Welcome to DU!
The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
Join the community:
Create a free account
Support DU (and get rid of ads!):
Become a Star Member
Latest Breaking News
Editorials & Other Articles
General Discussion
The DU Lounge
All Forums
Issue Forums
Culture Forums
Alliance Forums
Region Forums
Support Forums
Help & Search
The White House’s New Executive Order On Cyber Crime is (Unfortunately) No Joke
The White Houses New Executive Order On Cyber Crime is (Unfortunately) No Joke
by Nadia Kayyali, Kurt Opsahl
http://www.commondreams.org/views/2015/04/08/white-houses-new-executive-order-cyber-crime-unfortunately-no-joke
(Image: Free Press/cc/flickr)
On the morning of April 1st, the White House issued a new executive order (EO) that asserts that malicious cyber-enabled activities are a national threat, declares a national emergency, and establishes sanctions and other consequences for individuals and entities. While computer and information security is certainly very important, this EO could dangerously backfire, and chill the very security research that is necessary to protect people from malicious attacks.
We wish we could say it was a very well-orchestrated April Fools joke, it appears the White House was serious. The order is yet another example of bad responses to very real security concerns. It comes at the same time as Congress is considering the White Houses proposal for fundamentally flawed cybersecurity legislation.
That perhaps shouldnt be surprising, since so far, D.C.s approach to cybersecurity hasnt encouraged better security through a better understanding of the threats we face (something security experts internationally have pointed out is necessary). Instead of encouraging critical security research into vulnerabilities, or creating a better way to disclose vulnerabilities, this order could actually discourage that research.
The most pernicious provision, Section 1(ii)(B), allows the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to make a determination that an person or entity has materially provided technological support for, or goods or services in support of any of these malicious attacks.
While that may sound good on its face, the fact is that the order is dangerously overbroad. Thats because tools that can be used for malicious attacks are also vital for defense. For example, penetration testing is the process of attempting to gain access to computer systems, without credentials like a username. Its a vital step in finding system vulnerabilities and fixing them before malicious attackers do. Security researchers often publish tools, and provide support for them, to help with this testing. Could the eo be used to issue sanctions against security researchers who make and distribute these tools? On its face, the answer is maybe.
To be sure, President Obama has said that this executive order [does not] target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity. But assurances like this are not enough. Essentially, with these words, Obama asks us to trust the Executive, without substantial oversight, to be able to make decisions about the property and rights of people who may not have much recourse once that decision has been made, and who may well not get prior notice before the hammer comes down. Unfortunately, the Department of Justice has used anti-hacking laws far too aggressively to gain that trust.
As several security researchers who spoke up against similarly problematic terms in the Computer Fraud and Abuse Act recently pointed out in an amicus brief:
There are relatively few sources of pressure to fix design defects, whether they be in wiring, websites, or cars. The government is not set up to test every possible product or website for defects before its release, nor should it be; in addition, those defects in electronic systems that might be uncovered by the government (for instance, during an unrelated investigation) are often not released, due to internal policies. Findings by industry groups are often kept quiet, under the assumption that such defects will never come to lightjust as in Grimshaw (the Ford Pinto case). The part of society that consistently serves the public interest by finding and publicizing defects that will harm consumers is the external consumer safety research community, whether those defects be in consumer products or consumer websites.
Its clear that security researchers play an essential function. It was researchers (not the government) who discovered and conscientiously spread the news about Heartbleed, Shellshock, and POODLE, three major vulnerabilities discovered in 2014. Those researchers should not have to question whether or not they will be subject to sanctions.
To make matters worse, while most of the provisions specify that they apply to activity taking place outside of or mostly outside of the US, Section 1(ii)(B) has no such limitation. We have concerns about how the order applies to everyone. But this section also brings up constitutional due process concerns. That is, if it were to apply to people protected by the U.S. Constitution, it could violate the Fifth Amendment right to due process.
As weve had to point out repeatedly in the discussions about reforming the Computer Fraud and Abuse Act, unclear laws, prosecutorial (or in this case, Executive Branch) discretion, coupled with draconian penalties are not the answer to computer crime.
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.
Nadia Kayyali is a member of the activism team at the Electronic Frontier Foundation.
Kurt Opsahl is the Deputy General Counsel of the Electronic Frontier Foundation.
InfoView thread info, including edit history
TrashPut this thread in your Trash Can (My DU » Trash Can)
BookmarkAdd this thread to your Bookmarks (My DU » Bookmarks)
2 replies, 1598 views
ShareGet links to this post and/or share on social media
AlertAlert this post for a rule violation
PowersThere are no powers you can use on this post
EditCannot edit other people's posts
ReplyReply to this post
EditCannot edit other people's posts
Rec (13)
ReplyReply to this post
2 replies
= new reply since forum marked as read
Highlight:
NoneDon't highlight anything
5 newestHighlight 5 most recent replies
The White House’s New Executive Order On Cyber Crime is (Unfortunately) No Joke (Original Post)
newthinking
Apr 2015
OP
DeSwiss
(27,137 posts)1. Another national emergency?
- How many is that now, I've lost my scorecard.
Ha-ha! No one ever thought Big Brother would be black........
Ha-ha! No one ever thought Big Brother would be black........
Demeter
(85,373 posts)2. That's not a bug, it's a feature
Nothing is too over broad when fascism is the motivation.