The first fallout from Cybergate

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/35447.html

By Mark Rasch
SecurityFocus
Posted: 10/02/2004 

Did Republican staffers commit a crime by clicking on the "My Network
Places" icon to access Democratic memos, asks SecurityFocus columnist
Mark Rasch.

Politics is dirty business, and rarely so much as in the area of
patronage: appointments to sought-after federal jobs in general, and
to the federal bench in particular. So it should be little surprise
that, with so much at stake, one political party would want to use the
insecurity inherent in computerized databases to its political
advantage.

What is surprising, however, is that, caught with their hand in the
cookie jar, Senate Republicans employed the tactic of blaming the
victim: they said, in essence, It's your fault that we got and used
your information. If successful, this tactic does not bode well for
the government's ability to prosecute computer crimes, and to protect
critical infrastructures.

With the resignation last Thursday of Senate staffer Manuel Miranda as
the first victim of what I might call "cybergate," we may learn
whether this tactic will be pursued and whether it will be ultimately
successful.

The scandal itself revolves around the process by which federal judges
are appointed, and more importantly, how such appointments are blocked
by the opposing party. When President George W. Bush came to office,
he sought to make numerous appointments to the federal bench -- some
to positions that conservative Republicans had deliberately left
vacant for years of Democratic administrations.

The Democrats, at the time a majority in the Senate, sought to use
tactics similar to those they criticized Republicans for in preventing
such nominations from reaching a vote on the floor of the Senate. The
key Senate Committee responsible for such appointments was the
Judiciary Committee.

Democratic staffers wrote and transmitted confidential memoranda
describing the means they would use to block such nominations in
general, and the nomination of conservative Republican Miguel Estrada
in particular. A year ago, in February 2003, columnist Robert Novak --
the same columnist responsible for revealing the name of a CIA
operative on a leak from government officials -- published information
from these Democratic strategy memos. Novak reported that the
information came from "internal Senate sources" but refused to
identify these sources when questioned by Boston Globe reporter
Charlie Savage.

It now appears that the memos were stored on a computer server that
also served the Judiciary Committee. When the Republicans regained
control of the Senate, they regained control of the Judiciary
Committee as well. Eager young staffers apparently discovered that
access to the Democratic strategy memos was not password-protected,
and was located on the shared server, where they could access it by
clicking on the "My Network Places" icon on their own desktops.

There is some dispute over what happened next -- though in my opinion
it makes no difference. The Republicans argued that a computer
technician told the Democrats about the configuration problem in the
summer of 2002, and the Democrats claim they knew nothing about it
until November of 2003. In either event, it's clear that Republican
staffers, learning of the lack of protection to the documents, used
the opportunity to take, read and leak the contents of the memos.

The 'They Deserved It' Defense

When the source and method of the leaks became apparent, the Senate
Sergeant at Arms launched an investigation. Former Republican Senate
Judiciary Committee Staffer Manuel Miranda came under suspicion, as he
was one of the committee's point people on judicial appointments, and
had since left the Judiciary committee to work for Senate Majority
Leader Bill Frist.

What is amazing is what comes next. When interviewed by the Boston
Globe about the incident, Miranda reportedly claimed that the only
wrongdoing was on the part of the Democrats, both for the content of
their memos, and for their negligence in placing them where they could
be seen.

"There appears to have been no hacking, no stealing, and no violation
of any Senate rule," the Globe quoted Miranda as saying. "Stealing
assumes a property right and there is no property right to a
government document. . . . These documents are not covered under the
Senate disclosure rule because they are not official business and, to
the extent they were disclosed, they were disclosed inadvertently by
negligent [Democratic] staff."

So, Miranda claims it isn't stealing because you can't steal
government documents, and it's not a violation of the rules because
they aren't government documents. Or something like that. He also
seems to argue that the password misconfiguration made the documents
fair game.

There was a time when that would have been true.

When the federal computer crime law passed was passed by Congress in
1986, the statute only made it illegal to access certain computers
(deemed "federal interest computers") without authorization, and made
no provision for those who exceeded the scope of authorized access.  
This was not an oversight, but a deliberate limitation on the scope of
the statute, and it was cited by courts in, for example, dismissing
computer crime charges against Boston IRS employee Richard Czubinski
who repeatedly violated rules and searched IRS databases for
information about friends, relatives and political enemies. Congress
specifically indicated that people who were authorized users of a
computer system, and who used that access to look at individual files
they were not supposed to see, should not be covered by the law.

But in one of the many amendments to the federal computer crime
statute, Congress changed the wording, and explicitly criminalized the
act of exceeding the scope of authorized access to a system. Doing
this to federal computers is outlawed by Title 18 U.S.C. 1030(a)(2),
which makes it a crime to intentionally access a computer without
authorization or to exceed authorized access, and thereby obtain
"information from any department or agency of the United States."

So, did the Republican Judiciary Committee staffers violate the law?

What I love about being a lawyer is that the answer to any question is
always the same: "It depends." The law requires proof that the
unauthorized access, or the exceeding of authorized access, was done
intentionally.

With no passwords, and no lines of demarcation, it is possible to
argue that the Republicans' access to the Democratic strategy
documents was not deliberate, or that it was not exceeding the scope
of authorization, because all of the documents were on a single,
unprotected server.

This, of course, defies common sense, but the law often defies common
sense. Similarly, the federal law requires proof that the information
obtained be obtained from "an agency or Department of the United
States." It seems that Miranda is arguing that, when the Democratic
staffers act in a political capacity, their documents no longer relate
to an Agency or Department - it's just politics. Finally, Miranda
seems to argue that there is no proprietary right to government
documents. While he is correct that government documents are not
entitled to copyright protection, this does not imply that it is
therefore okay to break into a computer database and take them.

The investigation continues, and Miranda, while continuing to proclaim
his innocence, is so far the only casualty. But if his argument that
failures of security excuse the taking of documents is accepted,
truth, justice and information security may be the next casualties of
political warfare.


Mark D. Rasch, J.D., is a former head of the Justice Department's
computer crime unit, and now serves as Senior Vice President and Chief
Security Counsel at Solutionary Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.