For several years now, Congress has been wandering around the wilderness, trying to figure out why so much of America’s intellectual property is being sucked into a giant vortex somewhere over Asia and whether they should do something to stop it, like maybe pass a cybersecurity law. They’ve taken innumerable swings at it, and struck out every time, with the two parties unable to agree on what needs to be in a cybersecurity bill and what entities should be covered by it. Now Congress is in recess and it looks less and less likely that anything will be passed before the end of the session. And, for once, we all should be thankful for our lawmakers’ inability to act.
Congress is good at several things. It’s good at acting in its own interest. It’s good at posturing and showboating. And it’s good at taking nice, long breaks. What it’s not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms and government agencies with an alarming rate of success.
These are not isolated incidents or a string of small attacks over a long period of time. What’s happening is a coordinated, professional series of attacks from a handful of groups with highly skilled members. Some of these groups are private, others are government-funded and others are somewhere in the middle. They’re doing original vulnerability research, buying zero days from others in the underground and using custom malware to go after a specific set of targets with strategic and commercial value. If that sounds like the recipe for something over which Congress would panic and then run off and pass some ill-conceived piece of legislation, it is.
Luckily, Congress hasn’t been able to do that.
Because the last thing this situation needs is a goofy, compromised new law mandating yet another set of standards for companies and government agencies to check off. We’ve been going down that road for the last decade and it hasn’t worked. Not only have things not improved, they’ve been getting worse by the year, and no amount of legislation or regulation is going to fix that. This is not a government-solvable problem, at least not in the traditional sense.
But Congress, or at least some members of it, don’t seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation.
“Countless national security leaders from your Administration and the previous Administration have made clear that the threat from cyber attack is similar to the threat we faced from terrorism on September 10, 2001 – the danger is real and imminent, yet we have not acted to defend against it. We know our adversaries are already stealing valuable intellectual property and exploiting our critical infrastructure – those systems that control our water, electricity, transportation, finance, and communications systems – to prepare for attack,” Lieberman, the chairman of the Homeland Security and Governmental Affairs Committee, wrote in the letter.
“Therefore, I urge you to use your executive authority to the maximum extent possible to defend the nation from cyber attack. For example, under current law, as set forth in Title II of the Homeland Security Act of 2002, the Department of Homeland Security has clear authority, if directed by you, to conduct risk assessments of critical infrastructure, identify those systems or assets that are most vulnerable to cyber attack, and issue voluntary standards for those critical systems or assets to maintain adequate cybersecurity. Though executive action cannot offer private sector entities liability protections for compliance with these guidelines, I urge you to consider other incentives that you can offer by executive action to companies that own critical cyber infrastructure and decide to comply with the cyber defense standards that result from your Executive Order.”
Let’s be clear: If the companies that own and operate critical infrastructure–not to mention defense contractors–don’t understand the nature of the threat they’re facing at this point, no amount of incentives is going to change that. Neither Congress nor the president can fix this problem with the kinds of solutions they’re considering.
The one thing that could truly make a difference is a major change in the way that threat intelligence is handled. Information sharing has been a go-to theme for legislators, government security officials and others in the industry for years now. In theory, the idea is great. Government agencies and private companies share data on attacks and vulnerabilities, making the information gathered by one valuable to all. But in practice, it often fails, as companies and especially government agencies are reluctant to give up specifics on attacks or threats they’ve run into. As understandable as that is, it’s done no one any good up to this point. We’ve tried information sharing in any number of ways, and it just hasn’t made a difference.
What could make a major difference is making threat intelligence freely available, well beyond the normal borders of ISACs or other closed groups that normally have access to such data. Companies, government agencies, utilities and all kinds of other organizations are attacked every day, with a wide variety of tactics, exploits and techniques. Some of these companies have been facing attacks from high-level groups for several years now and have a good handle on their methodologies and patterns. Other organizations could benefit from the collective intelligence gathered by their peers in other targeted companies, giving them crucial insight into the way their adversaries operate.
The counter argument to this always has been that publishing data on attacks and vulnerabilities being targeted would give the attackers too much information on U.S. networks and their weak spots. Unfortunately, they have that information already, and have had for a long time. The time has come to shift the thinking from information sharing to widespread publication. Adam Shostack discussed this idea earlier this year in regards to data breaches.
“We all agree, it’s appropriate when the victim is known and the vulnerability addressed, or when the victim is anonymized. The victim may be known because of breach disclosure, or because the hackers engaged in defacement or data dumping. Contrast that with ‘sharing’ under some constrained set of conditions,” he wrote.
“The instant you go from publish to sharing, you start spending time and money on controlling who can see the data. That time and money is always limited, and so we should evaluate the return on that investment. Further, the instant that you start to de-contextualize an incident, by definition, you’re removing information that someone might use to gain understanding.”
The idea has broader application than just data breach information, of course, and it could be a vital component of a strategy to begin turning the tide against sophisticated attackers. The key would be finding the right platform and method for publishing this data, which would be difficult. But it can’t be any more difficult than defending against these attacks on your own, without any data and without any help.
We’ve tried that, and look where it’s gotten us.