Today on Blogcritics

Mum’s the Word on Cyber Security


On Wednesday, the president delivered a straight-talking, impassioned address detailing ambitious plans to improve and reform just about everything. In 378 words he explained how America’s energy infrastructure needed to move towards more efficient and greener technologies. With 443 words he discussed the importance of a higher minimum wage and bringing technology-related manufacturing jobs back to the domestic labor market. 606 words explained new plans to improve secondary education with job preparation, STEM-focused curricula, and a new initiative to incentivize tuition reductions in higher education. Among all his new proposals, the mere 133 words on a new legislative push for enhanced “cyber-defenses” was probably the most vague, and the most disturbing. Under legislation like the PATRIOT Act, federal law enforcement wields disturbingly broad authority not only to surveil, collect information on, and prosecute Americans, but also to share this information between agencies. Citing a “rapidly growing threat from cyber-attacks”, the president hopes to push Congress for new laws to strengthen the national digital defenses, but is this power the federal government actually needs?

What Is And Isn’t Legal

Current computer security law is set primarily by Title 18 U.S.C. Sections 1029 & 1030, which outline computer crimes and, in part, sentencing for offenses. Section 1030 defines a “protected computer” as any computer used by a financial institution or government agency for the purposes of interstate commerce, foreign commerce, or communication. Any unauthorized access to, collection of, and damage to or corruption of data on a protected computer is prohibited and constitutes a felony. Section 1029 deals with so-called access devices (AD) and makes it illegal to:

  1. Produce, use, or sell counterfeit access devices
  2. Obtain anything of value with a counterfeit AD
  3. Have more than 15 in your possession
  4. Own equipment that allows you to produce your own AD
  5. Alter or modify “telecommunication equipment” to gain unauthorized access to communication services
  6. Own devices that can intercept a wire or other form of electronic communication
  7. Use or own hardware or software that modifies the identity of a telecom device

Here, access devices are any card, plate, code, account number, electronic serial number, mobile identification number, PIN number, or any other device that can be used to access accounts for anything of value. 

In addition to Sections 1029 and 1030, the Cyber Security Enhancement (CSEA) and USA PATRIOT Acts play a role in federal information security law by laying the groundwork for anti-cyberterrorism legislation. The CSEA allows Internet Service Providers to disclose information about subscriber activities to government agencies, without a “reasonable belief” that there is an immediate danger of another’s death or serious injury. Title VIII of the PATRIOT Act amends Section 1030 of Title 18 to include the “damage or gain unauthorized access to” language regarding protected computers, and expands punishable offenses to include disrupting medical practices, healthcare, and national security. 

But the question remains, do federal law enforcement agencies really need greater leverage in the fight against hacktivists and cyberterrorists? In his address, the president made it clear that his administration believes so, but upon closer examination of computer security enforcement laws, his case becomes progressively less convincing. 

It’s More A Question Of What Can’t They Do

While CSEA and the PATRIOT Act play a background role in defining computer crimes, they’re the centerpiece of the federal government’s exceptional enforcement capabilities. In conjunction with the Federal Information Security Management Act (FISMA), federal law enforcement has the ability to surveil and collect information on American citizens and to share collected intelligence between agencies, and is required to perform regular audits on its secured networks. To explain how this all works, I’ll start with the PATRIOT Act.

Title I of the Act called for the expansion of the U.S. Secret Service’s National Electronic Crime Task Force (NECTF) charged with preventing, detecting, and investigating electronic crimes. “Electronic Crimes” applies not solely to hacking attempts on protected computers under Title 18 U.S.C. Sec. 1030, but also to potential acts of terrorism against national infrastructure and financial payment systems. Title V reinforces Title I by conferring the FBI’s enforcement authority under Section 1030 to the Secret Service, and these are further supported by Title VII, which authorizes the Justice Department to create “secure information sharing systems” between federal, state, and local law enforcement. 

Title II includes most of the provisions that allow federal agencies to conduct surveillance operations on American citizens. Under this title, law enforcement can intercept internet communications, record telephone conversations without a wiretap warrant, collect identification information from electronic devices (i.e. MAC addresses), access subscriber records from cable/internet service providers (ISPs), and preempt disclosure of the rationale behind a judge granting a warrant in a federal investigation of suspected terrorist activity. Title VIII of the Act authorizes the Attorney General to create regional computer forensic labs to examine intercepted computer evidence and facilitate more efficient information sharing between federal, state, and local authorities.

The CSEA opens the information-gathering door even wider by amending the regulations around how often and to whom ISPs can release subscriber information. Under this act, an ISP doesn’t need a “reasonable belief” to divulge either records of internet communications or the content of the communication itself. An ISP only needs to act in “good faith” rather than on a legitimate suspicion that there’s an immediate danger. In addition, ISPs can release this information to any federal, state, or local “government entity” as opposed to a law enforcement agency.

Lastly, FISMA requires federal agencies and substations to regularly test their networks for vulnerabilities and perform risk assessments on successful breaches from outside attackers. Under this law, Certified Ethical Hackers and Licensed Penetration Testers can be employed to conduct penetration tests and to develop, document, and implement agency-wide security programs, including inter-agency systems.

Bringing It Full Fractal

So let’s recap what we know. The PATRIOT Act mandates the expansion of federal law enforcement, permits the gathering/storage of data without the usual warrants, and instructs government officials to create centers for data sharing and analysis. The CSEA allows ISPs to send client data to any government agency, where it can be distributed and shared at the local, state, and federal level. To top it off, FISMA requires federal agencies to audit themselves for security risks, develop countermeasures, and implement policies that have to be followed throughout the agency. Even if we disregard Title 28 U.S.C. Sec. 534 (which authorizes the FBI’s fingerprinting and facial recognition database programs), what additional power could the Obama administration want from Congress?

Current legislation allows the federal government either to passively collect information on Americans via ISPs or to actively collect it as part of an investigation into acts of terrorism, which its agents retain the sole authority to define. Also keep in mind that the CSEA and Title II of the PATRIOT Act allow ISPs to collect and send the electronic identification numbers of the devices used in their surveillance operations. Every personal computer, smartphone, and tablet computer contains and uses identification information that can be uncovered with network mapping tools and used to monitor activity on the device itself. In effect, the federal government could monitor the movements or activities of anyone possessing an internet-capable device, and such action could be conducted if federal law enforcement felt it appropriate for protecting national security.

Last Words

There were several proposals the president outlined that are more than worthwhile uses of time and government capital, but on the matter of information security the government needs no greater authority from Congress. If anything, Congress should endeavor to dismantle sections of the PATRIOT Act and CSEA that enable clandestine, intrusive surveillance of American citizens and devise safeguards against information gathering without probable cause.  


About Alexander J Smith III

  • pablo

    You might have mentioned Alexander that all of the legislation that you cited is unconstitutional on its face as per the fourth amendment. I am not surprised however that you omitted that trivial fact.

  • Alexander J Smith III

    The Constitutionality of the legislation wasn’t the focus of the piece, though I do agree that much of the PATRIOT Act is in violation of several Constitutional Amendments.

  • pablo

    Well that’s great Alexander. I just don’t see the point in writing about legislation that is unlawful on its face, other than to point that out.

  • Igor

    IMO the point of discussing unlawful legislation is to try to rescind it. But that may be impossible, given the political proclivities.

    Fortunately, an astute person can devise sufficient personal security with easily available tools.

  • Alexander J Smith III

    -Pablo,

    Unfortunately for us, those laws are the law, and they won’t be unlawful until we (and our court system) step up to challenge them. While they’re still around we have to talk about the powers they grant, even if we don’t agree that they should be there in the first place.

  • pablo

    Igor and Alexander,

    Then the thrust of the discussion should be about their unlawfulness, which I did not see in your article Alexander.

    I’m RACIST? for criticizing Obama.

    TERRORIST because I’m not with Bush.

    ANTISEMITIC for not supporting Rothschild Zionism.

    TEABAGGER for supporting the Constitution.

    TRUTH-ER for asking unanswered questions.

    TRAITOR for whistle-blowing on my corrupt Government.

    CONSPIRACY THEORIST for presenting documented facts.

    TROLL for uploading news, videos, quotes and U.S. Atrocities.

  • Dr Dreadful

    Then the thrust of the discussion should be about their unlawfulness, which I did not see in your article Alexander.

    Hmm.

    So the sub-heading “What Is and Isn’t Legal” didn’t clue you in?

  • Alexander J Smith III

    -Dr. Dreadful

    LOL. I mean that section was there just to spell out what the current laws say. I can understand where Pablo is coming from, but I felt that discussing why the current laws are overstepping, or unconstitutional would have been slightly off topic and could really use an entire piece to cover that.

  • Dr Dreadful

    Yes, Alexander, your article can indeed be the jumping-off point for a discussion on the illegality (or otherwise) of the legislation. But Pablo isn’t interested in having a discussion. He has already decided that the laws are unconstitutional and will merely scoff at anything anybody says to the contrary. Hence my ironic comment.

  • pablo

    It is ok Dread I know you like to take a swipe at me anytime you get the chance.

  • pablo

    And Dread yes I will scoff at anyone who says the contrary regarding the Patriot Act, who claims that it does not violate the Constitution, as it clearly does, it is not debatable, however that probably will not stop the esteemed Supreme Court from saying otherwise.

    As to discussion, I spent several years on this site discussing the issues of the day, now I prefer sniping. And snipe away I will when I choose to Dread, and I know each and every time that I do, you will be there to point your finger at me. Enjoy. :)

  • Dr Dreadful

    Fair enough, Pablo, although as I said, if all you’re interested in is sniping about the unlawfulness of the Patriot Act then you can’t really complain that Alexander isn’t discussing it.