Photo by Matt McClain, The Washington Post/Getty Images
Soldier at the 9/11 Memorial at the Pentagon.
Photograph by Matt McClain, The Washington Post/Getty Images.
Image credit: National Geographic

Being a sequence of quotations from contemporary articles contextualizing the visit of the rising Vice President of China amidst a conspicuously timed introduction of unprecedented domestic cybersecurity legislation.

National Post Full Comment (Feb 14) – “From bitter gruel, Xi Jinping to ascend to China’s top job” by Peter Goodspeed
http://fullcomment.nationalpost.com/2012/02/14/xi-jinping/

He arrives in Washington Tuesday on the first stop of a week-long tour of the United States in one of the final diplomatic rituals he must undergo before becoming China’s next leader.

Now vice-premier, Mr. Xi is widely expected to replace President Hu Jintao as secretary-general of the Chinese Communist Party in October, when China will change 60% of the members of the party’s Central Committee and replace seven of the nine members on the ruling Standing Committee of the Politburo.

By spring 2013, he should replace Mr. Hu as president, then become chairman of the Central Military Commission.

Meanwhile…

Hillicon Valley (Feb 13) – “Senate cybersecurity bill would let firms appeal Homeland Security regulations” by Gautham Nagesh
http://thehill.com/blogs/hillicon-valley/technology/210349-senate-cybersecurity-bill-would-let-firms-appeal-regulations

The legislation would task the Department of Homeland Security with determining which sectors of the economy would be covered by new cybersecurity regulations, after risk assessments in consultation with the private sector, the intelligence community and others.

But designated sectors would have the right to appeal whether the regulations apply to them. Several groups representing portions of the private sector considered part of the critical infrastructure have expressed concern about the impact of the regulations on both security and the bottom line.

“Passing the bill is crucial for national security, but not if the provisions on critical infrastructure regulation are watered down. This will be a real test for this Congress,” said James Lewis, senior fellow and director at the Center for Strategic and International Studies.

James A. Lewis is one of the star witnesses for the Senate Homeland Security and Governmental Affairs Committee’s hearing this Thursday on what has been termed “comprehensive” cybersecurity legislation being unveiled by Majority Chair Joe Lieberman and co-sponsor Minority Chair Susan Collins. Senator John (Jay) Rockefeller IV is the other primary co-sponsor, and will be the first witness at Thursday’s hearing.

Examples of sectors considered likely to fall under the new regulations are utilities, water treatment plants and transportation providers. Some sectors, such as major financial institutions and telecom providers, may ask for exemptions based on a demonstrated ability to secure their systems.

After determining which firms are critical infrastructure, DHS would then, in consultation with the private sector, determine cybersecurity performance requirements for firms in the covered sectors.

“There would be a huge market incentive for designated sectors to meet the security standards. But if they don’t DHS and the AG would decide on penalties,” said the spokesman.

What about international cybersecurity standards and practices?

WSJ (Jan 27) – “China’s Cyber Thievery is National Policy—And Must Be Challenged” by former NSA Director Mike McConnell, former Secretary of DHS Michael Chertoff, and former Deputy Secretary of Defense William Lynn.
http://online.wsj.com/article/SB10001424052970203718504577178832338032176.html
This appears to be a copy liberated from between the lines of Rupert Murdoch’s curious digital divide:
http://defense-technologynews.blogspot.com/2012/02/dtn-news-defense-intelligence-news.html

The bottom line is this: China has a massive, inexpensive work force ravenous for economic growth. It is much more efficient for the Chinese to steal innovations and intellectual property—the source code of advanced economies—than to incur the cost and time of creating their own. They turn those stolen ideas directly into production, creating products faster and cheaper than the U.S. and others.

Cyberspace is an ideal medium for stealing intellectual capital. Hackers can easily penetrate systems that transfer large amounts of data, while corporations and governments have a very hard time identifying specific perpetrators.

Stewart A. Baker, another witness for Thursday’s hearing, on the metaphorical wall isolating domestic and foreign intelligence gathering: “I thought that the civil liberties dangers it was supposed to ward off were probably more theoretical than real.”
http://www.skatingonstilts.com/skating-on-stilts/tired-of-reading-chapters-backwards.html

Continuing with the perspectives expressed in the WSJ:

The report to Congress notes that the U.S. intelligence community has improved its collaboration to better address cyber espionage in the military and national-security areas. Yet today’s legislative framework severely restricts us from fully addressing domestic economic espionage. The intelligence community must gain a stronger role in collecting and analyzing this economic data and making it available to appropriate government and commercial entities.

Congress and the administration must also create the means to actively force more information-sharing. While organizations (both in government and in the private sector) claim to share information, the opposite is usually the case, and this must be actively fixed.

National Journal (Feb 13) – “Feinstein Introduces Information-Sharing Bill Ahead Of Senate Cybersecurity Debate” by Josh Smith
http://techdailydose.nationaljournal.com/2012/02/feinstein-introduces-informati.php

Feinstein’s proposal would require the government to designate an agency as a “cybersecurity exchange” to coordinate information sharing; allow the government to share classified cybersecurity information with certain private-sector organizations; and provide liability protection for companies that share information.

“Alongside terrorism, cybersecurity is perhaps the number one threat facing our nation today, but many obstacles exist that prevent the cooperation and coordination needed to deter this growing threat,” Feinstein said in a statement.

NextGov (Feb 13) – “DHS budget would double cyber spending to $769 million” by Aliya Sternstein
http://www.nextgov.com/nextgov/ng_20120213_7454.php

There is bipartisan support for improving computer network defenses, so the outlook may be positive for obtaining much of the proposed $769 million from Congress. The funding would go toward the National Cyber Security Division for protecting federal networks and coordinating with the private sector on safeguarding critical infrastructure systems such as utility grids.

For perspective:

U.S. Department of Defense (Feb 13) – “DOD Releases Military Intelligence Program Requested Top Line Budget for Fiscal 2013”
http://www.defense.gov/releases/release.aspx?releaseid=15058

The Department of Defense released today the military intelligence program (MIP) requested top line budget for fiscal 2013. The total request, which includes both the base budget and Overseas Contingency Operations appropriations, is $19.2 billion.

The department determined that releasing this top line figure does not jeopardize any classified activities within the MIP. No other MIP budget figures or program details will be released, as they remain classified for national security reasons.

What is the mood of the Senate, and the posture towards the private sector?

United States Senate Democrats (Feb 9) – ‘[Senate Majority Leader Harry] Reid Outlines Process For Cybersecurity Legislation, Including “Fair and Open” Amendment Process [in letter to US Chamber of Commerce CEO Tom Donohue]’:
http://democrats.senate.gov/2012/02/09/reid-outlines-process-for-cybersecurity-legislation-including-%E2%80%9Cfair-and-open%E2%80%9D-amendment-process/

I was struck by the testimony of the leaders of our Intelligence Community at recent Intelligence Committee hearings. Director of National Intelligence James Clapper called cyber security “a profound threat to this country, to its future, its economy, and its very being.” And Robert Mueller, Director of the Federal Bureau of Investigation (FBI), stated that, “stopping terrorist attacks with the FBI is the present number one priority, but down the road, the cyberthreat, which cuts across all programs, will be the number one threat to the country.” Think about that: in the years to come, malicious cyber activity will pose a threat to our country greater than terrorism. We simply cannot afford to repeat the mistakes of the past by failing to prepare for the leading threats of the future.

Yet, addressing cyber security is not simply a matter of staving off a future threat; it demands that we stop the hemorrhaging of national security secrets, intellectual property, and jobs already underway. In a recent letter to Senate Republican Leader McConnell and myself, eight former high-ranking national security officials led by Secretary of Homeland Security Michael Chertoff and Secretary of Defense William Perry pointed out that, not only are critical infrastructure such as power plants and hospitals at risk; moreover, “foreign states are waging sustained campaigns to gather American intellectual property – the core assets of our innovation economy – through cyber-enabled espionage.” They counseled that the “constant barrage of cyber assaults has inflicted severe damage to our national and economic security, as well as to the privacy of individual citizens. The threat is only going to get worse. Inaction is not an acceptable option.”

At this point, all signs indicate informed consensus for this legislation to pass quickly through Committee into an opportunity for debate culminating in passage through the Senate.

In closing, witness Stewart A. Baker from his text Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism, (Stanford, California: Hoover Institution Press, 2010), p. 5-6.
http://www.skatingonstilts.com/skating-on-stilts/tired-of-reading-chapters-backwards.html

In the 1990s, after a term as the National Security Agency’s top lawyer, I spoke out in favor of keeping a wall between spies and cops. The idea was simple enough. Agencies like the National Security Agency (NSA) gathered intelligence on a global scale, and they rarely observed the legal constraints that applied to domestic policemen. To protect the civil liberties of Americans, it only made sense to separate intelligence gathered in that way from evidence assembled in a criminal investigation. With a wall between the two, criminal investigators from agencies like the Federal Bureau of Investigation (FBI) would be forced to observe the legal restrictions that went with criminal investigative tools. They wouldn’t be tempted to take the shortcut of using intelligence that had been gathered with less attention to civil liberties.

That was the theory, anyway. In practice, the wall crippled our last, best chance to catch the hijackers before September 11, 2001. In August of that year, the wall kept the FBI from launching a fullscale criminal search for the hijackers—even though all of our security agencies were expecting an imminent al Qaeda attack, and even though both the FBI and the Central Intelligence Agency (CIA) knew that two dangerous al Qaeda operatives had entered the United States. The failure to track those operatives down wasn’t a matter of incompetence or a failure to communicate, at least not in the last weeks. FBI criminal investigators spent the last part of August begging for a chance to track the terrorists. They were shut down cold—by lawyers who told them the wall simply could not be breached.

I wasn’t the most enthusiastic proponent of the wall. I thought that the civil liberties dangers it was supposed to ward off were probably more theoretical than real. But I saw no harm in building in an extra margin of protection for civil liberties. If nothing else, the wall would reassure privacy advocates in the courts, in the newspapers, and on Capitol Hill that intelligence would not be misused. It was insurance, not just for civil liberties, but for the intelligence agencies themselves. For both reasons, I thought, it was best to keep the wall high.

It made eminent sense inside the Beltway.

Until the world outside the Beltway broke through, just a few yards from where I’m standing.

Will the world outside the Beltway be heard in the composition of these new laws and during the creation of these new authorities? Are the new cyber sabers already rattling?

The Joy of Tech #354 - They always dreamed of having a home in the range
The Joy of Tech #354 - They always dreamed of having a home in the range

On Wednesday September 21st, EFF Austin [ @EFFaustin ] was notified about the Austin Police Department’s (APD) Digital Analysis Response Team’s [ DART, @APDDART ] “Operation Wardrive” [ #OpWardrive ] via the KVUE [ @KVUE ] news article that originally appeared at the following URI (it’s relatively common for journalism operations to reuse the same URI to track stories as they develop, sometimes redirecting to new articles):
http://www.kvue.com/news/local/APD-conductiong-Operation-Warfare-to-keep-internet-users-safe-130218768.html

For reference, the text of the original KVUE article is cited in EFF Austin’s response.

Beginning with KVUE’s article, which appears to have been the only source of information and perspective on APD’s intent, a largely uncoordinated but similarly informed collective action took place across multiple points of interface and communication with APD and the Austin City Council [ @AustinTexasGov, #ATXCouncil ]. This seems to have ensured that officials and decision makers in a position to intervene were made aware of public sentiment in a timely manner. Sufficient public concern was observed to motivate officials towards action.

There is uncertainty about whether “Operation Wardrive” has been canceled or postponed, as reflected in this sequence of tweets from KVUE’s account on Thursday morning.

@KVUE (Thu Sep 22 10:23am, 10:20am, 9:30am CST)
@KVUE (Thu Sep 22 10:23am, 10:20am, 9:30am CST)

APD Chief of Police Art Acevedo is more clear in his email response (Thu Sep 22 10:13:55am CST) to Austinite Mark Boyden‘s thoughtful email addressed to all Austin City Council members, several local activists, Acevedo, and APD Public Information Office Manager Anna Sabana.

Thank you for sharing your concerns with me. This WarDrive idea was not approved by APD Executive Staff and in fact has been disapproved. We will be releasing a statement later today. Although the involved unit’s intent was noble (educating the public about the risks to your personal information), a PSA or other educational effort would be much more effective. To place you further at ease, the idea was killed before actual implementation.

The APD Public Information Office did not publish a formal statement on Thursday via APD News Releases nor the City of Austin Communications and Public Information Office.

KVUE’s Shelton Green [ @SheltonG_KVUE, bio, email ] reached out to EFF Austin seeking our perspective for a follow-up story. EFF Austin President Jon Lebkowsky [ @jonl, wikipedia, homepage ] sat for that interview, which was crafted into the following story, which led the news on KVUE last night (Thu Sep 22 10:00pm).

What’s Next?

As Shelton Green mentions at the end of the story, EFF Austin would like to work with the Austin Police Department Digital Analysis Response Team to craft a winning public education campaign on the risks as well as the virtues of operating an open, publicly-accessible wireless access point. We’ve begun to compile information and gather existing recommendations in this space (if you have sources, please add as a comment or mention to @EFFaustin with hashtag #OpWardrive).

EFF Austin has also decided to continue with our Texas Public Information Act Open Records request. We expect to receive an assessment of the viability of each of our 10 specific inquiries along with an estimate of fees we must pay to have the records processed.

Yesterday, some members of the EFF Austin Board of Directors were frankly shocked by the arrival of an unsolicited $10 donation. I had forgotten we even have a Paypal account. But it made us feel good, and reminded us that we are embarking on a path which will have attendant fees and expenses. We would like to help serve the public interest by walking that path, and would therefore like to ask if you can help support our efforts. If you like what we’re doing, please consider donating (we’re a nonprofit) to help us defray approaching expenses. There’s a Paypal donate button at the upper right of this page.

We believe in transparency and sunlight’s powers of disinfection. EFF Austin will provide transparency into our expenses and you can be sure we will sing praises to our supporters for their role in helping us act. Thank you.

If you’d like to get more involved, consider following us on Twitter, liking us on Facebook, joining our interesting email discussion list, or coming to our next meetup.

Open Wireless Access Points - security threat?
Open Wireless Access Points - security threat?

Update (Sep 22 @ 1:07pm) – The Austin Police Department has decided to cancel Operation Wardrive and focus on the public education facet of this work. See Mark Boyden’s comment, an email response from APD Chief Art Acevedo. Thanks go to Scott Henson at Grits For Breakfast for his attention to this matter.

Yesterday (September 20th @ 2:46pm CST), KVUE News published an article relaying the Austin Police Department‘s intention to identify open residential wireless access points (WAPs) throughout the city.

Police will soon conduct an operation to find open wireless Internet connections in the city.

The APD Digital Analysis Response Team, or DART, will hold “Operation Wardrive” Thursday, Sept. 22. DART unit members will make contact with residents who have open wireless connections and teach them the importance of securing them.

This raises a number of immediate questions, perhaps the most simplistic and potentially revealing being simply: “why?” The answer to that question appears to be the same answer provided for lots of questions lately: safety.

From the article:

Leaving your wireless network open invites a number of problems:

  • You may exceed the number of connections permitted by your Internet service provider.
  • Users piggy-backing on your internet connection might use up your bandwidth and slow your connection.
  • Users piggy-backing on your internet connection might engage in illegal activity that will be traced to you.
  • Malicious users may be able to monitor your Internet activity and steal passwords and other sensitive information.
  • Malicious users may be able to access files on your computer, install spyware and other malicious programs, or take control of your computer.

The EFF Austin Board of Directors finds nothing wrong with this analysis of the potential risks Internet users undertake when intentionally or unintentionally leaving their wireless access points open for shared use. In fact, we could cite a few more. However, these are much the same risks that Internet users undertake when using ANY shared wireless access point, such as those provided by cafés, public parks, or the Austin Public Library.

Missing from the cited analysis is any recognition of potential benefits to be gained from publicly sharing one’s wireless access point. Lately, the virtues of contributing to any shared commons tends to be overshadowed by fears of bad actors (both real and imagined). For some facts, it’s worth reviewing cryptographer and computer security specialist Bruce Schneier‘s discussion on the virtues and risks of running an open wireless network.

More importantly, missing from the cited analysis is any recognition of the unintended consequences of APD collecting this information. The Austin Police Department is a public agency and is thus subject to the Texas Public Information Act (TPIA), Chapter 552 of the Texas Government Code, which guarantees the public’s access to information in the custody of government agencies. As a result of undertaking “Operation Wardrive” the records generated by that operation are subject to open records requests. That information is potentially valuable to perpetrators interested in undertaking the kind of malfeasance outlined in the KVUE article.

The EFF Austin Board is not interested in this data beyond knowing what is collected and why. We are more interested in the provenance of this Austin Police Department operation, and doing what we can to help APD increase public education about the virtues and risks of running an open wireless access point. To that end, we have decided to file an Open Records request today seeking information on this operation.

“Operation Wardrive” Open Records Request (Sep 21, 2011)