Welcome to The Cybersecurity 202! I'm super impressed by this hyperpolyglot reporting from Ukraine in six languages. I sometimes struggle to be understood in just one of them.
Below: Teams of European Union cyber experts are working to defend Ukraine, and Trump's social media site launch is raising cyber red flags.
An effort to stem child porn would bring serious collateral damage, experts say
A congressional effort to get tough on tech firms failing to keep child pornography off their platforms gets bad marks from cybersecurity experts in our latest poll.
About 81 percent of our Network experts group oppose the EARN IT Act — almost entirely because of concerns it would hamper adoption of strong encryption and make people less safe online.
“This bill is dangerous,” said Cindy Cohn, executive director of the Electronic Frontier Foundation. “It will reduce everyone’s security and privacy. It should be a top priority of anyone who cares about cybersecurity to block it from passing.”
A brewing battle
There's going to be a drag-out fight over the bill, which is widely supported by many opponents of Big Tech and advocates for sexual assault survivors.
The EARN IT Act sailed through the Senate Judiciary Committee earlier this month, even as several senators said they want to fine-tune encryption protections before it becomes law. But that may be a tough sell. One of the bill’s main sponsors, Sen. Richard Blumenthal (D-Conn.), has pushed back on encryption concerns, calling them a “gigantic red herring” propagated by “Big Tech and their armies of lobbyists and their allies.”
Here’s the dilemma. The EARN IT Act would remove federal protections that currently prevent tech companies from being held legally liable for what users share on their platforms if they knowingly allow those users to share child pornography.
Cybersecurity advocates fear those new liability concerns will prompt tech firms to stop offering end-to-end encryption, which protects data from hackers and authoritarian government snoops but also makes it easier to secretly share child pornography and other illegal content.
- “Good intentions are admirable and no one would argue that protecting children isn't a fundamental role of government. However, the unintended consequences of this bill are simply too vast and would pave over decades of technical progress by the security community,” said Mark Weatherford, a former top Department of Homeland Security cyber official and a general partner at Aspen Chartered.
- Elizabeth Wharton, vice president for operations at the cybersecurity company SCYTHE, warned the bill would harm privacy “without actually protecting children and spur pedophiles to innovate new ways to hide in the shadows.”
The bill’s sponsors have sought to assuage some encryption concerns. They added a provision stating encryption can’t be the only reason a company is judged guilty of knowingly allowing child pornography on its platforms.
But that hasn’t made much of a dent in cyber pros’ opinions of the bill. Back in 2020, about 85 percent of Network respondents opposed an earlier version of the bill that lacked those protections.
More poll responses
A common theme among EARN IT critics is that the bill leaves too much wiggle room for courts and state governments to whittle away at encryption protections.
- McAfee Chief Technology Officer Steve Grobman: “While the intent of the legislation is admirable, I believe it will fail to achieve its goals and have devastating impacts to individual privacy.”
- Sascha Meinrath, director of Pennsylvania State University's X-Lab: “The collateral damage caused by the EARN IT Act would cause enormous harms and very real, if unintended, consequences, resulting in many Americans being less safe online.”
- Kendra Albert, a clinical instructor at the Cyberlaw Clinic at Harvard Law School: “EARN IT seeks to punish online platforms, but because it is badly drafted and its sponsors don't care about collateral damage, it will just end up harming people.”
Most laws that currently govern cybersecurity were written two decades or more ago and have fallen dramatically out of step with the modern Internet, noted Tor Ekeland, a lawyer who specializes in defending people accused of hacking.
“Given Congress’s abysmal record in writing computer laws … I have little faith that the EARN IT Act will do … more than become another ill-informed computer law of unintended consequences,” he said.
The bill could also create a precedent that leads other nations to demand that tech firms scan user data for content beyond child pornography, such as statements critical of the government, Luta Security CEO Katie Moussouris warned.
- “The EARN IT Act will lead to broader surveillance, which historically harms vulnerable people,” she said.
Other critics argued that police should use other tools to uncover child pornography. Those include getting warrants to hack the devices of people suspected of sharing that content.
“There are further law enforcement tools to bring to bear against the scourge of child pornography without doing something that arguably would weaken the application of cybersecurity best practices,” said Jim Richberg, field chief information security officer at the cybersecurity firm Fortinet.
About 19 percent of experts supported the EARN IT Act. They mostly said reduced use of end-to-end encryption was a worthwhile tradeoff for making the Internet safer for children.
- “We should make sure that end-to-end encryption is available and used in appropriate national security and critical infrastructure affecting systems, but allow for social media systems to prioritize public safety,” said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.
- “While end-to-end encryption is generally a good thing, law enforcement has always needed — and in most cases had — a way to investigate suspected criminal activity,” said Sam Visner, a technical fellow at the MITRE Corp.
Steve Weber, director of the Center for Long Term Cybersecurity at the University of California at Berkeley, argued that EARN IT critics are being too intransigent and should figure out a compromise that helps reduce the spread of material that exploits children.
“EARN IT Act opponents have a point about risks to encryption, but aren't acknowledging the political realities now at play that won't allow for perfection and zero trade-offs,” he said. “Rigidity is a formula for massive failure that will end up doing greater damage to encryption in the long run.”
The E.U. activated a cybersecurity team to help defend Ukraine
Six European Union countries mobilized their cybersecurity experts to help Ukraine days after the country asked for assistance, Politico Europe’s Laurens Cerulus reports. They’re considering sending the expert team into Ukraine, something that Ukrainian Foreign Minister Dmytro Kuleba said the country would “welcome” in a letter asking for support last week.
Ukraine’s requests: The country wants the experts to look at the “vulnerabilities of our key computer networks and systems,” Kuleba wrote. He also asked for “additional technical equipment and software for strengthening the cybersecurity infrastructure.”
Context: The preparations come amid fears that Russia could couple an invasion of Ukraine with blistering cyberattacks and disinformation campaigns. President Biden yesterday described Russia’s deployment of troops into two pro-Russian separatist regions of eastern Ukraine as “the beginning of a Russian invasion,” and imposed a first round of punishing sanctions.
Officials are warning U.S. businesses to prepare for possible cyber retaliation and rising gas prices, Rachel Pannett and Ellen Francis report.
Key details about the cyber experts’ operation haven’t been ironed out. European officials still have to figure out how many experts — and who in particular — should work on the operation, Lithuanian Vice Minister of National Defense Margiris Abukevičius said.
Ukraine has vastly improved its cyber defenses in recent years, but is still likely to be outgunned by Russia’s immense capabilities.
U.S. government officials have warned allies about the potential cyber fallout of a conflict. Deputy national security adviser Anne Neuberger visited NATO nations three weeks ago and the United States and United Kingdom “quietly dispatched cyberwarfare experts to Ukraine,” the New York Times reported in December.
Glitchy launch of Trump’s social network raises privacy, cybersecurity fears
Truth Social was mostly inaccessible after it launched on Apple’s App Store because of “technical glitches, a 13-hour outage and a 300,000-person waitlist,” Drew Harwell reports. The disastrous launch has fueled doubts the app could withstand an onslaught from hackers.
“The basic thing they needed to actually get right to get someone in the door, they couldn’t get right,” privacy researcher Bill Fitzgerald said, adding: “I’m hard-pressed to understand why anyone would trust that these people would keep their information safe.”
These aren’t the app’s first cyber problems.
- In October, pranksters found what appeared to be an unreleased test version and almost immediately defaced it.
- Two months later, journalists discovered what appeared to be another test version, which was promptly removed.
- An internal beta version of the app was left publicly accessible, allowing the public to see bug reports and tests by moderators, the Daily Dot’s Mikael Thalen reports.
Former congressman Devin Nunes (R-Calif.), who resigned from Congress to become chief executive of Trump’s media and technology company, wants the app to have a “nation-state level” cybersecurity team because the site will be a target from the get-go, Reuters’s Julia Love and Helen Coster reported this month.
- More than 20 cybersecurity nonprofits are launching Nonprofit Cyber, a coalition to “enhance joint action to improve cybersecurity.” The Center for Internet Security’s Tony Sager and the Global Cyber Alliance’s Philip Reitinger will co-chair the coalition.
On the move
- Colonial Pipeline named Adam Tice as its new chief information security officer. Tice previously worked at Silicon Valley Bank and Equifax, which he joined after a 2017 data breach.
- NATO deputy head of innovation Philip Lockwood discusses NATO’s technological innovations at an event hosted by the German Marshall Fund of the United States today at 9 a.m.
- Assistant Attorney General for National Security Matthew G. Olsen discusses threats from China, Iran and other countries at an event hosted by the National Security Institute at George Mason University Law School today at 3 p.m.
- CISA Director Jen Easterly and others discuss the film “WarGames” at an event hosted by Columbia University's Hacked Film Festival, DEFRAG, on Thursday at 7:30 p.m.
Secure log off
Thanks for reading. See you tomorrow.