President Obama has left few questions about what he plans to unveil in his State of the Union address tonight, having dropped several previews in the last two weeks about legislation the White House is proposing. He will undoubtedly go into more detail tonight at 9 p.m. ET, and we will be watching specifically to hear him expand on comments already made about proposed changes to cybersecurity legislation.
The State of the Union address is traditionally the vehicle for the president to reveal his legislative agenda for the year to Congress. With Republicans now in charge of both houses, President Obama did something he hasn’t done in the six State of the Union addresses he’s delivered before tonight—he took his agenda to the public first. The point of this public tactic is no doubt to win support for his new proposals outside the Beltway, applying pressure on Capitol Hill.
There are several areas of the address that will be of interest to WIRED Threat Level readers. Some of them involve changes to the existing Computer Fraud and Abuse Act; others involve new legislative proposals.
1. Information-Sharing About Computer Intrusions
Obama has proposed legislation that would give companies certain immunity for sharing information with the government about breaches they experience. The move is meant to help the government predict and combat cyberattacks by encouraging companies to share threat data with the Department of Homeland Security and information-sharing and analysis centers—known as ISACs—without fear of potential lawsuits from customers. Similar legislation was proposed in the past but failed to gain traction due, in part, to concerns from civil liberties groups that the data could include information that violates the privacy of customers and provides the government with another avenue for conducting warrantless surveillance. Of particular concern to privacy groups is a provision of the new proposal that would allow DHS to further share the information in “near real time” with other government agencies, including the FBI, Secret Service, NSA, and the Defense Department’s U.S. Cyber Command.
Groups like the Electronic Frontier Foundation are concerned that personal information shared with law enforcement and intelligence agencies might be used for purposes other than combating cyber threats. But the White House has pointed out that in order to qualify for immunity under the proposed legislation, companies would be required to remove unnecessary personal information before handing it off to DHS. The White House proposal also calls for imposing limits on how and when the data can be used and tasks DHS and the Justice Department with developing guidelines for its retention and use.
2. 30-Day Breach Notification
The White House is also proposing a federal breach notification law. This would require entities that are hacked—private companies, educational institutions and government agencies, for example—to notify victims within 30 days after discovering that their personally identifiable information has been stolen or accessed by an unauthorized person. The proposal attempts to resolve disparities between a patchwork of state breach notification laws that are confusing and costly to enforce.
3. Expansion of Federal Law Deterring Spyware
The White House proposal would allow the government to seize any proceeds gained from the sale of spyware or other tools intended to be used for unlawful data interception. In the wake of a recent indictment against the maker of a spyware app called StealthGenie, this is meant to target all sellers of spyware and stalkingware. StealthGenie is a spy app for iPhones, Android phones and Blackberry devices that was marketed primarily to people who suspected their spouse or lover of cheating on them, but products like it are also used by stalkers and perpetrators of domestic violence to track their victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online. Authorities arrested CEO Hammad Akbar, a 31-year-old Pakistani resident, last October following his indictment in Virginia on federal wiretapping charges, which included conspiracy to market and sell the surreptitious interception device. “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana J. Boente of the Eastern District of Virginia said in a statement about the case.
Although it’s not uncommon for the makers of illicit tools used in criminal hacking to be charged with illegal activity, it’s often the case that the developers of such tools are also their surreptitious users. The case against Akbar was remarkable for its focus on the seller of a commercial software program who wasn’t accused of using the tool for illegal purposes. The government argued that the maker of such software is liable as an enabler of a privacy invasion.
4. Give Courts Authority to Shut Down Botnets
Botnets, or armies of infected machines, are used by cybercriminals to deliver spam, conduct denial-of-service attacks and distribute malware. A burgeoning business has developed to supply spammers and cybercriminals with access to readymade bots by renting them time on the hijacked machines. The White House proposal would give courts the authority to shut down botnets and would also give immunity to anyone complying with such an order as well as authorize officials to reimburse someone who incurs a monetary cost for complying with the order. The proposal is meant to cement authority that has already been exercised by courts in a few cases—notably the Coreflood botnet case in which a federal court granted the FBI a controversial order to distribute code to infected machines to disable the botnet malware on those systems.
5. Criminalize the Sale of Stolen Financial Data
It’s already illegal to steal financial data or use it for fraudulent purposes, and it’s illegal to traffic in stolen data, but the White House is proposing to put a fine point on the law by criminalizing the overseas sale of stolen U.S. credit card and bank account numbers. The proposal targets the vendors on and administrators of underground carding forums—many of them hosted and administered outside the U.S.—where stolen credit card data is traded and sold.
6. Cybercrime Can Be Prosecuted Like Mob Crimes
The White House proposes to affirm that the federal RICO statute or racketeering law applies to cybercrimes. Although conspiracy to commit fraud is already included in the Computer Fraud and Abuse Act and covers individuals who may not actually commit a crime but facilitate it in some way or are involved in the planning of it, this change further codifies that they can also be charged under the RICO statute. Mark Jaycox, legislative analyst for the EFF, says the RICO statute sets a lower bar for prosecuting anyone who belongs to a criminal organization no matter their role in it. This would potentially allow even the most minor player in a hacking conspiracy to be prosecuted under the RICO statute. And Jaycox notes that RICO doesn’t actually define “organization,” therefore there is concern that prosecutors could get creative in their definition of it.
7. Additional Changes to the Computer Fraud and Abuse Act
The White House is proposing several changes to the federal anti-hacking statute, which was originally passed in 1984 during the early days of hacking and has struggled to keep pace with the changing nature of computer intrusions. The CFAA prohibits unauthorized access to a computer whether that involves bypassing protections on the computer—such as in the case of hacking—or exceeding authorized access to a computer for unauthorized purposes (for example, an employee who has legitimate access to his company’s database but uses that access to steal data). Currently, basic hacking is considered a misdemeanor unless it’s done for profit or for the furtherance of another crime. As for exceeding authorized access, George Washington University law professor Orin Kerr points out that courts are currently divided over what constitutes a violation of this.
The proposed changes would turn a basic case of unauthorized access into a felony punishable by a sentence up to three years or up to ten years in some cases if it’s considered a hack for profit or for the furtherance of another crime.
The proposal also attempts to clarify the kind of activity that is considered unauthorized access. It states that access is unauthorized any time a user accesses information “for a purpose that the accesser knows is not authorized by the computer owner.” This is likely meant to address problems that occurred with the prosecution of Andrew “weev” Auernheimer. Auernheimer was convicted of hacking an AT&T web site by using a vulnerability in the site that allowed anyone to obtain the unprotected email addresses of iPad customers. His defense attorneys argued that this wasn’t unauthorized since by posting the information online and failing to protect it, AT&T had essentially authorized anyone in the world to access it. The government argued, however, that Auernheimer knew AT&T did not intend for users to access the data in the way he did and therefore it was unauthorized. The White House proposal, according to Kerr, could be intended to strengthen the government’s stance in similar cases in the future.
“[T]he expansion of ‘exceeding authorized access’ would seem to allow lots of prosecutions under a ‘you knew the computer owner wouldn’t like that’ theory,” Kerr wrote in a Washington Post column last week. “And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct.”
Ordinarily, Auernheimer’s act, if considered a violation, should have been a misdemeanor, but the government charged him with a felony by saying that his unauthorized access was in furtherance of another crime—a New Jersey state law against unauthorized access. Defense attorneys considered this a double-counting of a single offense and Auernheimer’s conviction was later overturned.
The White House proposal appears to address this. For example, it states that simple unauthorized access is a felony if done against a government computer, if the value of the data exceeds $5,000 or if it’s done in furtherance of a state or federal felony crime. But if, in the latter case, the state or other federal violation is “based solely on obtaining the information without authorization or in excess of authorization”—that is, with no other additional crime than this, then it would not qualify as a felony. Kerr says the wording is tricky, however, and could be interpreted as a means to address the double-counting problem that prosecutors encountered with the Auernheimer case. As long as the law governing the other state or federal felony crime is not just about unauthorized access but includes an additional element to it, then a defendant could be charged with a felony for exceeding authorized access based on the combination of the CFAA and the state law.
“If the state unauthorized access crime has just one element beyond unauthorized access such as ‘obtaining information,’ the thinking would run, the violation is not based ‘solely on obtaining the information without authorization,’” Kerr notes. “That will usually be the case, though, which to my mind introduces a serious double counting problem…. Given that the Administration’s proposals would make liability for breaching a written condition a felony where the theory is allowed — mostly serious 10-year maximum felonies — the double-counting problem gives me some heartburn.”
The White House also proposes to make it illegal to traffic in any tool that provides the “means of access” to a computer, if the maker has reason to believe someone could use it for illegal purposes. This is meant to criminalize the sale or trading of stolen passwords or similar credentials but the proposal also refers to trafficking in “any other means of access” to a computer. Critics are concerned that the latter could be interpreted to outlaw the sale or distribution of penetration tools or exploit code—code that is used by cyber criminals to attack vulnerabilities in computer systems to gain access to them. This matters because exploits and penetration tools are also used by security professionals to determine if a system is vulnerable to attack. Jaycox says this is the most dangerous part of the White House changes to the CFAA.
“They’re potentially killing the security tools researchers use to find security holes,” he says. “The chilling effect this may have on researchers is enormous.”
In summary, Kerr says on the whole he’s “skeptical” of the administration’s proposals for the CFAA since they would make some punishments too severe and “expand liability in some undesirable ways.” But he notes that the administration has also made some compromises. “They’re giving up more than they would have a few years ago, and there are some promising ideas in there,” he noted in his assessment.
It will all depend on which of the proposals, if any, lawmakers decide to adopt and how they word their changes.