State of the Net 2012: It's SOPA, But Not Just SOPA

Posted on January 19, 2012 - 12:14 by imeister

It was my privilege to spend Tuesday in Washington, DC for the Congressional Internet Caucus Advisory Committee's State of the Net Conference 2012, which definitely reflected the degree to which PROTECT-IP and SOPA loom large over the American Internet policy landscape, and to which many policy-shapers from across the political spectrum have woken up to how critical sound Net policy really is. There was a lot to love: the debates were full-throated, civil, and constructive; both panelists and attendees were clearly engaged and happy to be there; and if Paul Brigner of the MPAA is to be believed, the superlaser on the SOPA Death Star, pointed squarely at the integrity of the global DNS, is going offline as soon as the bill hits the Senate floor.

There was also a surprising and very welcome amount of attention paid to section 230 of the Communications Decency Act. StopBadware has spilled some ink in the past over the degree to which the CDA at once protects Net infrastructure intermediaries in a valuable way and, as drafted, does much to discourage self-policing when dealing with malware reports. In particular, Brian Cute (late of ICANN and now head honcho of Public Interest Registry, the stewards of .org) and John Morris (late of the StopBadware board and now at NTIA, the legal stewards of the root zone) spoke eloquently of the urgent need for infrastructure stakeholders to take good netizenship seriously, notwithstanding the current statutory status quo. For StopBadware, there was a lot to love.

My one big wish coming out of the conference, though, is that policymakers display somewhat more willingness to reframe the debates around SOPA, DNSSEC, CDA 230 (and various other wonky acronyms) in terms of service abuse. The problem that undergirds "rogue sites" (a term I have never heard used more times than in the opening plenary), whether they be fake pharmaceuticals, malware distribution, or "dedication to copyright infringement" (whatever that really means) is one of accountability. I believe, unreservedly, that when domain names or hardware under US jurisdiction is used to abuse the laws of the United States, the legal personality responsible for that abuse, or part of the problem, should be held to account in an Article III court. We need the real deal, with every due process protection imaginable, and with hefty, easily collectible default penalties if they ignore the court. In my view, holding intermediaries like domain name registrars, web hosting providers, and other infrastructure operators responsible for obfuscating or evading this bedrock principle of Western law is an important element of achieving this state of affairs. SOPA’s liberal construction of U.S. jurisdiction is, in this very limited sense, the right idea. It’s also important to maintain an accurate and universal directory of domain name owners and IP address lessees, with protections for owner anonymity but the ability to pierce its veil for good cause shown. (No more paper airplanes, please! We believe in anonymity too!)

So why doesn't SOPA, or whatever alternative DC policymakers are considering, address the issue of domain name accountability head on? Why has Congress not laid out a statutory structure to govern disputes over Internet “land” when disputes over real property are some of the best understood legal frameworks anywhere? The solution could be deceptively simple. (As I'll explain in a subsequent post, we've had the tools to fix this since the heyday of Anglo-Norman law.) Not that government intervention is necessarily required - yet.

This is where my question to Dr. Crocker, the chairman of ICANN, about WHOIS comes into play (as tweeted here). ICANN has the (bureaucratic and necessarily glacially-paced) tools to fix the accountability problem, as their own WHOIS Review Team has elegantly pointed out. But WHOIS records continue to list fake addresses or junk data, many registrars can't be bothered to do anything about it (since they're effectively on the take), and ICANN itself seems insufficiently motivated to use the tools at its disposal to force the issue. I hope to attend ICANN's next public meeting in Toronto in October to observe and, if so permitted, to make the case for real WHOIS reform.

All told, however, it is an unambiguously positive development that the US government has made cybersecurity a legislative and executive priority, and StopBadware very much looks forward to working with everyone at the policy table to secure a safer Internet in 2012.

2011 Staff Reflections: Tech Policy Wish List

Posted on January 3, 2012 - 14:05 by imeister

2011 saw the U.S. Congress finally begin the task of explicitly addressing cybersecurity (as a general matter) through legislation, rather than foisting the responsibility on executive agencies like the FCC with little explicit statutory mandate. Regrettably, the two signature pieces of cybersecurity legislation currently before Congress, PROTECT-IP/SOPA and the Cybersecurity Information Sharing and Protection Act (CISPA), are fatally flawed. The former conflates the concerns of intellectual property rightsholders with unquestionable cybersecurity threats such as malware distribution; the latter provides virtually no guidance on the controversial question of what information should be considered cybersecurity information, and does little to promote data sharing within the broader cybersecurity community. 2011 also saw ICANN's WHOIS policy review team produce what is sure to be a foundational document addressing the growing problem of establishing accountability for domain name holders and the registrars who serve them. My wish list for 2012:

  • Congress should revisit PROTECT-IP and CISPA with an eye towards addressing the problem of badware websites, and creating civil causes of action that allow motivated cybersecurity researchers to seek the suspension or revocation of domain names being used for malicious purposes.
  • The FCC should use its statutory authority to promote greater data sharing among firms with cybersecurity data and an interest in maintaining the integrity of their networks, and should consider imposing sanctions on ISPs and hosting providers who act with reckless disregard for the health and safety of their networks.
  • The Department of Commerce, as the legal guardian of the global DNS, should strongly encourage ICANN to adopt the recommendations of the WHOIS policy review team and act with all deliberate speed to improve the accuracy of the WHOIS system and the accountability of those who disregard it.

In cybersecurity practice, 2011 also saw a number of high-profile botnet takedowns: Rustock in March, Coreflood in April, and DNSchanger in November, among others. The FBI has successfully modeled a public-private partnership that places the government in the driver's seat, draws on private sector expertise, and submits disputes about the legality of malware distribution to the appropriate judicial authorities. This is cause for celebration and substantial hope. In 2012, I hope that other companies well placed to assist the DoJ and FBI will go out of their way to do so, following Microsoft's lead.

Cybersecurity data sharing: you're doing it wrong

Posted on December 9, 2011 - 11:06 by imeister

One aspect of cybersecurity that StopBadware routinely emphasizes as essential to collective defense against malware is data sharing. As we've pointed out in the past, there are few incentives favoring, and many opposing, the sharing of malware attack-related data among private ecosystem participants like ISPs and web hosting providers, which makes tackling malware threats collaboratively prohibitively difficult. Apparently, data sharing problems are on Congress's mind as well. Last week, the House Intelligence Committee considered and passed HR 3523, the Cyber Intelligence Sharing and Protection Act of 2011, one of Congress's most visible efforts to confront computer security issues, which specifically addresses the sharing of "cyber threat intelligence". Unfortunately, the bill's sponsors appear to perceive all forms of cyber threat intelligence -- everything from an RSA-style infiltration to a blind SQL injection -- as (a) presumptively classified and in desperate need of control and (b) something from which private companies like ISPs and web hosting providers need protection.

First off, it seems the height of ridiculousness to assert that the intelligence community requires Congress's special permission to share information with important private sector infrastructure companies (like telcos and ISPs) if it possesses information that demands action. Federal intelligence and law enforcement agencies share, and are certainly not statutorily barred from sharing, malware- and cyberattack information with private parties already; specifying a system of temporary security clearances presumes that the disclosure of much of such information will place the national security of the United States in jeopardy. So either the status quo is somehow a dangerous threat to our nation, or the bill's solution is in search of a problem.

Moreover, the bill fails to address the actual collective action problem at the core of malware data sharing. By allowing companies to specify how malware data is shared with other private parties, the broader cybersecurity community, whose operations dwarf those of the federal government, need not be materially enriched in any way. In essence, the government seeks to establish a cybersecurity clearinghouse that need enrich only itself. The government should provide additional resources and tools to companies willing to make common cause with one another in the cybersecurity fight, not reward companies that share data -- which is very loosely defined by the bill, is exempt from the Privacy and Freedom of Information Acts, and may include PII and customer-created content -- with it and it alone.

Secondly, the bill takes the extraordinary step of immunizing all participating companies from any criminal or civil liability as a result of sharing information or failing to act on information they receive. Content providers like ISPs and hosting providers are already immunized for failure to take action on malware reports under section 230 of the CDA as courts have interpreted the law; further grants of immunity should be conditioned on at least a minimal standard of accountability for gross negligence in the handling of such data.

The Washington Post has reported that in response to objections from privacy advocates and concerns from the White House, the bill has been amended to include protections against coercive data sharing practices and oversight by the intelligence community Inspector General. It's a step in the right direction, but does little to cure the bill's other flaws, including facilitating sharing of irrelevant, private information and use of data submitted for purposes other than cybersecurity defense. While increased sharing of cybersecurity information within the Internet ecosystem is a laudable goal, Congress should seriously consider an approach that emphasizes data sharing within the private sector and better protects the general public from abuse.