Topic: Telecom, Internet & Information Policy

Our New Cybersecurity Strategy: An Acronym Firewall

A couple weeks ago, I had a brief tour of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which probably isn’t quite as snazzy as U.S. Cyber Command’s Star Trek–inspired bridge, but looks more or less like the movies have programmed you to expect: a long wall filled with enormous screens displaying maps with each state’s self-assessed “cyber threat level,” the volume of traffic to various government networks, and even one for NCCIC’s Twitter feed. It’s not clear that this setup serves much functional purpose given that the analysts working there are already using three-monitor workstations, but let’s face it, taking tour groups reared on Hollywood’s version through a nondescript office would be a little anticlimactic. Which is to say, while the folks there are clearly doing some useful work, there’s an element of theater involved.

So too, it seems to me, with our political approach to cybersecurity more generally. The Washington Post reported Tuesday that the Obama administration plans to create a new Cyber Threat Intelligence Integration Center (CTIIC) within the Office of the Director of National Intelligence, which will join NCCIC and USCYBERCOM, as well as an array of private ISACs (Information Sharing and Analysis Centers) and CERTs (Computer Emergency Response Teams) on the digital front lines. If firewalls made of acronyms could keep malware out, we’d be in fantastic shape.

The immediate reaction from both policy and security experts could best be described as “puzzled.” After all, for several years we’ve been told that the Department of Homeland Security plays the lead role in coordinating the government’s cybersecurity efforts, and isn’t information sharing and integration pretty much what the NCCIC is supposed to be doing? That’s what it says on the tin, at any rate. What, exactly, is supposed to be the advantage of spinning up an entirely new agency from scratch to share that mission? Why would you house it in ODNI if your primary goal is to coax more information out of a wary and skeptical private sector? Is there even good evidence that inadequate information “integration” is significantly to blame for the poor state of American cybersecurity? Our intelligence agencies, to be sure, could be doing a better job of sharing threat information with the private sector—but their own notorious culture of secrecy seems to be the limiting factor there. Even the White House’s own former cybersecurity coordinator, Melissa Hathaway, told the Post that “creating more organizations and bureaucracy” was unlikely to do much good.

My slightly cynical suspicion: Cybersecurity is just fundamentally hard, and given that it depends on the complex practices of many thousands of private network owners, there’s just not a whole lot the government can do to drastically improve matters—beyond, of course, being more willing to share their own intel and hardening the government’s own networks, which they don’t seem to be terribly good at. But cybersecurity is a Serious Problem about which Something Must Be Done, and so like the drunk in the old joke—who lost his keys in the dark, but is searching for them under a streetlamp because the light’s better there—we make a great show of doing the things government is able to do. And since internal tweaks designed to make existing agencies do those things more effectively won’t make headlines, thereby assuring the public that someone is on top of the problem, we get another spoonful of alphabet soup and another Hollywood command center to do the same thing with even bigger and more impressive wall monitors. But as Amie Stepanovich of Access aptly told The Hill: “You don’t necessarily get your house in order by building new houses.”

Bitcoin Regulation: “Assume the Existence of Public Interest Benefits!”

You’ve probably heard some version of the joke about the chemist, the physicist, and the economist stranded on a desert island. With a can of food but nothing to open it, the first two set to work on ingenious technical methods of accessing nutrition. The economist declares his solution: “Assume the existence of a can opener!”…

There are parallels to this in some U.S. state regulators’ approaches to Bitcoin. Beginning with the New York Department of Financial Services six months ago, regulators have put proposals forward without articulating how their ideas would protect Bitcoin users. “Assume the existence of public interest benefits!” they seem to be saying.

When it issued its “BitLicense” proposal last August, the New York DFS claimed “[e]xtensive research and analysis” that it said “made clear the need for a new and comprehensive set of regulations that address the novel aspects and risks of virtual currency.” Yet, six months later, despite promises to do so under New York’s Freedom of Information Law, the NYDFS has not released that analysis, even while it has published a new “BitLicense” draft.

Yesterday, I filed comments with the Conference of State Bank Supervisors (CSBS) regarding their draft regulatory framework for digital currencies such as Bitcoin. CSBS is to be congratulated for taking a more methodical approach than New York. They’ve issued an outline and have called for discussion before coming up with regulatory language. But the CSBS proposal lacks an articulation of how it addresses unique challenges in the digital currency space. It simply contains a large batch of regulations similar to what is already found in the financial services world.

FCC’s Net Neutrality Nuclear Option

Proponents of network neutrality regulation are cheering the announcement this week that the Federal Communications Commission will seek to reclassify Internet Service Providers as “common carriers” under Title II of the Telecommunications Act. The move would trigger broad regulatory powers over Internet providers—some of which, such as authority to impose price controls, the FCC has said it will “forbear” from asserting—in the name of “preserving the open internet.”

Two initial thoughts:

First, the scope of the move reminds us that “net neutrality” has always been somewhat nebulously defined and therefore open to mission creep. To the extent there was any consensus definition, net neutrality was originally understood as being fundamentally about how ISPs like Comcast or Verizon treat data packets being sent to users, and whether the companies deliberately configured their routers to speed up or slow down certain traffic. Other factors that might affect the speed or quality of service—such as peering and interconnection agreements between ISPs and large content providers or backbone intermediaries—were understood to be a separate issue. In other words, net neutrality was satisfied so long as Comcast was treating packets equally once they’d reached Comcast’s network. Disputes over who should bear the cost of upgrading the connections between networks—though obviously relevant to the broader question of how quickly end-users could reach different services—were another matter.

Now the FCC will also concern itself with these contracts between corporations, giving content providers a fairly large cudgel to brandish against ISPs if they’re not happy with the peering terms on offer. In practice, even a “treat all packets equally” rule was going to be more complicated than it sounds on face, because the FCC would still have to distinguish between permitted “reasonable network management practices” and impermissible “packet discrimination.” But that’s simplicity itself next to the problem of determining, on a case by case basis, when the terms of a complex interconnection contract between two large corporations are “unfair” or “unreasonable.”

Second, it remains pretty incredible to me that we’re moving toward a broad preemptive regulatory intervention before we’ve even seen what deviations from neutrality look like in practice. Nobody, myself included, wants to see the “nightmare scenario” where ISPs attempt to turn the Internet into a “walled garden” whose users can only access the sites of their ISP’s corporate partners at usable speeds, or where ISPs act to throttle businesses that might interfere with their revenue streams from (say) cable television or voice services. There are certainly hypothetical scenarios that could play out where I’d agree intervention was justified—though I’d also expect targeted interventions by agencies like the Federal Trade Commission to be the most sensible first resort in those cases.

Does the Government Require Your Hotel to Spy on You?

If you’re a privacy-conscious traveler, you may have wondered from time to time why hotels ask for ID when you check in, or why they ask you to give them the make and model of your car and other information that isn’t essential to the transaction. What’s the ID-checking for? There’s never been a problem with fraudsters checking into hotels under others’ reservations, paying for the privilege to do so…

Well, in many jurisdictions around the country, that information-gathering is mandated by law. Local ordinances require hotels, motels, and other lodgers (such as AirBnB hosts) to collect this information and keep it on hand. These laws also require that the information be made available to the police on request, for any reason or no reason, without a warrant.

That’s the case in Los Angeles, which not only requires this data retention about hotel guests for law enforcement to access at will or whim, but also requires hoteliers to check a government-issued ID from guests who pay cash.

Open access to hotel records may have been innocuous enough in the early years of travel and lodging. Reading through hotel registers was a social sport among the wealthy, who could afford long-distance travel and lodging. Today, tourism is available to the masses, and hotel records enjoy tighter privacy protections. Most people would quit a hotel that left their information open to the public, and many would be surprised that hoteliers’ records are open to law enforcement collection and review without any legal process.

Bandying “Terrorism”

George Clooney has now joined North Korea’s United Nations ambassador Ja Song Nam in bandying charges of “terrorism” against a foe. North Korea’s emissary in New York complained in July that the production of Sony’s film, The Interview, was “the most undisguised sponsoring of terrorism as well as an act of war.”

So, too, according to Clooney, was the threat leveled by unknown persons against theaters that might show the film: “Then, to turn around and threaten to blow people up and kill people, and just by that threat alone we change what we do for a living, that’s the actual definition of terrorism,” he said.

We don’t know more about the definition, but the ambassador and Mr. Clooney do teach us about usage. “Terrorism” is a debased, all-purpose charge anyone can use against anyone. There is a special variant of the word in which the results of an action provide conclusive evidence of the motive behind it. Because U.S. theaters yanked The Interview from their Christmas Day schedules, Clooney can plausibly call the threat “terrorism.” Had most people, like me, assumed the threat to be an idle prank, it would not have been terrorism.

I remain unpersuaded of a North Korean connection or anyone’s meaningful capacity or willingness to attack theaters. The most proximate cause of The Interview’s cancellation, it seems to me, is risk aversion on the part of theater owners’ lawyers. They apparently concluded that an attack could be a foreseeable cause of death and injury, for which owners could be liable. (Go ahead, reformers. Call trial lawyers “terrorists.”)

Subject matter expert Paddy Hillyard, a professor of sociology at Queen’s University, Belfast, eschews the term “terrorism” for reasons he articulated in a 2010 Cato Unbound. He participated in Cato’s study of terrorism and counterterrorism (conference, forum, book). I’m one of many who don’t believe that “cyberterrorism” even exists.

The greatest risk in all this is that loose talk of terrorism and “cyberwar” leads nations closer to actual war. Having failed to secure its systems, Sony has certainly lost a lot of money and reputation, but for actual damage to life and limb, you ain’t seen nothing like real war. It is not within well-drawn boundaries of U.S. national security interests to avenge wrongs to U.S. subsidiaries of Japanese corporations. Governments in the United States should respond to the Sony hack with nothing more than ordinary policing and diplomacy.

NOBODY Expects the Spanish Press Contrition!

Back in October, Spain’s parliament passed a horribly ill-advised law at the behest of the Spanish news publishing lobby, the AEDE. Struggling to adapt to the information age in one of Europe’s more troubled economies, the AEDE thought it had hit on a brilliant new revenue source: They got a provision inserted in a new intellectual property law that, starting in January, will force news aggregation sites to pay newspapers for the privilege of linking to their stories.

This never made much sense: News aggregators are a massive source of traffic (and therefore ad revenue) for news sites. In effect, the law seeks to make it more difficult and costly for anyone to give those sites free advertising. Indeed, it’s hard to see the point of posting stories online unless you expect people to link to them, and it’s simple enough to automatically prevent search engines from indexing your site’s content if, for some obscure reason, you don’t want people to have an easy means of discovering your content. But never mind the logic; the law seemed like a foolproof way for ailing news companies to milk a few euros from big tech corporations flush with cash. What could go wrong?

You know how the story ends, right? Everyone but the newspapers themselves seems to have seen it coming, since something similar had just played out in Germany: Google News, the largest of the aggregators, announced last week that they would be shutting down operations in Spain. Since the company didn’t even show ads on its news site, keeping it open under the new regulations would be an unsustainable, money-losing proposition.

The hilarious coda to the story: The AEDE, which previously complained that news aggregators were “stealing” their work by publishing headlines and tiny snippets of stories, is now begging Spanish regulators to stop Google News from closing. The site’s shuttering, the group complained without irony, “would undoubtedly have a negative impact on citizens and Spanish businesses.” Give them points for chutzpah if nothing else: They’re not even waiting for the blood to dry on the hatchet before bemoaning the loss of their golden eggs.

Connolly: Yes to Privacy Act Liability for Mental and Emotional Distress

A couple of years ago I wrote here about the Supreme Court case denying that a person could collect damages from the government under the Privacy Act based on mental and emotional distress. It’s a narrow point, but an important one, because the harm privacy invasions produce is often only mental and emotional distress. If such injuries aren’t recognized, the Privacy Act doesn’t offer much of a remedy.

Many privacy advocates have sought to bloat privacy regulation by lowering the “harm” bar. They argue that the creation of a privacy risk is a harm or that worrisome information practices are harmful. But I think harm rises above doing things someone might find “worrisome.” Harm can occur, as I think it may have in this case, when one’s (hidden) HIV status and thus sexual orientation is revealed. It’s shown by proving emotional distress to a judge or jury.

Rep. Gerry Connolly (D-VA) has introduced the fix for the Supreme Court’s overly narrow interpretation of the Privacy Act. His Safeguarding Individual Privacy Against Government Invasion Act of 2014 would allow for non-pecuniary damages—that is, mental and emotional distress—in Privacy Act cases.

It’s a simple fix to a contained problem in federal privacy legislation. Its passage would not only close a gap in the statute. It would help channel the privacy discussion in the right way, toward real harms, which include provable mental and emotional distress.