Speaker 0
0:10 – 2:02
Welcome to Tech Talk by CDT. Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while actually explaining what these policies mean to our daily lives. I'm Brian Wazlowski, and we've got some rock stars with us today. It is time to talk tech. Debate on how to enhance cybersecurity is moving forward in Congress, but many advocates are saying the proposals are really just more government surveillance cloaked in cyber. We'll explore how increased information sharing between the government and the corporate sector may lead to the NSA having even more information about you. We'll also be talking about how copyright mixes with cybersecurity research and explore why you should want good guy hackers finding security flaws before the bad guys do. We've all seen the headlines of massive breaches from Target to Anthem and then the even more disturbing breaches at the US Office of Personnel Management. Congress seems ready to act in the form of cybersecurity legislation that would mandate increased information sharing between the federal government and corporations. Makes total sense, right? Not so fast. We have Greg Nojeim here to tell us more about the proposed legislation we are seeing and why so many civil liberties advocates are concerned about what's moving forward. Welcome, Greg. It's good to be here, Brian. You're just back from the Hill fighting the good fight, right? That's right. So I would like to talk about CISA. Is that how we're saying it? Yeah. C-I-S-A, the long name, the Cybersecurity Information Sharing Act that is moving through the Senate. This seems to be the most prominent cybersecurity bill moving. You've called it a cyber surveillance bill. Why is that? You know, it's not just because CISA rhymes with FISA. Oh, that's good. It's because
Speaker 1
2:03 – 2:57
this bill makes it so that whatever the government gets for cybersecurity reasons from a company, say the company wants to share indications of a threat that it's seeing, the government can turn it to surveillance uses. It can use it for criminal investigations. It can use it for criminal investigations that have nothing to do with cybersecurity: carjacking, kidnapping, drug running with a gun. I mean, these things have nothing to do with cyber, and yet the bill preempts all law and permits companies to share these cyber threat indicators that will include pieces of personal information from communications you've sent or received. Civil liberties groups are calling it a cyber surveillance bill.
Speaker 0
2:58 – 3:17
Well, on first blush, you know, some of the things you just said, I'm like, oh, well, you know, if you have the data, why shouldn't you be able to, like, go after or use it for carjackings and whatnot? What's the problem with this? Like, really, why is this the problem? You know, normally, when law enforcement wants to investigate
Speaker 1
3:17 – 4:14
a crime, if it wants the contents of your communications, and sometimes the cyber threat indicators will have pieces of content, if it wants the contents, it's gotta go in front of a judge, get a warrant, and prove probable cause. Here, the company can just share the information, even for investigating those crimes, because that's what the bill allows, and bypass the warrant requirement. I think that's not what people have in mind when they hear cybersecurity bill. It's certainly not what we have in mind. And let me just say, Brian, I think there is a need for some legislation to facilitate information sharing for cyber reasons between the government and the private sector. We need a scalpel because there are some problems that need to be fixed. CISA is a sledgehammer, and we don't need a sledgehammer.
Speaker 0
4:15 – 4:21
So, you know, if we need a scalpel, what are the elements that you would have in an effective cybersecurity
Speaker 1
4:22 – 5:26
bill? I would have a narrow definition of the information that companies would need to share with the government or could be permitted to share with the government. I would require the companies to remove personally identifiable information that isn't needed to describe a threat or to mitigate the threat. I'd say that they could share that information with the government even if this particular or that particular law says they couldn't. I would preempt those laws. But what the CISA bill does is say, well, you, company, you can share this information unless you know it to be irrelevant. Well, nobody knows something to be irrelevant to a threat. And then it says, and you can share this information notwithstanding any law. That's certain to backfire. It's certain to have unintended effects. And instead of dealing with the problem by saying, okay, we're gonna define the problem, we're gonna define the information narrowly, we're gonna identify the laws that we're preempting, it takes a blunderbuss approach.
Speaker 0
5:26 – 5:49
Mhmm. Interesting. So with CISA though, even with all these flaws, if it were to pass, would it have prevented any of the breaches that, you know, are grabbing the headlines, the Target one, the Anthem one? Would it have been effective in deterring that or stopping that? No. So take the Target breach, for example. That was about Target not doing basic things to secure its network.
Speaker 1
5:52 – 6:21
CISA doesn't solve that problem. What CISA does is make it so that if there's an attack on one company that another company doesn't know about, it increases the likelihood that that other company will get information about that attack. Okay. So it would help with some kinds of cyber attacks, the ones that are repeat offenders, if you will. But it wouldn't help with the new ones. And that's a lot of what we've been seeing is a new vulnerability.
Speaker 0
6:25 – 7:14
Basic hygiene that companies and users ought to be doing that we're not. Yeah. We've had other people on, such as Joe Hall, our technologist, talking about, you know, basic things that companies should be doing that they just don't. A lot of times, it's phishing scams that get people into the corporate infrastructure. It's poor management around the data you have, lack of use of encryption, all that sort of stuff. And CISA doesn't seem to cover any of that. But let's pivot a little bit. There's another piece of the legislation that you highlighted that is worrisome, and it's called countermeasures, or hacking back, I've heard people call it. And I kinda take that to be, if someone attacks you, you can punch them back. Why is this such a problem? It seems like something, okay, if you hack me, I'll come back at you. What's the issue with this, and why is it in CISA then? You know, if someone punches you
Speaker 1
7:15 – 8:34
and you wanna punch back, you usually know who punched you. The problem in cyber is that attribution is inexact, and you could be punching the wrong guy. So a lot of times, the attackers will route their attacks through proxies, through people whose computers have been taken over. They're part of a botnet. And so if you're hitting back at the person who punched you, you might be hitting the victim instead of the person who actually decided that the punch should be thrown. So in cyber, it's just harder to get it right. So you don't want to authorize countermeasures that can have these extra-network effects. So a countermeasure that's limited to your network or the network of someone you were hired to protect, that seems okay. But once it goes outside, that's when it looks like hacking back. That's when these problems of attribution become manifest. So, for example, this bill says, and the sponsors of the bill, they recognize this. They've acknowledged up front: we're authorizing countermeasures, they could have extra-network effects. But then they said, well, an extra-network effect, you can cause harm, but it can't be substantial.
Speaker 0
8:35 – 8:36
What is substantial?
Speaker 1
8:36 – 9:02
You know, you don't want courts figuring this out. You wanna make it clear: you can't cause harm off your network. I mean, that should be the rule, but that's not where the bill is. So we're very worried that, again, in preempting all laws, including the Computer Fraud and Abuse Act, Congress is gonna be authorizing hacking for bad reasons that the bill is really designed to prevent.
Speaker 0
9:03 – 9:29
Wow. It seems as though Congress is putting up a proposal that's really not gonna address any of the situations it's trying to cover. So when we get to the next phase, like, we've covered a lot of ground here and you've kind of hinted at this. If it gets to a pass, and from what you've said before, it looks like this is going to move forward on some level, what are the amendments that we're hoping to see or that are needed to make this at least a pill that could be swallowed?
Speaker 1
9:30 – 10:52
So, one good amendment would be an amendment that says, if you're deploying a countermeasure, you can't violate the federal Computer Fraud and Abuse Act. We're not gonna authorize hacking back. Another good amendment would be to narrowly define the personal information that can be shared. Another good amendment would be to say, look, if the companies are gonna be authorized to share this information with the government for cybersecurity reasons, the government has to use it only for cybersecurity reasons. No surveillance bill in cyber clothing. Another feature of this bill, Brian, is that it says that once a company shares information with one agency of the government, that agency has to immediately share it with the NSA and with other agencies of the government. You know, I don't think that the NSA needs everything that's coming in on a civilian program, and yet this bill requires it. That seems ill-advised. It requires also that the information be shared immediately with the NSA. Sometimes, working a privacy protective measure takes a moment. If it takes a moment, the bill ought to allow for that moment to be taken, but it doesn't. A good amendment would be to allow time for privacy when it takes some time.
Speaker 0
10:52 – 11:28
Yeah. And I think, you know, as you're talking about this, what really resonates for me is the type of data that is collected in these cyber incidents and that the people... so let's just use, like, a retail one. You know, you and I shop at Target, you know, so why would we think that our shopping at Target, suddenly our information is not in the hands of the NSA? I understand what you're, you know, you're saying in terms of, you know, the information being used for carjackings or different types of crime. But that means our data is with the NSA, and that just doesn't seem right. Right. And then what are they gonna do with it? Right. So,
Speaker 1
11:29 – 12:46
there is going to be, and I think there is, a problem today. We're not adequately protecting networks. Government networks, private networks, information sharing could be helpful. So I think we have to recognize that and understand that there is gonna be more information shared. And that really the job of CDT and other advocates is to make sure that, in the new regime, we limit the impact on privacy as much as we possibly can. Again, by narrowing the information shared and limiting the uses to which it can be put. One thing about this Senate bill is that it says that if the information stolen is necessary to describe the crime, or is relevant to describing not the crime but the incident, then it can be shared. Well, wait a minute. Is that gonna mean that companies are just going to routinely turn over that information when they don't necessarily have to? I think we have to be concerned about that. You know, you don't wanna be a victim twice. Right? Your stuff was stolen, and in the Target hack it was taken by some thief. You don't wanna be a victim twice because then it gets shared with the government as well.
Speaker 0
12:47 – 12:52
So as we send you back to the hill to keep fighting the good fight, any last thoughts for us on cyber legislation?
Speaker 1
12:55 – 12:58
CISA rhymes with FISA. We don't like it.
Speaker 0
12:59 – 14:46
Perfect. Thank you so much, Greg. Thank you. Let's imagine you're driving down the highway jamming to your tunes, which in my case would be the amazing Ingrid Michaelson, and then wham, you suddenly lose the ability to accelerate. Your car slows down, and you start to lose speed as a semi is bearing up behind you. Horrifying, right? Well, this scenario recently happened to a writer for Wired Magazine who willingly allowed two hackers to demonstrate how they could hack into his car system and truly take control. These two hackers found multiple vulnerabilities in the entertainment system used in the Jeep Cherokee and similar vehicles, and exploited them to take control of everything from the volume of the radio to the acceleration of the car. They shared their findings with the automaker, who has since recalled 1,400,000 vehicles. So how could this story possibly be about copyright law? I have Erik Stallman with me today to help elaborate and explain. Welcome, Erik. Thank you. Thanks for having me on, Brian. So the story, when you sent it to me, the Wired story, terrified me because I already am semi terrified about having a computer in my car. I read a book. It was about the apocalypse and about, like, electromagnetic pulse and how, like, if that happens, your car won't work. So now I'm like, not only do I have a computer in my car that won't work if there's an electromagnetic pulse, but now someone could hack me. This is very, very terrifying stuff. But, like, this was actually done as part of research, right? Security research. They had good intentions. Is this a common thing, the vulnerability type research that these two gentlemen were doing? Yes and no. It's uncommon in the sense that most of this type of research takes place in a controlled environment. Not on the... Right. Not on the open road. And that was the peculiar and I think somewhat regrettable
Speaker 2
14:46 – 16:21
aspect of this research. But in general, yes, there is a lot of research being done on all the devices that we now connect to the Internet. Recently, Cory Doctorow said that your car is a computer that you put your body into. I think that's something that's been true for many years. But now that car is connected to the Internet, and with that connection comes a new host of vulnerabilities. And we have a lot of very, very smart researchers looking into those vulnerabilities. So what are other types of, you know, just for people that wouldn't know in general, types of things that people are researching that you might be aware of? Well, there's basic research going on into the security of Secure Sockets Layer, the way that we ensure that our connections to the Internet are secure. There has been research into the security of things like heart rate monitors or insulin pumps, because those can also be hacked and modified by researchers or by more nefarious hackers. Wow. So how does copyright play a role in any of this? That's a very good question, and some people would argue that it shouldn't. But the reason why it does is because of the Digital Millennium Copyright Act. And I know you hate acronyms, but I do have to use one more. And that is TPM, which stands for technological protection measure. What that part of the copyright act says is that if you bypass or if you circumvent a technological protection measure that protects a copyrighted work, you have violated the law. Regardless of whether or not you commit copyright infringement, so just simply doing that act has violated the law. And any researcher that's doing research on a system where the research is not authorized is going to be exceeding authorized access, and so sort of circumventing a TPM.
Speaker 0
16:21 – 16:38
And when they do that, they violate the copyright. So that means that, you know, whatever it is, whether it be in the case of the car, the system itself is copyrighted material or intellectual property that is protected. Right. And then by going through the security system, you are infringing and getting... Well, you're not infringing.
Speaker 2
16:39 – 16:58
This is a very peculiar element of this part of the statute: you don't even have to be copying anything or infringing copyright. The mere circumvention of the thing that protects the copyrighted work is a separate actionable offense. And because when you do research on systems where you have to bypass these measures, you're going to be circumventing them, you've violated the DMCA.
Speaker 0
16:59 – 17:09
Okay. So CDT recently submitted comments to the US Copyright Office on this. What are we saying in our comments? Well, we're saying a few things. One, we're saying that the existing exemption in the
Speaker 2
17:11 – 17:45
statute for security testing is insufficient because it requires you to get the authorization of the owner of the device or the network or the software. In a lot of cases, particularly in the case of open source software, it's been incorporated into a lot of different software packages or devices. It's unclear who the person to give that authorization would be. And two, we're saying that this is really something that should be worked out by the security research community rather than by the Copyright Office. So we're asking the office to grant an exemption for security research. So then that exemption,
Speaker 0
17:46 – 18:00
in theory, would allow for the type of hacking, for lack of a better word, of systems. But would it create more of a system for kind of the reporting back of that research to whatever the entity is, whether it be an automaker or,
Speaker 2
18:01 – 18:51
you know, who knows, the platform? It would allow the reporting both to that entity and to the public. So this has been one of the main sticking points in this whole debate: what is the appropriate way to disclose a vulnerability. Understandably, carmakers or any owner of a network or software would prefer that you just tell them, and then they're the ones who handle the disclosure of the vulnerability, and don't address it until it's already been exploited in the wild, so to speak. And so part of what the security researchers are looking for is a safe way to be able to inform the public and other parts of the research community so they can act on and fix these vulnerabilities. Because, you know, one of the most powerful things that security researchers can do is share information with one another so that we can address these things more expeditiously.
Speaker 0
18:52 – 18:56
Absolutely. So what do you think the chances are of the copyright office actually
Speaker 2
18:56 – 19:52
doing something around this and making the changes we'd like to see? Well, first, I think it's very dangerous to try to guess at or handicap outcomes in any kind of proceeding. That is very wary of you to say. Right. And I do want to commend the Copyright Office for, I think they are asking, I mean they're thinking hard about this and they're talking to a lot of people, and I think they're trying to get to a good place. But understandably, they are institutionally closer to rights holders than they are to the security research community, and they have been very preoccupied with this question of how do you appropriately control disclosure. And I think that they're unlikely to issue any kind of exemption that doesn't contain some kind of requirement around the way you handle disclosure. And I think that could be problematic for the research community, which would rather sort of self regulate that question.
Speaker 0
19:53 – 19:58
So what's kind of the time frame on even anything coming out on this? Well, so right now, there's
Speaker 2
20:00 – 20:24
a triennial review proceeding where every three years, you basically request these exemptions and the Copyright Office looks at them. We've all submitted comments now. We've had a hearing on it. The Copyright Office had some supplemental questions. They're now going through a process of interagency consultation where they'll consult other parts of the government that think about these same questions and come to an answer. But in terms of when we'll see that answer, I think it'll be
Speaker 0
20:25 – 20:37
sometime in the next maybe few months, but it's always hard to say. It does not sound like a fast process. So in the meantime, with, you know, this exemption not in place, it seems as though if we do want the good guy
Speaker 2
20:38 – 21:42
researchers or hackers to continue doing this, they're kind of operating in legal limbo. Right? Is that right? Yeah, somewhat. I mean, I think that, again, they're operating in a... and this is part of why we participate in this process, is we would like clarity for the research community. They shouldn't have to do this research under a cloud of uncertainty and potential litigation risk, especially with respect to disclosing their results, which are very important to both making everyone safer, but also just furthering our understanding of how systems work and how to address their vulnerabilities. So, yeah, they'll continue to operate under legal uncertainty for the time being. But I think there is an effort to address these questions outside of a regulatory or a legal environment or venue. And I think that if we can all sort of mutually agree that the worst place to answer these questions is in a courtroom, then we'll work towards a better answer. That's great. So is there anything, you know, CDT filed comments. A lot of other groups have filed comments. I know our comments were also with a group of technologists.
Speaker 0
21:42 – 21:49
Anything that our listeners can do, if they care about this issue, to advance it or nudge the Copyright Office in the right direction?
Speaker 2
21:49 – 22:22
I mean, at this point, I don't know that there's really an avenue to comment to the Copyright Office directly. They sort of have their own windows for filing comments, and those windows have largely closed. But I think that something that everyone can do is to sort of pay more attention to this question and sort of realize that the entire issue of the security of systems and security research is one that involves the vendor community, involves the rights holders, involves security researchers, involves law enforcement, and encourage these communities to talk to one another.
Speaker 0
22:22 – 23:11
That's helpful. So, you're a biker. Are you gonna stick with biking? No cars for you after reading the Wired article? Yeah. I've been sticking with bicycles for about sixteen years, and currently, none of my bicycles are connected to the Internet. Well done. Alright. Thanks so much, Erik. Thanks. That's it for this week's CDT Tech Talk. You can find more information about the troubling cybersecurity bills moving through Congress and about necessary reforms to digital copyright laws at www.cdt.org. And Greg asked me to encourage everyone to reach out to their senators to oppose CISA. It's well worth the call or the email if you have the time. As always, tweet us any questions you have or topics you'd like us to cover to @CenDemTech. Thanks for listening.