Mr President, is this a war on hackers – or a war on people stopping hackers?
New cybersecurity proposals hit wrong targets, say experts
Analysis This week, President Obama unveiled three new fronts in his war on scary computer hackers – but so far very few people are impressed, and a lot of folks are very worried about the direction he is taking.
Obama outlined three areas he is looking to concentrate on in the coming legislative session: better information sharing between business and government about online threats; tougher sentences for hackers by classifying some computer crimes as racketeering; and a national security breach notification law.
The first resolution looks a lot like an attempt to reintroduce the zombie CISPA legislation Obama tried to push early in his second term in office. Under his new plans, companies and government must share information about possible computer security vulnerabilities to help make us all more secure.
Sounds great, right? The kicker to that is the companies taking part will also pass on customer information to law enforcement, after taking "reasonable" steps to anonymize it. In return, they get threat intelligence from the Feds and limited immunity from being sued by citizens should they suffer a Sony Pictures-style ransacking.
Online rights campaigners the EFF said these measures simply aren't good enough. "Instead of proposing unnecessary computer security information sharing bills, we should tackle the low-hanging fruit," said the foundation's technical team. "This includes strengthening the current information sharing hubs and encouraging companies to use them immediately after discovering a threat."
Getting 'tough' on hackers
Obama's plans to be tougher on hackers when it comes to sentencing, by bundling them in with organized crime statutes, have also come in for strong criticism from the security research community.
Under the proposed new rules, anyone having contact with illegally-obtained material will find themselves facing stiff sentences. Opening a Pastebin link to find leaked passwords, finding a flaw in software and telling another researcher to check it out, even retweeting a link to leaked information, will land you in deep trouble.
"The most important innovators this law would affect are the cybersecurity professionals that protect the internet," said Rob Graham, CEO of Errata Security.
"We do innocent things that look to outsiders like 'hacking'. Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open-door for nation-state hackers and the real cybercriminals."
Not that the Feds would be conducting mass arrests; these laws are most likely going to be used to threaten hackers and researchers into accepting plea bargains rather than risk going to trial and facing 20 years and the confiscation of all assets if the jury doesn't side with them.
Paranoid, you might think. But that's exactly what happened in the case of Aaron Swartz, a talented youngster who was caught slurping academic papers from servers. His university didn't want to press charges but federal prosecutors hit him with 13 separate allegations that could have seen him put away for more than 30 years. Swartz took his own life before the case came to court.
Show and tell: Not even rules on admitting hack attacks are any good
Obama's third cybersecurity idea is a data breach law that would require all companies to tell their customers if they have suffered a hacking attack that saw personal information accessed or stolen.
Such laws are popular and necessary, and already on the books in the majority of US states. But Obama's plans would nullify those state laws with a weaker national standard.
"Federal regulation should set minimum standards for data protection but allow states to enact stricter standards if they so choose," said Gabe Rottman, legislative counsel at the ACLU.
"In other words, federal standards should be the floor, not the ceiling. Yet the president's data breach proposal would preempt stronger state notification laws, which would actually weaken the notification requirements across the country."
Yet more political posturing
It's unlikely that any of Obama's proposals will get through in the form he proposes.
The Democratic president is on the last two-year stretch of his term and is facing a Republican-led Congress that hates his guts and will do their absolute best to frustrate any attempts he makes to get his way on the matter.
But that's not to say these flawed proposals couldn't be adapted during debates in Congress to become even more troublesome. In fact, it would be in the Republicans' interest for them to do so.
After all, Obama's put his name on it and therefore he would have to share the responsibility if legislation is passed. Putting this out here, especially in his weakened political state, could be one of the worst mistakes Obama has yet made. ®