Archives: 04/2012

CISPA and the Right Way to Do Cybersecurity Information Sharing

The White House has issued a threat to veto the Cyber Intelligence Information Sharing Protection Act (CISPA) in its current form, despite recent amendments aimed at assuaging the concerns of privacy and civil liberties advocates:

H.R. 3523 fails to provide authorities to ensure that the Nation’s core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards.  For example, the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information.  Moreover, such sharing should be accomplished in a way that permits appropriate sharing within the Government without undue restrictions imposed by private sector companies that share information.

The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes.  Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately.  The Government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti-competitive purposes.

Unfortunately, as Paul Rosenzweig notes, the other main reason for the administration’s opposition is that the bill doesn’t grant the government enough regulatory power over “critical infrastructure” computer networks. Still, this seems like an opportunity to pause and consider what an acceptable cybersecurity information sharing bill might look like. Because notwithstanding all the hype, there are genuine risks and vulnerabilities that might be mitigated by better information sharing—and that may indeed require Congressional action. But a narrowly tailored approach that respects privacy and civil liberties will look very different from CISPA.

As I explained in a post last year, CISPA worked by creating a sweeping exception to all other privacy and surveillance laws, granting blanket immunity to any “entity” that chose to share vaguely defined “cyber threat information”—potentially including the contents of e-mails or other online communications—with both private actors and the government. When civil liberties advocates cried foul at the prospect of such vast quantities of private data being handed over to government on a silver platter, the bill’s supporters tried to placate them by tacking on an array of after-the-fact anonymization requirements and use restrictions—forbidding the use of the data except for a “cybersecurity purpose” or for “the protection of the national security of the United States.”

That wasn’t much consolation to anyone who’s watched how the government has tried to interpret similar “purpose” restrictions in the past. In 2002, for example, then–Solicitor General Ted Olson argued for a highly expansive view of the “foreign intelligence purposes” for which information obtained through national security wiretaps could be used, including using evidence of misconduct unrelated to terrorism or espionage to force people to become informants. If a wiretap turned up evidence of tax evasion or rape, for instance, Olson suggested the government “could go to that individual and say we’ve got this information and we’re prosecuting and you might be able to help us. I don’t want to foreclose that.”  It’s no great leap to imagine a future solicitor general arguing that extorting the cooperation of hackers, penetration testers, or other tech professionals would similarly serve a “cybersecurity purpose.”

Yet it shouldn’t be that hard to craft legislation that would allow sharing of the broad categories of information that are most useful for improving security but don’t raise privacy or civil liberties concerns. Here’s a crazy idea: Instead of indiscriminately adding a cybersecurity loophole to every statute on the books, why not figure out which specific kinds of information are useful to security professionals without compromising privacy, figure out which laws raise obstacles to that sharing,  and then craft appropriately narrow exemptions?  (One assumes the intelligence agencies can be afforded more discretion about when to share the information already in their own possession—whatever else one might say about it, “oversharing” is not among the NSA’s problems.)

The exceptions could be appropriately narrowly tailored depending on the sensitivity of the information involved.  For instance, different sections of the Electronic Communications Privacy Act deal with different kinds of data. Subsections (1) and (2) of 18 USC §2702 deal with the contents of communications in transit through or stored by a communications provider, generally prohibiting use or disclosure of that information without specific consent. Subsection (3) covers subscriber information and transactional data about those communications, and generally permits voluntary sharing, but specifically prohibits sharing with governmental entities.  Since that transactional information is typically less sensitive than communications themselves, an exemption there might allow providers a fair amount of discretion to determine what constitutes “cyber threat information” and permit sharing with government also, subject to the appropriate anonymization and use requirements.  For the more sensitive contents, the exception might be limited to a relatively specific laundry list of kinds of data that are both unquestionably security-related and limited in their implications for privacy, such as malware signatures and attack payloads.Those who worship at the altar of “tech neutrality“  complain that this would limit the flexibility of the law over time, requiring Congress to revisit and revise the list as technology and the nature of the threat evolve. But if the alternative is barely-constrained permission to start shoveling sensitive private information into the government’s maw—precisely the kind of large scale “data breach” that “cybersecurity” is supposed to prevent—having to tweak the language once or twice a decade seems like a reasonable price to pay.

Justice Sotomayor: “[Mr. Solicitor] General, I’m Terribly Confused by Your Answer”

Yesterday’s argument in Arizona v. United States (my preview here), which in a non-Obamacare world would be the case of the decade, revealed among other things yet another bizarre legal position taken by the Obama Justice Department.  That is, the solicitor general stood there and straight-facedly made the claims that: (1) local law enforcement could make ”ad hoc” judgments to apprehend illegal aliens but state governments (the bosses of said local officials) could not “systematize” such policies by legislation; and (2) state laws like Arizona’s were unconstitutional because they interfere with federal policy decisions on how to allocate enforcement resources.

It was the first point that caused Justice Sotomayor’s (understandable) confusion.

Solicitor General Verrilli apparently resolved that confusion in an unsatisfactory manner, because Sotomayor later asked him for other arguments because “you can see [that this one is] not selling very well.”

The second point was met with similar skepticism by the Court, with Justice Alito asking whether, if “the federal government changed its [enforcement] priorities tomorrow … .  Would the Arizona law be un-preempted?”

These colloquies don’t necessarily mean that the DOJ is headed towards a precipitous defeat – here’s a transcript and summary of the whole argument so you can judge for yourself – but it does show how far off the reservation this administration goes to assert political stances (and controversial ones at that) in place of sound legal reasoning.

Most visibly in the health care case, where it failed even to articulate a plausible limiting principle to its Commerce Clause power, but generally across wide swaths of law, the government has advanced arguments that can most charitably be described as a stretch (and uncharitably as disingenuous and dangerous).  For example, see the Supreme Court’s unanimous rulings against the government regarding property rights/EPA abuses, GPS surveillance, and religious libertyAnd that’s just this term! 

If there’s anything systematic here, it’s the DOJ’s imaginative interpretation of individual rights and government powers.

As to how this particular case will end up, it’s actually a hard one to predict because the issues are so technical – much more so than Obamacare, which involves competing legal philosophies rather than methods of statutory interpretation – but I’m sticking with my earlier analysis that three of the four SB 1070 provisions at issue are not preempted (that is, the Court will reverse the Ninth Circuit, in Arizona’s favor):

  • Section 2(B), which requires police to check the immigration status of anyone they have lawfully detained whom they have reasonable suspicion to believe may be in the country illegally;

 

  • Section 3, which makes it a state crime to violate federal alien registration laws (though this one could really go either way); and

 

  • Section 6, which permits permitting warrantless arrests where the police have probable cause to believe that a suspect has committed a crime that makes him subject to deportation.

 

And one provision looks to be in trouble:

  • Section 5(C)(1), which makes it a state crime for illegal aliens to apply for work, solicit work in a public place, or work as an independent contractor.

 

I could be wrong on one or more of these, but in any event it will likely be a split decision – which still means that almost all of Arizona’s law will be in effect because the government didn’t challenge most of it and declined to appeal the district court’s ruling allowing two other provisions to stand: Section 5(C), which criminalizes the transportation and harboring of illegal aliens; and Section 10, which permits the impoundment of vehicles used to transport or harbor them. (Note that the district court in a different case enjoined Sections 5(A) and (B), which criminalize stopping to pick up day laborers when it impedes traffic – on First Amendment grounds(!), so stay tuned to see what happens there.)

Finally, remember that racial profiling is not at issue here at all, as Chief Justice Roberts had the solicitor general re-confirm at the start of his presentation.  SB 1070 bends over backwards to make clear that it does not allow (let alone require) any use of race not permitted under federal law – which is why the federal government declined to join the (dismissed/stalled) lawsuits brought by various so-called civil rights groups.

It would be better if the federal government enacted comprehensive national immigration reform, or at least allowed greater state experimentation in this area.  For more on these sorts of positive proposals, tune into (or attend!) Cato’s conference today.

Greece Is Imploding

Money matters.  That’s why I have kept my eye on Greece’s money supply (M3).  It’s been contracting in an increasing rate since February 2010.  Since March 2010, I have concluded that the writing was on the wall and that all the debt sustainability numbers calculated by the International Monetary Fund, the European Union and the Greek government could be thrown in their respective bureaucratic trash cans.  Well, even though the Bank of Greece is still behind the curve, it’s catching up.  The Bank has just revised its forecast of Greece’s 2012 growth – down from -4.5% to -5.0%.  The current annual rate of contraction (-19%) of the Greek money supply guarantees many more eruptions from that Balkan nation.

Incentives for Unauthorized Immigration Remain

Michael Barone had an excellent piece in today’s Examiner where he wrote that the Mexican unauthorized immigration problem is going away because net Mexican migration is around zero for the first time since the Great Depression.  Barone points out many reasons for this change: the size of the Mexican emigration cohort is remaining steady (Mexican women are about 1/3 as fertile in recent years as they were in 1970), U.S. economic growth is sluggish, sectors of the U.S. economy that employ unauthorized workers were some of the hardest hit in recent years, and Mexican economic growth is rapidly increasing incomes South of the border.  All right so far.

But Barone is wrong to assume that just because Mexican unauthorized migration is abating that the problem will go away.  For hundreds of millions of the world’s poor, the incentives to migrate remain. 

Immigration is mostly driven by economics.  The cost of moving here (ignoring the cost of dealing with the U.S.government) is going to continue to fall while the benefits will remain high.  Since 40 to 50 percent of unauthorized immigrants entered the U.S. legally and overstayed their visas, some unauthorized migrants don’t need to cross a harsh desert anymore.  Migrant source countries are changing again but the flow won’t stop.    

Very poor countries don’t send many immigrants because the people there can’t afford to move.  That’s why there aren’t many immigrants from the poorest nations of the world.  People have to reach a certain level of prosperity before they can afford to migrate.  After that point is reached, immigration continues until the gains from doing so shrink.  The income gap between Mexico and the U.S. has narrowed so migration is slowing down on its own accord.

Other Central Americans still feel the economic pressure to migrate even if U.S. law doesn’t cooperate.  This trend is reflected in the estimates of the unauthorized population compiled by the Department of Homeland Security.  From 2000 to 2011 the unauthorized Mexican population increased by 45 percent.  Over the same time the number of unauthorized Guatemalans increased by 82 percent and Hondurans by a whopping 132 percent. 

Human smugglers have many informal routes into the U.S.  Until recently they’ve mostly been serving Mexicans but they are diversifying into other countries and finding migrants who will pay more.  Smuggling prices are hard to come by since it’s illegal but anecdotal evidence suggests Chinese pay $75,000 per person and Indians pay around $20,000 to come to the U.S. illegally.        

The lack of a legal route for most potential migrants combined with a strict enforcement mechanism increases the costs and diminishes the benefits of migrating.  But for millions the benefits of coming illegally still outweigh the costs of working in the informal economy.  When economic growth in the U.S. recovers unauthorized immigration will also recover.  The source countries for these immigrants may shift but at long as our immigration laws are restrictive and the benefits of coming here are greater than the costs, unauthorized immigration will persist.

We Don’t Want the Cybersmoking Cybergun to Be a Cybermushroom Cybercloud

The House Committee on Homeland Security held a hearing today bearing the unsubtle title: “America is Under Cyber Attack: Why Urgent Action is Needed.” With the conclusion fixed in advance of the testimony—which, as promised, uniformly prophesied imminent cybercataclysm—you’d think the real question would be why a hearing was needed. The answer, of course, is to frighten off any second thoughts about cybersecurity legislation due for consideration this Friday, to which opposition has been mounting among some techies and civil libertarians.

Jim Harper has already done plenty of excellent work puncturing the more apocalyptic hype around cybersecurity—a favorite at this hearing was “Cyber Pearl Harbor”—which I need not rehash here. Even bracketing the question of how realistic some of the threat scenarios are, however, what struck me was that “cyber attack” is really something of a category error, at least as used at this hearing, where “attack” carries the grim overtones of a national security threat, and “America” as a whole is the target.  In reality, you have a range of security problems facing a diverse array of public and private entities. Some are analogous to conventional state or terror-group sponsored attacks or espionage.  Most are the digital equivalents of what we’d normally label “crime”: theft, vandalism, corporate espionage, and so on.

At the extreme end, you have largely hypothetical attacks on the SCADA control systems that operate critical infrastructure like power plants or transportation networks. These have the potential to inflict the kind of damage we’d associate with a physical attack, but we’ve only got one known real-world instance of this, and experts agree that it was almost certainly born in the USA. Such attacks are rare because they’re very difficult to carry off, involve identifying and exploiting vulnerabilities in uncommon task-specific software systems, and would most likely require insider complicity—which means they’re probably best conceived as one aspect of the more general problem of hardening critical infrastructure targets. Ditto for attempts to compromise systems with sensitive government data—a hard problem for government IT departments, but not one Congress has an obvious role in beyond appropriating the necessary funds.

Then you have the vast majority of actual successful “cyber attacks,” which target ordinary private systems, and range from sophisticated spear-phishing efforts aimed at exfiltrating valuable corporate commercial data to simple DDOS attacks launched by “script kiddies.” Some of these are serious and costly—but the costs are primarily borne by the targeted entities, which will more likely have the incentive, responsibility, and local knowledge required to respond appropriately.

These aren’t entirely unrelated problems: A malware-infected private computer may be conscripted into a botnet or serve as a staging ground for an attack on a more critical target. But it hardly seems conducive to sober policy making to lump them together under the general heading of “cybersecurity.” First, because resources aren’t going to be prioritized well if officials in the grip of apocalyptic mass-casualty scenarios start throwing money at programs that are primarily about making it harder for Anonymous to crash websites. Second, because the nature and scope of (for instance) the information sharing that might facilitate security improvements, and the privacy interests implicated by such sharing, may be quite different for these different types of cases, and be better dealt with under separate rubrics to the extent government has a role to play at all.

Great Gaming Russia in Central Asia

For the sake of Afghanistan, U.S. officials routinely invoke the importance of nurturing economic growth across South and Central Asia. But when it comes to advancing policies meant to increase regional trade, Washington has shown little effort to ease the geopolitical differences between itself and one of Afghanistan’s key neighbors: Russia.

Secretary of State Hillary Clinton proclaimed late last year in Dushanbe, “we want Afghanistan to be at the crossroads of economic opportunities going north and south and east and west, which is why it’s so critical to more fully integrate the economies of the countries in this region in South and Central Asia.”

That sounds promising. So what is the problem? As George Washington University Research Professor Marlene Laruelle writes, present U.S. policies, like the “New Silk Road” initiative that Clinton hints at above, reflect an underlying economic rationale “to exclude Moscow from new geopolitical configurations.”

Echoing this interpretation is Joshua Kucera, a Washington-based freelance writer and frequent contributor to Slate and ForeignPolicy.com. He points to Washington’s call to tie together the electrical grids of Tajikistan, Kyrgyzstan, Afghanistan, and Pakistan as well as Washington’s placement of the Central Asian states in a new State Department bureau. He writes, “What these all have in common is that they attempt to weaken the economic (and as a result, political) monopoly that Russia, by dint of the centralized Soviet infrastructure, has on these countries.”

Moscow already thinks that Washington’s promotion of NATO’s eastward expansion is a U.S.-led containment strategy. As we have seen in that part of the world, however, Washington’s attempts to marginalize Russia in its Central Asian post-Soviet sphere will bump up against the region’s deep historical ties, cultural influence, and geographic contiguity with the Kremlin. This all might seem obvious, but apparently not, as it would require foreign policy planners to appreciate the overriding interests of neighboring great powers as they pertain to Afghanistan, even the ones we abhore. That will be difficult, and it is important to illuminate why.

Too many in Washington equate a less confrontational approach as a sign of weakness, and militant internationalism as a sign of strength. But in South and Central Asia, U.S. officials must understand that what they perceive to be in America’s interest does not always line up with the prospect of regional connectivity. Washington’s pursuit of primacy in this region is erecting hurdles to the very liberal-internationalist goals that it claims to promote. If economic growth is to have any reliable chance of success, then the U.S. should not be attempting to foreclose constructive avenues for increased integration.

Pursuing policies that place the region’s general interest before America’s does not convey weakness. Rather, it is a recognition that some countries are better positioned to be key players in the region, especially in light of the last 11 years, which have amply demonstrated the limits of Washington’s ability to impose lasting change in Afghanistan.

As my colleague Doug Bandow alluded to the other day, Russia is not America’s “number one geopolitical foe”—it is a declining power with nukes. Whether officials in Washington are willing to countenance such thoughts is anyone’s guess. However, given the disproportionate power of foreign policy hawks inside the Beltway—from the liberal and conservative persuasion—I wouldn’t bet on it.

Cross-posted from the Skeptics at the National Interest.

Graffiti Problem … So Call in the SWAT Team!?

From today’s Washington Post:

Hethmon had an up-close and unpleasant experience with the same kind of local police he had done so much to empower.The problem began with graffiti on a highway overpass in Bowie. Police there suspected that Hethmon’s teenage son might be involved and obtained a search warrant. They arrived at 7 a.m. on March 9 with a heavily armed team of county officers.

“Come in with masks, guns, screaming. You know, knocking everybody down,” Hethmon recalled. “I tried to explain to them, you know: ‘Look, I’m a lawyer, this is outrageous.’ [The reply was:] ‘Shut up and lie down on the floor.’ ”

Police said they found 2.5 grams of marijuana in the house. They filed charges against Hethmon, his son and his wife — all for the same drugs. The charges against Hethmon will be dropped, prosecutors said last week.

Hethmon said the experience has not changed his work.

“The fact that a law is legitimate and serving a purpose doesn’t mean that it can’t be abused,” he said. “Human beings are flawed people.”

And so, for the lesser-known of this duo, there has been a personal test. After he did so much to place greater trust in local police officers nationwide, police in Prince George’s County sent a SWAT team to his house to look for . . . spray paint.

It would be comical if it were not so serious.  Once the paramilitary unit arrives, heavy-handed methods are often employed to ensure ‘officer safety,’ i.e. break windows to distract occupants from the doorway and flashbang grenades. The militarization of police tactics is out of control, but policymakers do nothing focus on expanding the power of the government.

More background here,  here and here.