April 30, 2012
CISPA Clears The House, What’s Next And What It Means
Michael Harper for RedOrbit.com
It’s an ever-connected world in which we live. To pretend otherwise is nothing more than a pipe dream.
At the risk of sounding like a Doomsday Prophet, this isn’t the beginning of the end of those innocent days of yesteryear. We’re already in the thickest part of the weeds, rubbing the sleep from our eyes and trying our best to part the brush in this new and exotic jungle.
We became so distracted, you see, by every benefit of this new age of information and convenience that we largely ignored the potential ramifications, ticking the boxes of every Terms of Service and End User License Agreement without a second thought.
Minor details, those agreements. After all, what we really wanted to do was get in contact with our old college buddies or enjoy the latest in smartphone technology, forgetting that the details are often where the devil and his traps lie in wait.
On the surface, these connections seem ridiculously simple: Everyone agrees to share their thoughts, photos and updates with one another in a public forum. But these kinds of fantasies can only exist in a sphere devoid of gray, where black and white are clearly defined.
In an ever-connected world, the fringe characters who want to take advantage of a black and white world have to look no further than the power of the internet. Hackers, both foreign and domestic alike, are becoming the thugs. Call them hacktivists, cyber-criminals or just plain terrorists; those who vow to take down the system within the system accomplish more than network destruction: they strike fear into the hearts of those who don’t know any better.
Much has been made of the Cyber Intelligence Sharing and Protection Act (CISPA) lately, and last week (April 26), it passed through the House of Representatives. Like other cyber-security bills, CISPA is likely to be stalled in the Senate for a while. After that, President Obama has said he will veto the bill, shooting it down and protecting our privacy. Or will he?
The very name of the bill is as fuzzy as the contents within. The Cyber Intelligence Sharing and Protection Act sounds like a good thing, right? I mean, maybe? There’s nothing wrong with sharing, and we do like to be protected, after all. But what’s being shared and what’s being protected?
Not known to be a techie crowd, the government has become afraid of hacktivists and cyber-criminals such as Anonymous, LulzSec and others, and they have good reason to be. We’ve made a move to run much of our country on a grid, and if that grid is to be tampered with or destroyed, nothing less than chaos will ensue.
It’s not just the government that doesn’t like to be hacked, either. Large companies, especially banking industries, prefer not to have their entire digital infrastructure come crashing down at their feet.
So, with a “let’s all pull together and beat those no-good sonsabitches together” attitude, large businesses and corporations have decided to hide behind a government-owned digital drawbridge. Together, these companies and the government will be able to stand up against the next cyber-terrorism attack.
The gray area here, of course, is what happens with all this data? And how can the government use this data to pursue any ne’er-do-wells? And what if the government decides to come for us instead?
CISPA uses some very vague and very broad terminology, the most controversial of which is the word “notwithstanding,” as in: this bill would supersede all other laws, practices and policies, giving the government the precious data they need without the messy to-do of legal red tape. That means, of course, the free flow of private data between government and corporations.
For example, suppose your cell phone carrier notices you are making several calls a month to a certain country. Claiming matters of national security, they could hand over your information and have the government investigate you.
Earlier this month, a shocking new app for iPhone was pulled from the App Store by its makers, i-Free. The aptly titled “Girls Around Me” (GAM) had come under some serious scrutiny for being more than just questionable; it was plain creepy.
Rather, what someone could potentially do with the app was creepy.
A non-discriminatory app, Girls Around Me simply collected guys’ and girls’ public information from social media sites like Facebook, Foursquare and Twitter and shared it with others.
A regular guy at a regular bar decides he is in need of some “companionship.” He decides to go hit the bars, but doesn’t know which bar in his neighborhood would have a greater girl-to-guy ratio. Regular Guy opens the GAM app on his iPhone, allows the app to use his location data, and presto: Regular Guy is presented with sheer data. A map appears on his phone showing how many girls have checked into which bars that night, and at what time. If these girls have unlocked Facebook profiles, Regular Guy can begin to peruse, checking out which girl he’d most like to talk to that night. Facebook profiles, you remember, have all sorts of information, such as the name of the high school you attended, names of family members, place of employment, stuff like that. Regular Guy can also scan through some pictures to see how this girl has looked through the years, who she hangs out with, and what her favorite haunts are.
Regular Guy is now prepared to head to the local bar and find his new friend, and once there, he already has plenty of topics for conversation.
Such a scenario is frightening, and hopefully never happened. What’s concerning, however, is the fact that Girls Around Me did not break any laws; it simply created a pipeline to collect public and free data, serving it up to those who wanted it.
There are plenty of warnings out there about our private data and each should be heeded. A troubling concern, however, is how we got to the point where an app such as GAM could even exist.
As the world moves and changes at an ever-quickening pace, we’ve become much too eager to be a part and have forgotten to stop and think about our actions. We’ve become the proverbial frog, realizing the water around us is suddenly boiling a few seconds too late.
That’s why, when bills such as SOPA and the most recent CISPA top headlines, we become surprised. How could anyone other than ourselves handle our personal data? The truth is, every time we’ve absent-mindedly ticked a privacy commitment box or agreed to a EULA just to get to the good stuff, we’ve signed away little chunks of our privacy.
Simply put, CISPA is a bill birthed in fear and sold in fear.
Hackers such as Anonymous, LulzSec and others have become more than a nuisance for large corporations and the US government alike. For whatever reason, these “hacktivists” believe they are making a point by trying to take down our systems and networks, ironically forgetting that they, too, rely on the same networks and systems. These actions aren’t limited to inside the United States. International hackers, specifically from China and Russia, also want to read our mail and cause our digital infrastructure to fall at our feet.
These threats are quite real and should be dealt with accordingly. The US government and several corporations and organizations believe the best way to address these threats is to band together, freely sharing whatever info they can in the name of national security. This means, should your cellular carrier suspect you to be harboring terrorists or an attitude of ill-will towards our government, they can hand over your information to the officials, all other laws and due process notwithstanding. Alternatively, should the government feel your actions are particularly non-American, they can have access to your phone calls, emails, etc.
This sounds like an extreme example, right? Hyperbolic scare tactics to get you up in arms about a new bill? Maybe.
The fact is, this bill uses some awfully vague language until the word “notwithstanding” appears. This phrase is what would allow the free flow of information between the private and public sectors. Any other laws or policies could be trumped in the name of “National Security.”
But who gets the job of deciding what constitutes a threat to National Security? Who gets to decide if a hacker is a threat or just a nuisance? And who gets to decide if someone’s actions are posing a “cyber threat?”
Herein lies the debate. Loath as we are to admit it, the world exists in shades of gray. If everything were black and white, bills such as CISPA would have no reason to exist.
In a world of black and white, the good guys and bad guys are easily distinguished. People either commit crimes or they don’t, and those who do are given appropriate punishments. Unfortunately, our world is full of gray.
And so far, life has been good! Photos of grandkids and beaches are sent to loved ones and jealous co-workers in a flash. We’re able to reconnect and catch up with old friends without the rigmarole of actually having to do it in person. We can snap a picture of our paychecks and have them show up in our bank accounts. What is commonplace now was hare-brained 30 years ago.
But the Devil, they say, is in the details, and as we haphazardly scribbled our name on the dotted line, we never realized he was staring us in the face the entire time.
So, when a bill like CISPA is passed through the House, we become a little creeped out, if not enraged. We’ve seen our phones, our email, our social media sites and our televisions as friends first, forgetting that the data we’ve created about our lives has to be stored somewhere. We’ve been living in a dream, but now the dream has ended and we’re stuck in a crowded room in our underwear; no secrets, completely vulnerable, no unknowns. The private companies know more about us than we thought and now, they may be able to share this information with the government. In fact, some government agencies have been watching all along, as the DEA and IRS record and collect data from our own backyard and sites like Facebook and Twitter.
For those unaware, CISPA is a bill which essentially removes any legal roadblock between the federal government and your data. Inside the bill lurks the ever-gray word “notwithstanding,” meaning all other laws, bills or processes can now be bypassed if the government deems it necessary. Should the government perceive a potential threat to “cyber-security,” they can get their hands on whatever data they need to ward off said threat.
As per the bill:
The term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from- (A) efforts to degrade, disrupt, or destroy such system or network; or (B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information.
What’s more, any information gathered can then be used to obtain even more information in these five instances:
2. Investigation and prosecution of cybersecurity crimes
3. Protection of individuals from the danger of death or physical injury
4. Protection of minors from physical or psychological harm
5. Protection of the national security of the United States
A new kind of attack
The government has a lot to be worried about, as far as cyber-security threats are concerned. Chinese and Russian hackers are attacking government websites and networks every day. We heard news last week of Chinese hackers breaking into our networks and stealing the plans for a new fighter plane. Rep. Michael McCaul and others have used rhetoric like “cyber war military units” and “logic bombs” to describe these attacks.
“Make no mistake, America is under attack by digital bombs,” McCaul said, according to CNSNews.com. “There are several things the American public should understand about these attacks. They are real, stealth and persistent and can devastate our nation.”
According to Larry Wortzel of the United States-China Economic and Security Review Commission, these Chinese attacks aren’t likely to slow down anytime soon. “At the same time, the report concludes, during peacetime, computer network exploitation has likely become a cornerstone of PLA and civilian intelligence collection operations supporting national military and civilian strategic goals.”
What will these hackers do with all this information once they have it? So far, it appears they only want to spy on what we’re up to, rather than bring us down from the inside. As in the case with the stolen plans for a new fighter plane, some experts are saying these outside hackers simply want to take our designs and use them as their own. This doesn’t negate the very real threat of having our network compromised, of course. Even if these hackers are just poking around, the fact that they’re there means that we’ve already slipped.
Private companies are also worried about cyber-attacks and therefore, are more than willing to sign on with CISPA. The worrisome part, however, is watching the public and private sectors get in bed with one another, vowing to keep each other safe against the hackers turned potential terrorists. With this sort of cooperation, wiretaps and government eavesdropping could become more common than they are today. Lee Tien, an attorney at the Electronic Frontier Foundation, told CNET, “I worry that you can get a version of cybersecurity warrantless wiretapping out of this.”
Those who oppose CISPA have found a new friend in the President. Obama has openly said he would veto the bill once it came across his desk. The White House put it this way: “Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation’s core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form.”
Is the cure worth the symptoms?
CISPA, in its current form, is set up to be a proverbial “one ring to bind them.” With its vast power and vague language, any company or federal agency could claim CISPA to gather information, press charges or even persecute. According to the Sunlight Foundation, CISPA even trumps the Freedom of Information Act, making it “terrible for transparency.”
In their blog post about CISPA, John Wonderlich puts it succinctly. “If you're carelessly creating whole new exemptions to FOIA without hearings on the question, that suggests that the public interest isn't being considered in this legislation. I suspect that (again) government officials have been at the table with industry, and (again) think that the interests of the public at large can be swept aside.”
CISPA is meant to stop hackers, plain and simple. Where it becomes troublesome is in how it stops hackers, what methods it uses, and what safeguards are demolished in the process. For those who believe their information is safe with their cellular carrier, email and internet providers, CISPA probably won’t matter.
Should CISPA pass, we will only be able to wait and see what kind of world we will be thrust into. For now, CISPA is good for one thing: awareness. There are issues brought to light in this case that are terrifying, and yet largely unknown. Perhaps now is the time to pay attention to what is going on around us, what data we create, and how it is being used. After all, should CISPA pass, it may already be too late.