Politicians are supposed to represent the people who elected them into office. Lately, they have failed when it comes to a number of issues related to cybersecurity and privacy. For example, a bill was recently passed that repealed some regulations set for Internet service providers (ISPs) by the Federal Communications Commission (FCC). Also, the Central Intelligence Agency (CIA) is not quite as regulated as we are led to believe. Where the blame lies is debatable, but what matters now, as always, is for citizens to stay informed and learn what they can do to make sure that politicians represent the people and their best interests.
Senate Joint Resolution 34 of the 115th Congress was passed into law on April 4, 2017. This repealed some restrictions on ISPs that prevented them from selling customers' Internet history to other companies without their consent. The law has received major backlash because it allows ISPs to make a profit on a service that they are already charging you for and lets the companies who buy the browsing history identify what sites you may have visited, which is an invasion of privacy. This bill also eliminated some “data security and breach notification requirements” that were in place for ISPs. Generally, it is considered good practice to alert users of security breaches so they can protect themselves, but this bill has loosened the requirements for notifying customers that their data may have been stolen or that there was a breach.
How does something like this pass into law? Former U.S. Attorney for the Western District of Pennsylvania David J. Hickton explained to me that people do care, if given the opportunity, but mostly they just aren't informed. So what are we supposed to do about all of the public changes that people don't know about? Well, those of use in the know can contact our senators and representatives in Congress (more on this below). We can also spread the word so others become educated on the issues and encourage them to get involved.
Education is a critical part of the political process. Learning about cybersecurity and privacy issues and informing others can help further discussions about on what is going on and how to address these problems. The following sites offer helpful resources:
- EDUCAUSE Cybersecurity Initiative
- Electronic Frontier Foundation
- Global Cyber Alliance
- Stay Safe Online
Education leads to action. One example of civic activism is the case of net neutrality, which has been in the news recently. The comedian John Oliver initially brought awareness to the issue three years ago and "propelled an arcane telecom topic into the national debate by spurring millions of ordinary Americans to file comments with the Federal Communications Commission in favor of net neutrality." This powerful example demonstrates how people can be mobilized to put public interest ahead of private profit.
We as citizens need to demand greater governmental transparency and accountability to be able to address cybersecurity vulnerabilities, often retroactively. In a post-Snowden era, the issue of government surveillance must be addressed more effectively to ensure public safety and restore trust. For example, WikiLeaks Vault 7 revealed some startling methods that the CIA may be using to inject exploits into operating systems (including IOS, Android, MacOS, Windows, and Linux) in order to collect data. Again, this issue is not well known among the general public. The idea of the threat is simple: Linux and its distributions are typically open source and have a lot of code that people need to go through. Thousands of people work on this code, and updates are pushed out daily for all of the different aspects that go into building a functional operating system. In theory, an organization could inject some malicious code into these open-source codebases, leaving the software open to an exploit that the organization could take advantage of later. The Vault 7 leaks claim that this is exactly what was done by the CIA. WikiLeaks also claims that the CIA still keeps vulnerabilities they discover a secret so that they can exploit them, instead of informing the companies or organizations about the potential vulnerabilities so they can fix the problems and protect themselves and their clients.
The recent massive global ransomware cyberattack resulted from a similar exploitative strategy at the NSA, which was hoarding malicious software that feeds on a Microsoft vulnerability. Here we have yet another opportunity to heed worn-out wake-up call — what's needed is change on a systemic level and specific action.
On an individual level, we can all contact our elected officials to get involved. It is vital to let them know when we do not support their actions (putting our privacy at risk by selling our personal information to ISPs or compromising our security by hoarding software vulnerabilities) and hold them accountable. Educating ourselves and others is only part of the process. We need to take an active role so our voices can be heard on the issues that are important to us and, ultimately, effect change to protect our privacy and security.
Elton Hartman is an undergraduate student at the University of Pittsburgh.
© 2017 Elton Hartman. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.