On Wednesday, the president delivered a straight-talking, impassioned address detailing ambitious plans to improve and reform just about everything. In 378 words he explained how America’s energy infrastructure needed to move towards more efficient and greener technologies. With 443 words he discussed the importance of a higher minimum wage and bringing technology-related manufacturing jobs back to the domestic labor market. 606 words explained new plans to improve secondary education with job preparation, STEM-focused curricula, and a new initiative to incentivize tuition reductions in higher education. Among all his new proposals, the mere 133 words on a new legislative push for enhanced “cyber-defenses” were probably the most vague, and the most disturbing. Under legislation like the PATRIOT Act, federal law enforcement wields disturbingly broad authority not only to surveil, collect information on, and prosecute Americans, but also to share this information between agencies. Citing a “rapidly growing threat from cyber-attacks”, the president hopes to push Congress for new laws to strengthen the national digital defenses, but is this power the federal government actually needs?
What Is And Isn’t Legal
Current computer security law is set primarily by Title 18 U.S.C. Sections 1029 & 1030, which outline computer crimes and, in part, sentencing for offenses. Section 1030 defines a “protected computer” as any computer used by a financial institution or government agency for the purposes of interstate commerce, foreign commerce, or communication. Any unauthorized access to, collection of, and damage or corruption to data on a protected computer is prohibited and constitutes a felony. Section 1029 deals with so-called access devices (AD) and makes it illegal to:
- Produce, use, or sell counterfeit access devices
- Obtain anything of value with a counterfeit AD
- Have more than 15 in your possession
- Own equipment that allows you to produce your own AD
- Alter or modify “telecommunication equipment” to gain unauthorized access to communication services
- Own devices that can intercept a wire or other form of electronic communication
- Use or own hardware or software that modifies the identity of a telecommunications device
Here, access devices are any card, plate, code, account number, electronic serial number, mobile identification number, PIN number, or any other device that can be used to access accounts for anything of value.
In addition to Sections 1029 and 1030, the Cyber Security Enhancement (CSEA) and USA PATRIOT Acts play a role in federal information security law by laying the groundwork for anti-cyberterrorism legislation. The CSEA allows Internet Service Providers to disclose information about subscriber activities to government agencies, without a “reasonable belief” that there is an immediate danger of another’s death or serious injury. Title VIII of the PATRIOT Act amends Section 1030 of Title 18 to include the “damage or gain unauthorized access to” language regarding protected computers, and expands punishable offenses to include disrupting medical practices, healthcare, and national security.
But the question remains, do federal law enforcement agencies really need greater leverage in the fight against hacktivists and cyberterrorists? In his address, the president made it clear that his administration believes so, but upon closer examination of computer security enforcement laws, his case becomes progressively less convincing.
It’s More A Question Of What Can’t They Do
While CSEA and the PATRIOT Act play a background role in defining computer crimes, they’re the centerpiece of the federal government’s exceptional enforcement capabilities. In conjunction with the Federal Information Security Management Act (FISMA), they give federal law enforcement the ability to surveil and collect information on American citizens and to share collected intelligence between agencies, while requiring it to perform regular audits on its secured networks. To explain how this all works, I’ll start with the PATRIOT Act.
Title I of the Act called for the expansion of the U.S. Secret Service’s National Electronic Crime Task Force (NECTF), charged with preventing, detecting, and investigating electronic crimes. “Electronic Crimes” applies not solely to hacking attempts on protected computers under Title 18 U.S.C. Sec. 1030, but also to potential acts of terrorism against national infrastructure and financial payment systems. Title V reinforces Title I by conferring the FBI’s enforcement authority under Section 1030 on the Secret Service, and these are further supported by Title VII, which authorizes the Justice Department to create “secure information sharing systems” between federal, state, and local law enforcement.
Title II includes most of the provisions that allow federal agencies to conduct surveillance operations on American citizens. Under this title, law enforcement can intercept internet communications, record telephone conversations without a wiretap warrant, collect identification information from electronic devices (i.e., MAC addresses), access subscriber records from cable/internet service providers (ISPs), and preempt disclosure of the rationale behind a judge granting a warrant in a federal investigation of suspected terrorist activity. Title VIII of the Act authorizes the Attorney General to create regional computer forensic labs to examine intercepted computer evidence and facilitate more efficient information sharing between federal, state, and local authorities.
The CSEA opens the information-gathering door even wider by amending the regulations around how often and to whom ISPs can release subscriber information. Under this act, an ISP doesn’t need a “reasonable belief” to divulge either records of internet communications or the content of the communication itself. An ISP only needs to act in “good faith”, rather than on a legitimate suspicion that there’s an immediate danger. In addition, ISPs can release this information to any federal, state, or local “government entity” as opposed to a law enforcement agency.
Lastly, FISMA requires federal agencies and substations to regularly test their networks for vulnerabilities and perform risk assessments on successful breaches from outside attackers. Under this law, Certified Ethical Hackers and Licensed Penetration Testers can be employed to conduct penetration tests and to develop, document, and implement agency-wide security programs, including inter-agency systems.
Bringing It Full Fractal
So let’s recap what we know. The PATRIOT Act mandates the expansion of federal law enforcement, permits the gathering/storage of data without the usual warrants, and instructs government officials to create centers for data sharing and analysis. The CSEA allows ISPs to send client data to any government agency, where it can be distributed and shared at the local, state, and federal level. To top it off, FISMA requires federal agencies to audit themselves for security risks, develop countermeasures, and implement policies that have to be followed throughout the agency. Even if we disregard Title 28 U.S.C. Sec. 534 (which authorizes the FBI’s fingerprinting and facial recognition database programs), what additional power could the Obama administration want from Congress?
Current legislation allows the federal government either to collect information on Americans passively via ISPs or to collect it actively as a part of an investigation into acts of terrorism, which its agents retain the sole authority to define. Also keep in mind that the CSEA and Title II of the PATRIOT Act allow ISPs to collect and send the electronic identification numbers of the devices used in their surveillance operations. Every personal computer, smartphone, and tablet computer contains and uses identification information that can be uncovered with network mapping tools and used to monitor activity on the device itself. In effect, the federal government could monitor the movements or activities of anyone possessing an internet-capable device, and such action could be conducted if federal law enforcement felt it appropriate for protecting national security.
There were several proposals the president outlined that are more than worthwhile uses of time and government capital, but on the matter of information security the government needs no greater authority from Congress. If anything, Congress should endeavor to dismantle sections of the PATRIOT Act and CSEA that enable clandestine, intrusive surveillance of American citizens and devise safeguards against information gathering without probable cause.