Cybersecurity

Video is now available for all of the excellent programming at this year’s State of The Net 2011 conference. (Programming will also be available over time on C-SPAN’s video library.) The Conference, organized by the Advisory Committee to the Congressional Internet Caucus, featured Members of Congress, leading academics, Administration, agency, and Congressional staff and other provocateurs. Topics this year ranged from social networking, Wikileaks, COICA, copyright, privacy, security, broadband policy and, of course, the end-of-the-year vote by the FCC to approve new rules for network management by broadband providers, aka net neutrality.

In response to civil unrest, the Egyptian government appears to have ordered service providers to shut down all international connections to the Internet. According to the blog post at the link just above, Egypt’s four main ISPs have cut off their connections to the outside world. Specifically, their “BGP routes were withdrawn.” The Border Gateway Protocol is what most Internet service providers use to establish routing between one another, so that Internet traffic flows among them. I anticipate we might have comments here that dig deeper into specifics.

An attack on BGP is one of few potential sources of global shock cited by an OECD report I noted recently. The report almost certainly imagined a technical attack by rogue actors but, assuming current reporting to be true, the source of this attack is a government exercising coercion over Internet service providers within its jurisdiction.

That is far from an impossibility in the United States. The U.S. government has proposed both directly and indirectly to centralize control over U.S. Internet service providers. C|Net’s Declan McCullagh reports that an “Internet kill switch” proposal championed by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) will be reintroduced in the new Congress very soon. The idea is to give “kill switch” authority to the government for use in responding to some kind of “cyberemergency.” We see here that a government with “kill switch” power will use it when the “emergency” is a challenge to its authority.

When done in good faith, flipping an Internet “kill switch” would be stupid and self-destructive, tantamount to an auto-immune reaction that compounds the damage from a cybersecurity incident. The more likely use of “kill switch” authority would be bad faith, as the Egyptian government illustrates, to suppress speech and assembly rights.

In the person of the Federal Communications Commission, the U.S. government has also proposed to bring Internet service providers under a regulatory umbrella that it could turn to censorship or protest suppression in the future. Larry Downes has a five-part analysis of the government’s regulatory plan here on TLF (1, 2, 3, 4, 5). The intention of its proponents is in no way to give the government this kind of authority, but government power is not always used as intended, and there is plenty of scholarship to show that government agencies use their power to achieve goals that are non-statutory and even unconstitutional.

The D.C. area’s surfeit of recent weather caused the cancellation yesterday of a book event I was to participate in, discussing Evgeny Morozov’s The Net Delusion: The Dark Side of Internet Freedom. I don’t know that he makes the case overwhelmingly, but Morozov argues that governments are ably using the Internet to stifle freedom movements. (See Adam’s review, hear Jerry’s podcast.)

Events going on here in the United States right now could position the U.S. government to exercise the kind of authority we might look down our noses at Egypt for practicing. The lesson from the Egypt story—what we know of it so far—is that eternal vigilance is the price of freedom.

I reported for CNET yesterday on highlights from the State of The Net 2011 conference. Though I didn’t attend last year’s event, I suspect much of the conversation hasn’t changed.

For an event that took place nearly a month after the FCC’s “final” vote on net neutrality, the issue seems not to have quieted down in the least. A fiery speech from Congresswoman Marsha Blackburn promised a “Congressional hurricane” in response to the FCC’s perceived ultra vires decision to regulate where Congress has refused to give it authority, a view supported by House and Senate counsel who spoke later in the day.

The smartphone is arguably one of the most empowering and revolutionary technologies of the modern era. By putting the processing power of a personal computer and the speed of a broadband connection into a device that fits in a pocket, smartphones have revolutionized how we communicate, travel, learn, game, shop, and more.

Yet smartphones have an oft-overlooked downside: when they end up in the wrong hands, they offer overreaching agents of the state, thieves, hackers, and other wrongdoers an unparalleled avenue for uncovering and abusing the volumes of sensitive personal information we increasingly store on our mobile phones.

Over on Ars Technica, I have a long feature story that examines the constitutional and technical issues surrounding police searches of mobile phones:

Last week, California’s Supreme Court reached a controversial 5-2 decision in People v. Diaz (PDF), holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.

California’s opinion in Diaz is the latest of several recent court rulings upholding warrantless searches of mobile phones incident to arrest. While this precedent is troubling for civil liberties, it’s not a death knell for mobile phone privacy. If you follow a few basic guidelines, you can protect your mobile device from unreasonable search and seizure, even in the event of arrest. In this article, we will discuss the rationale for allowing police to conduct warrantless searches of arrestees, your right to remain silent during police interrogation, and the state of mobile phone security.


It’s been surprising to me that none of my TLF colleagues has yet ventured a post about this latest WikiLeaks controversy. But perhaps it shouldn’t be so surprising because the Cablegate case presents some very hard questions to which there are no easy answers. I’m not sure that I know myself exactly how I feel about every issue related to leaks. But to try to get some conversation going, and to try to pin down my own feelings, I thought I’d take a stab at writing down some thoughts.

Is it legitimate for states to keep secrets from their citizens? It’s a good question, but not one I’m interested in addressing here. The fact is that they do keep secrets.

Should the disclosure of classified information be a criminal offense? Given state secrets, this is a bit of a moot question because a state’s ability to keep a secret depends on its ability to punish disclosure by anyone entrusted with secrets. If nothing else, someone so entrusted has likely made a promise not to disclose. (There should, of course, be whistleblower protections in place that make exceptions to the rule.)

Therefore, the interesting question is this: Should there be liability for third parties who publish disclosed information?

Another day, [another cybersecurity bill](http://thehill.com/blogs/hillicon-valley/technology/129879-house-bill-would-give-dhs-authority-over-private-sector-networks). The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 has been introduced by House Homeland Security chairman Bennie Thompson along with Reps. Jane Harman and Yvette Clarke. According to the [one-pager](https://docs.google.com/viewer?url=http://hsc.house.gov/SiteDocuments/20101117171905-26851.pdf) they’ve put out (I can’t find the bill), the Act would:

– Require DHS to determine which private assets should be designated “covered critical infrastructure” although there would be a reconsideration process for a firm to challenge such a designation.

– Require DHS to develop cyber security standards that would be enforceable on private sector networks determined to be critical infrastructure.

– Authorize DHS to recommend (Safety Act) liability protection for firms that comply with the standards.

Some questions come to mind: Is there any limit to what can be designated “critical infrastructure”? What evidence is there that the private sector is under-providing security for its networks? What exactly are the performance metrics that would be used to measure compliance? And what is the evidence that federal standards will be more effective than those developed by industry individually or collaboratively in industry groups? Again, as far as I can tell the bill text is not available yet, but if other bills in the House and Senate are any indication, these questions haven’t really been considered.

One thing that I think is new in this bill is liability protection for firms that comply with DHS security regulations. I’m afraid this can’t be good for firms’ incentives to innovate.