OYEZ, OYEZ, OYEZ — For what may be the first time ever, the fate of a cybersecurity law rests in the hands of the Supreme Court. This morning, the nine justices will hear oral arguments in Van Buren v. United States, a case about whether the 1986 Computer Fraud and Abuse Act prohibits a person who is authorized to access a computer from using that access in an unauthorized way (such as to download and leak sensitive data). Supporters of the appellant, Nathan Van Buren, argue that reading the nation's only major cybercrime law in this way would create a precedent for criminalizing many innocent and beneficial acts, such as security research not specifically authorized by a website's terms of service. Supporters of the government argue that a strict interpretation of the law is necessary to deter theft and exposure of sensitive data.

The case could rest on how concerned the justices are about the slippery slope that technology, cybersecurity and privacy experts discuss in their amicus briefs. "If they're focused on hypotheticals far from the facts of this case, then that bodes well" for Van Buren, said Orin Kerr, a Berkeley law professor who specializes in cybercrime and filed a brief supporting Van Buren's position. "The government's problem is that they don't have an obvious limiting principle: Their view sweeps incredibly broadly." Andrew Crocker, a senior staff attorney at the Electronic Frontier Foundation who also filed a brief on Van Buren's side, noted "the kinds of innocuous things we all do on the Internet that [violate] terms of service or our employers' computer use agreements: fibbing on a social media profile, sharing streaming passwords, checking sports scores at work, and so on."

But supporters of the government are also concerned about a slippery slope — one that could result from narrowing the meaning of the CFAA's prohibition against behavior that "exceeds authorized access." The Federal Law Enforcement Officers Association, which filed a brief on the government's side, told MC that it would be listening for indications that the justices are concerned about doxing. "Where someone with access to law enforcement databases maliciously abuses that access to 'dox' law enforcement agents," the group said in a statement, "there may be no other obvious federal criminal remedies available to prosecute that very harmful wrongdoing." The FLEOA also argued that prosecutorial discretion will help avoid the worst-case scenarios imagined by CFAA critics, such as charges against people who lie about their weight on a dating service.

The Van Buren case's potential to reshape the breadth of the CFAA has attracted a diverse range of interested parties, with the Koch Brothers-backed Americans for Prosperity Foundation and the Reporters Committee for Freedom of the Press on one side and the Managed Funds Association and the Electronic Privacy Information Center on the other. The internet voting firm Voatz earned enmity in cyber circles for filing a brief on the government's side.

BACK FROM THE BREAK — Congress returns this week for a mad dash to wrap up their work before the end of the year. One major outstanding piece of business is the fiscal 2021 National Defense Authorization Act. The House and Senate versions of the massive policy bill contained dozens of policy recommendations proposed or inspired by the Cyberspace Solarium Commission — chief among them the creation of a Senate-confirmed National Cyber Director. The House draft, H.R. 6395, would establish the office, while the Senate version, S. 4049, included place-holder language that called for a study of the issue. Lawmakers and staffers are bullish that some form of the position will be included in the final NDAA — which could be unveiled as early as this week — despite opposition from the Trump White House. There's also optimism that a top-to-bottom assessment of U.S. Cyber Command's forces will make the final cut.

The fate of the annual intelligence authorization bill is also wrapped up in the debate. The Senate attached its version of the bill to the chamber's NDAA. The House Intelligence Committee approved its version of the bill, H.R. 7856, in July, but the full chamber has yet to pass it. With very few legislative vehicles left, the NDAA is one of the best shots for lawmakers to get something done. Hanging over all of this, of course, is President Trump's threat to veto the must-pass defense bill if it contains language that would rename military bases and installations named after Confederate generals.

KREBS SPEAKS OUT — Even out of office, Chris Krebs is still debunking conservatives' false election-rigging conspiracy theories. Krebs, whom Trump fired as director of DHS' Cybersecurity and Infrastructure Security Agency on Nov. 17, shared his reaction to his firing and Trump allies' discredited claims in an interview broadcast Sunday on CBS' "60 Minutes." The use of paper ballots in states such as Georgia "thoroughly … debunks some of [the] sensational claims out there" about supposed vote-tampering software, Krebs said — claims that have been amplified by right-wing figures such as Trump lawyers Rudy Giuliani and Sidney Powell. "It's just — it's nonsense," said a clearly exasperated Krebs.

Republicans' demonization of the election process is a "travesty," said Krebs, a lifelong Republican, who noted that election officials have received death threats simply for doing their jobs. "There are some real heroes out there," he said. "There are some real patriots." When CBS' Scott Pelley asked Krebs what he thought of the news conference at which Giuliani breathlessly warned of vote-rigging, the former CISA director replied, "It was upsetting, because what I saw was an apparent attempt to undermine confidence in the election, to confuse people, to scare people."

FOLLOW THE RULES — Hackers are using email forwarding rules to hide evidence of their intrusions from their victims, the FBI warned in a private alert obtained by MC. "The web-based [email] client's forwarding rules often do not sync with the desktop client, limiting the rules' visibility to cyber security administrators," the bureau said in the alert issued late last week. "Cyber criminals then capitalize on this reduced visibility to increase the likelihood of a successful business email compromise." The FBI said it was issuing the Nov. 25 alert to raise the profile of the issue and warn corporate IT administrators to configure their networks so as not to miss these changes.

Not only do auto-forwarding rules help criminals carry out such schemes, which the FBI estimates to have caused more than $1.7 billion in global losses, but their sneaky nature can delay the remediation of a breach, because initial assessments after the discovery of a breach may miss these changes. The longer it takes to discover these forwarding rules, the FBI said, the more time hackers have to continue tricking employees and stealing money. Plus, the bureau added, "cyber criminals may also use auto-forwarding rules to delete records from the recycle bin to further obfuscate their activities."

AND NOW FOR SOME GOOD NEWS — Nigerian police, with the assistance of INTERPOL, have arrested three men who allegedly participated in a cybercrime group that distributed malware, conducted phishing attacks and ran scams targeting businesses. The "prolific gang" has used 26 malware variants, including AgentTesla, Loki, Azorult and Spartan, to hack companies and government agencies in more than 150 countries since 2017, INTERPOL said last Wednesday. Investigators continue to piece together their operations but have already identified roughly 50,000 targets. As part of INTERPOL-led "Operation Falcon," investigators worked with the security firm Group-IB to gather information about the cybercrime gang's structure and process data from breach investigations.

TWEET OF THE LONG WEEKEND — Kind of funny, in a bleak way.