Is network neutrality a public-safety issue? The answer is yes, according to Catherine Sandoval, a commissioner with the California Public Utilities Commission, who spoke out at a recent network neutrality public forum in Sacramento, California. The forum was hosted by Representative Doris Matsui, and featured FCC commissioners Jessica Rosenworcel and Mignon Clyburn. Multichannel News, Fox40 News, and The National Journal all reported recaps of the event. At the forum, Rosenworcel stated that the public safety aspect of network neutrality was not talked enough about in Washington, reports Multichannel News.
The recent network neutrality debate has spurred widespread discussion since January 2014, when the U.S. Court of Appeals for the District of Columbia stripped the FCC of its power to enforce network neutrality protections under the regulatory framework it was using (holding that the classification of broadband carriers as “information services” as defined in the 1996 Telecommunications Act contradicted a previous FCC decision that put broadband companies beyond its regulatory reach). Read the full case here. Read a Washington Post report on the case here.
If the FCC reclassifies Internet carriage as a “telecommunications service,” online communications would automatically be subject to common carrier protections. Instead, the FCC has proposed a rule allowing companies to pay for access to a fast lane to deliver content to their customers. So how does this proposed rule effect public safety?
According to Catherine Sandoval, allowing paid prioritization of Internet traffic could hurt critical systems such as 911 call centers and water pumps, reports The National Journal. Not only that, according to the Multichannel report, Ms. Sandoval went on to warn that other critical systems could be negatively impacted, citing nuclear power plants and critical care smart beds for stroke patients.
How does net neutrality effect these systems which have broad public safety implications? According to the Fox40 News Report, Ms. Sandoval explained at the forum that the free and open use of the internet has allowed utilities to develop programs and apps to monitor and control energy use, and that “subjecting internet access to negotiations and slowdowns to minimum speeds can make pumps fail to open so they don’t provide water for cooling a power plant or water to fight a fire.” The Multichannel report then goes on to explain that the minimum broadband speeds available for the non-paying ISP clients would not provide the quality of broadband service required by these critical systems. However, the National Journal reports that many skeptics of net-neutrality rules point to public safety as a reason that Internet providers should be given flexibility to prioritize some services.
For a fuller recap of the net neutrality public forum, here are links to the articles by Multichannel News, Fox40 News, and the National Journal. Click here to access a Washington Post article discussing the broader implications of the proposed FCC rule, including whether it this type of internet regulation should be controlled by the FTC or the FCC.
Is the exposure of the Islamic State of Iraq and Greater Syria (ISIS) throughout various social media websites a sign that ISIS is technologically capable of launching a major cyberattack against the United States? According to a recent article by Time Magazine Online, the answer is no.
While the article acknowledges ISIS’s recruitment campaign over social media networks like Facebook, Twitter and YouTube, the report states that the ISIS’s use of modern technology to recruit does not equate with an ability to launch a major cyberattack. The article reports that the group has yet to acquire either the manpower or resources to launch a large-scale cyberattack. Specifically, ISIS lacks the type of technology and hardcore programmers needed to launch sophisticated attacks against the United States, according to the article. To demonstrate the deficiencies, the article compares and distinguishes the support and resources of ISIS with those of Chinese hackers with state-sponsored hacking operations.
The article does suggest that ISIS might be capable of launching a larger-scale cyberattack against the United States in the future, however, the article goes on to emphasize that a future attack would likely be more of an annoyance than a debilitating strike on the United States’ infrastructure. Click here for the full article.
Ninth Circuit Applies Exclusionary Rule to Violation of Posse Comitatus Act, Potential Effect on NSA Related Cyber Prosecutions
The Ninth Circuit, in United States v. Dreyer, a divided Court of Appeals case, recently concluded that suppression of evidence pursuant to the exclusionary rule was an appropriate remedy when the actions of a civilian agent of the Naval Criminal Investigative Service (NCIS) violated the Posse Comitatus Act by turning over criminal data to prosecutors revealed by a cyber-search. The case turned on two issues: was there a violation given the civilian status of the agent performing the search, and should the exclusionary rule apply to deter future violations?
The Court was unanimous on the first issue, finding the actions of the civilian agent to be in violation of DoD Posse Comitatus policy provisions, rather than the criminal Posse Comitatus statute (the text of the act only mentions the Army and Air Force). While exceptions exist, those exceptions were held inapplicable when, as here, a search was performed that was broad enough to include anyone in the state of Washington, whether connected with the military or not. However, in the world of cyber security, this type of application may present a dilemma. Can the scope of cyber searches be adequately compared to physical searches? The Court made that exact comparison when it rejected the Government’s argument that an exception did apply to the agent’s conduct:
“To accept that position would mean that NCIS agents could, for example, routinely stop suspected drunk drivers in downtown Seattle on the off-chance that a driver is a member of the military, and then turn over all information collected about civilians to the Seattle Police Department for prosecution.”
The Court was divided on the suppression issue. The question on suppression centered on whether the exclusionary rule was needed to deter future violations. In order to make that decision, the Court determined whether the violations were “widespread” and “repeated”. This determination is what split the Court. While the majority felt that the facts before them demonstrated that in this case alone there are apparent widespread and repeated violations, Judge O’Scannlain disagreed. Judge O’Scannlain dissented, failing to find a widespread problem where only four agents were found to have violated the act, three of whom were part of the same investigative team.
Since the NSA operates under a military director, the Posse Comitatus Act applies to the actions performed by the NSA. However, the applicability of using the Posse Comitatus Act to regulate the actions of the NSA is qualified on how the NSA’s information is used. Using the same analysis performed by the Dreyer Court, the issue becomes whether the searches performed by the NSA fit within an exception to the Posse Comitatus statute and policy provisions. The exception would take effect depending on whether or not the NSA is performing overly broad searches that target civilians not connected with the military. However, even if the searches are overly broad, a violation of the Posse Comitatus policy provisions or statute exist only if the data is then transferred to state or federal prosecutors for use in executing domestic civilian law.
In addition, it is extraordinary for a suppression remedy to be applied for a statutory violation when the statute does not provide for a suppression remedy (like the wiretap act does). Without Congress providing for suppression in the statute, suppression is a Court-made remedy for Constitutional violations. Generally, statutory violations do not lead to suppression — an example being the “Knock and Announce” statute (18 U.S.C. §3109) for the execution of federal search warrants. The possibility of Constitutional suppression for a violation of a statute comes from the standard of “reasonableness” enshrined in the Fourth Amendment. “How can a search that violates a statute be reasonable?”, some argue. Others argue that Congress should not be able to affect what is Constitutional with just a statute, because by definition a statute is subservient to the Constitution. The Eighth Circuit raised but largely avoided the issue of suppression for a violation of the Posse Comitatus Act during the lengthy litigation over the events at Wounded Knee in the early 1970’s (Bissonette v. Haig). This, too, could have implications for the use of criminal law to affect conduct in cyberspace, given the massive role of the U.S. military in cyber security.
Here is a summary on the United States v. Dreyer decision by the JustSecurity Blog.
Cyber Round Up: Iran Cyber Attacks on Israel; Cybersecurity Companies Taking Advantage of Consumers; Retailers Cybersecurity Responsibilities; Scamming the Scammers; The New Yorker on Anonymous
- Prime Minister Binyamin Netanyahu states Iran is behind cyber attacks against Israel, read the story by The Jerusalem Post here.
- Are cybersecurity companies focused on protected consumer’s computers, or scaring them into buying more protection? Scientific American reports on the lack of oversight of cybersecurity companies and their tendency to exaggerate threats to increase profits.
- USA TODAY reported Sunday on the Target and Home Depot breaches, focusing specifically on the lack of cybersecurity on the part of the companies. The report describes how these companies are removing the blame by claiming the difficulties of protecting consumers from foreign predators in the cyber world. Who should carry the burden of protection in a world where consumer businesses and cybersecurity issues are increasing merging? Read the story here.
- Looking for a way to scam the scammers that constantly send fake advertisements to your inbox? While according to Network World, a program was created to do exactly that, the article warns that what might seem an “ethical gray area” is not so gray in the legal world. According to the article, a person who takes this revenge approach could be prosecuted for breaking computer crime laws.
- While the online collective known as Anonymous has grown exponentially since its inception, take a look at the full story of how the group formed and expanded, including summaries on some of their most infamous acts, in the new detailed narrative published by The New Yorker: The Masked Avengers.
Is NATO’s new definition of what constitutes an armed attack under Article V more bark than bite? That is the view of certain cybersecurity experts, according to a CNBC Report. The report highlights three main obstacles, discussed by those experts. For more information on NATO’s declaration, read this recent post.
The first obstacle, according to the report, is the difficulty of attributing the origin of the cyberattack. While certain NATO members may have the capacity to determine the origin, the experts cited by the article counter that those member states may not be eager to reveal their intelligence and technological capabilities.
The second obstacle, according to the report, is that evidence is less concrete in the digital world than with physical warfare, where satellites can capture images. The report notes that the ambiguity that results from the less than clear evidence is likely to allow reluctant NATO members to argue that they are not persuaded.
Finally, the third obstacle discussed by the report, is the absence of an exact standard that would be used to determine when there is amble evidence of a cyberattack that would require retaliation.
According to the report, NATO will consider each cyber incident on a case-by-case basis, but that may not be enough to identify, attribute and respond to cyberstrikes in a timely manner.
Cyber Round Up: Army Possible Cyber Branch; NATO Recognizes Military Response to Cyber Attack; Pay Scale for Federal Cyber Pros; Removing Limits to Cyber Education; Grassley Comments at National Cyber Seminar; Home Depot Cyber Breach; Senator Feinstein’s Cyber Security Bill
•The Army News Service released a report on Wednesday that the army activated a Cyber Protection Brigade, the first of its kind in the Army, and a discussion of a new cyber branch is in the works.
• Should the feds create a job category and salary scale for government cybersecurity workers — or is the profession too mercurial to assign pay grades? NextGov reports on the potential pros and cons of a pay scale for federal cyber professionals.
• Conventional warfare vs. cyberwar policy. Cyber offense police vs. cyber defense. Vertical-technical approaches to cyber studies vs. horizontal-strategic approaches. W. Hord Tipton, writing for Information Week Government, would urge us to remove the limits to one approach vs. another and instead look to broadening cyber education to produce a well-rounded cyber workforce. Read his commentary here.
• Reuters reports that NATO leaders marked an expansion of the organization’s original interpretation of an attack when they agreed on Friday that a large-scale cyber attach on a member country could be considered an attack on the entire U.S.-led alliance.
• Politicalnews.me has published the statement of U.S. Senator Chuck Grassley of Iowa at the National Cyber Security Alliance Seminar, here. In his statement, Senator Grassley discusses some of the areas of Cyber Security that the U.S. Senate have been focused on, including in particular the federal government’s partnerships with private business to protect critical infrastructure.
• Could the Home Depot credit card breach prove to be larger than the Target breach? Forbes reports on similar breaches in this comparison story, here.
• According to CBS Local, Senator Dianne Feinstein is urging Silicon Valley leaders to call their congressional representatives to express their support for her cyber-security bill which provides legal authority for companies to share cyber-related information with the government. Read the story here.
The Wales Summit Declaration released on September 5, 2014, by the Heads of State and Government participating in the meeting of the North Atlantic Council in Wales contains these provisions directly related to cyber security:
- [72.] As the Alliance looks to the future, cyber threats and attacks will continue to become more common, sophisticated, and potentially damaging. To face this evolving challenge, we have endorsed an Enhanced Cyber Defence Policy, contributing to the fulfillment of the Alliance’s core tasks. The policy reaffirms the principles of the indivisibility of Allied security and of prevention, detection, resilience, recovery, and defence. It recalls that the fundamental cyber defence responsibility of NATO is to defend its own networks, and that assistance to Allies should be addressed in accordance with the spirit of solidarity, emphasizing the responsibility of Allies to develop the relevant capabilities for the protection of national networks. Our policy also recognises that international law, including international humanitarian law and the UN Charter, applies in cyberspace. Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO’s core task of collective defence. A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. (emphasis added)
-  We are committed to developing further our national cyber defence capabilities, and we will enhance the cyber security of national networks upon which NATO depends for its core tasks, in order to help make the Alliance resilient and fully protected. Close bilateral and multinational cooperation plays a key role in enhancing the cyber defence capabilities of the Alliance. We will continue to integrate cyber defence into NATO operations and operational and contingency planning, and enhance information sharing and situational awareness among Allies. Strong partnerships play a key role in addressing cyber threats and risks. We will therefore continue to engage actively on cyber issues with relevant partner nations on a case-by-case basis and with other international organisations, including the EU, as agreed, and will intensify our cooperation with industry through a NATO Industry Cyber Partnership. Technological innovations and expertise from the private sector are crucial to enable NATO and Allies to achieve the Enhanced Cyber Defence Policy’s objectives. We will improve the level of NATO’s cyber defence education, training, and exercise activities. We will develop the NATO cyber range capability, building, as a first step, on the Estonian cyber range capability, while taking into consideration the capabilities and requirements of the NATO CIS School and other NATO training and education bodies.
The statement that “[a] decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis,” implies that a cyber attack could be a “use of force” or an “armed attack” as those key legal terms are used in the United Nations Charter. While the terms “armed attack”, “use of force” and “cyber attack” remain undefined — and, crucially, when a cyber attack constitutes an armed attack or a use of force remains unclear — the language suggests that cyber attacks which “threaten national and Euro-Atlantic prosperity, security, and stability” and cyber attacks whose “impact is as harmful to societies as conventional attack” would qualify as armed attacks or uses of force under international law. Note that those definitions would leave open the possibility of cyber attacks which do not result in death or serious bodily injury nevertheless qualifying as uses of force or armed attacks, a point this author has argued for years. I believe that actions in cyberspace might threaten national security to an extent that a military response is justified or even necessary, even if neither the cyber attack nor it reasonably immediate consequential damages result in death or serious bodily injury.
My colleague and co-instructor of Cyber Security Law and Policy, Professor Milton Mueller is, as he always does, attending the Internet Governance Forum (IGF), this time in Istanbul, Turkey. This is the Ninth Annual Meeting, and the theme is “Connecting Continents for Enhanced Multistakeholder Internet Governance.” Milt will be a speaker — along with Vint Cerf — at a Main/Focus session on Thursday, September 4, 2014, entitled, “Evolution of Internet Governance Ecosystem and Role of the IGF.” (While that is, in fact, a very big deal, if you are familiar with multistakholderism you will understand that there are two moderators and 21 speakers at that session alone, and 703 scheduled speakers overall.) The official Twitter account for the IGF is @intgovforum and the hashtag for this meeting is #IGF2014. Professor Mueller’s own tweets can be found at https://twitter.com/miltonmueller , and his coverage is underway.
In addition, you can read Mueller’s blog for the Internet Governance Project at Syracuse University at http://www.internetgovernance.org/ . His most recent article, dated August 29, 2014, relates to this IGF meeting and is entitled, “The Not-Mundial Initiative: Governance and Ungovernance in Istanbul.”
Milton Mueller is a true expert with vast experience, and our students will benefit greatly from his teaching.
In April, the Advisory Committee on Criminal Rules proposed amendments to the Federal Rules of Criminal Procedure that would give authorities “more leeway to secretly hack into the suspected criminal’s computer,” so The Hacker News in a recent report.
A magistrate judge with authority in any district where activities related to crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information within or outside that district. (p. 515)
Effectively, so the document, the change is intended to cover remotely accessed searches and seizures primarily a) to find out about the location of a computer when it is not known, and b) to search multiple computers in known locations outside the district of the issuing judge.
The Hacker News assessed the proposed amendment and translated it into plain English: With the new Rule 41, statutory law would allow authorities to “easily obtain warrants,” in order to secretly access suspects’ and witnesses’ computers
- by employing zero-day exploits on software vulnerabilities (thus hacking into suspects’ computers)
- whenever their location is unknown and presumably outside the jurisdiction of the issuing judge (thus in any of the other 93 judicial districts)
- in large quantities whenever evidence or technical details related to suspected operators of botnets are targeted (hence, a single warrant could authorize the search of thousands of computers)
Both The Hacker News and the Advisory Sub-Committee on the Criminal Rules provide a what occurs to me as an easily accessible set of reasons and justifications for the invasive proposal. It is based on the nature of cyber crime and a) how anonymizing technologies prevent the identification of the originating computer, and b) how containing and dismantling botnets require measures in many different jurisdictions.
My take on what makes the proposed amendment a messy policy problem, which will not be solved to the satisfaction of either stakeholder (government/law enforcement or civil society/privacy), builds on several layers where interests conflict with the pros of the envisioned change to the Federal Rules of Criminal Procedure:
1. The Ethical Layer: Governmental Use of Spyware
When governments employ spyware to utilize zero-day exploits and software vulnerabilities, ramifications range from the national to the global level, including:
- A Potentially lower level of checks and balances:
Conventional surveillance measures often have additional checks and balances on the organizational level, for example when telecommunication service providers facilitate wire-taps only after having received rightfully issued warrants. Contrarily, for the use of spyware, government agencies do not have to satisfy such external procedural requirements. Additionally, spyware suites usually equip their operators with remote access measures that may be more invasive than and exceed those that are covered by the respective warrant. In 2011, the German Bundestrojaner and its Staatstrojaners, spyware employed by German federal and state law enforcement agencies, carved out this difficulty of the government catching up with technology.
- Negative impact on overall Internet security:
Making zero-day exploits of vulnerabilities in commonly used software an integral part of law enforcement is likely to have negative impacts on the overall level of security in the Internet. The Heartbleed Bug and how it had reportedly been exploited over the course of a longer time by the National Security Agency serves as an example of choice, as it shows how governments can have knowledge about pervasive security flaws without sharing it. While they keep zero-day exploits secret in order to keep using them, these security gaps remain open and can be exploited by anyone who comes across them (our post about the zero-day exploit market and how suppliers cater to governments may be worth a look in this context as well).
2. The Factual Layer: Potential Extraterritoriality
Despite the intention of covering (only) all 94 judicial districts of the United States (US), the purpose of the amendment to Rule 41 is to search and seize data electronically stored on systems, whose location is not known. Accordingly, the very nature of cyberspace implicates potential search and seizure operations targeting devices that are not within the US at all. In that case, given that no prior consent has been obtained from the authority that has jurisdiction over the targeted system, a nation-state’s sovereignty may have been violated.
3. The Constitutional/Legal Layer: Particularity and Proportionality
The authorization of a search and seize of computers without knowing where they are located or how many will be subject to a (single) warrant also calls for considerations of particularity and proportionality. The draft minutes reflect the committee’s argumentation, due to which “any constitutional restriction should be addressed by each magistrate with each warrant request.” (p. 515)
This post only introduces what occurred to me as the most striking points in favor and against the proposed amendment to Rule 41 of the Federal Rules of Criminal Procedure. Instead of recounting further arguments, my intention is to illustrate how The Onion Router (TOR) and other anonymization technologies or botnet facilitated denial of service attacks are challenging procedural law and call for innovative legislation.
With decision of May 5, the Advisory Committee recommended to publish the proposed amendment to Rule 41 for public comment (p. 486), before it will be passed on to Congress for respective enactment.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
- Potential Public Safety Issues with the FCC’s Proposed Network Neutrality Rules
- Cyber Round Up: Medical Devices as a Cyber Vulnerability; US Regulators Concerned about ‘Armageddon-Type’ Cyber Attack; Islamic State Takes Over Social Media; Taiwan Probes Xiaomi on Cyber Security; Cyber Attacks Hit Military Transport Companies
- TIME: An ISIS Cyberattack Against the United States is Unlikely
- Ninth Circuit Applies Exclusionary Rule to Violation of Posse Comitatus Act, Potential Effect on NSA Related Cyber Prosecutions
- Cyber Round Up: Iran Cyber Attacks on Israel; Cybersecurity Companies Taking Advantage of Consumers; Retailers Cybersecurity Responsibilities; Scamming the Scammers; The New Yorker on Anonymous
- NATO’s Cyber Declaration: More Bark than Bite? on
- Cyber Provisions in NATO Wales Summit Declaration on
- The Heartbleed Bug and the Political Implications of Vulnerability Management on
- Fourth Amendment does not (yet) apply to NSA’s telephone call database (metadata) on
- Symposium Tomorrow: “The Constitutionality and Consequences of America’s Use of Drones and the NSA Spying Program” on
- October 2014
- September 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010