December 15, 2015 6:42 PM
Later this week, the House is slated to vote on a $1.1 trillion “omnibus” spending bill to fund the federal government through next fall. Naturally, the legislation will likely contain numerous riders and add-ons that address issues unrelated to appropriations, ranging from oil exports to compensation for 9/11 victims. But one potential addition to the lengthy omnibus bill is extremely troubling: according to several reports, House leaders are considering adding cybersecurity information sharing to the package. Rushing a cybersecurity bill through Congress before the holidays is premature, especially given how little we know about the details of a potential cyber addition to the omnibus.
Congress has been busy with cybersecurity legislation this year. In October, the Senate passed the Cybersecurity Information Sharing Act, known as CISA. Earlier, in April, two cybersecurity bills passed the House—the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA). Each of these bills aims to tackle legal barriers that limit how companies can share what they learn about cyber attacks with other businesses or government agencies. But these three bills differ in certain key respects, so the two houses of Congress will need to reconcile these differences before sending any legislation to President Obama’s desk.
November 12, 2015 4:43 PM
The behemoth Consumer Financial Protection Bureau (CFPB) played a big role in Tuesday night’s GOP presidential debate on Fox Business, both during the commercials and in the candidates’ answers.
A new ad by American Action Network that made its debut during a commercial break correctly linked the CFPB—created by the Dodd-Frank so-called financial reform act rammed through Congress in 2010—to denial of mortgages and car loans due to the CFPB’s costly and paternalistic rules that hit Main Street banks and credit unions. The candidates critical of Dodd-Frank dinged those same policies, but often without naming the CFPB.
Carly Fiorina called out the CFPB directly and for another disturbing policy. She pointed out that the CFPB is an entity with “no congressional oversight that is digging through hundreds of millions of your credit records.”
The “digging” refers to CFPB’s massive database of mortgage and credit card info that rivals that of the National Security Agency in both size and intrusiveness. As former House Speaker Newt Gingrich wrote recently in The Wall Street Journal, “Every month the CFPB … gathers data on 22 million mortgages, 5.5 million student loans, two million bank accounts with overdraft fees, and hundreds of thousands of auto sales, credit scores and deposit advance loans.” My Competitive Enterprise Institute colleague Iain Murray and I have been writing about the troublesome database and its threat to privacy since the CFPB created it more than two years ago.
November 4, 2015 4:43 PM
Most Americans own a smartphone and use cloud computing services such as Gmail, Dropbox, and Facebook. Increasingly, we store sensitive data on our devices and in the cloud—but is it safe?
On Tuesday, October 20, 2015, the Competitive Enterprise Institute held a briefing to discuss the current debate over data encryption. It was moderated by CEI Associate Director of Technology Studies Ryan Radia.
October 26, 2015 9:13 PM
This week, the U.S. Senate will vote on the Cybersecurity Information Sharing Act. Also known as “CISA,” the bill aims to improve cybersecurity by making it easier for companies and the government to share information about potential cyber threats with each other. (The latest version of CISA is here; a package of amendments slated to be voted on is here.) But CISA suffers from a serious flaw that Senate lawmakers have repeatedly ignored: the bill doesn’t put agencies on the hook if they misuse information shared with them in the name of cybersecurity.
CISA’s basic premise—that information sharing can improve cybersecurity—makes sense, as I’ve long argued. Every day, big Internet companies deal with all kinds of cyber attacks, many of which target data that providers store on their customers’ behalf. Internet firms learn from the attacks they experience, and over time, they can improve the resiliency of their systems. Similarly, the more willing companies are to share information about cyber threats with federal agencies upon request, the better the government will be equipped to investigate and punish cyber criminals.
August 31, 2015 4:35 PM
On Friday, the U.S. Court of Appeals for the District of Columbia Circuit handed down its much-awaited ruling in Obama v. Klayman, one of several lawsuits challenging the legality of the NSA’s bulk collection of Americans’ telephone records. In 2013, the District Court for D.C. issued a preliminary injunction after it found the plaintiffs were “substantially likely” to show that the NSA was collecting their telephone records in violation of the Fourth Amendment to the U.S. Constitution. The D.C. Circuit disagreed with this conclusion, reversing the preliminary injunction and sending the case back to the lower court for further proceedings.
Although the D.C. Circuit’s decision in Klayman has major implications for future cases about government surveillance, it won’t immediately affect the NSA’s bulk collection program. When the District Court in D.C. granted the plaintiffs a preliminary injunction, the court decided to “stay” its preliminary injunction pending an appeal—meaning the NSA could continue its bulk collection while the lawsuit made its way through the federal courts. This process has taken longer than expected, with nearly two years elapsing since the preliminary injunction issued in December 2013.
August 27, 2015 1:26 PM
The Daily Beast’s Justin Glawe has written an article about a North Dakota law aimed at limiting law enforcement use of unmanned aircraft systems (UAS), or drones. He claims that the law was watered down by police interests and corporate lobbyists, and that the weakened protections now authorize law enforcement’s use of non-lethal UAS-mounted weapons:
With all the concern over the militarization of police in the past year, no one noticed that the state became the first in the union to allow police to equip drones with “less than lethal” weapons. House Bill 1328 wasn’t drafted that way, but then a lobbyist representing law enforcement—tight with a booming drone industry—got his hands on it.
The bill’s stated intent was to require police to obtain a search warrant from a judge in order to use a drone to search for criminal evidence. In fact, the original draft of Representative Rick Becker’s bill would have banned all weapons on police drones.
Then Bruce Burkett of the North Dakota Peace Officer’s Association was allowed by the state house committee to amend HB 1328 and limit the prohibition only to lethal weapons. “Less than lethal” weapons like rubber bullets, pepper spray, tear gas, sound cannons, and Tasers are therefore permitted on police drones.
Scary stuff, right? I certainly don’t want the police to have armed UAS—whether they be deployed with lethal or non-lethal weapons—and requiring warrants is a good first step. But based on a reading of the statute in question, it does not appear to do what Glawe and others claim it does.
August 5, 2015 12:59 PM
Today, the U.S. Senate is scheduled to vote on the Cybersecurity Information Sharing Act (CISA), which is a serious threat to civil liberties and privacy.
CEI’s Ryan Radia offered these thoughts:
CISA doesn’t provide any meaningful deterrent against government agencies using information they receive from companies in ways that exceed the uses authorized by the Act. Although CISA requires agencies to issue guidelines that are supposed to prevent the misuse of information shared under the Act, this is hardly reassuring. Agencies violate their own internal procedures and guidelines all the time with impunity, from the IRS to the State Department.
That’s why it’s critical that any cyber information sharing legislation include a provision that gives relief to individuals injured by governmental misuse of information shared by companies. In this Congress, and in the last two Congresses, the House passed cyber threat information sharing legislation that allowed injured parties to sue the government for damages (i.e., a waiver of sovereign immunity). Another approach to deterring misconduct, used in the Wiretap Act, would bar the government from using evidence in court that is derived from shared cyber threat information for purposes beyond those allowed by the bill. Either a waiver of sovereign immunity or a suppression remedy needs to be included in any bill that liberalizes information sharing, or else companies won’t be able to meaningfully ensure that the government doesn’t use information they share with it for impermissible purposes.
April 21, 2015 11:29 AM
The Competitive Enterprise Institute, TechFreedom and a coalition of free-market groups issued an open letter to Members of Congress, urging them to consider amendments to the National Cybersecurity Protection Advancement Act (NCPAA) of 2015. The NCPAA intends to increase cyber security by facilitating greater sharing of potential cyber threats by private companies with each other and with government. But it also raises real privacy concerns because potential Cyber Threat Indicators could include private information like email content or Internet usage history.
“Congress must ensure that agencies can’t strongarm companies into sharing information involuntarily, and that agencies can be held liable for recklessly misusing private data they might receive. And agencies should be barred from using such information for regulatory purposes or for unrelated criminal prosecutions,” said Ryan Radia, Associate Director of Technology Studies at the Competitive Enterprise Institute. “Finally, the existing bill’s blanket immunity for ‘defensive measures’ could encourage unauthorized access to protected computers, potentially endangering innocent bystanders caught in the middle of cyberattacks.”
The letter proposes eight amendments:
June 2, 2014 11:51 AM
At a recent event titled “A Statesman Forum on Cybersecurity Policy and Diplomacy” at George Washington University, House Intelligence Committee Chairman Mike Rogers (R-Mich.) stated:
Every investigation, every group that reviewed it found no illegal activity, no abuses, and that it was lawful. It’s hard to say that there was some horrible rogue agency when all the groups that investigated it came to the same conclusion.
Rep. Rogers is wrong. His statement, which referred to the National Security Agency’s data collection programs under Section 215 of the USA PATRIOT Act (50 U.S.C. § 1861), ignores the report published by the Privacy and Civil Liberties Oversight Board (PCLOB) in January 2014 concluding that the NSA’s data collection programs under Section 215 are illegal. The findings of PCLOB—an independent federal agency established in 2004 to ensure that government surveillance does not overstep its lawful bounds—are worth revisiting after the USA FREEDOM Act, a bill intended to reform NSA surveillance activities, lost more than half of its sponsors last week following a new version of the bill out of the House Rules Committee.
Section 215 is the provision of the USA PATRIOT Act, a 2001 law which amended the Foreign Intelligence Surveillance Act (FISA), that prescribes the conditions under which intelligence agencies, like the NSA, may gain access to information such as phone call data. This law has been the key legal justification for the NSA’s controversial metadata collection programs, which many people accuse the agency of using to collect domestic data. In June 2013, Edward Snowden, a former private contractor for the NSA, revealed documents to Glenn Greenwald and other reporters who used them to expose these programs.
May 19, 2014 4:12 PM
In the electric power industry, if you run an extension cord across the street to serve another, you go to jail. The local utility has a protected monopoly. We’ve put most of that "public utility" vision behind us in communications. Wired and wireless and satellite options abound for Internet service; we'll likely see blimps and communications drones, and who knows what else.
Yet special interests still want the Federal Communications Commission (FCC) to regulate the content flows and grid infrastructure, the prices and services of the Internet via something called net neutrality. They actually are quite open about wanting government-regulated monopoly power.
The Internet as a utility, like the power company. They want speed limits.
We're nearly a decade into a series of disruptive efforts to inflict "net neutrality" on the Internet; neutrality is the idea that we won't have access to content where and when and as fast as we want it without government and special interests controlling the wires.
Neutrality proponents want to inflict a "Mother-May-I" method of operation on the Internet; they want planning boards and regulatory affirmation of content carriage arrangements and of infrastructure deals.
It's not a bright new idea, and not even one rooted in a plausible belief in natural monopoly, or one informed by angelic visions of "common carriage." Regulation like net neutrality devolves into cronyism. It was also rooted in cronyism.
Early telecommunications and power networks were highly competitive, with duplicative infrastructure. The powerful didn't like the competition. The cronies got a franchise and guaranteed profit, everybody else got shut out, and the effects still linger.