevor Timm, Activist and Blogger at Electronic Frontier Foundation
  • David Segal, Executive Director at Demand Progress
  • Josh Levy, Internet Campaign Director at Free Press
  • Tiffiniy Cheng, Co-Founder of Fight for the Future
  • Jennifer Granick, Director of Civil Liberties at Stanford Law School’s Center for Internet and Society
  • Ryan Radia, Associate Director of Technology Studies at the Competitive Enterprise Institute, and
  • Tim Berners-Lee, World Wide Web inventor
Additionally, a CISPA AMA, hosted by the American Civil Liberties Union and the Electronic Frontier Foundation, occurred on April 8th. The AMA included questions concerning the current status of CISPA, the difference between CISPA and 2011’s H.R. 3261 Stop Online Piracy Act (SOPA), and the effect CISPA could have if adopted. The group conducting the AMA included:

  • Michelle Richardson, Legislative Counsel at the American Civil Liberties Union 
  • Mark Jaycox, Policy Analyst and Legislative Assistant at Electronic Frontier Foundation 
  • Trevor Timm, Activist and Blogger at Electronic Frontier Foundation 
  • Adi Kamdar, Activist at Electronic Frontier Foundation, and
  • Rainey Reitman, Activism Director at Electronic Frontier Foundation
While both are worth a look, I recommend paying particular attention to the answers provided by Professor Kerr in the CFAA AMA. Professor Kerr has written extensively on the CFAA and has developed a reputation as being one of the foremost experts on the statute.

Wednesday, February 13, 2013

Tidbits: Executive Order on Cybersecurity; CISPA redux; NPR discussion of "hacking back"

President Obama's Executive Order on Cybersecurity

President Obama, in his SOTU speech last night, explicitly mentioned cybersecurity and the need for more action on protecting the nation on that front (through information sharing, etc.). The President's Executive Order can be found here: Executive Order -- Improving Critical Infrastructure Cybersecurity. The Presidential Policy Directive associated with the Executive Order (PPD-21) can be found here: PRESIDENTIAL POLICY DIRECTIVE/PPD-21.

I think it is too early to tell the impact that the Executive Order will have, but overall, I do not think it is close to an overreach. Jody Westby at Forbes disagrees: Obama's Cybersecurity Action Reaches Too Far. For another take on the EO (from Information Week), see: White House Cybersecurity Executive Order: What It Means

The Re-introduction of the Cyber Intelligence Sharing and Protection Act

As expected:
Chairman Mike Rogers and Ranking Member C.A. Dutch Ruppersberger re-introduced H.R. 624, the Cyber Intelligence and Sharing Protection Act, their bipartisan cyber threat information sharing legislation, to help American businesses better protect their computer networks and corporate trade secrets from advanced cyber attacks. The bill that was introduced today is identical to the “Cyber Intelligence Sharing and Protection Act” (H.R. 3523) that passed the House by a strong bipartisan vote of 248-168 in April 2012.
The full text of the bill can be found here: CISPA 2013 - H.R. 624

For some varying perspectives on CISPA, see:

Controversial cyber bill CISPA returns to Congress for debate, same as before - The Verge

Lawmakers: CISPA Will Help Battle Cyber Attacks From China, Iran - PC Magazine

Congress Is Trying to Kill Internet Privacy Again - Rolling Stone

NPR Discusses Hacking Back

NPR recently had a discussion about "hacking back," or more euphemistically, "proactive response" to cyberattacks; the story can be found here (with a link to the audio): Victims Of Cyberattacks Get Proactive Against Intruders 

I found a particular section in the article about hacking back to be telling of the legal implications of such tactics:
A turn toward more aggressive actions against cyberattackers, however, could be risky. Because the source of a cyberattack is often hard to identify, counterattacking is not always well-advised. 
"I will guarantee you there will be lots of mistakes made," said Rep. Mike Rogers of Michigan, chairman of the House Permanent Select Committee on Intelligence, speaking at a recent cybersecurity conference at George Washington University. "I worry about the private sector engaging in offensive [activities] ... because a lot of things are going to go wrong." 
Companies that want to go on the offense against their cyber-adversaries need to consider the legal risks such actions would involve. 
"I have only found one or two lawyers ... who have said, 'Let's consider pursuing some kind of offensive response,' " says Richard Bejtlich, chief security officer at Mandiant, a cyber-consultancy. "The corporate legal structure is very conservative when it comes to what we can allow someone to do."

My previous summation/aggregation of articles regarding the legality of hacking back can be found here: Hacking Back: are you authorized?