Article Lead Image

How the government scapegoats hackers to justify violating your privacy

It's not just a matter of bombings anymore. Now, even code poses a threat.


Gillian Branstetter

Internet Culture

Posted on Oct 21, 2015   Updated on May 27, 2021, 6:43 pm CDT

The anonymous hacker is quickly replacing the terrorist as the go-to bogeyman in the American cultural imagination. Like Islamist radicals, the kinds of hackers that have brought down the servers of corporate giants and government agencies are mysterious and stealthy, spreading fear and paranoia from a faraway land. 

In April, President Obama made the ideological connection between the two official with an Executive Order declaring a national emergency due to “malicious cyber-enabled activities” which constitute “an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

Both the Islamist radical and the Chinese, North Korean, or Russian hacker are frightening specters who deserve the attention of the American government. But as much as the federal government granted itself sweeping and invasive authority to violate the rights of millions of Americans in the name of fighting terror, today’s government once again steps over Constitutional boundaries in the name of keeping Americans safe from a new kind of threat.

The Cybersecurity Information Sharing Act (CISA), part of Obama’s increased push for cybersecurity in response to last year’s Sony Pictures hack, represents such a step. The bill sounds innocuous enough: It encourages companies to share data about hacks with each other and the federal government so all parties can better prevent further theft of Americans’ data.

The bill sounds innocuous enough: It encourages companies to share data about hacks with each other and the federal government so all parties can better prevent further theft of Americans’ data.

But CISA stands to make the same mistakes CISPA did in 2013. Just as advocates for increased government surveillance manipulated public fears about terrorism to defend the PATRIOT Act, advocates for CISA are relying on the high-profile breaches at U.S. companies and government agencies to further invade the private digital lives of Americans.

This has become abundantly clear in the past month—which Obama designated Cybersecurity Awareness Month. The Senate Intelligence Committee, chaired by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), immediately seized upon a breach at credit agency Experian as in order to pass “important, balanced legislation to help companies get the information they need to stop losses like this.” Burr and Feinstein argued that opponents to the bill (which include Silicon Valley giants like Google and Apple and the Electronic Frontier Foundation) “will only succeed in allowing more personal information to be compromised to criminals and foreign countries.”

Legislators conducted similar fear-mongering tactics in support of CISPA, the last attempt in Congress’s whack-a-mole regulation of the Internet. The games first began with 2012’s Stop Online Piracy Act (SOPA). Despite criticisms from Silicon Valley, the EFF, and even the White House (which now supports CISA), lawmakers like Rep. Mike McCaul (R-Texas) said CISPA would help to prevent “digital bombs” and former New York representative Dan Maffei claimed the bill would stop attempts to “hack into our nation’s power grid.”

As much as it was the case with CISPA (which failed to pass through the Senate due to privacy concerns), CISA would not just be invasive but ineffective at preventing the kinds of threats its proponents suggest. The Computer & Communications Industry Association—which represents tech giants like Google, Facebook, eBay, Sprint, and Yelp—released a statement saying CISA “does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.” The group particularly called out CISA’s doctrine of “hack-backs.” Termed “digital revenge” by PCWorld’s Melissa Riofrio, these would enable companies to respond to hackers, even state-sponsored ones, with little oversight.

What we truly have to fear are faulty, invasive solutions promising to prevent events they can’t all in the name of fear itself.

This is very reminiscent of the federal response to the threat of terrorism—which resulted in bills, laws, and programs that failed at their mission to keep interests of the U.S. safe, and only succeeded at violating our basic rights. Much like CISA, leaders describe the NSA’s mass surveillance program— revealed by former contractor Edward Snowden in 2013—as a necessity to fight a strange and enigmatic evil. Obama and former Vice President Dick Cheney find themselves on rare common ground here—the former claims the NSA’s spying program stopped 50 distinct terrorist attacks (a claim since thoroughly debunked) and the latter claims that NSA spying could have prevented 9/11.

But much like CISA, the surveillance conducted in the name of fighting terrorism has made us less safe. In a massive report published shortly after the Snowden leaks, the New York Times disclosed that the NSA’s lengthy campaign against encryption in commercial electronic devices has likely left millions of Americans vulnerable. “They’re not just spying on the bad guys,” security expert Bruce Schneier told the MIT Technology Review, “they’re deliberately weakening Internet security for everyone. … It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create.”

The road to such invasive and dangerous threats to our privacy is paved with good intentions. The NSA likely genuinely believes they are protecting Americans and fighting terrorists, while CISA is an honest attempt by the Obama administration and members of Congress to build a coalition of private and public actors to prevent devastating data breaches. Hackers are an actual threat to average Americans, and cyberwarfare stands to replace traditional battle and espionage as the foremost theater of international conflict.

But the real threat is not nefarious foreign hackers or terrorists. What we truly have to fear are faulty, invasive solutions promising to prevent events they can’t all in the name of fear itself.

Gillian Branstetter is a social commentator with a focus on the intersection of technology, security, and politics. Her work has appeared in the Washington Post, Business Insider, Salon, the Week, and xoJane. She attended Pennsylvania State University. Follow her on Twitter @GillBranstetter

Illustration by Tiffany Pai

Share this article
*First Published: Oct 21, 2015, 6:57 pm CDT