The current state of the US and UK governments’ ass-backwards approach to cybersecurity was on full display this week – culminating with British Prime Minister David Cameron and President Obama meeting to discuss the issue at the White House on Friday. When it comes to cybersecurity, it seems the UK and US want to embrace every crazy idea except what we know actually works.
The UK’s Cameron suggested earlier in the week he wants to outlaw certain forms of encryption, which could potentially lead to some of the world’s most popular messaging apps (like iMessage and WhatsApp) being banned in the UK. That speech had been ridiculed from all angles for the past few days, with various experts labeling it a nightmare for Internet security – on par with authoritarian regimes such as Russia and China – and economically devastating for the British information technology industry.
Meanwhile, the White House has proposed a huge expansion of penalties under the highly-controversial law that was used to prosecute Reddit co-founder and privacy rights advocate Aaron Swartz. If passed, the administration’s proposal could further criminalize mundane Internet activity – for example, potentially allowing for a ten-year jail sentence for sharing your HBO GO password – all to supposedly target foreign hackers that the law would likely never reach.
Less than 24 hours before the Cameron-Obama meeting, the Guardian published a secret report based on previously unreleased Snowden documents showing that the US government is fully aware that encryption is vital for security, and that the government risked leaving itself vulnerable if it didn’t start implementing it on its own systems more quickly. The British government likely knows this too: many of its employees use email encryption, and the UK even recommends that citizens use encryption to protect their data on a government website.
At the press conference after the meeting, Obama commendably didn’t embrace Cameron’s proposal when asked about it, and even Cameron seemed to at least appear to back off his own anti-encryption proclamation, saying he’s “not trying to enunciate some new doctrine.”
But just because Cameron’s been proven to be technically illiterate and may be attempting to publicly back away from his most radical proposal, that doesn’t mean that he won’t later push forward. FBI director Jim Comey proposed similar legislation to Cameron’s just a few months ago, and Cameron used eerily similar talking points in Washington on Friday as Comey did in late 2014. Plus, the rest of Cameron’s plan is downright scary for Internet privacy even without a formal encryption ban.
And then there’s the White House’s so-called solution to the cybersecurity problem, which they unveiled earlier this week. President Obama introduced it saying we had to do something about incidents like the headline-grabbing Sony hack, or the juvenile hijacking of US Central Command’s Twitter account – but what he didn’t say was that those proposals wouldn’t have stopped those attacks at all.
Part of the Obama administration’s proposal would dramatically expand the Computer Fraud and Abuse Act, the oft-abused and notorious statute that the Justice Department used to threaten the late Internet activist Aaron Swartz with 35 years in jail. (Aaron later took his own life while awaiting trial.) The CFAA already has incredibly harsh penalties, so much so that there’s been a movement for years to reduce them. And how the administration thinks increasing CFAA penalties is going to worry either North Korean hackers or ISIS sympathizers (or more likely pranksters) who take advantage of negligent password practices is anyone’s guess.
It would also put countless security researchers at further risk of prosecution, the exact type of people the government should be consulting with before making these ill-thought proposals, not driving underground.