
woo me with science

Thu May 24, 2012, 09:24 AM May 2012

Dangerously Vague Cybersecurity Legislation Threatens Civil Liberties

https://www.eff.org/deeplinks/2012/03/dangerously-vague-cybersecurity-legislation

March 20, 2012 | By Dan Auerbach and Lee Tien

There is a spate of proposed cybersecurity legislation working its way through the House and Senate. The bills are aimed primarily at facilitating cooperation regarding so-called “cybersecurity” issues among different branches of government as well as between government and the private sector. The bills range from being downright terrible to appropriately intentioned, yet they all suffer from the fundamental inability to clearly define the threats which are being defended against and the countermeasures that can be taken against those threats. Without good definitions and an emphasis on transparency, we cannot be certain that government entities and corporations will refrain from abusing their power, interpreting the definitions in the statute expansively, and infringing on civil liberties. Below we provide some pitfalls of broad definitions, with a separate legal analysis forthcoming.

Defining threats too broadly

How do the bills define cybersecurity threat? Each bill has its own nomenclature, but the core concepts are quite similar. In Senator Joseph Lieberman's Cybersecurity Act of 2012 (S. 2105), for example, a "cybersecurity threat" is what is being guarded against, and a "cybersecurity threat indicator" is the activity of a possible cybersecurity threat that allows private or government entities to monitor and operate countermeasures. For technical readers, a cybersecurity threat could be stealing passwords from a secure government server, and the corresponding threat indicator could be a port scan to search for vulnerabilities. Senator John McCain's SECURE IT Act (S. 2151) does not use the term "cybersecurity threat indicator" but uses virtually identical language to define "cyber threat information." In all cases, the language of what constitutes the notion of a "threat" and "threat indicator" is just too vague.

For example, one current provision of the Lieberman bill states: The term “cybersecurity threat” means any action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system. [text] ... Moreover, a cybersecurity threat indicator is defined in the text as a huge disjunction of vaguely worded scenarios that include, for example: “a method of defeating a technical [or operational] control.” Such a broad definition implicates far more than what security experts would reasonably consider to be cybersecurity threat indicators --- things like port scans, DDoS traffic, and the like. Indeed, merely using a proxy or anonymization service to let you browse the web privately could be construed to be a cybersecurity threat indicator. Using cryptography to protect one's communications or access systems securely could similarly be taken as a way to defeat an operational control. Measuring the performance of one's Internet service provider, or analyzing whether packets are being modified maliciously, could each be seen as a cybersecurity threat under this definition. Finally, it is conceivable that violating intellectual property rights could be construed as a threat, in which case threat indicators could be as innocuous as the use of the BitTorrent protocol.

This definition of threat indicators is troubling because § 701 of the Lieberman bill and § 102(a)(1) of the McCain bill would each authorize private sector entities to surveil any traffic that transits their own networks for cybersecurity threats or cyber threat information, without being bound by the Wiretap Act or other legal limits. Effectively, the broad definitions of threats could immunize a whole host of monitoring activities by a huge swath of different government and non-government actors.
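To make the overbreadth argument in the quoted article concrete, here is an added example that is not part of the EFF piece or of the original post. It runs two monitors over the same constructed connection log: a narrow one that flags only the port-scan pattern practitioners actually treat as a threat indicator, and a broad one modelled on the "method of defeating a technical or operational control" reading the article criticises, which additionally flags TLS, Tor, SOCKS and BitTorrent traffic. The log entries, addresses and the port-to-category table are assumptions chosen for illustration; the hosts are from documentation address ranges and were not captured from any real network.

```python
"""Narrow vs. broad "threat indicator" monitors over a constructed connection log.

Added example for the article above; not code from EFF or the bills discussed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float    # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


# Constructed sample log. Addresses are hypothetical (RFC 1918 / RFC 5737 ranges).
SAMPLE_LOG = [
    # 10.0.0.5 sweeps twelve ports on one host in under five seconds: a port scan.
    *(Conn(0.4 * i, "10.0.0.5", "203.0.113.10", p, "tcp")
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 993, 3306, 8080, 8443])),
    # 10.0.0.7 browses over HTTPS, connects to a Tor relay and seeds a torrent.
    Conn(10.0, "10.0.0.7", "203.0.113.20", 443, "tcp"),
    Conn(12.0, "10.0.0.7", "198.51.100.9", 9001, "tcp"),
    Conn(15.0, "10.0.0.7", "198.51.100.40", 6881, "tcp"),
    # 10.0.0.8 does a DNS lookup and fetches a page over plain HTTP.
    Conn(20.0, "10.0.0.8", "203.0.113.1", 53, "udp"),
    Conn(20.5, "10.0.0.8", "203.0.113.20", 80, "tcp"),
]

SCAN_WINDOW_S = 10.0        # assumed sliding window for the scan heuristic
SCAN_PORT_THRESHOLD = 10    # assumed number of distinct ports that counts as a scan


def narrow_indicators(log):
    """Flag a source that touches >= SCAN_PORT_THRESHOLD distinct ports on one
    destination within SCAN_WINDOW_S seconds. Returns {src: reason}."""
    by_pair = defaultdict(list)
    for c in sorted(log, key=lambda c: c.ts):
        by_pair[(c.src, c.dst)].append(c)
    hits = {}
    for (src, dst), conns in by_pair.items():
        for i, first in enumerate(conns):
            window = [c for c in conns[i:] if c.ts - first.ts <= SCAN_WINDOW_S]
            ports = {c.dport for c in window}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                hits[src] = f"port scan of {dst}: {len(ports)} ports in {SCAN_WINDOW_S:.0f}s"
                break
    return hits


# Assumed mapping of ports to activity a broad reading could call "a method of
# defeating a technical or operational control": encryption, anonymising
# proxies, and peer-to-peer transfer. None of these is malicious on its own.
BROAD_PORT_RULES = {
    443: "encrypted session (TLS) hides content from inspection",
    1080: "SOCKS proxy",
    9001: "Tor relay (ORPort)",
    9030: "Tor directory port",
    **{p: "BitTorrent peer port" for p in range(6881, 6890)},
}


def broad_indicators(log):
    """Everything the narrow monitor flags, plus every source that used a port
    in BROAD_PORT_RULES. Returns {src: sorted list of reasons}."""
    hits = defaultdict(set)
    for src, why in narrow_indicators(log).items():
        hits[src].add(why)
    for c in log:
        if c.dport in BROAD_PORT_RULES:
            hits[c.src].add(BROAD_PORT_RULES[c.dport])
    return {src: sorted(reasons) for src, reasons in hits.items()}


def main():
    print("narrow (port scans only):")
    for src, why in narrow_indicators(SAMPLE_LOG).items():
        print(f"  {src}: {why}")
    print("broad ('defeating a technical or operational control'):")
    for src, reasons in broad_indicators(SAMPLE_LOG).items():
        for why in reasons:
            print(f"  {src}: {why}")


if __name__ == "__main__":
    main()
```

With this log the narrow monitor reports only 10.0.0.5; the broad one also reports 10.0.0.7, whose only activity was an HTTPS page, a Tor connection and a torrent. The plain-HTTP user 10.0.0.8 escapes both. The difference between the two result sets is exactly the population that a § 701-style authorisation would let a network operator monitor without the Wiretap Act's limits.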