May 7, 2020

Analysis | The Cybersecurity 202: Democrats push a bill to combat child pornography without undermining encryption

By Joseph Marks


with Tonya Riley

House and Senate Democrats are pushing a $5 billion plan to combat child pornography and other online child exploitation — without undermining strong encryption protections that the Justice Department has said allow those criminal activities to thrive.
The bill, which lawmakers introduced in the House and Senate yesterday, is effectively a multibillion-dollar response to law enforcement leaders arguing tech companies must give the government a way to access online communications with a warrant. And it's the first counterproposal to another bipartisan bill designed to combat child exploitation that's become ground zero in the fight over encryption.
“If you weaken strong encryption, all that filth would just move to dark web platforms and you’d make it easier for really bad guys to harm children,” Sen. Ron Wyden (D-Ore.), a sponsor of the Senate bill, told me, using a term for unregulated portions of the Internet where it’s easier for criminals to act anonymously.

Sen. Ron Wyden (D-Ore.). (Andrew Harnik/AP Photo/Bloomberg News)
The bill, called the Invest in Child Safety Act, would fund a dramatic increase in law enforcement manpower, creating positions for 90 new Justice Department prosecutors and 100 new FBI agents focused on combating online child sexual exploitation.
It would also fund 65 new analysts, engineers and counselors at the National Center for Missing and Exploited Children, which officials say has been hobbled by limited resources and outdated technology in recent years and is unable to handle an explosion in child sexual abuse imagery online. A New York Times investigation found instances of those images soared from about 100,000 in 2008 to more than 18 million in 2018.
“Government institutions at every level have failed kids [on this issue],” Wyden said. “I happen to think the way you turn it around is to put significant dollars into prosecutors, investigators and preventive services, and hold them accountable.” Wyden and other security experts say weakening encryption would make it far easier for criminals to steal all users' information and harass and abuse people online — including children — and that there are other ways for law enforcement to stop the crimes.
The bill is also sponsored by Sens. Kirsten Gillibrand (D-N.Y.), Bob Casey (D-Penn.) and Sherrod Brown (D-Ohio) in the Senate and Rep. Anna Eshoo (D-Calif.), who represents part of Silicon Valley, in the House.
The bill aims to compete with another Senate measure that’s far less encryption friendly.
That bill, dubbed the EARN IT Act, would strip tech companies of their prized liability protections when users share child pornography and other materials that exploit children. It would also establish a 19-member commission to create rules companies can follow to earn back that liability shield.
Tech companies and cybersecurity experts fear the commission would require companies to dial back their strong encryption systems — which shield information on the entire route between the sender and recipient — so law enforcement could get access to particular messages with a warrant. Right now, even the companies can't see the contents of the messages due to the end-to-end encryption.
Sen. Richard Blumenthal (D-Conn.), one of the EARN IT Act’s lead sponsors, has denied the bill is aimed at weakening encryption, saying there’s no guarantee the commission will recommend such a move. But he also has declined to take encryption off the table.
The bill has been pilloried by cybersecurity experts. Eighty-five percent of The Cybersecurity 202's standing panel of security experts said in a recent survey that it shouldn’t be passed. One major criticism is that it would give a substantial role on the new commission to Attorney General William P. Barr, who has been one of the government’s most vocal critics of strong encryption.
Barr has criticized Facebook in particular for expanding its digital protections across its messaging services, which the company says will make everyone more secure but Barr argues will lead to a surge in sharing of child pornography on the site.
The EARN IT Act has 10 Senate sponsors including six Democrats and four Republicans, compared to the Invest in Child Safety Act, which has no Republican support so far.
Yet both bills are sure to struggle to gain any attention while Congress focuses on responding to the coronavirus pandemic.

Attorney General William P. Barr addresses the International Conference on Cyber Security at Fordham University in New York. (Richard Drew/AP)
Encryption advocates say warrant-proof encryption makes the vast majority of people safer.  
While it does allow some criminals to evade police oversight, they say that’s worth it on balance to ensure information for all users is well protected against hackers.
They also argue law enforcement has rushed to attack encryption rather than exploring alternate ways of getting the information.
For example, police can get hacking warrants that allow them to use some of the same tools criminal hackers use to get access to information. They could also build cases with more shoe-leather police work that doesn’t require access to computers.
Those methods both take a lot of time and money and might be aided by a large boost in funding, such as the Invest in Child Safety Act envisions.
Wyden declined to say whether money from the bill should be used to boost those other investigatory techniques, saying he didn’t want to tell police and prosecutors “how to do their jobs.”
He says he’s confident, though, that increased resources will do a better job of tackling the problem than attacking encryption. “I can’t find very many policy changes that create more potential harm to kids than weakening encryption and making it easier for predators to get into their devices and into their homes,” he said.
Congress has never formally debated a bill that would explicitly weaken encryption. 
Justice Department and FBI officials have been pushing to find workarounds to strong encryption since 2014 but with no significant achievements. The FBI backed away from a court battle in 2015 that might have created a legal precedent that tech companies have to help law enforcement crack into encrypted systems when they have a warrant.
In that case, the FBI withdrew its request that Apple help agents break into a cellphone used by San Bernardino, Calif., shooter Syed Farook after an unnamed third-party vendor offered a tool that could crack into the device without Apple’s help.
The law enforcement case on encryption was also seriously damaged by a 2018 report that found the FBI, which has been the lead agency attacking encryption, repeatedly overstated how many cases were foiled by the protection.

The keys
Serious vulnerabilities in an Indian app are prompting worries about the use of location data to track the coronavirus's spread.

People wearing protective masks in Mumbai, India. (Dhiraj Singh/Bloomberg News)

Hackers could easily exploit vulnerabilities in the app, called India's Health Bridge or Aarogya Setu, to expose people who are infected with the virus in a given area, researcher Baptiste Robert explained to Andy Greenberg at Wired. The app relies partly on GPS location information, which contact tracing apps in other nations have eschewed because they worry it makes identifying people too easy.
The report should raise alarm bells for other governments that have rushed to roll out contact tracing apps amid the pandemic, privacy advocates say.
“I expect many of the contact tracing apps to have these types of issues, and I think particularly the ones that rely on GPS are going to be more privacy-invasive,” said Ashkan Soltani, a former Federal Trade Commission lead technologist who reviewed Robert's findings and has analyzed other contact tracing apps.
It's not the first security flaw researchers have identified in the app. A previous version of the Android version of the Aarogya Setu app leaked users' location data to YouTube, the New York Times found last week.
A Commerce Department rule will ensure U.S. companies can help set global standards for 5G telecom networks. 

A technician wears a protective mask as he installs a new Huawei 5G station on a tower. (Kevin Frayer/Getty Images)

U.S. companies’ participation in the groups was left in limbo last year by a Commerce Department order that restricted them from working with the Chinese telecom Huawei. That gave China the upper hand in 5G development and damaged U.S. competitiveness, Karen Freifeld and Chris Prentice at Reuters report.
The U.S. government has launched a global campaign to limit Huawei’s role in 5G networks, arguing the company could aid Chinese government spying, but some industry officials worry the efforts are doing too much damage to U.S. companies. 
“It is very much past time that this be addressed and clarified,” said Naomi Wilson, senior director of policy for Asia at the Information Technology Industry Council. “Their policies have inadvertently caused U.S. companies to lose their seat at the table to Huawei.”
State election officials are slamming a federal commission for being too slow to help with voting security guidelines.  

A voter. (Patrick Semansky/AP)
The Election Assistance Commission began working on an update to those voluntary guidelines for voting machines in 2017 but won’t complete them in time to be useful for the 2020 contest. By the time they are finished, the technical details probably will be out of date, officials from Virginia and Florida argued at a videoconference meeting yesterday, Federal Computer Week's Derek B. Johnson reports.
“The process is not fast enough to adapt to the changing security environment or to address the accessibility needs of many voters,” Virginia Elections Commissioner Christopher Piper said. “The fact is the delay has proven to be a convenient excuse in all sectors not to update our voting systems.”
The update has been in progress at the same time states have been scrambling to update their protections after Russia probed election systems in most states in the 2016 contest. Congress has also appropriated more than $1 billion to update election systems during that time.
EAC guidelines aren't binding, but many states rely on them to set their own security rules for new voting equipment.

Hill happenings

Sens. Elizabeth Warren (D-Mass.) and Amy Klobuchar (D-Minn.) want the FTC to crack down on coronavirus scammers.

Sen. Elizabeth Warren (D-Mass.). (Brian Snyder/Reuters)
The lawmakers cited an uptick in emails from scammers posing as representatives from the Small Business Administration that are targeting small businesses seeking coronavirus relief.
“We are calling on the agency to take stronger action to ensure that the huge population of potential victims — the nearly 60 million hardworking men and women who own or are employed by small businesses — are protected during this time of crisis,” they wrote in a letter to Federal Trade Commission Chairman Joseph Simons.

Industry report

Zoom has tapped Trump's first national security adviser for a board role as it responds to security concerns.

H.R. McMaster. (Jabin Botsford/The Washington Post)
Zoom announced the new role for retired Lt. Gen. H.R. McMaster yesterday following weeks of concerns that the videoconference platform's security isn't sufficient to protect the millions of people who've begun using its services since the coronavirus pandemic began. McMaster is also a senior fellow and lecturer at Stanford University.
Zoom also hired Jonathan “Josh” Kallmer as head of global public policy and government relations. Kallmer was executive vice president for policy at the Information Technology Industry Council.
More industry news:

Two networks of inauthentic Facebook accounts had spent years leveraging the social media company’s reach to amplify thinly-veiled Russian propaganda.

CyberScoop

China’s leading chip maker, SMIC, is preparing for a multibillion-dollar stock sale, as the country tries to build up its semiconductor capabilities during a heated trade conflict and tech battle with the U.S.
The Wall Street Journal

Cyber insecurity

Hackers who impersonate CEOs to con their victims are developing even more tricks, researchers found. 

A Wall Street sign is displayed in front of the New York Stock Exchange. (Mark Kauzlarich/Bloomberg News)

The hackers, identified by researchers at the cybersecurity company Prevailion, have updated their malware at least seven times this year, Shannon Vavra at CyberScoop reports. The attacks seem to be targeted at select financial institutions, researchers note.
More news about hacks and breaches:

This latest alleged Nintendo leak includes the source code for the N64, Wii, and Gamecube, but that doesn't mean emulators can just use it.
Vice

Global cyberspace

Hackers infected a core system of a big European health-care conglomerate.  

A doctor looks at computer screens at a hospital. (Sophia Sandurskaya/AP)
Germany-based Fresenius Group said the security incident had stalled some pharmaceutical production but that hospitals had not been affected, Sean Lyngaas at CyberScoop reports.
More international cybersecurity news:

An Israeli security company said the hacking software, called Aria-body, had been deployed against governments and state-owned companies in Australia and Southeast Asia.
New York Times

Chat room

Thoughts on a trailer for U.S. Cyber Command?
Maybe your purpose on this planet isn't on this planet. https://t.co/lr7tBQp775 pic.twitter.com/oHLgwcY2eq
— United States Space Force (@SpaceForceDoD) May 6, 2020

Daybook

  • The Knight Foundation will host a webinar on coronavirus misinformation, featuring Dr. Safiya Umoja Noble, at 1 p.m.
  • The Cyberspace Solarium Commission will host a virtual forum on Friday from 11 a.m. to 12 p.m.
  • The Senate Commerce Committee will host a hearing on the state of broadband amid the covid-19 pandemic on Wednesday at 10 a.m.
  • The Information Technology and Innovation Foundation will host a webinar “Mind the Gap: A Design for a New Energy Technology Commercialization Foundation” on Wednesday at noon.
  • The Open Technology Institute will host an event on the role of technology in pandemic response efforts on May 14 at 11:30 a.m.

