April 25, 2013 (TSR-RT) – Scared that CISPA might pass? The federal government is already using a secretive cybersecurity program to monitor online traffic and enforce CISPA-like data sharing between Internet service providers and the Department of Defense.
The Electronic Privacy Information Center has obtained over 1,000 pages of documents pertaining to the United States government’s use of a cybersecurity program after filing a Freedom of Information Act request, and CNET reporter Declan McCullagh says those pages show how the Pentagon has secretly helped push for increased Internet surveillance.
“Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws,” McCullagh writes.
That practice, McCullagh recalls, was first revealed when Deputy Secretary of Defense William Lynn disclosed the existence of the Defense Industrial Base (DIB) Cyber Pilot in June 2011. At the time, the Pentagon said the program would allow the government to help the defense industry safeguard the information on their computer systems by sharing classified threat information between the Department of Defense, the Department of Homeland Security and the Internet service providers (ISP) that keep government contractors online.
“Our defense industrial base is critical to our military effectiveness. Their networks hold valuable information about our weapons systems and their capabilities,” Lynn said. “The theft of design data and engineering information from within these networks greatly undermines the technological edge we hold over potential adversaries.”
Just last week the US House of Representatives voted in favor of the Cyber Intelligence Sharing and Protection Act, or CISPA — a legislation that, if signed into law, would allow ISPs and private Internet companies across the country like Facebook and Google to share similar threat data with the federal government without being held liable for violating their customers’ privacy. As it turns out, however, the DIB Cyber Pilot has expanded exponentially in recent months, suggesting that a significant chunk of Internet traffic is already subjected to governmental monitoring.
In May 2012, less than a year after the pilot was first unveiled, the Defense Department announced the expansion of the DIB program. Then this past January, McCullagh says it was renamed the Enhanced Cybersecurity Services (ECS) and opened up to a larger number of companies — not just DoD contractors. An executive order signed by US President Barack Obama earlier this year will let all critical infrastructure companies sign-on to ECS starting this June, likely in turn bringing on board entities in energy, healthcare, communication and finance.
Although the 1,000-plus pages obtained in the FOIA request haven’t been posted in full on the Web just yet, a sampling of that trove published by EPIC on Wednesday begins to show just exactly how severe the Pentagon’s efforts to eavesdrop on Web traffic have been.
In one document, a December 2011 slideshow on the legal policies and practices regarding the monitoring of Web traffic on DIB-linked systems, the Pentagon instructs the administrators of those third-party computer networks on how to implement the program and, as a result, erode their customers’ expectation of privacy.
In one slide, the Pentagon explains to ISPs and other system administrators how to be clear in letting their customers know that their traffic was being fed to the government. Key elements to keep in mind, wrote the Defense Department, was that DIB “expressly covers monitoring of data and communications in transit rather than just accessing data at rest.”
“[T]hat information transiting or stored on the system may be disclosed for any purpose, including to the government,” it continued. Companies participating in the pilot program were told to let users know that monitoring would exist “for any purpose,” and that users have no expectation of privacy regarding communications or data stored on the system.
According to the 2011 press release on the DIB Cyber Pilot, “the government will not monitor, intercept or store any private-sector communications through the program.” In a privacy impact assessment of the ECS program that was published in January by the DHS though, it’s revealed that not only is information monitored, but among the data collected by investigators could be personally identifiable information, including the header info from suspicious emails. That would mean the government sees and stores who you communicate with and what kind of subject lines are used during correspondence.
The DHS says that personally identifiable information could be retained if “analytically relevant to understanding the cyber threat” in question.
Meanwhile, the lawmakers in Congress that overwhelmingly approved CISPA just last week could arguably use a refresher in what constitutes a cyberthreat. Rep. Michael McCaul (R-Texas) told his colleagues on the Hill that “Recent events in Boston demonstrate that we have to come together as Republicans and Democrats to get this done,” and Rep. Dan Maffei (D-New York) made unfounded claims during Thursday’s debate that the whistleblowing website WikiLeaks is pursuing efforts to “hack into our nation’s power grid.”
Should CISPA be signed into law, telecommunication companies will be encouraged to share Internet data with the DHS and Department of Justice for so-called national security purposes. But even if the president pursues a veto as his advisers have suggested, McCullagh says few will be safe from this secretive cybersecurity operation already in place.
The tome of FOIA pages, McCullagh says, shows that the Justice Department has actively assisted telecoms as of late by letting them off the hook for Wiretap Act violations. Since the sharing of data between ISPs and the government under the DIB program and now ECS violates federal statute, the Justice Department has reportedly issued an undeterminable number of “2511 letters” to telecoms: essentially written approval to ignore provisions of the Wiretap Act in exchange for immunity.
“The Justice Department is helping private companies evade federal wiretap laws,” EPIC Executive Director Marc Rotenberg tells CNET. “Alarm bells should be going off.”
In an internal Justice Department email cited by McCullagh, Associate Deputy Attorney General James Baker is alleged to write that ISPs will likely request 2511 letters and the ECS-participating companies “would be required to change their banners to reference government monitoring.”
“These agencies are clearly seeking authority to receive a large amount of information, including personal information, from private Internet networks,” EPIC staff attorney Amie Stepanovich adds to CNET. “If this program was broadly deployed, it would raise serious questions about government cybersecurity practices.”
UPDATE: CISPA in limbo thanks to U.S. Senate Apathy (for now)
Despite an $84 million lobbying effort, CISPA, the controversial bill aimed at making it easier for corporations to share customers’ personal information with the government, faces an uncertain future after approval in the US House of Representatives.
The next step for the Cyber Intelligence Sharing and Protection Act, or CISPA, after passing by a 288 to 127 margin in the House, is a Senate vote. However, the Senate has yet to debate the bill and has given no indication that the proposal is a priority, as major issues including gun control and immigration linger in the national consciousness.
CISPA co-sponsor Rep. Mike Rogers (R-Mich.) of the House Intelligence Committee has maintained that the law would help corporations defend against supposedly inevitable cyber-attacks by striking “that right balance between our privacy, civil liberties and stopping bad guys in their tracks from ruining what is one-sixth of the US economy,” as quoted by the Associated Press.
If CISPA were to become law it would grant businesses and the government an unprecedented ability to share data without the need to consider anti-trust or classification laws. Hacked businesses would be granted legal immunity if they acted in “good faith” to protect their networks, thanks to a part of the bill whose broad language has drawn the ire of consumer and privacy advocates.
An initial version of the bill passed in the House of Representatives in 2012 but faded after a Senate filibuster. Last year only 40 Democrats supported the bill – though that number nearly doubled to 92 who voted for it in 2013. That seemingly sudden ideological shift followed an $84 million lobbying effort from major sponsors like Viacom, Time Warner, Verizon Wireless, and others, according to the Daily Tech.
The Electronic Frontier Foundation and American Civil Liberties Union, two of CISPA’s chief opponents, have warned that the legislation would reveal health records, credit information, and other information to the government without first being scrubbed by the companies turning over those files. The National Security Agency could then be granted access to those transmissions when investigating foreign hackers.
Google, Yahoo and Microsoft are among the tech companies that have supported the bill, but public backing has slowly eroded after Facebook revoked its support and a series of amendments in the House Intelligence Committee failed to sway the ACLU.
US President Barack Obama threatened to veto CISPA in 2012 and, citing privacy concerns, has kept his position with the current language of the bill. If CISPA overcomes the odds in the Senate, a presidential veto would again doom the law to months of debate in the House.