National Cybersecurity Protection Advancement Act

U.S. House of Representatives passes useless and deceptive bill (H.R. 1731)

First and foremost, I am not a legal expert by any loose definition of the term. I read through the NCPA rather carefully and often had a difficult time making sense of anything. Heck, one of the few bills I would support without hesitation is one requiring all bills, etc. to be written in English (meaning that it shouldn't take a degree to understand the thing).

Having said all of that, I reached a very similar interpretation and have many of the same concerns as groups such as the ACLU and EFF, whose analysis can be found at Stop Cyber Surveillance.

For any of you willing to endure the headache, I encourage you to read H.R. 1731 for yourselves. It's a 49 page PDF with large font and annoyingly excessive margins. Reading my (or anyone's) opinions is no substitute for reading the source and forming your own opinion.

Why the NCPA is Useless

The stated purpose of the NCPA is:

To amend the Homeland Security Act of 2002 to enhance multi-directional
sharing of information related to cybersecurity risks and strengthen
privacy and civil liberties protections, and for other purposes.

Does it enhance multi-directional sharing of information related to cybersecurity risks?

In my opinion and to the best of my knowledge, that's a problem that simply doesn't exist. The best that this bill does is allow for and somewhat protect the sharing of such information, and it's not as though there were anything preventing the sharing of the information to begin with anyway. If this were meant to protect some third party from suffering legal action for attempting to notify a company of security holes which they have found, that would be a very different story. But no, this seems to be protecting companies like Facebook when they share a "cyber threat indicator".

Does it strengthen privacy and civil liberties protections?

Well, it does repeatedly state that those sharing information are to take reasonable efforts to remove information that can be used to identify specific persons and is reasonably believed at the time of sharing to be unrelated to a cybersecurity risk or incident, and to safeguard information that can be used to identify specific persons from unintended disclosure or unauthorized access or acquisition. I just consider this requirement too vague to offer any real protection of privacy. So… no usernames or passwords? What about IP addresses? For threats such as DDoS attacks, it can be difficult to filter out regular/innocent users and impossible to tell which hosts were intentionally targeting a server from those which were themselves victims (compromised machines in a botnet). I would also suggest that any useful information is likely to be traceable to an individual because A) there is so much data available on any given person and B) in any situation that I can think of, such data would only be of use if it contained information such as IP addresses.

Beyond the vague definitions above, the NCPA also provides no transparency. Shared indicators would be exempt from disclosure under section 552 of title 5, United States Code, and withheld, without discretion, from the public under subsection (b)(3)(B) of such section. Even if you were to take action for damages, and were somehow aware of information which was not disclosed to the public, you would have the burden of proving by clear and convincing evidence that willful misconduct proximately caused injury to the plaintiff. Even assuming that it was intentional, good luck proving it!

And finally, it provides a very broad definition of what is considered a threat. If I try using Twitter over Tor, could that be considered a threat? What about if I accidentally come across a listing of email addresses of iPad + AT&T users (despite what the article claims, a regular user found this information without any hacking… it required no authentication)? What if I'm searching for flaws in order to notify the company so that they can fix them (similar to a bug bounty)?

Why the NCPA is Deceptive

You mean aside from claiming to protect your privacy and civil liberties while really just granting immunity to those who are now protected in sharing data with the NSA or other Federal entities? The NCPA makes it unclear whether or not existing laws still apply. In several places, it creates rules "notwithstanding any other provision of law", only to say later that it does not impact or modify procedures in existence. Either existing laws still apply or they don't! Which is it?

It's also deceptive in that it really does nothing to enhance security. Better security is achieved through having and using appropriate technologies and techniques, not through politics.

Is it Cyber Surveillance?

Possibly. I don't think it was created with that intention, but the obvious lack of experience and knowledge on the part of those who wrote the bill, as well as the lack of specific definitions, leave it open to this possibility. All sharing is voluntary, but the NCPA removes all transparency and provides immunity, and I expect that would lead to excessive and irresponsible sharing of information with a variety of Federal agencies, including the NSA. To make matters worse, most of the legal system suffers from a lack of technical knowledge and even a fear of hackers. Being afraid of what you don't understand can lead, and has led, to dogma and cruelty.

This is just One of Five

There have been many before, and I can almost guarantee there will be many to follow. Stop Cyber Surveillance lists all five of them, and they all seem to be the same thing in slightly different wording.

I am against all of these bills, but I do recognize that the state of online security is not as good as it could and should be. Despite my focus thus far on criticizing a bunch of bills supposedly designed to improve things, I want to redirect the focus of this from the problems to solutions. Here are some quick tips to better online security for everyone.

  1. Be sceptical and use common sense. Humans are often the weakest link when it comes to security.
  2. Use strong and unique passwords everywhere. Password managers such as KeePass and LastPass make this easier and more convenient.
  3. Keep your Operating System and other software updated. This applies to servers as well!
  4. Open Source software is generally considered more secure than proprietary software, because anyone can audit it. Security through obscurity is like believing a problem will go away if you ignore it hard enough.
  5. Developers… Know How NOT to Store Passwords! Never store them in plain text or as a plain unsalted hash; use a per-user salt and a deliberately slow hash.
  6. Don't use WordPress, FTP… I want to say Windows in general, but that might be asking too much. I will, however, add Internet Explorer.
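To make tip 5 concrete, here is an added example of my own (it is not code from the original post or from any project mentioned in it). It contrasts the classic mistake, an unsalted fast hash, with salted PBKDF2-HMAC-SHA256 from Python's standard library, and verifies with a constant-time comparison. The `pbkdf2_sha256$iterations$salt$hash` storage format and the iteration count are my assumptions; the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# ---- WRONG: how NOT to store passwords -----------------------------------
# A fast, unsalted hash. Two users with the same password get the same
# hash, so one rainbow table cracks everyone, and MD5 is computed at
# billions of guesses per second on commodity GPUs.
def store_password_badly(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# ---- RIGHT: per-user salt + deliberately slow key derivation -------------
# Iteration count is an assumption for this demo (OWASP currently suggests
# 600,000 for PBKDF2-HMAC-SHA256); tune it to your hardware and raise it
# over time. A purpose-built scheme such as argon2 or bcrypt is also fine.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, hash."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def same_password_same_hash(scheme, password: str) -> bool:
    """True if the scheme gives identical output for identical input (bad)."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("md5 repeats for same password:", same_password_same_hash(store_password_badly, pw))
    print("pbkdf2 repeats for same password:", same_password_same_hash(hash_password, pw))
    record = hash_password(pw)
    print(record)
    print("verify correct:", verify_password(pw, record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
```

The stored record carries its own parameters, so you can raise the iteration count for new accounts without breaking old ones, and re-hash a user's password on their next successful login.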

I think that having a security checklist and learning from the mistakes of others is the best way to reduce the threats we are facing. Unfortunately, although all of the resources you are likely to ever need are out there, they are scattered all over the Internet and it can often be difficult to know which methods are truly better than others. What we need are guidelines for both companies and individuals on how to stay safe.

Do you have any suggestions or links to any resources you have found particularly helpful? Please, let me (and everyone else) know in the comments!