Snowden leaks confirm: CISA is a surveillance bill
The recently-revealed OPM breach and NSA overreach seriously undermine core CISA justifications
Last week was a bad week for supporters of the Cybersecurity Information Sharing Act of 2015 (CISA), a proposed piece of legislation that would offer legal immunity to corporations that share customer data with federal agencies like the National Security Agency.
On Thursday, the New York Times and ProPublica revealed documents leaked by Edward Snowden showing that the NSA and FBI have been secretly joining forces to snoop on Internet traffic in pursuit of cybersecurity suspects since 2012.
Later that day, the Washington Post reported that the Office of Personnel Management (OPM) had suffered one of the largest system infiltrations in recent memory, exposing roughly 4 million current and former federal employees’ and contractors’ personally identifiable information (PII) to foreign hackers.
In one dramatic day, the chief justifications for CISA have been seriously undermined. The OPM hack demonstrates that the government is not a capable steward of sensitive data, while the Snowden leak establishes that intelligence agencies have already been directly extracting certain cyberthreat data from Internet traffic without a warrant. CISA is likely more about providing a post hoc legal cover for existing activities than it is about innocently encouraging voluntary information sharing.
Lesson #1: The government has already been extracting cyberthreat indicators on its own
One of the biggest talking points pushed by pro-CISA advocates is that cyberattacks can be prevented if the government makes it easier for private entities to share private data with federal agencies by disallowing innocent customers caught in the surveillance from pursuing justice in court.
The idea is that offices like the Department of Homeland Security (DHS), Department of Justice (DOJ), and the NSA can promptly analyze threats to warn other organizations to properly defend themselves before they too are attacked.
Now we know that the FBI and NSA secured authority to directly monitor and extract data of Internet traffic associated with addresses and cybersignatures tied to suspected cybersecurity crimes. In other words, the NSA and FBI do not need to wait for private entities to voluntarily share the kinds of information that CISA is purportedly necessary to access. In many cases, they can simply hoover up the information they want without a warrant.
First, it’s noteworthy that intelligence and law enforcement agencies have already had the authorities to detect and respond to allegedly state-backed infiltrations, like last winter’s Sony hack and the recent OPM hack. While we don’t know whether any planned attacks were indeed thwarted by these capabilities, CISA advocates can no longer point to actual attacks to justify new powers.
More broadly, these revelations completely change the character of the debate over CISA. The question is no longer “whether” but “how much” surveillance the NSA will be quietly empowered to exert if CISA is passed.
The New York Times reports that the DOJ and NSA secretly teamed up to expand “upstream” interception and surveillance of Internet traffic to target hackers and cybercriminals along with the usual run-of-the-mill terrorists since 2012. Rather than building out a whole new massive data extraction infrastructure for strictly law enforcement purposes, the NSA lent its own capabilities for the FBI to use.
The FBI and NSA officials publicly maintain that their only goal was legitimate: to crack down on foreign hackers. But it is hard to know whether a threat is foreign or domestic from the outset.
Over at the Daily Beast, Shane Harris filled in more important details:
A question arose in 2011 about whether certain types of “signatures,” or patterns associated with hacking activity, could be used to identify possible targets, the former officials said. Legally, the government doesn’t have to know who a hacker is in order to monitor his communications, but it must be able to demonstrate that there’s some reason to believe the hacker is connected to a foreign government. For example, is he using an Internet address that is located in a particular country? The precise criteria that intelligence agencies use to determine whether a hacker is likely abroad and working for a foreign government are classified.
So the Department of Justice sought and secured authorities to use IP addresses and cybersecurity threat signatures as selectors for upstream surveillance. This signature-based intrusion detection system theoretically would allow FBI agents to more precisely target foreign hackers committing crimes warranting legitimate investigation and arrest.
However, as the NSA’s own slides recognize, the new kinds of searches authorized can pull in a lot of information. Any data that hackers have extracted through their online mischief would be accessible. Innocent parties’ data could easily be caught in the dragnet.
Worse: if turned to collect information on a “USP [U.S. person] hacker,” this procedure would “basically [be] doing surveillance for [law enforcement] purposes without a warrant” according to leaked NSA slides.
Lesson #2: CISA would empower the NSA far more than privacy advocates originally suspected
It’s easy to see why federal law enforcement agents would be tempted to apply the NSA’s juicy surveillance apparatus to prosecute foreign hacker types. It’s also not hard to understand why the NSA might agree to lend its kickass exfiltration programs for FBI investigations in exchange for possible “information sharing” perks.
The only problem is, as usual, the law. The Section 702 authority of the FISA Amendments Act (FAA) that justifies upstream collection of Internet traffic is explicitly limited to foreign intelligence investigations of foreign agents located outside U.S. borders.
While the NSA and FBI could theoretically collect information on signatures and addresses originating from foreign governments or foreign agents, the agencies are more constrained when threats have ambiguous origins, arose internally, or merely appeared to originate from within US borders.
The National Security Council was in a bit of a bind. “Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” a classified NSC memo from 2009 reads.
So intelligence authorities set out lobbying to water down the requirements for surveillance approval of suspected cyberterrorists.
NSA Director Keith Alexander considered the push to expand NSA power to monitor international telecommunications for any “malicious cyberactivity,” even if the target cannot be established as a foreign power outside of U.S. borders, to be one of his “highest priorities.” But it is unclear whether or not the NSA actually attained these authorities.
CISA would conveniently provide legal cover for the NSA’s ambitions.
As I explained last month, CISA authorizes federal agencies to use the information shared in relation to a cyberthreat for criminal investigations — thereby further blurring the lines between law enforcement and foreign intelligence investigations.
Now that we know the NSA and FBI can monitor IP addresses and signatures associated with malicious cyber activities, it is clear that the expanse of data that CISA would open to the controversial agency is far broader than originally feared.
Jonathan Mayer provides an excellent summary of the former and current state of public information on this matter at his Web Policy blog. His infographic explaining the back door surveillance that CISA would allow is displayed below.
A sketch of our future under CISA: A private company provides a legitimate cyberthreat warning about a malicious botnet to one of the many coordinating offices at DHS. The company wants to help other entities to prepare and prevent the botnet from inflicting millions’ worth of damages on their systems. A patriot! DHS thanks them, scrubs any customer PII, and shares the information with other agencies, which proceed to store the data for searching in the future. What luck! The NSA finds some interesting cybersignatures. Agents apply the authorities revealed by Edward Snowden to do upstream tracking of activities associated with this signature — which, incidentally, could contain private PII that would otherwise need to be scrubbed.
What do you know: CISA provides a nice workaround for the NSA to attain the powers for which they’ve secretly been lobbying for years. What a strange coincidence.
Lesson #3: The government really, really sucks at cybersecurity
I’ve been beating the drum about the federal government’s particularly poor track record on information security for some time, but this most recent incident provides a palpable reminder of this inexcusable incompetency to educated observers of the CISA debates.
The total number of information security failures has increased by a jaw-dropping 1,169% since FY 2006 despite spending billions on cybersecurity investments over the same time.
And around 40% of those reported since FY 2009 have involved the PII of personnel and civilians, similar to the major hack of OPM reported last week.
OPM, in particular, should have shored up its cybersecurity defenses. Last July, officials revealed that OPM systems had been infiltrated by a likely state-sponsored hacker in March of 2014. Despite this early warning lesson, OPM did not even take the simple step of encrypting personnel data. They may as well have forked over the office keys and security codes to their adversaries while they were at it.
Unfortunately, OPM is not an outlier. Federal agencies routinely send passwords in plain text over exposed emails. Thousands of pieces of computer equipment simply disappear each year. Computers are often given to employees without any administration controls or strong authentication requirements. Agency personnel, succumbing to the irresistible urge to download “pooping mouse” pointers and custom emojis, download malware to government systems constantly.
Indeed, the agencies that would be most empowered to manage massive amounts of data concerning private Americans under CISA reported some particularly boneheaded mistakes last year.
DOJ employees were fooled by deceptive websites to download malicious software onto agency computers 182 times in FY 2014. DHS reported 1,816 pieces of computer equipment lost or stolen. DOD personnel downloaded malware onto network systems 370 times and reported roughly 2,500 employee policy violations in the past year alone. These disquietingly elementary mistakes suggest that DOJ, DHS, and DOD are ill-prepared to responsibly and effectively undertake proposed CISA authorities.
And of course, there was the NSA’s iconic and ironic data breach in 2013 that gave us all a peak behind the curtain concealing the modern surveillance state. Edward Snowden’s ambitions, regardless of our personal opinions, were self-consciously well-intended. A less principles-minded insider could leak personal data to foreign governments or moneyed interests in the growing market for database compiling.
The NSA’s own lawyer apparently agrees with me. He or she so distrusted the agency’s data security abilities that the attorney suggested the agency keep exfiltrated cyberthreat data away from the normal repository to prevent hackers from gleaning “so much” information about innocent Americans.
A big part of the problem flummoxing federal systems is the overlapping and confusing bureaucracy governing information security provision. For years, the Government Accountability Office has criticized the feds’ growing mass of uncontrolled information security procedures, which do not “specify how they link to or supercede other documents” nor “describe how they fit into an overarching national cybersecurity strategy.” My early survey of federal programs found at least 62 separate cybersecurity centers with redundant and ill-distinguished missions.
Another big problem is poor personnel data hygiene and education. Annual FISMA reports repeatedly warn that major agencies do not implement simple security measures like strong authentication or proper password management. Many agencies, including DHS and DOJ, did not require cybersecurity professionals to undergo any training or certification programs for several years. A recent federal survey shows that federal cybersecurity professionals self-reform low proficiencies in digital forensics, threat analysis, and cyber operations — areas critical to robust cybersecurity provision.
Our cybersecurity vulnerabilities give us enough headaches already. CISA would simply create a juicy and ill-equipped target for hackers looking to siphon personal data.
Putting it all together
The proposition that cyberattacks could be prevented by making it easier to share information with the federal government has always struck information security experts as wrong-headed, if not outright suspicious.
Last week’s revelation proves Senator Ron Wyden’s characterization of CISA as a “surveillance bill by another name” more prescient than ever.
Based on the facts, CISA will clearly fail to meaningfully improve cybersecurity while providing dangerous new Internet surveillance powers to the NSA.
If these facts are clearly articulated, the American people are unlikely to support such a measure. Unfortunately, the powers of surveillance understand this as well. They will attempt to downplay these revelations, stir up anxieties about imagined threats, or even go so far as to misleadingly argue that last week’s events actually support the need for CISA.
The task for advocates of strong privacy and cybersecurity is to ensure that the truth wins out.
