
President Obama creates new cyber sanctions programme - tekacs
http://www.bbc.co.uk/news/world-us-canada-32151406
======
cooked
> sanction "individuals or entities" that pose a cyber threat to the "national
> security, foreign policy, or economic health or financial stability of the
> United States,"

If you detangle the weasel words, this is basically "emergency executive
powers to do whatever we want to people we don't like, as long as we can tie
it back to the internet". Combined with the existing surveillance dragnet,
that's horrifying.

~~~
GabrielF00
No, it doesn't mean that the executive branch can do "whatever [it] wants", it
means that the executive branch can seize US assets from certain people
outside the US or prevent them from accessing the US financial system.

That's a lot of power, but it isn't unlimited power.

~~~
fweespeech
It can seize assets from any foreign national based on the standards of
evidence they've used in the past to declare someone a "hacker".

Under the CFAA, accessing a web page as an unauthorized person would probably
be justification enough.

~~~
navait
You're missing the part where criminal intent is required.

~~~
pzxc
Aaron Swartz didn't have criminal intent. Look how that turned out. Even if he
hadn't committed suicide, look at how that _would have_ turned out.

Intent speaks to motivation, which speaks to the internal workings of one's
mind. That may be relevant in a criminal trial. But it's far too nebulous of a
concept to be considered when they're deciding whether to freeze your bank
account. So they won't, no matter what lip service they pay.

They will "freeze first and ask questions later." We all know it's the truth.

~~~
jackpirate
He certainly did have criminal intent in that he knew what he was doing was
against the law.

------
balabaster
Given the U.S. Government's laughable ability to properly classify "hackers"
apart from script kiddies, security experts, programmers, I.T. admins and any
other computer "expert" where does that leave anyone in the I.T. industry that
a politically influential corporation [i.e. Sony et al.] takes a dislike to? A
software engineer posts a politically embarrassing YouTube video and is
arrested as a hacker and thus a cyber terrorist under the guise of "national
security"?

~~~
task_queue
Reminder that not using a browser to access a website has been construed as
hacking.

Reminder that 90% of development tools are hacking tools. Subversion has
subversion right in the name.

~~~
johngalt
> not using a browser to access a website has been construed as hacking.

Huh? I haven't heard that one before?

The whole 'hacking tools' thing is just ignorance. As if wireshark and port
scanners have no legitimate use. "We don't understand these things therefore
they are scary"

~~~
fweespeech
[http://arstechnica.com/security/2013/05/reporters-use-google...](http://arstechnica.com/security/2013/05/reporters-use-google-find-breach-get-branded-as-hackers/)

[http://www.washingtonpost.com/blogs/worldviews/wp/2013/07/30...](http://www.washingtonpost.com/blogs/worldviews/wp/2013/07/30/the-free-web-program-that-got-bradley-manning-convicted-of-computer-fraud/)

> That Manning was convicted of computer fraud seems to suggest that using
> wget on a U.S. government computer to download large numbers of files can be
> considered the digital equivalent of trespassing – even if it's on turf
> you're otherwise allowed to access.

I think this is what he means.

~~~
ethanbond
What the... This is a _simple_ distinction.

Computer fraud means using a computer to do something you're not authorized to
do. He was not authorized to use wget, he used it, thus he committed fraud.

He was authorized to access that "turf," but not with wget. Why? Specifically
for the reason he did it: it's a risk.

Whatever your opinion on whistleblower protections, this is not a risky
judgment.

~~~
Crito
Does any American website enumerate in their terms of use the software that
you are allowed to use to access them? Could they?

~~~
ethanbond
No, but I'm almost certain that the DOD's filesystem likely includes a "using
any unapproved software to access this system is considered unauthorized."

It's almost as if there's a difference between DOD classified file storage and
google.com.

~~~
Crito
_Could_ it be done with a non-DOD site? If not, why not?

Could I make a website that immediately drops you onto a landing page that
says _"The rest of this website may only be accessed using Safari. Use of
Firefox, Chrome, or any other software constitutes unauthorized access."_?

~~~
snowwrestler
Yes, you could make such a website, but I doubt that it would mean anything in
court.

Manning was active-duty military, accessing classified military systems. There
are all sorts of duties, laws, and regulations that apply to that situation
that don't apply to a civilian accessing some random website on the web.

------
nickysielicki
First of all, this article doesn't have a single criticism of this?

It is really scary to me that our lawmakers are enacting legislation for
topics they have absolutely no personal experience with. Their decisions are
based on what can only amount to 100 hours, optimistically, of information
sessions given by people representing multinationals with agendas.

All I want to know is what the hell constitutes a "malicious cyber activity".
Is that as innocuous as U.S. v Auernheimer?

~~~
tekacs
This article is by the BBC. Most of us Brits consider it a national treasure
for providing relatively unbiased and often deadpan reporting on news topics.
:)

That's not to say that there couldn't have been criticism if another source
provided them with some, but the BBC tend not to provide their own 'opinion'
as a criticism (think Wikipedia).

~~~
vdnkh
I work with a bunch of Brits and they say the BBC leans heavily left like NPR
here.

~~~
_delirium
I read/listen to a bit of both (despite living in Denmark), and they strike me
as leaning upper-class more than anything else, especially NPR. High culture,
art museums and classical music, cultured fancy vacation destinations (Venice!
Paris!), that kind of thing. Which all strikes me as more bourgeois than left.
The upper classes aren't very culturally conservative, and are embarrassed by
reactionary groups with lower-class bases, like UKIP or the Tea Party, so
could be grouped on the left if your idea of left is opposing such groups. But
they aren't very left economically, and keep their distance from lower-class
movements on the left too, anything that gets too "red".

In a Danish context I would imagine the archetypical NPR listener voting for
the Social Liberals, who are basically in the exact center (socially liberal,
economically free-market, but not radically so in either category).

~~~
task_queue
In the US there is no economic left. The left and right are distinguished by
their social policy.

------
fweespeech
I submitted the Politico article yesterday:

[http://www.politico.com/story/2015/04/new-us-sanctions-forei...](http://www.politico.com/story/2015/04/new-us-sanctions-foreign-hacker-cyber-spy-116579.html)

> President Barack Obama said Wednesday that the U.S. will now treat foreign
> hackers and cyber spies like terrorists and nuclear arms dealers.

There is also the medium post he made about it [claiming legitimate security
researchers won't be targeted, not that I really believe that]:

[https://medium.com/@PresidentObama/a-new-tool-against-cyber-...](https://medium.com/@PresidentObama/a-new-tool-against-cyber-threats-1a30c188bc4)

To be honest, it sounds like Obama is positioning all "hackers" as
"terrorists" and "foreigners" in the public view. I fully expect him or the
next President to declare a "War on Cybercrime".

It also means, as of today, the Treasury can literally freeze all of the
assets of any non-US citizen on circumstantial evidence. Let's face it, the
case against North Korea for the Sony Hack is primarily based on
circumstantial evidence. It's indicative but none of it truly is proof.

It also pretty much creates a situation where the Executive can freeze the
accounts of anyone it doesn't like on circumstantial evidence. Eventually, if
they continue the "hackers == terrorists" mantra...they'll start throwing them
in prisons without trials. And let us be honest, we all know this is where it
is going to go eventually.

To the average person, the computer is a magical box. This makes it the
perfect weapon for a terrorist group with the right type of fanatic to engage
in cybercrime to fund their operations while simultaneously the perfect tool
to suppress people on the basis of circumstantial evidence that the public,
frankly, doesn't understand.

I doubt it would ever be used against a US Citizen but already we have
security researchers being treated like criminals when they try to enter the
US. And, frankly, we have some obligation to say "Hey, this isn't right".

------
basicallydan
I'm a little surprised that this BBC article doesn't mention the ongoing DDoS
attack on GitHub by China.

Does it seem like this programme could give US authorities the power to
sanction the Chinese government over something like a DDoS attack?

EDIT: Ah, looks like GitHub is back to normal. Maybe the attacks are over now?

~~~
drzaiusapelord
This is exactly what this is. China and Russia have legitimized cybercrime.
It's done openly with approval of the government. See Brian Krebs's expose on
various cyberwarrior Russian companies that operate with impunity.

The US can identify these companies and sanction them, which is something they
should have done long ago. If you don't want sanctions, don't attack our
infrastructure or citizens. Autocratic one party states need to be reminded
that we won't stand for this shit any longer. What China did to Github is
inexcusable and deserves a response.

~~~
notsony
> What China did to Github is inexcusable.

How do you know it was China? An IP address does not mean the person sitting
behind the computer is Chinese. The person could just as easily be controlling
a botnet from a VPN while sipping a latte in a coffee shop in Palo Alto.

~~~
igammarays
Read the details of the attack. It's not a botnet. The attack works by
injecting malicious JavaScript into common websites within Chinese borders,
and doing this _only_ for visitors of these files from outside China.

Only the Great Firewall (or the website owners, i.e. government-controlled
Baidu) can possibly do that.

[http://www.netresec.com/?month=2015-03&page=blog&post=china%...](http://www.netresec.com/?month=2015-03&page=blog&post=china%27s-man-on-the-side-attack-on-github)

------
sandworm
DPRK attacks film studio = sanctions, counterattack, TO WAR!

China attacks Github = nothing, silence, heads kept in sand.

The attack itself is irrelevant. The scale of response is only related,
inversely related, to the political size of the attackers. Small countries and
individuals are to be punished. Large countries holding billions of US debt
are to be forgiven. The extent of damage done doesn't enter into the equation.

~~~
themeek
The United States hacks and counterattacks China all of the time.

The reason for calling the DPRK's attack on the propaganda creation of the
State Department 'cyberterrorism' and 'cyberwar' is that it aligns with US
foreign policy (SK's official policy now is to pursue reunification).

NK is going down - China is more complicated. We do hack and counterattack
China though, all the time.

------
codazoda
I haven't done any research into what this executive order actually does but
language like "not one we expect to use everyday" makes me nervous. This
sounds like down-playing. Laws written with good intentions are often used
later in ways and at frequencies with which they weren't designed.

~~~
johngalt
If they say "we don't expect to use it everyday", that means they expect to
use it every hour.

~~~
balabaster
no, just on days where they need to shut someone up ;)

------
yAnonymous
So, are the U.S. going to sanction themselves?

~~~
arh68
Good question. Should the US be sanctioned for DDoSing North Korea? Should the
US be surprised when China enacts similar legislation?

~~~
borgia
> Should the US be surprised when China enacts similar legislation?

I wouldn't be surprised to see Obama label such an act by China as an "act of
war".

~~~
LLWM
I would. Doing that without any follow-up erodes your credibility. And the US
is not going to go to war with China.

------
omgitstom
It is like the only tool the US government has to handle this problem is a
hand grenade. No precision.

All it is going to take is one lazily worded law / executive order, and anyone
in the security space could have the possibility to go to jail if enforced
broadly.

~~~
balabaster
You'll be fine, just don't piss off anyone that has influential lobbyists...
like the communications, media, banking or oil & gas companies, the NRA, any
corporations or financial transactions that politicians have stakes in, anyone
in authority or anyone that could make your life... uncomfortable. You'll
probably be fine. Maybe :P

~~~
omgitstom
I'm pretty sure if the government wanted me in jail, they could do so.

As the machine gears turn and laws are created as time moves forward, I don't
see any other outcome than total lock down. All liberties and freedoms are
gone.

------
ck2
Can we get spammers labeled as terrorists?

~~~
balabaster
Can we also get the guys who keep leaving unsolicited advertising on my car at
the station and also on my front doorstep despite a sign on my front door
saying "No junk mail" classified the same?

------
chucksmart
Sidestep Congress with a 'national emergency.' Really necessary?

~~~
tptacek
The mechanisms of "national emergency" and the IEEPA are both products of
congressional oversight. If they didn't want him to be able to do that, they
could repeal the IEEPA. Of course, this is pretty silly: if they put this
executive order to a vote in the House, the only flak Obama would get is that
he is not also bombing China.

------
kordless
I submitted the RT story yesterday:
[https://news.ycombinator.com/item?id=9305942](https://news.ycombinator.com/item?id=9305942).
The RT article has a copy of the executive order, which is a legally binding
law enabling _"promulgation of rules and regulations"_ until it (hopefully)
is reviewed and struck down by the judicial system as being unconstitutional.
Given what we've seen historically from this White House and Congress, I'm not
holding my breath.

This legally binding order gives the US Government the right to lay claim to
assets held by individuals and corporations who may _"constitute an unusual
and extraordinary threat to the national security, foreign policy, and economy
of the United States"_, all without prior notice.

Laws and legal contracts provide us a trusted system by which we may operate
within a society. By 'sweeping off' certain rights, that trust is effectively
eroded to the point implicit trust is all that remains of the 'contract' held
with the governing body, in this case the US Government. This opens up the
path to abuse of power by certain individuals by enabling them to hack the
remaining (implicit) trust to suit their own needs.

While cyber criminals should be held accountable for their actions and the
acts they commit can create additional suffering for individuals, corporations
and communities, I don't feel eroding trust of the governing body of a country
is the most logical approach to combatting crime committed by the criminals.
Implicit trust in things of importance, especially infrastructure, never ends
well for the parties trying to trust each other. FWIW, this is an opinion
based on trust observations seen while working on infrastructure, which is not
necessarily a fact of all our reality. At the very least, this is a
complicated issue.

There are certainly other avenues available to us for addressing criminal
behavior on the Internet. Those avenues are most likely technical in nature,
and are clearly well beyond the responsibilities (or abilities) of The Office
of the President of the United States.

It _feels_ like the US is currently in a massive bout of cognitive
dissonance: wanting to stop attacks while (at least for some) holding our
freedoms as individuals to high levels. As with most duality situations, this
will resolve itself at a future date in one way or another. For all of us, I
hope this is done in a transparent, trustworthy and LEGAL way.

I would add that implementing technical measures to combat these attacks in
and of themselves could be considered violations of this Executive Order as
they may be judged by the government at will: _"any person determined by the
Secretary of the Treasury, in consultation with the Attorney General and the
Secretary of State, to be responsible for or complicit in, or to have engaged
in, directly or indirectly, cyber-enabled activities originating from, or
directed by persons located, in whole or in substantial part, outside the
United States that are reasonably likely to result in, or have materially
contributed to, a significant threat to the national security, foreign policy,
or economic health or financial stability of the United States"_.

 _Cyber-enabled activities likely to result in a threat_. Think about it.

------
sarciszewski
I think this is a pretty clear sign that hackers should seriously consider a
mass exodus from the United States. This decision might not be right for
everyone, of course, but neither is having your life destroyed because of the
foolish executive orders.

------
belorn
I guess it's a start, even if the irony seems a bit thick with NSA on the
forefront with offensive cyber operations.

Has there been anything similar to Stuxnet from China?

