Back in August, I wrote a post wondering whether the following clause in the Cybersecurity Information Sharing Act (CISA) would provide a way for corporations to avoid any government action punishing them for their negligence on cybersecurity.
(D) FEDERAL REGULATORY AUTHORITY.—
(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.
(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.
My worry was that a serial hacking target like Wyndham — or even just a company with sloppy security like GM — could immediately share information on a hack (or even a vulnerability identified by a security researcher that technically violated the company’s DMCA rights) with the government, and in doing so avoid any further action from the government on that point.
Something similar appears to happen with the Bank Secrecy Act: banks share information and therefore limit their liability for money laundering or supporting terrorists or what have you.
If my concern is correct, it would give companies that chose not to fix vulnerabilities a way to avoid NHTSA-required recalls or FTC lawsuits.
At Computers, Freedom and Privacy, I asked the author of CISA, Senate Intelligence Committee staffer Josh Alexander, about the clause.
His only response was to point to this language permitting disclosure of information.
(a) Otherwise Lawful Disclosures.—Nothing in this Act shall be construed—
(1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by an entity to any other entity or the Federal Government under this Act; or
(2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this Act.
He emphasized that the government could still respond to unlawful activity. But bad security is not unlawful.
In other words, he had no response to my concerns. Which leads me to believe CISA guts the government’s ability to punish companies that don’t fix their security issues.
I guess that explains why the Chamber of Commerce is so excited about the bill.
Last week, Wired had a story about a hack of GM vehicles that the car company took 5 years to fix. As the story explains, while GM tried to fix the vulnerability right away, their efforts didn’t completely fix the problem until GM quietly sent a fix to its vehicles over their Verizon network earlier this year.
GM did, in fact, make real efforts between 2010 and late 2014 to shield its vehicles from that attack method, and patched the flaws it used in later versions of OnStar. But until the surreptitious over-the-air patch it finished rolling out this year, none of its security measures fully prevented the exploit in vehicles using the vulnerable eighth generation OnStar units.
The article uses this as a lesson in how ill-equipped car companies were in 2010 (notably, right after they had been put through bankruptcy) to fix such things, and how much more attentive they have become in the interim.
GM tells WIRED that it has since developed the ability to push so-called “over-the-air” updates to its vehicles. The company eventually used that technique to patch the software in its OnStar computers via the same cellular Internet connection the UCSD and UW researchers exploited to hack the Impala. Starting in November of 2014, through the first months of 2015, the company says it silently pushed out a software update over its Verizon network to millions of vehicles with the vulnerable Generation 8 OnStar computer.
Aside from the strangely delayed timing of that patch, even the existence of any cellular update feature comes as a surprise to the UCSD and UW researchers. They had believed that the OnStar computers could be patched only by driving them one-by-one to a dealership, a cumbersome and expensive fix that would have likely required a recall.
GM chief product cybersecurity officer Jeff Massimilla hints to WIRED that performing the cellular update on five-year-old OnStar computers required some sort of clever hack, though he refused to share details. “We provided a software update over the air that allowed us to remediate the vulnerability,” Massimilla writes in an email. “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”
What Wired doesn’t note is that GM was in the thick of recall hell by November 2014 because of its delay, during the same period, in fixing ignition problems. It’s not just the network problem GM wasn’t fixing, it was more traditional problems as well. Whatever hack GM pulled off, starting in November 2014 as a kluge to fix a long-running problem, GM did so while under great pressure for having sat on other (more obviously dangerous) problems with their cars. GM also did so knowing their recognizable Impala would be shown on 60 Minutes exhibiting this problem.
In late 2014, they demonstrated it yet again for a 60 Minutes episode that would air in February of 2015. (For both shows they carefully masking-taped the car’s logos to prevent it from being identified, though car blog Jalopnik nonetheless identified the Impala from the 60 Minutes demo.)
So GM had a lot more urgency to find curious hacks in November 2014 than they did in 2010.
Dianne Feinstein just gave a long speech on the Senate floor supporting the Cybersecurity Information Sharing Act (CISA).
She rattled off a list of shocking hacks that happened in the last year or so, though she made no effort to show (or even claim) that CISA would have prevented any of them.
She listed some of the 56 corporations and business organizations that support the bill.
Most interestingly, she boasted that yesterday she received a letter from GM supporting the bill. We should pass CISA, Feinstein suggests, because General Motors, on August 4, 2015, decided to support the bill.
I actually think that’s reason to oppose the bill.
As I have written elsewhere — most recently this column at the DailyDot — one of my concerns about the bill is the possibility that by sharing data under the immunity afforded by the bill, corporations might dodge liability where it otherwise might serve as necessary safety and security leverage.
Immunizing corporations may make it harder for the government to push companies to improve their security. As Wyden explained, while the bill would let the government use data shared to prosecute crimes, the government couldn’t use it to demand security improvements at those companies. “The bill creates what I consider to be a double standard—really a bizarre double standard in that private information that is shared about individuals can be used for a variety of non-cyber security purposes, including law enforcement action against these individuals,” Wyden said, “but information about the companies supplying that information generally may not be used to police those companies.”
Financial information-sharing laws may illustrate why Wyden is concerned. Under that model, banks and other financial institutions are obligated to report suspicious transactions to the Treasury Department, but, as in CISA, they receive in return immunity from civil suits as well as consideration in case of sanctions, for self-reporting. “Consideration,” meaning that enforcement authorities take into account a financial institution’s cooperation with the legally mandated disclosures when considering whether to sanction them for any revealed wrongdoing. Perhaps as a result, in spite of abundant evidence that banks have facilitated crimes—such as money laundering for drug cartels and terrorists—the Department of Justice has not managed to prosecute them. When asked during her confirmation hearing why she had not prosecuted HSBC for facilitating money laundering when she presided over an investigation of the company as U.S. Attorney for the Eastern District of New York, Attorney General Loretta Lynch said there was not sufficient “admissible” evidence to indict, suggesting they had information they could not use.
In the same column, I pointed out the different approach to cybersecurity — for cars at least — of the SPY Car Act, introduced by Ed Markey and Richard Blumenthal, which affirmatively requires certain cybersecurity and privacy protections.
Increased attention on the susceptibility of networked cars—heightened by but not actually precipitated by the report of a successful remote hack of a Jeep Cherokee—led two other senators, Ed Markey and Richard Blumenthal, to adopt a different approach. They introduced the Security and Privacy in Your Car Act, which would require privacy disclosures, adequate cybersecurity defenses, and additional reporting from companies making networked cars and also require that customers be allowed to opt out of letting the companies collect data from their cars.
The SPY Car Act adopts a radically different approach to cybersecurity than CISA in that it requires basic defenses from corporations selling networked products. Whereas CISA supersedes privacy protections for consumers like the Electronic Communications Privacy Act, the SPY Car Act would enhance privacy for those using networked cars. Additionally, while CISA gives corporations immunity so long as they share information, SPY Car emphasizes corporate liability and regulatory compliance.
I’m actually not sure how you could have both CISA and the SPY Car Act, because the former’s immunity would undercut the regulatory limits of the latter. (I asked both Markey’s and Blumenthal’s offices, but they blew off repeated requests for an answer on this point.)
Which brings me back to GM’s decision — yesterday!!! — to support CISA.
The researchers who remotely hacked a car used a Jeep Cherokee. But an analysis they did last year found the Cadillac Escalade to be the second most hackable car among those they reviewed (and I have reason to believe there are other GM products that are probably even more hackable).
So … the researchers revealed they could remotely hack cars on July 21; Markey introduced his bill the same day. And then on August 4, GM for the first time signed up for a bill that would give it immunity if it starts sharing data with the government in the name of cybersecurity.
Now maybe I’m wrong in my suspicion that CISA’s immunity would provide corporations a way to limit their other liability for cybersecurity so long as they had handed over a bunch of data to the government, even if it incriminated them.
But we sure ought to answer that question before we go immunizing corporations whose negligence might leave us more open to attack.
But I don’t know how anyone thought a bankster–and particularly this bankster–could say this and still wield any credibility.
From Washington’s point of view, divesting its remaining shares will end an uncomfortable and distinctly un-American period of government ownership in a major industrial company.
Sure. Rattner places this sentiment in “Washington’s point of view.” Still, consider the messenger.
After all, he barely mentions here–as he did in his book–that this was not just a bailout of some industrial companies. It was also a bailout of two finance companies, Chrysler Finance and GMAC (he mentions that the government still owns Ally/GMAC, but still calls the scorecard, “nearly complete”). As such, it was also the bailout of the Private Equity firm, Cerberus, that had spent the previous years stripping Chrysler in the hopes of retaining just the finance arms.
He also neglects to mention that the government still pursues the un-American policy of treating banks according to a different set of rules, not only providing them free money, but seemingly exempting them from all laws.
Finally, he shows no self-awareness of his own history, including paying kickbacks so his firm could make big money off of New York State (for which he, like all banksters, got a mere wrist-slap).
I’m not saying the government should hold onto its GM stake forever (though unlike Rattner, executive compensation is the last reason I’d cite to applaud this sale). But having someone like Rattner call government intervention in purportedly capitalist companies un-American only perpetuates the idea that industrial companies should have to abide by so-called rules of capitalism that the titans of capitalism, the banksters, have all but discarded.
[I posted substantially this post yesterday, but the BlogGods ate it along the way. So I’m reposting.]
Along with the deceitful attack on Italians who make better car company owners than GOP Private Equity types and the Lee Iacocca spin, Mitt has rolled out a radio version of his attack on the auto bailout. From Greg Sargent, here’s part of the script:
Barack Obama says he saved the auto industry. But for who? Ohio, or China? Under President Obama, GM cut 15,000 American jobs. But they are planning to double the number of cars built in China — which means 15,000 more jobs for China.
And now comes word that Chrysler plans to start making jeeps in — you guessed it — China. What happened to the promises made to autoworkers in Toledo and throughout Ohio — the same hard-working men and women who were told that Obama’s auto bailout would help them?
The ad continues Mitt’s deceptive insinuation that GM and Chrysler aren’t also adding jobs in the US, which they are doing.
But it does something else. It takes a decidedly anti-profit stance.
You see, there are two reasons car companies are so gung-ho to enter (or re-enter, in the case of Jeep) the Chinese market. First, because it’s growing; when I was working in China, auto people considered the rising Chinese middle class to be 300 million, almost the entire population of the US. And most of them were just aspiring to buy their first car. That’s a whole lot of first-time car buyers to sell to, as compared to US consumers, who are driving less and replacing their cars at a slower pace given more durable cars.
The other reason to go to China? Profit margins are bigger there than here. When I was in Shanghai in the mid-2000s, the profit margin on Buick Regals was about $2,000, as compared to the roughly $200 profit margin on a similar car here. The margins are closer now (because manufacturing in the US has gotten cheaper and in China has gotten more expensive), but China still offers good profit margins. Selling Buick Regals or Jeeps in China allows GM and Chrysler to accept lower margins on cars here.
By selling high margin cars in China, US companies can be more competitive here, meaning they will be able to expand sales and therefore production here, too.
All this is implicit in Sergio Marchionne’s response to Mitt’s ignorant rantings.
Together, we are working to establish a global enterprise and previously announced our intent to return Jeep production to China, the world’s largest auto market, in order to satisfy local market demand, which would not otherwise be accessible. Chrysler Group is interested in expanding the customer base for our award-winning Jeep vehicles, which can only be done by establishing local production. This will ultimately help bolster the Jeep brand, and solidify the resilience of U.S. jobs.
Marchionne notes 1) you can’t sell in China unless you build in China, 2) selling in China makes the Jeep brand stronger, 3) making the Jeep brand (and its profit margins) stronger makes it easier to keep up US production.
Marchionne’s implicit point should be where this discussion is heading: free trade hasn’t worked out to be fair trade. China–and Japan and Korea–still protect their markets, meaning if you want to sell there, you’ve got to make cars there.
Mitt has promised to get tough on China. But his series of auto ads have made no mention–not a peep!–of how he’ll reverse this practice and make it possible for Jeep to export cars made in Toledo. Indeed, when Obama launched a trade dispute over auto parts in September, Mitt scoffed at the effort (and ignored Obama’s decent and sustained effort launching trade disputes, one of which, pertaining to specialty steel, recently won at the WTO).
“The president may think that announcing new trade lawsuits less than two months before the election will distract from his record, but American businesses and workers struggling on an uneven playing field know better,” Mr. Romney said in a speech to the Hispanic Chamber of Commerce in Los Angeles.
Mitt Romney wants to attack American companies for going where profits are. And he’s doing so without discussing why that’s necessary.
That makes him neither a tough guy nor a good businessman.
As part of its effort to pretend that Mitt would be good for the auto industry, the campaign had Lee Iacocca sum up why Mitt would be good for the auto industry.
The first paragraph of specifics reads:
When Mitt Romney is president, he will reduce our nation’s corporate tax rate to 25 percent from 35 percent – currently the highest combined tax rate in the industrial world – so that American car companies can compete on a level playing field at home and abroad. He will also stop the extra tax automakers are forced to pay when they want to bring home their profits to reinvest in the United States. President Obama could have done this the day he took office since his party controlled both houses of Congress, but he chose not to. [my emphasis]
Obama, of course, has a tax credit specifically for manufacturing companies, meaning under Obama the auto companies would pay less than under Mitt.
But the other part–particularly against Mitt’s egregious claims that the auto bailout has helped Chrysler and GM move production overseas–is even more ridiculous.
Iacocca says Mitt would be better for the auto companies because he’d allow the auto companies to repatriate profits from overseas without paying taxes.
But that assumes, of course, they’re making profits overseas. It would mean they were doing precisely the thing Mitt is attacking–moving into new markets, like China.
So on the same day Mitt attacks Chrysler and GM for making and selling cars in China, generating greater profit they can use to support workers here, his campaign sends out a post boasting that Mitt would let Chrysler and GM pay less tax domestically on the profits they made by making and selling cars in China.
So Mitt is still trying to dig himself out of the hole he created when he declared, “Let Detroit go bankrupt”?
I suspect most of the commentary on this ad will focus on the irony that, had Mitt had his way, all of GM’s dealers would have gone under, and without the buyout deals they ultimately got.
Me, I’m a bit surprised that Mitt didn’t choose an IN Chrysler dealer. Not only did Chrysler offer its dealers a much stingier package, but some dealers from IN fought losing their franchises all the way to SCOTUS, and some are still suing over “takings.”
But I’m most surprised by the sparse language used here to portray a dealer closure: “I received a letter from General Motors: they were suspending my credit line.”
Credit lines?!?!? Mitt wants to tug at heart strings and hit Obama with an attack akin to the Bain attacks that are working so well in swing states by invoking credit lines?!?!? Really?
Yes, it is true that at the heart of any car dealer is a credit line. But by including that in this ad, it seems to me, Mitt does several things. It reminds everyone who knows what role a credit line plays in a car dealer that the precipitating cause of the auto crash was the credit crash. It reminds viewers that the banksters, in killing their own industry, also killed the car industry. And not just any banksters, either. In GM’s case, the bankster in question was 51% owned by Cerberus Capital, a bunch of high profile Republicans (Dan Quayle and John Snow, among others) who were trying to do what Mitt got rich off: looting companies (in Cerberus’ case, including Chrysler) while profiting from the financialization that such looting offered. Only they were so bad at it, they effectively had to be bailed out by the taxpayers along with GM and Chrysler.
Thus, the villain in this ad–at least as described by the dealer–is someone just like Mitt, only stupider. The villain in the ad is not Obama–not to people who know how the auto industry works. It’s Mitt’s stupid Republican friends.
Someone gave Mitt Romney a shovel just in time to dig shit snow in MI for the next two weeks. There’s a lot that is fact-impaired in this op-ed doubling down on “let GM go bankrupt” (starting with the lack of funding for a bankruptcy, meaning a managed bankruptcy was impossible).
By the spring of 2009, instead of the free market doing what it does best, we got a major taste of crony capitalism, Obama-style.
Thus, the outcome of the managed bankruptcy proceedings was dictated by the terms of the bailout. Chrysler’s “secured creditors,” who in the normal course of affairs should have been first in line for compensation, were given short shrift, while at the same time, the UAW’s union-boss-controlled trust fund received a 55 percent stake in the firm.
He’s complaining, of course, that VEBA (the trust fund run by professionals that allowed the auto companies to spin off contractual obligations–retiree healthcare–to the unions) got a stake in Chrysler while Chrysler’s secured creditors took a haircut.
So, in part, he’s basically complaining that the bailout preserved the healthcare a bunch of 55+ year old blue collar workers were promised. He’s pissed they got to keep their healthcare.
He’s also complaining that banks took a haircut, as would happen in any managed bankruptcy.
But it’s more than that. He’s complaining that a bunch of banks that themselves had been bailed out had to take a haircut. He’s complaining, for example, that JP Morgan Chase, Chrysler’s largest creditor at the time and the recipient, itself, of $68.6B in bailout loans, had to take a haircut on $2B in loans to Chrysler.
Mitt’s op-ed makes him sound a lot like Jimmy Lee, Chase’s top negotiator on the auto bailout, who,
demanded to know why, if the government thought banks important enough to give them tens of billions in TARP money, it wanted to squeeze them on [the Chrysler] deal.
I guess Mitt, too, thinks the banks are so important that they should take precedence over retiree healthcare.
But as the kind of bankster who, at Bain, relied on government subsidies to fund his “restructurings” that ended up taking people’s jobs and healthcare, that’s not all that surprising.
Still, the UAW retirees who still have healthcare today instead of Jamie Dimon having another yacht probably don’t feel the same way as Mitt does.
The Obama Administration was gung ho to brag about the GM IPO last year. But if I’m not mistaken, this is the first time the White House has bragged nationally about jobs created thanks to the auto bailout (Ron Bloom, who got promoted into an official Assistant to the President role at the beginning of the year, wrote this).
Today brings word of more good news for the American auto industry. GM announced that it would hire 4,200 workers at seventeen of its plants around the country.
President Obama took office amidst the worst recession in a generation and nowhere was this devastion [sic] felt harder than in the American auto industry and the communities it has supported for decades. In the year before GM and Chrysler filed for bankruptcy, the auto industry shed over 400,000 jobs.
Facing this situation head on, the President made a bold and, at the time, politically unpopular choice: Despite calls from critics to simply let these companies – and the entire American auto industry – crumble, he refused to allow these companies to fail. Had the Administration failed to intervene, conservative estimates suggest that it would have cost at least an additional one million jobs and devastated vast parts of our nation’s industrial heartland.
But at the same time, the President did not provide unconditional support. He insisted that the companies and their stakeholders make tough choices and undertake massive restructurings requiring huge sacrifices from all of their stakeholders.
Because of this “tough love,” the American auto industry is now positioned to grow and prosper as the economy recovers. Since GM and Chrysler emerged from bankruptcy in June 2009 the auto industry has added 115,000 jobs – the fastest pace of job growth in the auto industry since 1998. Last year, for the first time in 16 years, the Detroit Three actually gained market share compared to their foreign counterparts.
And these companies are not just making cars and trucks – they’re making the kind of fuel efficient cars and trucks that will power us to energy independence, protect consumers against rising gas prices, and ensure America wins the future.
Some of the workers GM is hiring and re-hiring in today’s announcement will be at work producing larger-than-initially-planned quantities of the widely acclaimed Chevy Volt. And just last month, Ford – which didn’t receive government assistance but which supported our aid to GM and Chrysler and has said publicly that it would not have survived if the rest of the American auto industry had been allowed to collapse – reported its best first-quarter profit in more than a decade thanks in large part to its new fuel-efficient vehicles.
In the wake of an historic recession, there is no doubt that much work remains. And we will not rest until every American who is looking for work can find a job. But today’s announcement is another positive sign – including more than 2 million private sector jobs created over the past 14 months – that we’re seeing across the country.
The comparative silence about the success of the bailout in the terms that really matter to actual people–jobs–not only confirms Main Street suspicions about the White House viewing the economy solely through the lens of the banksters, but it also leads beltway folks like John Dickerson to wonder out loud whether there is anything a President can do to fix the economy (Dickerson must have skipped those weeks when his American history class covered the New Deal).
The effects of the too-small stimulus, though real, are a lot harder to see. But aside from the decade-long Military Industrial Complex stimulus the DC area has enjoyed, the auto bailout and related energy investments were the biggest concentrated stimulus the Administration championed. And it has had an effect, both in hiring at GM and Chrysler and in hiring in MI more generally.
It’d be nice if the Administration not only bragged about that, but replicated it for places like Nevada.
Update: John Dickerson corrects me; this July 2010 briefing (a presser leading up to an Obama trip to visit several plants in the Midwest) bragged about jobs created. Thanks to Dickerson for the correction.
Let me say at the outset that the GM bailout was far, far better handled than the bankster bailouts. And as a Michigan resident whose family still has ties to the auto business, I am tremendously grateful for that bailout.
That said, this is why I have not declared mission accomplished, in spite of the successful IPO last year.
You see, no one will be able to weigh the success or failure of the GM bailout for another year or so–until such time as the cars developed entirely under the leadership team picked by a bunch of people who knew nothing about the auto industry start rolling off the lines. As I noted last year, the success of the IPO was significantly premised on a number of business decisions made by Rick Wagoner and others fired during the bailout. Wagoner deserves the credit for his emphasis on China (and places like Brazil), which is the biggest source of GM’s profit these days and was widely touted as the reason it made a good stock buy. And Bob Lutz deserves the credit for GM’s improved product line.
So we won’t know whether the bailout succeeded until we see whether the guys now in charge can make decisions that are as smart as those made by the guys fired in the bailout.
Yet, as MSNBC lays out, it looks like the finance guys Steven Rattner brought in to run a car company have thus far, predictably, made some really stupid decisions.
[GM CEO Daniel] Akerson recently told the Wall Street Journal that a GM car was just like the can of Diet Coke he was drinking during the interview.
“It’s a consumer product,” he said. “GM has to start acting like a consumer-driven, not engineering-driven, company. We sell a consumer product — our can just costs $30,000.”
Industry insiders with a memory of the 1990s immediately blasted this view as a return to [GM]’s failed [early 1990s] strategy to commoditize a product for which a strong emotional connection is important to drive sales and to cultivate brand loyalty.
“The only difference between GM then and GM now is that this is a company that has only recently emerged from the abyss of bankruptcy, one that can ill-afford a single misstep brought upon by misguided leadership, even though it has the most competitive lineup (of vehicles) it has had in decades,” [auto writer Peter] Delorenzo said.
It’s one thing to try to sell sugar water with nothing more than emotional attachment. But so long as there are well-engineered vehicles like Hondas on the road, you can’t dismiss the importance of engineering in designing cars.
In addition, Akerson (like Ed Whitacre before him) is trying to cut the time to market for GM’s cars.
Now Akerson says speed and cost are the aspects on which he will concentrate, telling the Journal that “during World War II, GM produced tanks and equipment within four years. Why should it take four years to put a car out?”
There have, historically, been two models for cutting the time to market for cars. There’s the model Chrysler used in the late 1990s, which led to the introduction of things like the PT Cruiser that were cute but which weren’t really good cars; that’s one of the things that led to a serious decline in Chrysler’s quality. Then there’s Toyota’s quality driven approach, which has served as the standard for Ford and GM in recent years as they have accelerated their own development time frame.
But as Toyota’s recent troubles show, not even Toyota can make cars in as short a time frame as they do and ensure their quality. What makes Akerson think GM can do what Toyota can’t?