Cybersecurity

Andrea Castillo and I have a new paper out from the Mercatus Center entitled “Why the Cybersecurity Framework Will Make Us Less Secure.” We contrast emergent, decentralized, dynamic provision of security with centralized, technocratic cybersecurity plans. Money quote:

The Cybersecurity Framework attempts to promote the outcomes of dynamic cybersecurity provision without the critical incentives, experimentation, and processes that undergird dynamism. The framework would replace this creative process with one rigid incentive toward compliance with recommended federal standards. The Cybersecurity Framework primarily seeks to establish defined roles through the Framework Profiles and assign them to specific groups. This is the wrong approach. Security threats are constantly changing and can never be holistically accounted for through even the most sophisticated flowcharts. What’s more, an assessment of DHS critical infrastructure categorizations by the Government Accountability Office (GAO) finds that the DHS itself has failed to adequately communicate its internal categories with other government bodies. Adding to the confusion is the proliferating amalgam of committees, agencies, and councils that are necessarily invited to the table as the number of “critical” infrastructures increases. By blindly beating the drums of cyber war and allowing unfocused anxieties to clumsily force a rigid structure onto a complex system, policymakers lose sight of the “far broader range of potentially dangerous occurrences involving cyber-means and targets, including failure due to human error, technical problems, and market failure apart from malicious attacks.” When most infrastructures are considered “critical,” then none of them really are.

We argue that instead of adopting a technocratic approach, the government should take steps to improve the existing emergent security apparatus. This means declassifying information about potential vulnerabilities and kickstarting the cybersecurity insurance market by buying insurance for federal agencies, which experienced 22,000 breaches in 2012. Read the whole thing, as they say.

Jack Schinasi discusses his recent working paper, Practicing Privacy Online: Examining Data Protection Regulations Through Google’s Global Expansion, published in the Columbia Journal of Transnational Law. Schinasi takes an in-depth look at how online privacy laws differ across the world’s biggest Internet markets, specifically the United States, the European Union and China. Schinasi discusses how we exchange data for services and whether users are aware they’re making this exchange. And, if not, should intermediaries like Google be mandated to make their data tracking more apparent? Or should we better educate Internet users about data sharing and privacy? Schinasi also covers whether the privacy laws currently in place in the US and EU are effective, what types of privacy concerns necessitate regulation in these markets, and whether we’ll see China take online privacy more seriously in the future.


Thomas Rid on cyber war

September 3, 2013

Thomas Rid, author of the new book Cyber War Will Not Take Place, discusses whether so-called “cyber war” is a legitimate threat or not. Since the early 1990s, talk of cyber war has caused undue panic and worry and, despite major differences, the military treats the protection of cyberspace much in the same way as the protection of land or sea. Rid also covers whether a cyber attack should be considered an act of war; whether it’s correct to classify a cyber attack as “war” considering no violence takes place; how sabotage, espionage and subversion come into play; and offers a positive way to view cyber attacks: have such attacks actually saved millions of lives?


Today the Heartland Institute is publishing my policy brief, U.S. Cybersecurity Policy: Problems and Principles, which examines the proper role of government in defending U.S. citizens, organizations and infrastructure from cyberattacks, that is, criminal theft, vandalism or outright death and destruction through the use of global interconnected computer networks.

The hype around the idea of cyberterrorism and cybercrime is fast reaching a point where any skepticism risks being shouted down as willful ignorance of the scope of the problem. So let’s begin by admitting that cybersecurity is a genuine existential challenge. Last year, in what is believed to be the most damaging cyberattack against U.S. interests to date, a large-scale hack of some 30,000 Saudi Aramco personal computers erased all data on their hard drives. A militant Islamic group calling itself the Cutting Sword of Justice took credit, although U.S. Defense Department analysts believe the government of Iran provided support.

This year, the New York Times and Wall Street Journal have had computer systems hacked, allegedly by agents of the Chinese government looking for information on the newspapers’ China sources. In February, the loose-knit hacker group Anonymous claimed credit for a series of hacks of the Federal Reserve Bank, Bank of America, and American Express, targeting documents about salaries and corporate financial policies in an effort to embarrass the institutions. Meanwhile, organized crime rings are probing the security of banks, universities, government organizations and any other enterprise that maintains databases containing the names, addresses, Social Security numbers and credit card numbers of millions of Americans.

These and other reports, aided by popular entertainment that often depicts social breakdown in the face of massive cyberattack, have the White House and Congress scrambling to “do something.” This year alone has seen Congressional proposals such as the Cyber Intelligence Sharing and Protection Act (CISPA) and the Cybersecurity Act, as well as a Presidential Executive Order, all aimed at cybersecurity. Common to all three is a drastic increase in the authority and control the federal government would have over the Internet and the information that resides in it should there be any vaguely defined attack on any vaguely defined critical U.S. information assets.


In June, The Guardian ran a groundbreaking story that divulged a top secret court order forcing Verizon to hand over to the National Security Agency (NSA) all of its subscribers’ telephony metadata, including the phone numbers of both parties to any call involving a person in the United States and the time and duration of each call, on a daily basis. Although media outlets have published several articles in recent years disclosing various aspects of the NSA’s domestic surveillance, the leaked court order obtained by The Guardian revealed hard evidence that NSA snooping goes far beyond suspected terrorists and foreign intelligence agents; instead, the agency routinely and indiscriminately targets private information about all Americans who use a major U.S. phone company.

It was only a matter of time before the NSA’s surveillance program, which is purportedly authorized by Section 215 of the USA PATRIOT Act (50 U.S.C. § 1861), faced a challenge in federal court. The Electronic Privacy Information Center fired the first salvo on July 8, when the group filed a petition urging the U.S. Supreme Court to issue a writ of mandamus nullifying the court orders authorizing the NSA to coerce customer data from phone companies. But as Tim Lee of The Washington Post pointed out in a recent essay, the nation’s highest court has never before reviewed a decision of the Foreign Intelligence Surveillance Act (FISA) court, which is responsible for issuing the top secret court order authorizing the NSA’s surveillance program.

Today, another crucial lawsuit challenging the NSA’s domestic surveillance program was brought by a diverse coalition of nineteen public interest groups, religious organizations, and other associations. The coalition, represented by the Electronic Frontier Foundation, includes TechFreedom, Human Rights Watch, Greenpeace, and the Bill of Rights Defense Committee, among many other groups. The lawsuit, brought in the U.S. District Court for the Northern District of California, argues that the NSA’s program, aptly described as the “Associational Tracking Program” in the complaint, violates the First, Fourth, and Fifth Amendments to the Constitution, along with the Foreign Intelligence Surveillance Act.


Ronald J. Deibert is the director of The Citizen Lab at the University of Toronto’s Munk School of Global Affairs and the author of an important new book, Black Code: Inside the Battle for Cyberspace, an in-depth look at the growing insecurity of the Internet. Specifically, Deibert’s book is a meticulous examination of the “malicious threats that are growing from the inside out” and which “threaten to destroy the fragile ecosystem we have come to take for granted.” (p. 14) It is also a remarkably timely book in light of the recent revelations about NSA surveillance and how it is being facilitated with the assistance of various tech and telecom giants.

The clear and colloquial tone that Deibert employs in the text helps make arcane Internet security issues interesting and accessible. Indeed, some chapters of the book almost feel like they were pulled from the pages of a techno-thriller, complete with villainous characters, unexpected plot twists, and shocking conclusions. “Cyber crime has become one of the world’s largest growth businesses,” Deibert notes (p. 144), and his chapters focus on many prominent recent examples, including cyber-crime syndicates like the Koobface gang, government cyber-spying operations like GhostNet, state-sanctioned sabotage like Stuxnet, and the vexing issue of zero-day exploit sales.

Deibert is uniquely qualified to narrate this tale not just because he is a gifted story-teller but also because he has had a front-row seat in the unfolding play that we might refer to as “How Cyberspace Grew Less Secure.”

Patrick Ruffini, political strategist, author, and President of Engage, a digital agency in Washington, DC, discusses his latest book with coauthors David Segal and David Moon: Hacking Politics: How Geeks, Progressives, the Tea Party, Gamers, Anarchists, and Suits Teamed Up to Defeat SOPA and Save the Internet. Ruffini covers the history behind SOPA, its implications for Internet freedom, the “Internet blackout” in January of 2012, and how the threat of SOPA united activists, technology companies, and the broader Internet community.


Washington Post columnist Robert J. Samuelson published an astonishing essay today entitled, “Beware the Internet and the Danger of Cyberattacks.” In the print edition of today’s Post, the essay actually carries a different title: “Is the Internet Worth It?” Samuelson’s answer is clear: It isn’t. He begins his breathless attack on the Internet by proclaiming:

If I could, I would repeal the Internet. It is the technological marvel of the age, but it is not — as most people imagine — a symbol of progress. Just the opposite. We would be better off without it. I grant its astonishing capabilities: the instant access to vast amounts of information, the pleasures of YouTube and iTunes, the convenience of GPS and much more. But the Internet’s benefits are relatively modest compared with previous transformative technologies, and it brings with it a terrifying danger: cyberwar.

And then, after walking through a couple of worst-case hypothetical scenarios, he concludes the piece by saying:

the Internet’s social impact is shallow. Imagine life without it. Would the loss of e-mail, Facebook or Wikipedia inflict fundamental change? Now imagine life without some earlier breakthroughs: electricity, cars, antibiotics. Life would be radically different. The Internet’s virtues are overstated, its vices understated. It’s a mixed blessing — and the mix may be moving against us.

What I found most troubling about this is that Samuelson has serious intellectual chops and usually sweats the details in his analysis of other issues. He understands economic and social trade-offs and usually does a nice job weighing the facts on the ground instead of engaging in the sort of shallow navel-gazing and anecdotal reasoning that many other weekly newspaper columnists engage in on a regular basis.

But that’s not what he does here. His essay comes across as a poorly researched, angry-old-man-shouting-at-the-sky sort of rant. There’s no serious cost-benefit analysis at work here; just the banal assertion that a new technology has created new vulnerabilities. Really, that’s the extent of the logic at work here. Samuelson could just as well have substituted the automobile, airplanes, or any other modern technology for the Internet and drawn the same conclusion: it opens the door to new vulnerabilities (especially national security vulnerabilities) and, therefore, we would be better off without it in our lives.

Declan McCullagh, chief political correspondent for CNET and former Washington bureau chief for Wired News, discusses recent leaks about NSA surveillance programs. What do we know so far, and what more might be unveiled in the coming weeks? McCullagh covers legal challenges to the programs, the Patriot Act, the Fourth Amendment, email encryption, the media and public response, and broader implications for privacy and reform.


***Cross-posted from Forbes.com***

It was, to paraphrase Yogi Berra, déjà vu all over again. Fielding calls last week from journalists about reports that the NSA had been engaged in massive and secret data mining of phone records and Internet traffic, I couldn’t help but wonder why anyone was surprised by the so-called revelations.

Not only had the surveillance been going on for years, the activity had been reported all along, at least outside the mainstream media. The programs involved have been the subject of longstanding concern and vocal criticism by advocacy groups on both the right and the left.

For those of us who had been following the story for a decade, this was no “bombshell.” No “leak” was required. There was no need for an “exposé” of what had long since been exposed.

As the Cato Institute’s Julian Sanchez and others reminded us, the NSA’s surveillance activities, and many of the details breathlessly reported last week, weren’t even secret. They come up regularly in Congress, during hearings, for example, about renewal of the USA Patriot Act and the Foreign Intelligence Surveillance Act, the principal laws that govern the activity.

In those hearings, civil libertarians (Republicans and Democrats) show up to complain about the scope of the law and its secret enforcement, and are shot down as being soft on terrorism. The laws are renewed and even extended, and the story goes back to sleep.

But for whatever reason, the mainstream media, like the corrupt Captain Renault in “Casablanca,” collectively found itself last week “shocked, shocked” to discover widespread, warrantless electronic surveillance by the U.S. government. Surveillance they’ve known about for years.

Let me be clear. As one of the long-standing critics of these programs, and especially their lack of oversight and transparency, I have no objection to renewed interest in the story, even if the drama with which it is being reported smells more than a little sensational with a healthy whiff of opportunism.