Stopping Mass Hacking Act gets debate started

With help from Darren Goode

SMH — Sens. Ron Wyden and Rand Paul and their co-sponsors introduced their legislation Thursday to block a proposed change to federal government hacking powers. Under the proposed amendment to Rule 41 of the Federal Rules of Criminal Procedure, a judge could issue a warrant for a suspect’s computer even when its location is unknown.
The sponsors of the Stopping Mass Hacking (SMH) Act say the change could lead to innocent people being snooped upon, for instance if their computers were botnet victims. “Devices will be subject to search if their owners were victims of a botnet attack — so the government will be treating victims of hacking the same way they treat the perpetrators,” Wyden wrote on Medium. The change goes into effect unless Congress acts by Dec. 1.

On the other side of the Capitol, Rep. John Conyers sounds like he’s ready to lead the parallel charge. “Many in the House, both Democrats and Republicans, remain concerned about the investigatory techniques at the heart of this discussion,” Conyers, the top Democrat on the Judiciary panel, said in an emailed statement. “We will continue to study the issue and, when appropriate, we hope to join Sen. Wyden in his call to block the change.”

— TECH, PRIVACY GROUPS ON BOARD WITH BILL; DOJ ISN’T: The Internet Association and the Computer & Communications Industry Association immediately endorsed the new bill, as did civil liberties groups like Access Now and the Center for Democracy and Technology.

“The proposed changes could give magistrates the authority to grant remote electronic searches of computers for evidence of any sort of crime in any district,” Internet Association President and CEO Michael Beckerman said. “The implications of this proposed change are far reaching, present an opportunity for congressional oversight, and should only be addressed as part of a broader national discussion about privacy and security.”

The Justice Department again described the Rule 41 change as having no effect on traditional protections and procedures and said it wouldn’t allow search techniques not already authorized. In an emailed statement, spokesman Peter Carr pointed to its advancement by several entities, including the Supreme Court and the Judicial Conference. And he elaborated on the botnet debate.

“In certain circumstances, the government may need to seek a warrant to take action online to clean up botnets — for example, by preventing the bot code from operating or otherwise severing its connection to the criminals who control it,” Carr said. “This rule change would permit agents to go to one federal judge, rather than submit separate warrant applications to each of the 94 federal districts. That duplication of effort makes no sense.”

— STILL DECIDING: Senate Judiciary Chairman Chuck Grassley. “We’ll be reading the meeting minutes, comments and documents submitted to the Judicial Conference in an effort to learn more about the proposed changes to Rule 41 that have been approved by the Supreme Court and forwarded to Congress for additional review,” Grassley said in an emailed statement.

HAPPY FRIDAY and welcome to Morning Cybersecurity! Your MC host appreciates a good bill name acronym; SMH Act is pretty amusing, and I’m still in awe of whoever came up with the USA FREEDOM Act. Got any favorites? Send thoughts, feedback and especially your tips to [email protected] and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

SPEAKING OF BOTNETS … — There’s a divide, too, over newly reintroduced legislation from Sens. Lindsey Graham and Sheldon Whitehouse aimed at combating botnets. The bill makes multiple changes to how law enforcement agencies can pursue botnets and how judges can penalize crimes associated with them. In favor: the Chamber of Commerce. “The Chamber supports increasing the resources that law enforcement agencies need to counter and mitigate cyber threats, including investigating and prosecuting cybercrime cases internationally,” wrote R. Bruce Josten, head of government affairs at the Chamber. “S. 2931 would help tip the scales of justice toward American law enforcement and industry.”

Still not in favor: the Center for Democracy and Technology. “While we appreciate efforts to improve the bill, it still ranges too far,” said Gabe Rottman, deputy director for CDT’s Freedom, Security and Technology Project. “It lacks crucial safeguards to prevent collateral damage when the government seeks to shut down a botnet and would expand an already draconian computer crime law without necessary reforms to protect against abuse,” Rottman said, referring to the Computer Fraud and Abuse Act.

GROUP SEEKS TO OVERTURN MANNING CFAA CONVICTION — The Electronic Frontier Foundation this week asked a court to overturn the conviction of WikiLeaks leaker Chelsea Manning under the Computer Fraud and Abuse Act. EFF explained in a blog post today that “the law is intended to punish people for breaking into computer systems — something Manning didn’t do.” Even if successful, the reversal would affect only one of the 19 counts for which Manning was convicted.

“Congress intended to criminalize the act of accessing a computer that you aren’t authorized to access, such as breaking into a corporate computer to steal user data or trade secrets or to spread viruses,” said EFF legal fellow Jamie Williams. “The law should not be used to turn a violation of an employer’s computer use restrictions into a federal crime. That’s what happened here.” CDT and the National Association of Criminal Defense Lawyers joined EFF in the amicus brief to the U.S. Army Court of Appeals.

BANK ATTACKS STAY HOT — The recent bank heists that involve the SWIFT financial network — one successful, one failed — continue to roil the globe. Back home, Sen. Tom Carper sent letters Thursday to leaders of SWIFT and the Federal Reserve Bank of New York, which wasn’t itself breached by hackers but was used as a conduit in the Bangladesh Bank theft, asking them about whether they’ve improved security as a result and how they’re coordinating with federal government agencies.

Overseas, via Reuters: “The Association of Banks in Singapore (ABS) has invited SWIFT for a meeting in June to discuss the latest cyberattacks on banks in Bangladesh and Vietnam which involved SWIFT's financial messaging service.” And via Business World Online: “The Bangko Sentral ng Pilipinas (BSP) will soon lay out possible sanctions for persons and financial entities found liable for February’s $81-million bank heist, a senior central bank official said, just as the Senate wrapped up its public inquiry into the biggest money laundering case the country has seen so far.”

ROGERS TALKS ISRAEL, DHS — U.S. Cyber Command chief Adm. Michael Rogers, speaking at a U.S.-Israel cyber security forum Thursday hosted by George Washington University, touted his recent trip to Israel to highlight the importance of partnering against cyber threats. “Israel remains an important partner [and] it’s a partnership that we are focused on over time and so I was there to make sure that that message is conveyed,” he said. “We worked through a set of common problems, cybersecurity being one of those.”

Rogers also said he doesn’t think coordination with the Homeland Security Department will change if CYBERCOM is elevated to a full combatant command, which he believes will happen eventually. “We have clearly articulated roles and activities [and] we support DHS in their efforts,” he said. “I don’t think regardless of what level U.S. Cyber Command is, … I don’t see those fundamentals changing.” But he declined to comment when asked what metrics are used to measure success in the U.S. government’s cyber war against ISIL.

AUDITS NOTE IT SECURITY LAPSES AT CUSTOMS, IMMIGRATION SERVICES — DHS’s inspector general has released four independent audits outlining IT security deficiencies at both Customs and Border Protection and Citizenship and Immigration Services. The audits — two on Customs and two on CIS — outlined security management programs. One audit found that Customs and Border Protection needs to broadly improve and monitor existing security and role-based training programs to ensure that timely training is done and that access to financial systems is granted only after training is finished. Another found that account management at Citizenship and Immigration Services was particularly lacking, including not performing monthly recertification of user accounts, not maintaining account management documentation and not having adequate procedural documentation. All four audits performed by accounting firm KPMG are dated in September but were released just this month.

QUICK BYTES

— LinkedIn succeeded in getting those alleged 117 million passwords scrubbed from a website. Motherboard.

— Noodles & Company is looking into a possible breach. Krebs on Security.

— The Financial Times takes a look at the Global Cyber Alliance.

— The Office of Personnel Management breach doesn’t seem to have made a huge difference on federal agency security, according to an (ISC)2/KPMG report.

— “18F’s plan for a single government login comes under fire.” FedScoop.

— The hacker behind the Hacking Team breach is teaching folks his methods. Motherboard.

— A lawsuit alleges that Facebook scanned users’ private messages to boost “likes.” CNET.

— The Government Accountability Office found data security incidents for the nation’s weather satellite system. Nextgov.

That’s all for today. TTYL.

Stay in touch with the whole team: Darren Goode ([email protected], @DarrenGoode); Bob King ([email protected], @BKingDC); and Tim Starks ([email protected], @timstarks).
