As the government moves to secure the nation’s networks from cyber-attacks, striking a balance between security and digital rights is again a topic of concern. Although the White House proposal has drawn less backlash than several similar bills, the concerns it raises have struck a common chord.
The ongoing problem is that a strong cyberstrategy would require imposing systems of monitoring and security standards that do not sit well with digital rights and privacy. Some of the stronger government cybersecurity systems, including Einstein 3 and the CINDER program, could root out many key problems, but because they work by scanning information flowing through networks, they are unlikely candidates for public systems.
Securing critical infrastructure remains a key concern in cybersecurity. These are areas essential to a functioning nation that would be key targets in the case of a cyberconflict, including the energy grid, financial sectors, and transportation networks. The problem is that the majority of critical infrastructures are privately owned, and reining them into a cybersecurity strategy raises questions of how much control government should have over private enterprise, let alone issues of privacy.
Thus, the latest cyberstrategy, introduced by the White House in the Cyberspace Policy Review, is focusing largely on companies and networks voluntarily implementing many of its standards.
The breadth of the bill is a key point of debate. A Center for Democracy & Technology (CDT) analysis states that problems could arise from the legislation extending the reach of the Computer Fraud and Abuse Act (CFAA), which helps the federal government fight cybercrime, “in ways that give rise to some troubling issues.”
According to the analysis, the current proposal will broaden the CFAA, increasing penalties for cybercrime and expanding what qualifies as cybercrime.
It states users could face some serious issues, as “violating terms of service that they haven’t even read could land them in prison,” and if two individuals created false accounts on MySpace and Facebook “and used those fake accounts in a coordinated fashion, they could have been subject to racketeering charges under the Administration proposal.”
Among other issues, it could criminalize modifying devices, such as “jail breaking” an iPad to install different software, and sharing the code for doing so. It also adds physical property, including a user’s home, to what is subject to civil forfeiture if it was used in a crime.
“Imagine, for example, a teenage hacker who has used his parents’ computer to attempt to break into a bank network. If his parents were aware of his attempts but failed to turn him in, not only would that computer be subject to forfeiture, but so would his parents’ house,” stated the CDT.
“The conduct constituting a violation of the CFAA must be narrowed before Congress considers legislation to extend the statute and enhance the penalties under it,” it stated.