A faction of lawyers and cybersecurity experts is irked by the way prosecutors used the country’s main anti-hacking law to bring charges against WikiLeaks founder Julian Assange.
They say it’s a stretch to use the 35-year-old Computer Fraud and Abuse Act to nab Assange for the alleged crime — offering to help Chelsea Manning crack a hashed password so she could get greater access to a military database and pass more secrets to WikiLeaks.
And even that alleged crime, they say, is the mark of some crafty legal maneuvering since prosecutors couldn’t bring charges against Assange for what actually riled them — that WikiLeaks published secret information that threw U.S. diplomatic relations into chaos in 2010 and upended the presidential election in 2016 — without undermining First Amendment free speech protections. In other words, it’s a little like getting Al Capone for tax evasion — if the evidence of tax evasion was pretty tenuous.
“It’s clear that this prosecution isn’t substantially driven by any CFAA violation that may or may not have occurred,” David Segal, co-founder of the liberal advocacy group Demand Progress, told me. “Rather, an alleged such violation is being used to de facto prosecute for the publication of leaked materials.”
Indeed, it’s highly unlikely the government would have bothered to indict — and seek to extradite from England — someone who wasn’t Julian Assange for trying, but evidently failing, to assist in a computer hack, as Julian Sanchez, a senior fellow focused on technology and privacy at the libertarian Cato Institute, pointed out on Twitter.
Also, of course, it seems inconceivable DOJ would put the effort they have into extraditing someone who had merely agreed to run a password hash against some rainbow tables for another intruder.
— Julian Sanchez (@normative) April 11, 2019
Experts’ criticism isn’t so much about sympathy for Assange as it is irritation that the CFAA’s broad language — which predates the modern Internet — can be bent and twisted to fit a lot of things involving computers that seem pretty innocuous.
The creative use of it to grab Assange only highlights for them the cloud of legal menace often faced by legitimate security researchers who use hacking to point out cybersecurity vulnerabilities. And it’s a reminder that prosecutors have used the law before to aggressively prosecute activists.
“CFAA is a ridiculously broad statute or, at least it has been interpreted that way by many courts,” Jeffrey Vagle, an affiliate scholar at Stanford University’s Center for Internet and Society, told me. “It was written in a completely different era with respect to how we use computers. It was not a well-thought-out law, and that’s come back to haunt us.”
A provision that bars “exceed[ing] authorized access” on a computer, for example, can be read to apply to simply violating a website’s terms of service — such as by lying about your age in an online form.
That provision was what the Justice Department relied on to prosecute Aaron Swartz, an Internet activist who violated JSTOR’s terms of service by using an automated program to download troves of public-access academic journals from the online database. Swartz, an advocate for broad public access to information, wanted to demonstrate that the online database limited access to academic articles to institutions that could pay high fees. Swartz faced up to 50 years behind bars and a fine of $1 million but committed suicide in 2013 before his case went to trial.
That was just one of numerous prosecutions that activists deemed questionable under the law, as my colleague Brian Fung detailed. Another example: “In 2016, journalist Matthew Keys…was sentenced to two years in confinement under the law. Keys, who formerly worked for Tribune Media, was convicted under the CFAA for passing computer log-in information to the digital activist group Anonymous,” which then used the login to alter an online Los Angeles Times article, Brian reported.
Companies have also used the civil provisions of the law to threaten ethical hackers who try to find and publicize bugs in their software that put customers’ privacy at risk.
In Assange’s case the charges deal with a specific CFAA provision focused on classified government materials, as University of Southern California Law Professor Orin Kerr outlined on Twitter:
Second, it’s based on a relatively aggressive (and somewhat controversial) view of the Computer Fraud and Abuse Act — that accessing files in violation of an order on classified materials is an unauthorized access.
— Orin Kerr (@OrinKerr) April 11, 2019
The same interpretation of the same provision was used to convict Manning in a military tribunal, Kerr pointed out, but prosecutors will have a tougher time making the case in a civilian courtroom.
Prosecutors are also invoking a separate terrorism-related provision in order to extend the statute of limitations for the hacking crime — which is normally five years — to eight years, long enough to cover the time Assange has been holed up in the Ecuadorian embassy in London, as CFAA-focused attorney Tor Ekeland pointed out on Twitter.
So, basically, they’re saying that the SOL is 8 years because the 18 U.S.C. § 1030(a)(1) CFAA charge is listed as an act of terrorism under 18 U.S.C. § 2332b(g)(5)(B)(i). Got that? https://t.co/25NaYSToVf If true, they filed the indictment in the nick of time (3/6/18) #Assange
— Tor Ekeland (@TorEkelandPLLC) April 11, 2019
There have been efforts to update CFAA, most notably by Rep. Zoe Lofgren (D-Calif.) who introduced a bill after Swartz’s death to narrow the law’s scope.
“The bill, which would have removed exceeding authorized access as an offense, was colloquially known as Aaron’s Law. It did not pass,” Brian reported.
Correction: An earlier version of this story reported that Matthew Keys was sentenced to two years behind bars. In fact, he was confined to a prison camp.
PINGED, PATCHED, PWNED
PINGED: Russia’s disinformation efforts during the 2016 presidential campaign targeted Bernie Sanders supporters more than was previously known, my colleague Michael Kranish reported Friday.
At the Post’s request, Clemson University researchers examined a trove of Russian-originated tweets that appeared designed to urge Sanders supporters to fall in line behind President Trump rather than Hillary Clinton after the Vermont senator dropped out of the race.
“It is impossible to say how many [tweets] were targeted at Sanders supporters because many don’t include his name,” Michael reported. “Some 9,000 of the Russian tweets used the word ‘Bernie,’ which were ‘liked’ 59,281 times and retweeted 61,804 times.”
“But that was only one element of the Russian effort to target Sanders supporters, the researchers said. Many thousands of other tweets, with no direct reference to Sanders, were also designed to appeal to his backers, urging them to do anything but vote for Clinton in the general election.”
Here’s a take from one of the Clemson researchers, Darren Linvill, associate professor of communications: “I think there is no question that Sanders was central to their strategy. He was clearly used as a mechanism to decrease voter turnout for Hillary Clinton.” The tweets examined in the new analysis “give us a much clearer understanding of the tactics they were using. It was certainly a higher volume than people thought.”
PATCHED: A United Nations agency has sent formal invitations to representatives from 25 nations — including the United States, Russia and China — to participate in a dialogue about rules of the road in cyberspace that will launch later this year.
Timo S. Koster, the Dutch government’s top diplomatic official for cybersecurity issues, tweeted the invitation and a partial list of participants Thursday.
All 25 nations participating in #UNGGE on advancing responsible state behavior in cyberspace in the context of international law pic.twitter.com/ALdxtQOMof
— Timo S. Koster (@tskos) April 11, 2019
Previous rounds of the Group of Governmental Experts in cybersecurity have produced broad agreements about how international law should apply in cyberspace and what sort of nation-on-nation hacking is out of bounds during peacetime. The most recent round in 2017, however, disbanded without any agreements amid bickering between the United States and Russia.
Former State Department cyber coordinator Chris Painter told me last year that the 2019 dialogues should focus less on agreeing to new global cybersecurity norms and more on how to enforce the ones nations have agreed to.
PWNED: The Chinese telecom giant Huawei is pushing back on U.S. officials’ claims that the company can’t be trusted in other nations’ next-generation 5G wireless networks, Reuters reported.
“We are probably the most tested vendor in the world,” Huawei’s cybersecurity director Sophie Batas told journalists at Huawei’s new cybersecurity center in Brussels.
“She criticized comments by Robert Strayer, U.S. State Department deputy assistant secretary for cyber, international communications and information policy, who told journalists on Wednesday that countries adopting risk-based security frameworks for 5G would lead to Huawei being banned,” Reuters reported.
“I have difficulty believing that a government like the United States organized a press conference yesterday to single out one particular company, and I wonder why it is going so far,” Batas said.
The Assange arrest dominated most of Thursday’s news cycle and is sure to continue today. Here’s more about:
And, while we’re on the topic, here’s a hot take on the arrest from NSA Cybersecurity Adviser Rob Joyce:
Looks like the Assange / Wikileaks deadman switch just dropped. Coverage here:https://t.co/EnxLCO6bpg
— Rob Joyce (@RGB_Lights) April 11, 2019
More cybersecurity news from the public sector:
Deputy Attorney General Rod Rosenstein defended the Justice Department’s handling of the special counsel’s still-secret report, saying Attorney General William Barr is “being as forthcoming as he can” about redacting and releasing the document.
Wall Street Journal
Navy Secretary Richard Spencer says adding a new assistant secretary for cybersecurity and tightening contractors’ security practices are top priorities for 2020.
Cybersecurity news from the private sector:
If you’ve ever had a voicemail appear out of nowhere, there’s a good chance Stratics Networks was involved. The Toronto-based company is the self-proclaimed inventor of “ringless voicemails,” providing its customers a way of auto-dialing a list of phone numbers and dropping …
THE NEW WILD WEST
Russian lawmakers are barreling toward final approval of a law that would effectively segregate the nation’s Internet from the rest of the world, Reuters reported.
The nation’s “Internet sovereignty” bill “aims to route Russian Web traffic and data through points controlled by state authorities and to build a national Domain Name System to allow the Internet to continue working even if Russia is cut off from foreign infrastructure,” according to the report.
“The bill’s authors say the measures are needed to defend the country after the United States adopted what they described as aggressive new U.S. cyber security policies last year.”
Critics, however, say the bill would make it far easier for the Kremlin to censor foreign news sources, silence dissenters and ramp up domestic digital surveillance.
More cybersecurity news from abroad: