Cybersecurity Act of 2012 Puts Focus on the Shadow Wars

On February 14, 2012, a 205-page comprehensive new Cybersecurity Act of 2012 was introduced in the Senate to address the growing concerns about cyber-warfare, cybersecurity, and cyber-terrorism. The bipartisan Cybersecurity Act of 2012 is co-sponsored by Senators Joe Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.) to address the potential gaps in the protection of critical U.S. infrastructure. As defined in the USA Patriot Act,

[T]he term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The proposed law expands on the USA Patriot Act and existing presidential directives to provide sector-by-sector assessment, standards and regulations to improve these assets. Presently, the DHS provides utterly circular guidance on the existing directives. Hopefully, the new proposal will at least increase the awareness within these sectors for comprehensive security.

The proposed legislation defines ‘‘cyber risk’’ as “any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.” The information infrastructure consists of the privately owned communications systems located in the U.S., presumably including everything from telephones and cable to Facebook and Google.

Howard Waltzman suggests that a critical infrastructure system or asset may be deemed “covered” only if damage or unauthorized access to the infrastructure could lead to:

  • The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
  • Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
  • Severe degradation of national security capabilities.

Within ninety days of the legislation’s enactment, a sector-by-sector review of the critical infrastructure is to produce a prioritized list of the most at-risk systems.

There are significant exemptions in the bill to protect private vendors (perhaps security software companies, search engine providers, and social media networks) so that particular products cannot be singled out. Similarly, there is a weak attempt to provide free speech protections and to exempt technologies from regulation based solely on their ability to be used in critical infrastructure.

The timing of the legislation is particularly interesting in light of the recent cyber attack in Israel by a Saudi Arabian hacker and the retaliatory credit card hacking by an Israeli against Saudi banks. Attacks against Google and U.S. defense contractors, allegedly by Chinese-sponsored hackers, raised similar concerns.

Moreover, a stealth war with Iran appears to be heating up, including the assassinations of government scientists and public officials, increased sponsorship of terrorism targeting soft targets, and heightened war rhetoric.

As with SOPA and the PROTECT IP Act, the critical issue will be whether legislators focus on the primary risks rather than maneuver politically to prove who is toughest on the perceived threat. The costs of upgrading critical infrastructure will likely be immense; the complexity will be monumental; and the challenges significant. Where our nation is at risk, these steps must be taken. But the process must include some caution and common sense so that it is moderated and proportional to the outstanding threats.


PROTECT IP Act may be open to some Reasonable Amendments

In response to concerted objections to aspects of the PROTECT IP Act, legislation sponsor Senator Patrick Leahy (D-Vt.) announced by radio and press release that the sponsors may eliminate a controversial provision requiring Internet Service Providers (ISPs) to interfere with the Domain Name System as a technique to prevent consumer access to foreign websites deemed “rogue” or havens for pirated goods.
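To make the Domain Name provision concrete, here is an added illustration (not code from the post, the bill, or any ISP) of what resolver-side blocking amounts to: an ISP’s recursive resolver refuses to answer for names on a court-ordered list, while any other resolver that has not received the order still answers normally. The domain names, addresses and the blocklist below are constructed for the example; the point it shows is that the block lives in the resolver the subscriber happens to use, not in the domain itself.

```python
"""Toy model of ISP resolver-side DNS blocking (constructed example)."""
from dataclasses import dataclass, field

# Hypothetical court-ordered list; names are constructed for this example.
BLOCKED_DOMAINS = {"rogue.example"}

# Constructed stand-in for the authoritative DNS data both resolvers can reach.
ZONE = {
    "rogue.example": "198.51.100.7",
    "cdn.rogue.example": "198.51.100.8",
    "notrogue.example": "198.51.100.9",
    "shop.example": "192.0.2.10",
}


def is_blocked(qname: str, blocklist: set) -> bool:
    """True if qname is a listed name or a subdomain of one.

    The dot-anchored suffix check matters: "notrogue.example" must not be
    caught by an order naming "rogue.example".
    """
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in blocklist)


@dataclass
class Resolver:
    """A recursive resolver; `blocklist` is empty unless it received an order."""
    name: str
    zone: dict
    blocklist: set = field(default_factory=set)

    def resolve(self, qname: str):
        """Return (rcode, answer) the way a stub resolver would see it."""
        if is_blocked(qname, self.blocklist):
            # The provision's mechanism: the ISP resolver withholds the answer.
            return ("NXDOMAIN", None)
        name = qname.rstrip(".").lower()
        if name in self.zone:
            return ("NOERROR", self.zone[name])
        return ("NXDOMAIN", None)


# The subscriber's ISP resolver honours the order; a third-party resolver
# (or the subscriber's own recursive resolver) has no such list.
isp_resolver = Resolver("isp", ZONE, blocklist=BLOCKED_DOMAINS)
other_resolver = Resolver("third-party", ZONE)


def lookup_via(resolver: Resolver, qname: str):
    """What a client sees when it points its DNS settings at `resolver`."""
    return resolver.resolve(qname)


if __name__ == "__main__":
    for r in (isp_resolver, other_resolver):
        for name in ("rogue.example", "cdn.rogue.example",
                     "notrogue.example", "shop.example"):
            print(f"{r.name:12s} {name:20s} -> {lookup_via(r, name)}")
```

The asymmetry between the two resolvers is the whole of the engineering objection: the order changes one resolver’s answers and nothing else, and a client that switches resolvers (one setting on most operating systems) sees the unfiltered answer.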

According to the press release, the Senate is set to hold a procedural vote on January 24, 2012. With over 40 co-sponsors of the bill, the change in position may face internal opposition, but Senator Leahy remains an influential voice on such topics and in the Senate.

According to the press release:

The PROTECT IP Act provides new tools for law enforcement to combat rogue websites that operate outside our borders but target American consumers with stolen American property and counterfeits.  One of those tools enables law enforcement to secure a court order asking Internet Service Providers (ISPs) to use the Domain Name System to prevent consumer access to foreign rogue websites.  This provision was drafted in response to concerns that law enforcement has remedies it can take against domestic websites, but does not currently have the power to stop foreign rogue websites.  I worked closely with the ISPs in drafting this provision to ensure they were comfortable with how it would work, and I appreciate their support. …

I and the bill’s cosponsors have continued to hear concerns about the Domain Name provision from engineers, human rights groups, and others.  …  I remain confident that the ISPs – including the cable industry, which is the largest association of ISPs – would not support the legislation if its enactment created the problems that opponents of this provision suggest.  Nonetheless, this is in fact a highly technical issue, and I am prepared to recommend we give it more study before implementing it.

Though described as a balanced bill, the legislation and SOPA – the even more extreme House legislation – have split the intellectual property industries, with strong support from many in the creative community and nearly unanimous opposition from the tech industries. Even within the media industries, concerns run high and I have spoken to a number of publishers and media representatives who feel that the proposals will do more harm than good.

A hearing on SOPA designed to allow critics of the legislation to be heard is now scheduled for January 18th.

Senator Leahy’s announcement may be the first step towards slowing an otherwise out-of-control legislative disaster.

Business Law Today Features Rich Array of Cyberspace Issues

In the December 2011 issue of Business Law Today, the Cyberspace Law Section has weighed in with a series of articles discussing critical issues for online legislation, policy and security. The first is my introduction to the PROTECT IP Act and SOPA, the second focuses on international regulation, the third on the SEC’s move into disclosure of data threats, and the last on updating internal policies for mobile communications.

All four articles are helpful and interesting. Please take a look.

As a postscript, let me point out that my article was intended to provide a neutral overview of the proposals currently before Congress. This was difficult for me to do. SOPA has a number of well-known problems and undermines data security. Moreover, the involvement of credit card companies and advertising companies will create a host of unintended consequences that will add to the cost of doing business while having only marginal impact on piracy. Nonetheless, the article was written to provide context to the current debate and help the public understand just how much additional regulation has been added in recent years.

New Legislation Renews Conflict Between Content Creators and Content Distributors
By Jon M. Garon

Business Interests Under Attack in Cyberspace: Is International Regulation the Right Response?
By Henry L. Judy and David Satola

The SEC Staff’s ‘Cybersecurity Disclosure’ Guidance: Will It Help Investors or Cyber-thieves More?
By Roland L. Trope and Sarah Jane Hughes

Going Mobile: Are Your Company’s Electronic Communications Policies Ready to Travel?
By Kathleen M. Porter

Maryanne Zeleznik speaks with Jon Garon on Cincinnati Edition

Over the weekend, I spent a few minutes with the Cincinnati local public radio station WVXU. The interview aired Sunday, Dec. 4, 2011 at 7:10. If you are interested, please give a listen.

Law and Informatics
Maryanne Zeleznik speaks with Jon Garon, a law professor at NKU’s Chase Law School, about Law & Informatics and how information can be shared and protected in the digital age.
By: Maryanne Zeleznik
For more information: Law and Informatics
Listen to the MP3 (9:46)

Rethinking Terrorism in the Informatics Age

Terrorism cannot be far from Americans’ minds this week as we commemorate the September 11th attacks, memorialize the heroes who gave their lives, and mourn both the lives lost and the end of the peace dividend we had hoped to enjoy following the fall of the Soviet Union and the wave of democracy that swept through Eastern Europe.

In cyberspace, analysts vacillate between Cold War concerns about China and Russia (and their satellite nations), involving state-sponsored, borderless attacks on the U.S. and the West, and concerns about terrorist attacks from non-state actors and self-proclaimed freedom fighters.

At the Reuters Aerospace and Defense Summit, defense industry analysts discussed these attacks, many of which “appeared to be state-sponsored and came from multiple countries.” The speakers did not identify any particular government. As reported by Reuters, “every defense company is constantly under attack. If anybody tells you they’re not, it just means they don’t know,” said Northrop Grumman Chief Executive Wes Bush. “It is a threat that is broad-based. It’s not just from one source … and it’s just unceasing.”

In March 2011, a foreign intelligence service stole 24,000 computer files from a defense contractor developing systems for the U.S. military. The breach was acknowledged in July. “This was significant,” Deputy Defense Secretary William Lynn told reporters.

Lynn said the attackers swiped “data related to systems that are being developed for the Department of Defense. … It was done, we think, by a foreign intelligence service. In other words a nation state was behind it,” he added. Lynn declined to identify the nation suspected of the theft.

Earlier, credible evidence pointed to China for the attacks on Google and dozens of military defense contractors. Again, the DoD has not officially named the country or countries involved, but because Chinese dissidents were specifically targeted, among other evidence, China’s involvement has been widely reported.

Perhaps one of the most damaging of these attacks was the one on RSA, the security division of EMC. A comprehensive exposé in Vanity Fair explains the RSA attacks: “RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.”

The RSA and defense-contractor hacks are among the latest battles in a decade-long spy war. Hackers from many countries have been exfiltrating—that is, stealing—intellectual property from American corporations and the U.S. government on a massive scale, and Chinese hackers are among the main culprits. Because virtual attacks can be routed through computer servers anywhere in the world, it is almost impossible to attribute any hack with total certainty.

The DoD is responding. The new Social Media in Strategic Communication (SMISC) program was proposed by the Defense Advanced Research Projects Agency (DARPA), an arm of the Department of Defense. Its goal is to “develop a new science of social networks built on an emerging technology base” to help the agency keep abreast of communication technologies, namely Twitter. This is just one counter-insurgency activity being pursued.

The world is a very different place than it was a decade ago. We are only beginning to understand how much we have lost.


Special thanks to Vince Polley for this (and so many other topics). Follow him at KnowConnect PLLC (supplemented by related Tweets: #mirln).

17,000 Counterfeit Items Collected in Minnesota Sweep – A Drop added to the Bucket

The Minneapolis Star Tribune reported this morning that “in a five-day Twin Cities sweep, federal agents seize 17,000 counterfeit items, everything from faux football jerseys to charade Chanel perfume.” In its feature story, “Fake goods, stolen secrets cost Minnesota businesses billions,” Jim Spencer identified attacks against companies such as Valspar through industrial espionage of their trade secrets.

The sweep of the goods, and the sheer size of the raid, helps make real what is more often considered an amorphous or even humorous risk. Last month shoppers in China identified a number of counterfeit Apple stores. The ability to create entire stores selling counterfeit goods seems inconceivable, but the public has become inured to the fake DVDs sold on street corners and the millions of illegal MP3 and DVD downloads.

But in a time of job loss and economic upheaval, the undermining of the U.S. innovation economy remains a serious threat. As the Star Tribune reported:

David Yen Lee, a technical director at Valspar, got caught trying to steal $20 million worth of chemical formulas to give to a Chinese company in exchange for a high-ranking job. Lee got 15 months in jail.

The bust of a group led by a Minnesotan named Charles Thompson led to the arrests of eight people accused of selling $500,000 worth of counterfeit items, said Mike Feinberg, a Minnesota-based agent with ICE. The suspects pleaded guilty and got probation.

Moreover, because the risk of apprehension is low and the consequences tend to be short jail terms, organized crime recognizes this as a very economically efficient market to exploit.

At the same time, however, economic efficiency and rationality must drive the enforcement actions. Congress is quick to draft new laws rather than fund enforcement of laws already perfectly adequate to stop the illegal conduct. Moreover, enforcement should be focused on the legitimate industry threats. As with the recent raid, the emphasis must be directed at large-scale criminal conduct. Only once antipiracy efforts become focused on major players (rather than college students and single mothers), and proper resources are invested in the defense of these assets, can the problem be addressed.