Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for the 'Security & Freedom' Category

China Backs Off Green Dam filtering mandate

Tuesday, June 30th, 2009

Chinese authorities today delayed implementation of the much-disparaged Green Dam-Youth Escort filtering mandate, just one day before the July 1 implementation deadline.

Since the Green Dam directive was made public, we have learned that the filtering software does not work as proposed or publicized, may create serious security vulnerabilities, may contain stolen code, and likely violates China’s WTO obligations. The filter targets far more than sexually explicit material and is capable of shutting down a variety of applications when politically sensitive keywords are triggered. Independent analysis has also revealed that security flaws in the software could make millions of PC users in China vulnerable to a variety of malicious attacks.
(more…)

CRS Weekly Report: Comprehensive National Cybersecurity Initiative

Tuesday, June 30th, 2009

The Congressional Research Service is a $100 million a year think tank that researches and writes informative and non-partisan reports on topics suggested by members of Congress. The catch–and the reason you might not have read their work–is that CRS reports are only made easily available to members of Congress. Citizens can request these reports from lawmakers, but without a public index, they can’t request something they don’t know exists. The CRS Reports currently rank first on CDT’s Most Wanted Government Documents. In an ongoing effort to liberate these documents, CDT runs Open CRS, an online repository of public CRS Reports. To spotlight these reports, I will be writing “CRS Report of the Week” posts and featuring a relevant report each week. These reports are informative both in that they serve as excellent primers to political issues and in that they offer a degree of insight into what information is circulating around Congress.

Comprehensive National Cybersecurity Initiative: Legal Authorities, Policy Considerations
#R40427
March 10th, 2009

A standing question about cybersecurity is the respective roles of the executive and legislative branches. President Obama has made cybersecurity a priority in the White House; his commitment to the issue came early when he asked for a top-to-bottom governmental review of cybersecurity efforts. Another example of Obama’s interest in making cybersecurity a primary issue is his announcement to create a “Cybersecurity Czar” in the White House. Meanwhile, some in Congress have gone their own way, for example, with the introduction of the Cybersecurity Act of 2009. Although the executive branch might seem like the logical place to have cybersecurity authority, this CRS Report suggests that the President’s cybersecurity authority could be disrupted (or reaffirmed) by Congressional action.
(more…)

Tracking the Promise and Progress of Obama’s Cybersecurity Plan

Friday, June 19th, 2009

When the White House released its review and recommendations for the current state of cybersecurity policy, CDT applauded the Administration for showing attentiveness to the concerns of privacy and civil liberties groups by constructing the report in a collaborative and open manner. The level of transparency and knowledge sharing demonstrated in the creation of the report will need to be illustrated in the implementation of these recommendations as well. Now comes the hard part, living up to the hype and honoring the “action items” contained in that report while ensuring that a cybersecurity policy is implemented that keeps the nation safe from threats without jeopardizing the openness of the Internet or the privacy of its citizens.

To help keep the process moving, CDT has created a report tracking the progress of this “cybersecurity to-do list.” The action items outlined in our report were derived from the Administration’s review as well as the President’s remarks on the document. The original document is based on three broad, though essential themes.

The first of those themes is promoting the value of privacy. As the report notes, protections for individual privacy are essential to reaping the benefits from advancements in informational technology. The second is that privacy rights must be clearly defined and enumerated. Clear, detailed policies are needed, as privacy rights are extremely vulnerable to advances in technology. The last is making sure that any plan aimed at protecting privacy rights is the product of a coordinated effort between the technology side and the policy side.

Using the report we released today as a benchmark, CDT will continue to push the Administration to honor the pledges made in that report and to maintain the same openness and attention to privacy concerns as were shown during the information gathering phase of the report.

PASS ID Act Offers REAL Reforms

Monday, June 15th, 2009

Today legislation was introduced in Congress to provide a much needed overhaul of the REAL ID program by Senators Akaka (D-HI), Baucus (D-MT), Carper (D-DE), Tester (D-MT), and Voinovich (R-OH). The new bill is known as the Providing for Additional Security in States’ Identification (PASS ID) Act of 2009.

Since its inception in 2005, REAL ID has long been a pariah among the states and civil rights/civil liberties groups alike. At last count this year, thirteen states have passed legislation prohibiting REAL ID implementation, and another ten have passed resolutions denouncing REAL ID’s approach. CDT has repeatedly pointed out at every step of REAL ID’s development the serious risks to privacy and security the program creates.
(more…)

Email Privacy Rights, Electronic Search and Seizure Before Court

Wednesday, June 10th, 2009

CDT recently signed on to an amicus brief being spearheaded by Electronic Frontier Foundation in the second round of United States v. Warshak, a case that could have major ramifications for email privacy rights and electronic search and seizure processes. The court is deciding whether the government can evade probable cause standards through the use of mandatory data preservation requests.

The Electronic Communications Privacy Act permits the government to require an ISP to “preserve” communications in its possession pending issuance of a court order or other legal process. To require preservation, the government has to prove nothing and it need not involve a court. It just has to ask the provider to hold onto the communications.

But, under ECPA, if the government wants access to emails not yet in the possession of a provider – communications that haven’t yet occurred – it has to get a court order under the Wiretap Act and has to prove it has probable cause of crime, and then some. In this case, the government got a “back-door wiretap” by asking the ISP to “preserve” communications it hadn’t yet received. The government followed up that request much later with a subpoena, then a court order issued under a lesser standard, for the email it sought. In other words, it circumvented the requirement that it prove to a judge it has probable cause.

The lower court ruled that this is OK. If the Sixth Circuit court agrees, it would give the government a road map for collecting up email without having to prove strong evidence of criminal activity to a judge.

Internet users can clearly expect their email to be private, but the government argues that emails stored on a webmail provider or an ISP are not protected under the Fourth Amendment. CDT has long advocated for an update in the laws governing government access to communications and if the court does not make it clear that back door wiretaps are not permitted, then Congress will need to step in.

“Chain of Trust” Initiative Launched as Groups Weigh In

Wednesday, May 20th, 2009

The Anti-Spyware Coalition (ASC), National Cybersecurity Alliance (NCSA), and StopBadware.org led a public workshop yesterday to launch a new collaborative effort to combat malicious software. The “Chain of Trust” initiative is built on the fundamental principle that the only way to combat a global problem like this is to bring everyone involved to the table and create a united front against a growing threat.

The workshop featured discussion from representatives from government agencies, Internet companies, network providers, security vendors, researchers and advocacy groups.  Keynote speakers included Shawn Henry, assistant director of the FBI’s computer crime unit, Jeff Fox, editor, Consumer’s Union, and Brian Krebs, reporter, Washington Post, where he writes the Security Fix blog.   The discussion focused on how best to identify, educate and combat today’s cyber threats.
(more…)

Groups Launch “Chain of Trust” Initiative to Combat Malware

Monday, May 18th, 2009

Three of the world’s leading cybersecurity groups are launching a new initiative to combat malicious software or “malware” by establishing a “Chain of Trust” among all of the organizations and individuals that play a role in securing the Internet.

Developed by the Anti-Spyware Coalition (ASC), National Cybersecurity Alliance (NCSA) and StopBadware.org, the Chain of Trust Initiative will link together security vendors, researchers, government agencies, Internet companies, network providers, advocacy and education groups in a systemic effort to stem the rising tide of malware. Applying many of the same approaches used to bring nuisance adware under control, the Chain of Trust Initiative aims to establish a united front against a growing threat.

To help facilitate discussion around the initiative, the ASC is holding a public workshop on May 19 featuring moderated panels and keynotes from leaders in the cyber security and consumer privacy field.  The FBI’s assistant director, Shawn Henry, who oversees the bureau’s computer crime unit, will be giving a morning keynote along with CDT Vice President, Ari Schwartz and Jeff Fox of Consumer’s Union.

Those who are unable to physically attend the conference can follow along with CDT’s live twitter feed (@CDT_LIVE) using the hashtag #asc09.  There will be discussion on the feed and reaction and comments as the workshop unfolds.  Additionally, portions of the conference will be streamed through our UStream Channel, CDT TV.

More information on attending the workshop, including registration and agenda info is available here:

http://antispywarecoalition.org/events/may2009.php

Cybersecurity Bill Jumpstarts Debate

Monday, May 11th, 2009

The Cybersecurity Act of 2009, S. 773, introduced by Senators Rockefeller (D-WV) and Snowe (R-ME), has kicked off what promises to be an intense debate over the federal government’s cybersecurity policy.  There’s broad consensus about the goal – better security for both governmental and private sector critical infrastructure information systems – but not much agreement about how to achieve it.

The Rockefeller/Snowe bill includes some especially troubling provisions.  For starters, it would give the President the authority to limit or shut down Internet traffic to federal government and private critical infrastructure systems.  It would give the Secretary of Commerce the power to override any law, regulation, or policy – including privacy laws and laws protecting trade secrets – to obtain access to information held by private parties that might be relevant to cybersecurity threats and vulnerabilities.  Broadly read, the provision would authorize the Secretary of Commerce to override the Wiretap Act and the Electronic Communications Privacy Act to gain access to communications content. Finally, it includes provisions that would allow the government to dictate software design standards for the private sector.

CDT has prepared a detailed analysis of the Rockefeller-Snowe bill here.

Fortunately, the Rockefeller/Snowe bill isn’t the only game in town.

Senator Carper’s (D-DE) U.S. Information and Communications Enhancement (ICE) Act (S. 921) takes an entirely different, and much more appropriate, approach.  It focuses primarily on strengthening the security of governmental information systems by amending the Federal Information Security Management Act.  In contrast, many provisions of the Rockefeller-Snowe bill would apply the same measures and authorities without distinction to both private and public systems.

(more…)

Thwarting Civil Liberties – The Problem with Domestic Intelligence

Monday, April 27th, 2009

Developing a set of rules that will reliably distinguish between activities that are legitimate and those that are true threats continues to vex domestic intelligence policy. In the past week, this fundamental issue cropped up in media discussion of a leaked DHS intelligence report and also during a Senate hearing on information sharing. In thinking about the problem, and recognizing that the following certainly is nowhere near a complete solution, I suggest three potential improvements:

1) intelligence reports and threat assessments that deal with ideological motivation should expressly address the need to distinguish between ideas and illegality;

2) Congressional oversight committees should review samples of domestic intelligence reports from different stages of the information collection, analysis and sharing process, and;

3) frontline law enforcement civil liberties training material should be made openly available.

Last week, Department of Homeland Security (DHS) Secretary Napolitano issued a response to the public outcry over the intelligence report that leaked earlier this month. DHS’ “Rightwing Extremism” threat assessment had identified opposition to controversial government policies such as immigration and the election of President Barack Obama as factors that may stimulate terrorism.

(To read more about the DHS intelligence report and other reports like it, please see my earlier post.)
(more…)

Why the NSA Should Not Lead Cybersecurity Government-Wide

Tuesday, April 21st, 2009

UPDATE: At the RSA conference in San Francisco today, NSA Director Keith Alexander disavowed any interest by his agency in directing cybersecurity efforts outside of national security systems. Whether Alexander was engaging in damage control or whether his remarks truly represent a shift in Administration policy remains to be seen. Alexander also spoke of the need for a team approach to cybersecurity, leaving open the question of exactly what position NSA will play on the team. Let’s hope the pendulum is swinging back towards the center.


While we are eagerly awaiting the results of the Obama Administration’s review of cybersecurity policy, the latest Wall Street Journal story on a computer hack of systems containing national security information highlights several points on which to judge the direction being taken by the Administration.

Tomorrow (Wednesday, April 22), Melissa Hathaway will speak at the RSA Conference in San Francisco and is likely to give some indication of the conclusions and findings of her 60 day review of U.S. cybersecurity policy. Her report to the President, completed last week, probably focuses more on organizing the White House and the Executive Branch for cybersecurity than on substantive questions of mandates, standards, and incentives, but even the allocation of responsibilities within the federal government has major implications.
(more…)

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
