Yesterday we talked about the ridiculousness of President Obama’s new cybersecurity executive order, in which he declares a national emergency around “malicious cyber-enabled activities” and enables his own government to do mean things to anyone they think is responsible for cyber badness (that his own NSA is the primary instigator of serious cyberattacks gets left ignored, of course). One of the points we made is that the definitions in the executive order were really vague, meaning that it’s likely that they could be abused in all sorts of ways that we wouldn’t normally think of as malicious hacking.
Helpfully, the ever-vigilant Marcy Wheeler has provided some examples of how the vague language can and likely will be twisted:
The EO targets not just the hackers themselves, but also those who benefit from or materially support hacks. The targeting of those who are “responsible for or complicit in … the receipt or use for commercial or competitive advantage … by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, … where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” could be used to target journalism abroad. Does WikiLeaks’ publication of secret Trans-Pacific Partnership negotiations qualify? Does Guardian’s publication of contractors’ involvement in NSA hacking?
And, that’s not all. How about encryption providers? Not too hard to see how they might qualify:
And the EO creates a “material support” category similar to the one that, in the terrorism context, has been ripe for abuse. Its targets include those who have “provided … material, or technological support for, or goods or services in support of” such significant hacks. Does that include encryption providers? Does it include other privacy protections?
We’ve already seen some — including government officials — argue that Twitter could be deemed to be providing “material support” to ISIS if it didn’t take down Twitter accounts that support ISIS. Twitter wouldn’t directly qualify under this executive order (which targets non-US actors), but it shows you how easy it is to stretch this kind of thinking in dangerous ways.
Making sure the technology we use every day is secure is important. But vaguely worded executive orders and an over-hyped “national emergency” aren’t the solution. Instead, they’re likely to be abused in serious ways that harm our freedoms.