Does this sound like a Michael Crichton novel? We can only hope. Several news agencies are reporting on a study released by Mandiant, an American computer security firm, that has traced huge volumes of hacking activity to a building in a rundown neighborhood of Shanghai believed to be under the control of a Chinese military unit identified as the “Comment Crew” or “Shanghai Group.”
What are they after? In addition to orchestrating attacks against high level US and Canadian government interests, they are increasingly targeting the intellectual property of companies involved in critical infrastructure such as the electrical power grid, gas lines, and waterworks. Other industries targeted include information technology, aerospace, military contractors, satellite and telecommunications, financial services, and even legal services. The group is reportedly draining terabytes of data from these sources.
The study details the efforts of the Comment Crew in hacking Coca-Cola during its acquisition of a large Chinese company, presumably in an effort to uncover negotiation strategies and other information critical to the deal. The attack was traced to a “spearphishing” email sent to a Coca-Cola executive. The email appeared to be from a friend and included a link that initiated the download of malicious code. The executive clicked on the link.
The group is also believed responsible for a similar attack on RSA, the computer security company owned by EMC, a large technology company. RSA is best known for its SecurID token, carried by employees at United States intelligence agencies, military contractors, and many major companies.
Scary stuff indeed! Cyberwarfare, or government-sponsored cyberattacks, is not new, and there have been many high-profile incidents in the news. According to former US national security advisor Richard Clarke, Israel used cyberwarfare to make its planes invisible to the Syrian air command system during a 2007 bombing raid carried out against a nuclear facility under construction in Syria. The US and Israel are believed to be responsible for the attack on an Iranian uranium enrichment facility that supposedly destroyed several pieces of key equipment using a highly sophisticated computer virus. The Chinese are also believed to have gained access to key elements of the F-35 advanced fighter jet when they hacked into the computer systems of BAE Systems, a British defense contractor.
In an attempt to head off more of these types of attacks, the Obama administration last week issued a cybersecurity executive order designed to promote security through a joint government and industry self-monitoring program. The order puts into place key elements of the cybersecurity legislation that was defeated last term by a Republican filibuster and was opposed by key groups like the US Chamber of Commerce for fear that it would place undue regulatory burdens on business.
Government-sponsored cyberattacks on business are a somewhat new phenomenon and seriously escalate the risks of business-to-business dealings. I suspect we only know the tip of the iceberg when it comes to hacking, and the protection of key business intellectual assets should be at the forefront of all business dealings. It would appear that you cannot really be too cautious these days.
The January 11, 2013 suicide of internet activist Aaron Swartz has sparked a debate about the proper scope and application of the criminal provisions of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq.
Two days after his death, The New York Times reported that Aaron’s “family said in part: ‘Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. attorney’s office and at M.I.T. contributed to his death.’” Similarly, The Rolling Stone reported on January 23 that “Swartz’s friends and family have said they believe he was driven to his death by a justice system that hounded him needlessly over an alleged crime with no real victims,” and “Swartz’s tragic death has already begun forcing lawmakers to start rethinking our draconian computer laws. And House Oversight Committee Chairman Darrell Issa (R-California) even promised an investigation of the Justice Department prosecutors who did their best to send a young Internet pioneer to prison.”
Yet, George Washington University Law School’s Professor Orin S. Kerr of The Volokh Conspiracy has committed to writing a two-part post as an apology for the prosecution of Aaron. Part 1 of Professor Kerr’s post summarizes the criminal charges against Aaron, describes the alleged criminal conduct and explains that: “Aaron Swartz decided to ‘liberate’ the entire JSTOR database[, much of which is copyrighted, according to the indictment.] He wanted everyone to have access to all of the journals in the database, so he came up with a plan to gain access to the database and copy it so he could make it publicly available to everyone via filesharing networks.” Professor Kerr tentatively concludes: “I think the charges against Swartz were based on a fair reading of the law. None of the charges involved aggressive readings of the law or any apparent prosecutorial overreach. All of the charges were based on established caselaw. Indeed, once the decision to charge the case had been made, the charges brought here were pretty much what any good federal prosecutor would have charged.”
Stanford Law School’s Professor Jennifer Granick disagrees, and she chastises Professor Kerr for lumping Aaron’s alleged conduct of “circumventing code-based restrictions” in with the crime of “using someone else’s password, which is the quintessential access without authorization” proscribed by the CFAA because, as Professor Granick explained, “[u]sing another person’s password gets you access to their files. Circumventing the JSTOR/MIT efforts to block him merely got Aaron _fast_ access to files he was already authorized to download.” Professor Granick, like Professor Kerr, has written a two-part blog post, entitled Towards Learning from Losing Aaron Swartz.
The outcry surrounding Aaron’s suicide is understandable. As JSTOR recognizes: “He was a truly gifted person who made important contributions to the development of the internet and the web from which we all benefit.” Yet a reform of the CFAA should be based on desired, rational outcomes, not a grief reaction to the tragic loss of Aaron Swartz.
Accordingly, any proposal for immediate reform should be received with equally immediate skepticism. To illustrate, Forbes has reported that “an ‘Aaron’s Law’ that’s already been proposed to make those reforms may need serious tweaking if it’s going to prevent the next overzealous hacker crackdown.” More specifically, Forbes quotes Tor Ekeland, the attorney for convicted hacker Andrew Auernheimer (a/k/a Weev), who says that “[t]he [CFAA] is a prosecutor’s wet dream and a defendant’s nightmare,” and that “[a]mending the definition of unauthorized access to exclude [terms of service] violations is just putting a band aid on a gaping, gushing wound.”
Professor Granick proposes that we learn from losing Aaron. I agree. But the lessons from the loss of such genius should be infinitely more thoughtful and intricate than some myopic fix of the CFAA.