As a Barely Repentant Tech Idiot, cybersecurity is pretty far out of my wheelhouse, so I’d like to present this as an Open Thread, hoping some of you can bring some light to this subject. Please excuse my clumsiness with the subject. That I haven’t read much about the threats I see in all of this may just be down to my ignorance on the subject. Feel free to talk me down…or not, and I suspect…not.
I hadn’t seen television news for at least a year or two, and just happened upon this part of the PBS The News Hour. In what was billed as a major cyber-policy announcement at a Business Executives for National Security forum in New York on Oct. 12, the Secretary of Defense had this to say in part:
The truth is, it’s been leaked everywhere that Iran is suspected of being the authors of the attacks on Saudi Arabia’s state oil company Aramco and Qatari natural gas producer RasGas, as well as suspicions that the DOS attacks on the banks (JP Morgan, Wells Fargo, BAC, USB, etc.) might be coming from China and Russia, or organized crime working as agents, or with/for, the state governments.
According to a number of sources, Panetta issued a warning to Iran especially, and According to CBS News:
“A former U.S. government official says American authorities firmly believe that Iranian hackers, likely supported by the Tehran government, were responsible for recent cyberattacks against oil and gas companies in the Persian Gulf and that they appeared to be in retaliation for the latest round of U.S. sanctions against the country.”
Nice strategic leak of classified info by an anonymous but Weighty Insider Notable. The financial pages are full of insider knowledge as well.
From the Army Times:
“The department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of that attack,” he said. “Over the last two years, DoD has made significant investments in forensics to address this problem of attribution, and we’re seeing the returns on that investment. Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.”
Once targets are identified, the U.S. must be able to respond, and will, he said. Panetta referenced both offensive capabilities as well as a willingness to act not only against attacks, but also against threats of attacks.
“We won’t succeed in preventing a cyber attack through improved defenses alone,” he said. “If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president. For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.”
That verbiage concerning ‘actions’ seems to imply ‘cyber actions’ yes? Or does it imply more? Various reports of Panetta’s remarks interpret his declaration that the DoD is in the process of establishing ‘military rules of engagement on cybersecurity’ differently. Fox News indicates that Panetta must have declassified some documents in order to bring some new information to light:
“Panetta spoke out about the potential need for the U.S. to retaliate or deter a future cyber attack.
“In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well,” he said. Panetta warned that “this is a pre-9/11 moment” and said “the attackers are plotting.”
The Defense Secretary also appeared to declassify some new information, warning that intruders infiltrated computer control systems that “operate chemical, electricity and water plants and those that guide transportation throughout the country.” It’s not clear who was behind this attack.”
So what are the issues involved with and around Panetta’s announced cyber policy? I see a few.
First is the declaration to punish or wage preemptive strikes against aggressors or potential aggressors who have been identified as threats ‘to infrastructure that would cause physical destruction and the loss of life’. Does he agree with cyber-expert Michael Leiter in the video that in this country, American Power equals American financial institutions, thus see those as aggressive assaults on life?
Second, of course is the fact that the Lieberman/Snow Cybersecurity bill has been stalled in Congress since summer. One of the main groups opposing it has be (tada!) the Chamber of Commerce, citing onerous costs and regulations as their reasons; ergo: Panetta’s speech to the business group, hoping to change their minds. No mention was made of the:
“Privacy activists like the American Civil Liberties Union  and the Electronic Frontier Foundation  contend CISPA isn’t specific enough about just what constitutes a “cyber threat.” They say it enables Internet companies and service providers to hand over sensitive user information to intelligence agencies without enough oversight from the civilian side of government. Finally, they say it does not explicitly require Internet companies to remove identifying information about users before sharing. Opponents contend, for instance, that Facebook or Twitter could share user messages with the NSA or FBI without redacting the user’s name or personal details.”
CISPA also protects the private sector from liability even if they share private user information, as long as that information is deemed to have been shared for cybersecurity or national security purposes. Even though sharing is voluntary and not required under the law, privacy activists say the legal immunity CISPA provides would make it easy for the government to pressure Internet companies to give up user data.” [more from Pro Publica here]
Nor do they mention the compromise Wyden-Issa Internet Bill of Rights. But moving along, the day after Panetta spoke, Harry Reid vowed to pass S3414 in November. On the other hand, the shiver-inducing Joe Lieberman, assuming that Congress won’t even touch the CIPSA bill in a lame duck session, has been calling on Obama to issue an executive order cyber-bill with mandatory standards that will fill the vacuum he perceives.
But tada! It turns out that Harry Reid’s promise may be cover for the fact that the OBomba administration, in partnership with DHS, has been writing one.
“While renewing the legislative push, Reid also defended White House plans to beef up cybersecurity with an executive order, which has drawn concerns from a number of Republicans. Reid noted that “Secretary Panetta has made clear that inaction is not an option.
“Cybersecurity is an issue that should be handled by Congress, but with Republicans engaging in Tea Party-motivated obstruction, I believe that President Obama is right to examine all means at his disposal for confronting this urgent national security threat,” Reid said.
A group of House and Senate Republicans, including House Energy and Commerce Committee Chairman Fred Upton (R-Mich.), offered a number of criticisms of the planned executive order in a letter to President Obama Thursday.”
Open Congress says that the copy of OBomba’s version that Jason Miller at Federal News Radio got hold of is much like the House’s CIPSA, and the Lieberman-Snowe bill. (my bold)
“According to reports, the executive order would establish a voluntary cyberthreat exchange for companies to share information with the government and it would put the Department of Homeland Security in charge of conducting privacy assessments of the information that the government collects. Unlike the stalled cybersecurity bills in Congress that would have provided broad legal immunity for companies that violate privacy laws in the process of sharing their users’ information with the government, the executive order does not directly grant such immunity because the Administration is not confident that the legal authority currently exists for them to do so. Instead, the executive order calls for a report to examine possibilities for instituting immunity from privacy laws as a way to encourage companies to share more data. This inclusion of this report is significant because it suggests that the Administration may believe there is a potential work-around for the privacy laws that they previously insisted would take an act of Congress to be bypassed, as noted by former Homeland Security agent Stewart Baker.
On process, this is a basically complete abdication of the principals of transparency, accountability, and public-participation in government. The cybersecurity legislation did not stall in Congress simply because of dysfunction or disregard. Rather, it was the target of a massive grassroots effort that drove tens of thousands of calls to Congress and dozens of in-person meetings urging lawmakers to either add privacy safeguards to the bill, or vote it down. That action, which coincided with an industry-led attack on regulations in the bill, is what caused its demise. The executive order is a way for the Obama Administration to enact a bill that the public has clearly demonstrated they do not want. What’s worse, it is being drafted in secret by unaccountable government bureaucrats, and, unless leaked, it will not be available for public review before it goes into effect. The Administration is essentially taking all the worst qualities of how the legislative branch operates these days, turning them up to an extreme level, and using them to enact legislation that’s so unpopular even our corrupt and out-of-touch Congress can’t pass it.”
The update says that according to Mike Masnick at TechDirt, some of the EO on voluntary info sharing may actually be worse:
“While the President cannot grant liability protections for companies who share info with the government (a major concern we had), it sounds like this executive order will put tremendous pressure on companies to share info — noting that it will begin a sort of “name and shame” program for companies who fail to take part. That seems like a recipe for a privacy disaster.”
Do you trust this President, or any President, to safeguard your internet rights when issuing Cybersecurity rules by Executive Order? I most sincerely don’t, though I might not like what Congress would come up with, either. Call the White House, alert your friends if it flips your Zoris right off yer feet. What else can we do? And…why aren’t more people freaking out about this, and organizing against it. Or are they, and I’m simply unaware of it?
The ‘Contact the White House‘ link.
(It seems Karen Greenberg has a post up about it; too long for me to read for now.)