Two Steps Forward, One Step Back

The real work now begins — making everyone safe and regaining trust in our infrastructure.

“Everyone is online, and everyone is vulnerable.”

-Barack Obama

Part of embracing worldwide internet connectivity and access to information is recognizing the inherent risks — risks that are not commonly addressed by individuals or businesses. There is an ingrained “not my problem”, or more correctly “someone else’s problem,” mentality to security. We have been conditioned for years to “take the blue pill,” and accept some old practices (installing an antivirus on an individual PC or using a firewall to protect an organization’s network). These practices are the silver bullet for organizations who believe that they will be “taken care of” by merely installing new software. For some time, we have been repeatedly faced with the harsh reality — Target, Sony and Anthem just to name a few. On an individual level, we keep hearing of compromised social media accounts used to tarnish brand names, promote political agendas and defraud individuals. However, these events are often attributed to foreign nations (an easy “out,” especially if we keep saying it was China/Russia/North Korea — the obvious villains), and we go on with our lives without learning any lessons.

Additionally, we haven’t figured out how to learn from each other’s mistakes and incidents. CERTs (Computer Emergency Readiness Teams) have existed for decades now, and they know how to share some basic incident information — mostly when that sharing pertains to passing along data that affects constituents of other CERTs. Nevertheless, the ability to share actionable threat information still does not exist. Companies are scrutinized by regulators, and end up aligning their disclosure policy to regulations, fearing repercussions of breaches rather than their actual impact. This is especially true when viewed in conjunction with the CFAA (Computer Fraud and Abuse Act). The act has been exploited by prosecutors in a draconian attempt to punish petty internet crime, and we all end up keeping our heads down just to stay off the radar.

So, to start with the good news, I had been hoping the White House cybersecurity summit held on Friday would address public-private collaboration in the form of information sharing. Luckily, it took center stage. Information sharing needs to be done in a meaningful way, with incentives for sharing data by providing indemnity when done correctly (and anonymously of course). This is exactly what the bill, signed by the president, attempts to achieve. It remains to be seen how the practice of ISAOs (Information Sharing and Analysis Organizations) will address this: going beyond ISACs (Information Sharing and Analysis Centers), anonymizing the data sources, providing safe harbor for data shared and focusing not just on post-breach information, but on true intelligence (through sharing relevant pre-breach data and having the ISAO process, analyze and provide relevant intelligence back to the members). If executed correctly, this bill could provide a powerful framework with the potential to fast-track the private sector’s ability to adapt and prepare for imminent attacks. Harmonizing public sector and governmental sharing via the ISAO would greatly enhance the ability to prevent such threats. Again, the key is practicality, especially as it needs to be applied not only to the Fortune 500, but to the true core of the economy: small and medium businesses. These often do not have the capabilities and resources to apply the advanced analytical and protective efforts that big companies have. Nevertheless, they are targeted just as much as, if not more than, Fortune 1000 companies are.

I’ve mentioned the CFAA (Computer Fraud and Abuse Act) briefly earlier, and it would be a disservice not to address it in full. As it is right now, the act can be readily abused. It criminalizes most research activities that are needed in order to advance the practice of cybersecurity and hinders creativity and innovation. It has been used repeatedly by zealous prosecutors to target scapegoats (I’m referring to the unfortunate case of the young and brilliant Aaron Swartz), and go after hackers for all the wrong reasons (such as Andrew “weev” Auernheimer and Barrett Brown). One of the issues that went unaddressed during the summit is amending the CFAA in the right direction. There were some discussions about adopting security as a fundamental practice for operating online, ensuring that encryption isn’t criminalized, and showcasing security as a business differentiator. These are all great, but I would have liked to hear a more conclusive and decisive stance regarding how the CFAA is going to be amended — and in the right way.

Last but not least — one topic that has been almost completely avoided is the issue of malpractice. As an industry, we are seeing a huge shortage in skilled practitioners. This has led to a situation in which many less-than-skilled people end up providing subpar services that misrepresent the true exposure of a company to threats. Additionally, companies may choose to ignore warnings from good practitioners that point to shortcomings in their security posture. Both practices should bear consequences in the form of malpractice, as well as addressing the burden of proof that a security review, advice, or practice has been performed diligently. This is a critical element that the information security industry needs in order to escape from its current perceived “hackish” nature in which everyone who learns how to run a couple of scripts is hired to test a company’s risk posture.

One of the interesting aspects that arises from the Executive Order (Promoting Private Sector Cybersecurity Information Sharing) is how privacy is being addressed, if at all. Privacy goes both ways — for the companies sharing information, as well as for consumers who entrust their information to companies who may end up sharing it. The onus of a successful threat intelligence sharing program is on both the companies who share the information and need to anonymize it, and the ISAO that needs to ensure that no personal or corporate information is shared. As such, the privacy issues are being indirectly addressed in the Executive Order, which calls for the formation of voluntary standardization practices.

The security summit had some excellent moments of foresight and progress. But, as usual, there are still significant gaps in the program that must be addressed in order to successfully solve the issues of modern cybersecurity.