In the wake of the most recent attack on [insert name of entity] the White House has announced a new initiative to finally tackle the problem of cybersecurity. It’s a wake-up call.
It’s like déjà vu all over again. Or more like Charlie Brown and Lucy. The problem isn’t a lack of intention. It’s not that the government – whatever administration may be in charge – doesn’t WANT to make computers and networks more secure (well, it doesn’t want to make SOME computers and networks more secure at least). It’s that there is only so much a GOVERNMENT can do. They can reward. Punish. Lead by example. Develop [usually outdated] standards. Come up with new technologies. Buy stuff. Give stuff away. That’s about it.
The White House on Tuesday announced a new Cybersecurity initiative that does a bit from column A and a bit from column B. Like any other legislative proposal in the next 2 years, it’s unknown whether this has a snowball’s chance of passing. But remember, it’s a wake-up call.
Any legislative proposal always includes something to do with public-private partnership and information sharing. Why? Because it is something that theoretically can be done. And something that theoretically can help. Theoretically. That assumes that a significant part of the day-to-day problem is that the average CISO lacks sufficient information to do their job.
What is really needed is what the spooks and wonks call “actionable intelligence.” Don’t tell me what’s going on – tell me what to do, when, and why. Let me assess business impact.
As the White House observed, “the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) by providing targeted liability protection for companies that share information with these entities.”
Yup. The reason I am not picking up the phone and telling others about threat, vulnerability, or incident information is because I am concerned about liability for reporting it.
I am not aware of ANY cases in 30 years where a company has been successfully sued, prosecuted or investigated and punished for the act of reporting a security incident. Sure, they have been sued for failing to have adequate security, or for mishandling a response, or for violating laws, regulations and contracts. But never have I seen any company held liable for the ACT of reporting the breach. And that is despite the fact that, in many cases (say, Target?), the act of reporting the breach caused an order of magnitude more damage, and cost the company several orders of magnitude more money than the actual breach did.
So what’s the purpose of this “targeted liability protection?” If I report a rumor or something, and I am wrong, and others act on it, they could theoretically sue ME for negligent reporting.
In theory, if I irresponsibly attribute an attack to someone not responsible, I could be held liable for defamation, or even possibly for the actions of other hackers who “hack back” based on my negligent attribution.
But we have to ask whether the potential for liability prevents me from reporting ANYTHING, or simply encourages me to report responsibly? Conversely, if we provide liability protection, what happens is that Citibank says, “Mark D. Rasch is responsible for the attack on our networks. Go get him!!” and when it turns out they are wrong, and I am defamed and attacked, they present the Roseanne Roseannadanna defense (kids, ask your parents). Never mind.
Companies keep saying that the REASON they don’t report or share information is fear of liability. Maybe. But mostly, it’s fear of embarrassment (personal and professional, individual and institutional), and sheer laziness. And because they see no real advantage to it.
If we do “targeted” liability protection we have to make sure that the cure is not worse than the disease.
ISACs and Privacy
Sure, NOW you want privacy. Where were you when the NSA and the Coca Cola Company (How I Learned to Love the Bomb) were sucking up data?
The White House also says that they will, “safeguard Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared in order to qualify for liability protection.”
So while I am being hacked, and want to call the Feds or share info with others, I have to take the time and effort to scrub the data of “unnecessary” personal information? IP addresses? Employee access lists? Possible targets? And then, of course (as the White House acknowledges) the government will have to scrub the data from its own networks. How? Not sure. What data? Ask again later. And who decides what information is “unnecessary?” Take a guess. Lawyers.
More Crimes – More Criminals
The White House also wants a new law that “would allow for the prosecution of the sale of botnets.” Huh? You mean that conspiracy to commit computer crime, and conspiracy to commit sale of access devices, and conspiracy to commit wire fraud, and conspiracy to commit theft aren’t crimes?
One of the problems with “new” crimes is that they are not, for the most part, subject to extradition, since extradition laws require “mutual criminality.” Thus, the “botnets for sale” law would likely not be subject to extradition unless other countries passed similar laws. Unless, of course, it is already a crime, which it is.
I am sure that the administration will trot out examples of people who went scot-free for selling botnets because we didn’t have laws expressly prohibiting it. Yeah. I’ll wait for that list.
The administration also wants to “criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers.” I thought 18 USC 1029, 1341, and 641 did that.
In fact, I could swear people have been prosecuted for that. But maybe the White House is proposing to make it a crime in the United States for a Bulgarian in Sofia to sell to a Hungarian in Budapest information which may have, at one time, been in a computer in São Paulo, if the financial information relates to a U.S. person, or maybe if it came from a U.S. institution.
The problem isn’t that sale of stolen financial information isn’t and shouldn’t be a crime. It is, and it should be. The question is what should be the reach of the U.S. domestic criminal law.
Or, to put it more parochially, should a kid in Dubuque be subject to prosecution in Teheran for selling a credit card number of a person from Esfarayen? It’s called “extraterritorial jurisdiction,” and it’s a touchy international subject.
Suffice it to say, that we LOVE it when we can extend the reach of OUR laws. Not so much when others want to prosecute our people here in the ‘good ole US of A’ for violating THEIR laws.
Again, the devil is in the details.
The White House also proposes to “expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft” – ’cause making SPYWARE alone a crime isn’t enough (see 18 USC 1030). It’s not clear how law enforcement would “deter” the sale of such spyware. This may hearken back to the German “criminalizing tools” debate. Software doesn’t kill people. People kill people. Except when software kills them first.
The government also asked for legislation to “give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.”
Other criminal activity? Anywhere in the world? On whose say-so and with what protections if they are wrong? What if the North Korean government wanted to shut down a massive distribution channel dedicated to distributing criminal materials that defamed and mocked the Dear Leader? We’d be down with that, right? I mean, if a Court in Pyongyang ordered it pursuant to a law passed by the Supreme People’s Assembly, right?
I’m not opposed to giving the government the tools it NEEDS to accomplish legitimate objectives, provided that the tools are limited, the objectives defined, AND the use of these tools for other purposes prohibited. It’s just that I have never seen that happen.
Take for example the government’s proposal to “update the Racketeering Influenced and Corrupt Organizations Act (RICO) so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes.”
Now RICO was one of those “tools” that the government “needed” to combat “organized crime.” There is no doubt that organized criminals commit cybercrime. But most RICO prosecutions are not aimed at organized crime – they are aimed at whatever poor schmuck the government can get. Again, it ain’t the tool. It’s the person wielding it.
The government also wants to amend (um “modernize”) the computer crime law to make it clear that the statute “can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.”
This goes to the whole debate about whether all “unauthorized” uses of a computer (say, checking the Packers score, or lying about your weight on Match.com) should be criminal. That needs to be clarified. For sure. But this idea of using information obtained for someone’s own purposes being a computer crime? That sounds very dangerous.
National Data Breach Reporting
Right now there is a patchwork quilt of mandatory data breach disclosure laws, depending on the state where the data subject “resides,” where the breach occurred, what kind of data was breached, where the company does business, and who regulates the company suffering the breach.
Breached entities have to navigate often-conflicting laws and regulations about what has to be told, to whom, when, and how. It’s good for the InfoSec business, but bad for business.
So the federal government is coming to the rescue, superseding these state laws, and having one national data breach disclosure law. No more searching for the fax number of the New Jersey State Police Cybercrime Division to notify them BEFORE you notify victims.
No more dozens of different press releases. One ring to rule them all, and in the darkness bind them. One of my pet peeves is the requirement in many of these laws to report “trivial” or “potential” breaches.
While I am a firm believer in telling people something if that will impact their behavior (e.g., cancel your card, dude!), the temporary loss of a laptop computer on a train where there is no reason to believe (and forensic investigation shows no reason to believe) that the data has been accessed causes needless worry, panic and expense. Make the loophole too big, and NOBODY reports anything. Make it too small, and we have millions of new data breaches. The key is, like Goldilocks, to get it JUUUUUST right.
The President announced a Cybersecurity Summit in February. Sure, we need more conferences and summits. Particularly at Stanford University because keynote speeches, panel discussions, and small group workshops are just what we need “to improve cybersecurity practices at a wide range of companies.”
We do need to share best or better practices. Not just at Stanford, but everywhere and every day. But there’s good coffee in Northern Cal, so there’s that at least.
We can expect a flood of new legislative initiatives, Executive Orders, funding proposals, and other ideas on cybersecurity. Some good. Some bad. All worthy of debate. But somehow I think we’ll be doing this again next year. And the year after that. Hit that snooze button for me, will you?