Senate Bill 2105: Cybersecurity Act of 2012


On Valentine’s Day, four Senators introduced Senate Bill 2105, also known as the Cybersecurity Act of 2012.  If you would like to read the bill as it was introduced, it is available in full as presented.   If passed, this law would authorize the Federal government to regulate the security of privately owned critical infrastructure, much of which is controlled by Internet-connected systems that are susceptible to being hacked.  This includes electrical power grids, telecommunications networks, air traffic control systems, dams, and nuclear power plants.  Said differently, it would allow the Federal government to set security standards, to assess a company’s compliance with them, and to levy fines if the security is not sufficiently high.

Last week, the Wall Street Journal reported that a group of Senators has weakened the bipartisan legislation.   They responded to business lobbyists who claimed that such regulations “would create a costly and cumbersome process.”  Their position is that, rather than being required to meet these standards, companies should merely be encouraged to do so.  According to Senator John McCain, “Instead, we must leverage the ingenuity and innovation of the private sector in partnership with the most effective elements of the federal government to address this emerging threat.”

I am perplexed as to why Senator McCain, who has a strong record on national security, would take this stand, unless he does not really understand the real and present threat of such an attack.  Consider the number of companies in the last few months that have reported a security breach.  Sometimes the breach hands thieves passwords, which is problematic enough, but sometimes it is Social Security numbers, bank account details and other personal information.  The people whose identities are stolen face a never-ending hassle to fix the problem.  Many companies do not take security as seriously as they should.  Even when security is a priority, companies have a significant task keeping a step ahead of the attackers.

Now, take that up to a regional or national level.  Suppose the U.S. had no access to electricity or telecommunications.  Suppose this is not for a couple of hours, as you might get in a thunderstorm, but for an extended period of time.   What would that do to the country’s productivity?  What if it happened during peak holiday shopping and no one could buy gifts or food?  What if it happened on election day and half the people were not able to vote?  What if … there are many horrible examples.

We have already proven this can happen.  Well, it is unclear whether “we” proved it or someone else proved it, by the introduction of the Stuxnet worm into Iran’s uranium-enrichment facility.  Not only did it stop operations, but it did so in a way that damaged the centrifuges and rolled back their development.  Other malware aimed at industrial control systems, the embedded computers that run things like a power plant, has also been identified.

People release viruses all the time, sometimes without even knowing the impact of what they have done.   Why do we believe it won’t happen here?  Personally, I think it is because people just do not understand technology and what security breaches can do.   They understand bombs or people shooting guns and know how to respond.  But electrons?  It is easy to listen to those claiming to be experts and follow their advice.

I hope we get the legislation.  I hope that it is flexible enough to be able to adapt to the rapid changes in technology.  I hope we can find a way to protect ourselves before it is too late.  If you agree, please share your concern with your Senators and Representatives.


A postscript:  Even weakened, the bill failed.  Too many people thought telling infrastructure companies that they need to be secure was a problem.  Sigh.


What are Flame and Stuxnet and why should I care?


There has been much discussion in the popular press of late about something called Flame and something called Stuxnet, especially with regard to national security. However, many people do not understand what they are and why they are so troubling. Basically both of these are “computer worms,” a kind of malware which, like a virus, performs malicious acts on your computer. The difference between a “worm” and a “virus” has to do with how they spread. A virus attaches itself to some other program or file, because it needs that host to be executed in order to run its own code; when the user runs the program, he or she also (unintentionally) runs the virus, which then typically alters or deletes files and copies itself into other programs. A worm, on the other hand, needs no host and no user action: it self-replicates and moves from machine to machine across a network (such as the Internet), usually by exploiting a flaw in software that is listening on the network. Worms are generally designed not only to spread but also to make specific changes to the computers they reach, including taking control of all or part of the machine. The key point is that a worm can cause damage to the system on its own, at network speed, without anyone clicking on anything.

First, let’s talk about Stuxnet. You may have heard about this one in 2010 when it was reported that there had been a cyberattack on Iranian uranium-enrichment centrifuges. This worm was introduced into the Iranian enrichment facility (people in the know think it was carried in on a thumb drive, since the facility was not connected to the Internet), and it took control of the industrial control system: the programmable controllers that drive the machinery. A control system manages and regulates the equipment under its control so that humans (often quite far away) can read sensors and other information about the system and make adjustments. In this case the facility being monitored was Iran’s enrichment plant. The compromised control system commanded the centrifuges to spin at speeds well beyond their tolerances, while feeding the operators’ monitoring screens previously recorded normal readings so that nothing looked wrong. Obviously, then, the centrifuges were damaged.

You might ask how the worm could have caused that problem. Well, the programmers of the worm found vulnerabilities in the computer programs that run the control system, both in the Windows machines the engineers used and in the software that programs the controllers. It is the same process by which attackers exploit programming mistakes in an operating system so that our own computers get viruses.

The worm caused so much damage to the facility that it set back the nuclear program in Iran. At the time, there was discussion that it might have originated in the United States and Israel, but there was no public evidence to back up that claim.

It is beyond the scope of this blog to discuss who was behind it and their motives. However, it is important to note that malware can reach the equipment inside a physical facility, such as power plants, water treatment facilities and other public utilities. These are things we have taken for granted as protected and safe. However, The Washington Post reported that:

A recent examination of major control systems by six hacker-researchers working with the security firm Digital Bond found that six of seven devices in the study were riddled with hardware and software flaws. Some included back doors that enabled the hackers to download passwords or sidestep security completely.

In fact, according to The Washington Post,

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

Further, they note,

A researcher at Cambridge University, Eireann Leverett, used Shodan to identify more than 10,000 control computers linked to the Internet, many of them with known vulnerabilities. Leverett concluded that many operators had no idea how exposed they were — or even realized that their machines were online.
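The Shodan finding above is the point a practitioner should act on: you cannot fix exposure you do not know about. The script below is an added example (not from the original post or the Post’s reporting) of the most basic version of Leverett’s check, turned inward: given addresses you own and are authorized to test, it tries a TCP connection to the well-known ports of common industrial protocols and reports which ones answer from the Internet side. The port-to-protocol table is an assumption (a short list of well-known defaults, not exhaustive), and because the example has to run offline, `demo()` stands up a throwaway listener on localhost to play the part of an exposed controller.

```python
"""Check whether hosts you own expose industrial-control protocol ports.

Added example, not code from the original post. Probe only addresses you are
authorized to test; an unsolicited scan of someone else's plant is not a favor.
"""
import socket
import threading
from typing import Dict, List

# Well-known TCP ports of common industrial protocols (assumed short list; extend as needed).
ICS_PORTS: Dict[int, str] = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
}


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within `timeout`.

    A completed handshake means the device is reachable from wherever this runs;
    it does not prove the protocol is really there, so treat hits as leads to verify.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host: str, ports: Dict[int, str] = ICS_PORTS, timeout: float = 1.0) -> List[int]:
    """Return the sorted list of ports from `ports` that accept a connection on `host`."""
    return sorted(p for p in ports if probe_tcp(host, p, timeout))


def report(host: str, open_ports: List[int], ports: Dict[int, str] = ICS_PORTS) -> List[str]:
    """One finding per exposed protocol, worded as an action item for the operator."""
    return [
        f"{host}:{p} accepts connections ({ports[p]}): confirm it is meant to be reachable, "
        f"otherwise firewall it or move it behind a VPN/jump host"
        for p in open_ports
    ]


def _fake_device() -> socket.socket:
    """Constructed stand-in for an exposed controller: a bare TCP listener on localhost."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # ephemeral port: no privileges needed
    srv.listen(5)
    srv.settimeout(0.2)                 # lets the accept loop notice when we close the socket

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()            # accept and drop, like a device with nothing to say
            except socket.timeout:
                continue
            except OSError:             # listener closed by demo(): stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo() -> Dict[str, object]:
    """Offline demonstration on localhost with a constructed port map.

    One simulated controller port is listening; a second, freshly released
    ephemeral port stands in for a device that is correctly firewalled off.
    """
    srv = _fake_device()
    open_port = srv.getsockname()[1]

    closed_probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_probe.bind(("127.0.0.1", 0))
    closed_port = closed_probe.getsockname()[1]
    closed_probe.close()                # nothing listens here now

    ports = {open_port: "Modbus/TCP (simulated)", closed_port: "DNP3 (simulated)"}
    found = scan_host("127.0.0.1", ports, timeout=1.0)
    findings = report("127.0.0.1", found, ports)
    srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found, "findings": findings}


if __name__ == "__main__":
    for line in demo()["findings"]:
        print(line)
```

Run it against your own public address range (substitute real hosts for the localhost stand-in) from a machine outside your network, and every port it reports is a device that Shodan, and anyone else, can also see. Anything that answers should either be justified in writing or disappear behind a firewall; the protocols in the table have no authentication of their own, so reachability is already the vulnerability.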

Last week the press identified a new worm found in Iran called Flame. This seems to be primarily surveillance malware: it allows someone to turn on microphones, look at data, track what people are doing on a computer, and perhaps even listen in on nearby cell phone conversations. This worm was found in the Iranian oil industry, attaching itself to the computers that manage the rigs and other equipment. It was detected, and the Iranian government has disconnected those facilities from the Internet. It has also created its own task force to combat these attacks and claims it intends to build its own Internet. The same worm has been found in the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

While the two worms have different purposes, experts are not sure they are unrelated. They both spread in the same fashion. In addition, computer experts say that the style of programming is similar between the two. Yes, it is true that there are styles of programming just as there are styles of writing. An expert can tell why Emily Dickinson’s works are not confused with those of James Joyce. A computer expert can spot similarities in programming by how things are named, how the code flows, and how the different parts of the program are hooked together. More telling still, these experts report finding a module shared between Stuxnet and Flame, code that appears in both rather than having been written twice. All of this suggests the same authors, or at least authors who share a toolkit.

What is the take-away for us? All of this mischief has put a spotlight on the fact that we, as a society, depend on computers for much beyond the business and pleasure applications we generally discuss. Everything from the car you drive to the utilities you use is controlled by computers. And where there are computers, there are people contemplating ways of breaking them. Most of these controllers were not visible to the average user, so they did not get attention from hackers. But obscurity is not security, and it also meant that their manufacturers often got lazy about building in protection. Now that the controllers have the attention of the hackers, companies are scrambling to protect them. Otherwise, we may be in for some rough times ahead from malicious or inadvertent attacks on our infrastructure.

Privacy Legislation


There is good news for those of us who use email, smart phones and social networking sites!  Legislation was introduced in both houses of the (U.S.) Congress today that would prohibit employers or prospective employers from forcing employees or prospective employees to divulge passwords.  The good news is that both houses think this is a problem and are acting to do something about it.  The bad news is that the bills differ.  The Senate’s version, called the Password Protection Act and sponsored by Sen. Richard Blumenthal, D-Conn., also covers smart phones, private email accounts, photo sharing sites, and any personal information that resides on computers owned by the workers.  Rep. Ed Perlmutter, D-Colo., introduced similar legislation in the House.  However, last month Rep. Eliot Engel, D-N.Y., introduced the Social Networking Online Protection Act (SNOPA), which extends the protections to elementary, high school and college students.  The ACLU supports this inclusion of students because they are a target of much of the social media monitoring.

Rep. Engel was quoted by ABC News as saying:

“There have been a number of reports about employers requiring new applicants to give their username and password as part of the hiring process. The same has occurred at some schools and universities,” Engel said in a statement. “Passwords are the gateway to many avenues containing personal and sensitive content — including email accounts, bank accounts and other information,” he added.

Of course, the legislation also protects employers in that it prevents them from accidentally learning information about a candidate that is not allowed to be considered in a hiring decision.

These are positive steps to protect our civil liberties.

Meanwhile, in New York, the Manhattan District Attorney has subpoenaed Twitter for data pertaining to a user, Malcolm Harris, involved with the Occupy Wall Street movement.  According to CNN,

Twitter, however, countered that the court would need a search warrant to get that information. It pointed to a recent Supreme Court decision which found that attaching a GPS device is considered a search under the Fourth Amendment, which prevents unreasonable searches and seizures.

“If the Fourth Amendment’s warrant requirement applies merely to surveillance of one’s location in public areas for 28 days, it also applies to the District Attorney’s effort to force Twitter to produce over three months worth of a citizen’s substantive communications, regardless of whether the government alleges those communications are public or private,” wrote Twitter in its motion.

Twitter also suggested that Harris owns his own tweets and could therefore file a motion to quash on his own, despite the prosecution’s assertion of the opposite.

The ACLU is calling Twitter’s move a ‘big deal.’

The Fourth Amendment should protect us from arbitrary search and seizure of our own information.  Just because it is easy to access (because it is electronic) does not make it right to do so.

ACTA, CISPA, and TPP


There is more alphabet soup to concern us today: ACTA, CISPA, and TPP.  While they are three different things, they all potentially threaten our privacy on the Internet, and that is bad.   Let me clearly state that I am a published author and I too worry about people stealing my intellectual property and profiting from it.  However, I also worry about rights being taken away in the name of protecting intellectual property.

ACTA is the Anti-Counterfeiting Trade Agreement, signed by the US, Australia, Canada, Japan, Morocco, New Zealand, Singapore, and South Korea, and expected to be signed by the European Union, Mexico, and Switzerland.  It is not a “treaty,” so it does not need to be ratified by the Senate.  The goal of ACTA is to protect copyright and intellectual property, such as music and movies, from pirating and counterfeiting.  I am not a lawyer and certainly not an international treaty expert, but the phrases “… including expeditious remedies to prevent infringements and remedies which constitute a deterrent to further infringements” and “authority to issue an order against a party to desist from an infringement, and inter alia, an order to that party or, where appropriate, to a third party over whom the relevant judicial authority exercises jurisdiction, to prevent goods that involve the infringement of an intellectual property right from entering into the channels of commerce” sound like the government is asking ISPs to watch over users, and such surveillance cannot be a good thing.  According to the EFF, “ACTA contains new potential obligations for Internet intermediaries, requiring them to police the Internet and their users, which in turn pose significant concerns for citizens’ privacy, freedom of expression, and fair use rights.”

TPP is the Trans-Pacific Partnership Agreement.  It too is multinational, and it too attempts to protect intellectual property.  It states that any party that “manufactures, imports, distributes, offers to the public, provides, or otherwise traffics in devices, products, or components, or offers to the public or provides services, that: (A) are promoted, advertised, or marketed by that person, or by another person acting in concert with that person and with that person’s knowledge, for the purpose of circumvention of any effective technological measure, (B) have only a limited commercially significant purpose or use other than to circumvent any effective technological measure, or (C) are primarily designed, produced, or performed for the purpose of enabling or facilitating the circumvention of any effective technological measure, shall be liable and subject to the remedies set out in Article [12.12].”  That sounds a lot like ISPs will need to monitor all of our transmissions to be sure they are not in trouble.

CISPA is the Cyber Intelligence Sharing and Protection Act.  According to Demand Progress, CISPA “could let ISPs block your access to websites — or the whole Internet.  CISPA also encourages companies to share information about you with the government and other corporations.  That data could then be used for just about anything — from prosecuting crimes to ad placements.  And perhaps worst of all, CISPA supersedes all existing online privacy protections.”

None of these measures makes clear how much authority the ISPs will have or what a citizen’s right to appeal will be.  That is the part that worries me most.  It seems perfectly possible in this era for this to be the first step toward certain sites (such as movie sites or book publishers) having more rights than others because of these laws.  If they really are innocent protections of IP, then why have the discussions not been more transparent?  Why is the government determined to keep experts out of the discussion until after the treaties have been signed?  Let us not grant anyone the right to evaluate the appropriateness of a site without oversight.

Individual Privacy: Is 1984 finally here?


When I was in high school, everyone was required to read the book entitled 1984 by George Orwell.  According to Amazon’s description of the book, “In 1984, London is a grim city where Big Brother is always watching you and the Thought Police can practically read your mind.”  I recall there being much discussion of how horrible that would be and how it would never happen.

Yesterday I read an article on BBC.com that states, “The government will be able to monitor the calls, emails, texts and website visits of everyone in the UK under new legislation set to be announced soon.”  That sounds to me like 1984 may have arrived.  Of course, those proposing the new law state that it is critical to have access to information about terrorists and their contacts in order to protect the country.  The difference between this proposal and one that failed a few years earlier is that police will not be able to access the data without a warrant.  But, the article goes on to say that the law would “enable intelligence officers to identify who an individual or group is in contact with, how often and for how long. They would also be able to see which websites someone had visited.”

Most law-abiding citizens have no difficulty with the concept that terrorists or criminals would have their information recorded.  However, the law does not limit data collection to known criminals or terrorists, or even to those under suspicion; it opens the door to collecting this information about everyone.  Once the data are collected, will the government be able to resist doing more with them than was intended?  What then is the difference between the British government and that of China or Iran in modern times, or Nazi Germany and Soviet Russia in more distant times?  Will the government not face the temptation to take action because of some communications that, when put together, look alarming?  How long will it take for the government to try to mine the data to find other “terrorists” or “criminals” who are so identified simply because they have similar surfing or communications patterns?

In addition, how will all of these data be protected from hackers?  We have recently seen hackers breach the security of Scotland Yard meetings, military data, corporate data, and, of course, credit cards.  In that same article, the author notes, “The Sunday Times quoted an industry official who warned it would be ‘expensive, intrusive [and] a nightmare to run legally.’”  Most professionals’ reaction to that quote is “to say the least!”

Police have always wanted this kind of information, but society has said that individual freedom is more important.  Just because it is (relatively) easy to get and keep such data now that it is electronic, does that make it right?   It is almost impossible to get privacy back once it is lost … shouldn’t we ponder this a bit more before we risk the loss of privacy forever?