information security – Techdirt

Abusive Governments (And The Criminals They Employ) Are Going To LOVE The UN’s Cybercrime Treaty

from the baby-and-bathwater-trebuchet dept

Various treaties and multi-national proposals to combat cybercrime have been around for years. I’m not exaggerating. These have been floating around for more than a decade. (Do you want to feel old? This cybercrime treaty proposal would be old enough to legally obtain a social media account in the United States if it were still viable.)

The UN has been pushing its own version. But its idea of “crime” seems off-base, especially when it’s dealing with a conglomerate of countries with varying free speech protections. The “Cybercrime Treaty” proposed by the UN focuses on things many would consider ugly, distasteful, abhorrent, or even enraging. But it’s not things most people consider to be the sort of “crimes” a unified world front should be addressing — not when there’s plenty of financially or personally damaging cybercrime being performed on the regular.

As Mike Masnick noted last year, the UN’s proposal aims to regulate speech, even if its stated ends are making the internet safer for everyone. The treaty would target “hate speech,” an often ill-defined term that encompasses everything from targeted attacks to shitposting to honest criticism that just happens to criticize things the government likes: things like preferred religions, citizens, ceremonies, holidays, or political figures.

It’s built for abuse. A year has passed and the UN’s “Cybercrime Treaty” doesn’t appear to have improved. While there’s stuff in there targeting actual criminal activity, there are still plenty of mandates just waiting to be abused by governments to target people they don’t like.

The EFF has an extensive rundown on the treaty’s modifications, most of which just make things worse for everyone if they’re enacted. And that begins with the treaty’s beginnings. The priorities have been disrupted.

Rather than focusing on core cybercrimes like network intrusion and computing system interference, the draft treaty’s emphasis on content-related crimes could likely result in overly broad and easily abused laws that stifle free expression and association rights of people around the world.

For example, the draft U.N. Cybercrime Treaty includes provisions that could make it a crime to humiliate a person and group, or insult a religion using a computer. This potentially makes it a crime to send or post legitimate content protected under international law.

Even computer-focused criminal laws have been regularly abused by governments (holla back CFAA!). This one sidesteps this focus to target computer users who aren’t trying to engage in criminal activity. They’re just being assholes. But give a questionable government a tool like this to use, and it will ensure it treats any criticism as a form of hate speech if it can, silencing dissent and preemptively silencing those who might have been considering speaking up. As the EFF points out, most human rights abusers come from countries with state religions and this law would allow them to ramp up the oppression they already offer to residents they don’t care for.

Sure, the UN has attached a caveat warning countries considering abusing the treaty from abusing the treaty. But if we’ve learned nothing else about the United Nations during its nearly 70-year run as a Manhattan property owner, it’s that it’s pretty much incapable of deterring any government from doing anything it truly wants to do.

That’s why this is a problem. Like anything else with horrendous unintended consequences, the treaty is well-meaning. But it’s also a toolbox for autocrats and oppressive regimes. And they know it. There are enough dissenters who love everything bad about the proposal to derail the treaty unless even the most minimum of protections for the governed are removed.

[T]he draft U.N. Cybercrime Treaty introduces vague provisions that will compel states to pass laws authorizing the use of overly broad spying powers without these safeguards—placing people at an increased risk of harm, and curtailing civil liberties and defendants’ fair trial rights. Even worse, during draft treaty negotiations, countries including India, Russia, China, Iran, Syria, and Tonga proposed amendments to remove Article 5, a general clause that emphasizes respect for human rights and references international human rights obligations. Rubbing salt into the wound, Egypt, Singapore, Malaysia, Pakistan, Oman, Iran, and Russia requested the deletion of even the most modest limitations on government spying powers, Article 42, on conditions and safeguards.

Going hand-in-hand with the partial stripping of rights in many nations around the world is the mandated expansion of surveillance nearly everywhere in the free world. To keep an eye on people saying mean things to each other, governments will need more access to more internet communications, something the UN is apparently cool with mandating. And the proposal is open-ended, preemptively blessing surveillance techniques that haven’t even been designed, much less brought to market.

The draft treaty also oddly refers to allowing authorities to use “special investigative techniques,” again without ever defining what those are. The current language, indeed, could allow any type of surveillance technology—from malware to IMSI catchers, machine learning prediction, and other mass surveillance tools—as well as any tool or technique that may exist in the future.

If the UN wants oppressive countries to stop pretending it’s only now they’re taking their gloves off, this Cybercrime Treaty is exactly what’s needed. If it really wants to stop cybercrime, it should focus more on universally recognized computer crimes, rather than speech that, while terrible, is still protected. And it definitely should rewrite the proposal with an eye on the unintended consequences, because it’s those consequences that will contribute the most to the inevitable abuse of this treaty.

Filed Under: cybercrime, cybercrime treaty, free speech, humilation, information security, insults
Companies: un

Ted Koppel Writes Entire Book About How Hackers Will Take Down Our Electric Grid… And Never Spoke To Any Experts

from the fudmongering dept

Famous TV news talking head Ted Koppel recently came out with a new book called Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath. The premise, as you may have guessed, is that we’re facing a huge risk that “cyberattackers” are going to take down the electric grid, and will be able to take it down for many weeks or months, and the US government isn’t remotely prepared for it. Here’s how Amazon describes the book:

Investigative reporting that reads like fiction – or maybe I just wish it was fiction. In Lights Out, Ted Koppel flashes his journalism chops to introduce us to a frightening scenario, where hackers have tapped into and destroyed the United States power grids, leaving Americans crippled. Koppel outlines the many ways our government and response teams are far from prepared for an un-natural disaster that won’t just last days or weeks – but months – and also shows us how a growing number of individuals have taken it upon themselves to prepare. Whether you pick up this book to escape into a good story, or for a potentially potent look into the future, you will not be disappointed.

The book also has quotes (“blurbs” as they’re called) from lots of famous people — nearly all of whom are also famous TV news talking heads or DC insiders who have a long history of hyping up “cyber” threats. But what’s not on the list? Anyone with any actual knowledge or experience in actual computer security, especially as it pertains to electric grids.

Want to know how useful the book actually is? All you really need to read is the following question and answer from an interview Koppel did with CSO Online:

Did you interview penetration testers who have experience in the electric generation/transmission sector for this book?

No, I did not.

Also in that interview, Koppel admits that he hasn’t heard anything from actual information security professionals (though he admits he may have missed it since he’s been on the book tour). But, still, if you’re writing an entire book with a premise based entirely on information security practices, you’d think that this would be the kind of thing you’d do before you write the book, rather than after it’s been published. Instead, it appears that Koppel just spoke to DC insiders who have a rather long history of totally overhyping “cyberthreats” — often for their own profits. In another interview, Koppel insists that he didn’t want to be spreading rumors — but doesn’t explain why he didn’t actually speak to any technical experts.

“Going in, what I really wanted to do was make sure I wasn’t just spreading nasty rumors,” said Koppel in a phone interview…. “After talking to all these people, I satisfied my own curiosity that this not just a likelihood but almost inevitable.”

“All these people”… who apparently did not include any computer security experts. Koppel claims that this isn’t a priority because Homeland Security doesn’t want to “worry” the American public:

“The public would have to understand it’s a plan that will work but if you don’t have a plan, that can be more worrisome. I just hope it becomes part of the national conversation during the presidential campaign.”

What?!? Homeland Security doesn’t want to worry the American public? Which Homeland Security is he talking about? The one that manhandles the American public every time they go to an airport? The same one that is constantly fearmongering about “cyber attacks” and “cyber Pearl Harbor”? Is Koppel living in some sort of alternative universe?

Is there a chance that hackers could take down electric grids and it would cause serious problems? Sure. Anything’s possible, but somehow we’ve gotten along without a single incident ever of hackers taking down any part of the electrical grid to date. And most actual information security professionals don’t seem to think it is a “likely” scenario as Koppel claims. The whole thing seems to fit into the usual category of cyberFUD from political insiders who are salivating over the ability to make tons and tons of money by peddling fear.

Is it important to protect infrastructure like the electric grids? Yes. Should we be aware of actual threats? Absolutely. But overhyping the actual threat doesn’t help anyone and just spreads fear… and that fear is quickly lapped up by people who will use it to profit for themselves.

Filed Under: cyberattacks, cybersecurity, electric grid, fearmongering, information security, ted koppel