Last week, Access sent the following letter to members of the Senate Subcommittee on Crime and Terror prior to the Hearing on “Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks.” The letter calls attention to unpatched software vulnerabilities and privacy protections and argues against broad information sharing as a means for increasing cybersecurity. The ongoing legislative debate over proposed cybersecurity legislation, such as CISA, demonstrates how information sharing and liability immunity provisions harm user privacy.
Attached to Access’ letter was a separate letter sent to the President by a coalition of 35 organizations, companies, and technologists asking for a pledge to veto CISA and detailing methods to increase communications security without giving up users’ digital rights.
The hearing discussed the private and public cooperation efforts to combat cybercrime and featured panelists from the private sector and from federal law enforcement agencies. Unfortunately, the hearing did not feature any representatives from civil liberties organizations to explain the damage that overbroad remedies to botnets and other cybersecurity threats, such as Microsoft’s recent seizure and takedown of legitimate No-IP domains, could wreck on the rights of users.
—–
Dear Chairman Whitehouse, Ranking Member Graham, and Distinguished Members of the Senate Subcommittee on Crime and Terrorism:
On behalf of Access and internet users worldwide, thank you for convening this hearing on “Taking Down Botnets: Public and Private Efforts to Dismantle Cybercriminal Networks.” Cybercrime costs the American economy tens of billions of dollars each year, and botnets (enormous networks of infected computers) are responsible for a significant share of malware, identity theft, and other cyberattacks.
Botnets account for a substantial amount of cybercrime worldwide. Botnets are large networks computers that have been infected by malicious software. A single documented botnet has infected more than 1.2 million individual devices. The infected computers, or bots, use the internet to coordinate criminal activities and fraud, without the users’ awareness. Such activities include sending spam email campaigns, spreading viruses, and flooding targets with distributed denial of service (DDoS) attacks.
Unfortunately, in the pursuit of computer security, solutions often undermine what they aim to protect. Some approaches proposed to address the harms of botnets not only fail to adequately protect the internet and those who use it, but actually actively harm users. For example, Microsoft recently argued in a federal court that a Domain Name System (“DNS”) Provider was negligent, and instead should collect more personal information on users and store it insecurely, practices that are antithetical to well-accepted best practices.
In order for users to freely interact across the internet, communications security provides assurance personal information will not be exposed to bad actors. Attempting to provide security by increasing the amount of personal data available thwarts steps taken by individuals and companies to secure their own information. Proper steps toward data security rely on a holistic approach that considers all levels of the internet, to avoid causing negative adverse effects. Responsible protection of personal information from botnets, and other cybercrime, is necessary to secure the advantages of our digital economy.
In a coalition letter transmitted earlier today to President Obama, Access, along with several other civil society organizations, companies, and computer security experts called on President Obama to oppose cybersecurity legislation moving through the Senate. The Coalition listed six elements that a comprehensive approach to cybersecurity should address, such as the creation of incentives and processes for the improvement of digital security, the establishment of a system for responsible vulnerability reporting, and the provision of educational resources to users, companies, and other actors. The letter also included a list of things that cybersecurity legislation must avoid, such as a “tunnel vision” approach that would address information sharing alone. The full letter is attached.
Additionally, Access has published the Data Security Action Plan — seven security-enhancing steps that companies can take to the increase protection of data against unauthorized access. Already, leading internet companies such as Twitter, Dropbox, and DuckDuckGo have supported the Action Plan with the goal of raising the bar on data security. But the codification of arguments, like the one put forward by Microsoft, would provide negative incentives for companies to collect more personal information from users than necessary and to improperly protect that information once collected.
At today’s hearing, committee members will have the opportunity to speak with representatives of the cybersecurity industry and other experts; we ask that members consider posing the following questions to the panelists:
- Users often fall victim to botnets when they use software and hardware that contains vulnerabilities. This situation is exacerbated when companies discontinue support for widely-used operating systems, as Microsoft recently did with Microsoft XP, leaving users exposed to unpatched, known vulnerabilities. What processes and incentives can be put in place to protect their data security? If left unpatched, what impact on personal privacy could be caused by unauthorized access to a user’s system?
- Out of date, insecure software can be easily hacked by criminals and nation-state adversaries. Once hacked, private data on these computers can be stolen, and the infected computers’ networking and computing resources added to a botnet. In spite of the real threats, consumers, government organizations and the private sector continue to use out of date software. Notable examples include the Federal Government’s continued use of the 13-year old Microsoft Windows XP operating system, and the wireless industry’s failure to provide subscribers with regular updates to the Android mobile operating system. Until the problems associated with out of date software have been addressed, this country will continue to have a significant cybersecurity problem. What, if anything, do the government and private sector witnesses plan to do to address these issues?
- What is the US government currently doing to prevent or mitigate the proliferation of botnets? Have these efforts been effective? If not, why not? How much personal information about users is being collected or shared as part of these efforts?
- DNS Providers do not operate in collaboration with their customers. Nonetheless, Microsoft has argued that notice to DNS providers would undermine efforts to track down and disable botnets. To what extent can notice to impacted parties be provided, in order to give an opportunity for a traditional adversarial proceeding?
- As a result of the National Security Agency’s dual mission to protect American cyberspace and to enable counterintelligence, the agency performs a cost-benefit analysis on software vulnerabilities and often stockpiles them for use, rather than disclose them in the interest of improving public security. When investigating a botnet, what measures can be taken to ensure compromised users are immediately notified of security breaches instead of leaving them vulnerable in the name of furthering an investigation?
Thank you for considering these issues, which affect all users. We look forward to working with out on this important topic.
Sincerely,
Amie Stepanovich
Senior Policy Counsel, Access
888.414.0100, ext. 702