Dark Reading is part of the Informa Tech Division of Informa PLC


9/12/2016
12:00 PM

New Book Traces Obama Strategy To Protect America From Hackers, Terrorists & Nation States

A review of Charlie Mitchell's 'Hacked: The Inside Story of America's Struggle to Secure Cyberspace.'

Hardcover, 320 pages
Published June 20th 2016 by Rowman & Littlefield Publishers

One of the most pressing issues in cybersecurity policy is the question of jurisdiction. Who should secure cyberspace from rogue hackers, terrorists, and nation-states? Is it the responsibility of the government, the private sector, or both? In his recent book, Hacked: The Inside Story of America’s Struggle to Secure Cyberspace, Charlie Mitchell traces how that question has been answered in the Obama administration, mapping recent attempts by the government and industry to cooperate on the issue.

Towards the end of his second term, President Bush began to explore the issue of cybersecurity, and the Obama administration picked up where he left off. The 44th president, however, hoping not to stifle economic growth by putting undue burdens on corporations, was less inclined than his predecessor to use regulation as a security mechanism. Hoping for a more voluntary approach, the administration attempted to partner with the private sector; the two aspects of that partnership that Mitchell highlights are cybersecurity standards and information sharing.

After Congressional failure to pass cyber legislation (a constant theme throughout the book), the White House decided to take the lead and in 2013 the President issued an executive order based on government and private sector collaboration.

The most significant example of such collaboration was the National Institute of Standards and Technology (NIST) cybersecurity framework creation process. The executive order tasked NIST with developing a framework of “voluntary standards” for cybersecurity in collaboration with the tech industry. Both sides met and discussed the framework at a series of conferences at various college campuses across the country. The basics of the framework included “five core functions: know, prevent, detect, respond, and recover… It would also include three framework implementation levels.” It also included a list of other issues that NIST officials hoped industry leaders would consider, including “improving authentication” and “bolstering the cybersecurity workforce.”

The process was constantly threatened by business leaders’ fears that the framework (specifically the metrics used to measure adoption of the framework) would devolve into regulation; accordingly, the three implementation levels were changed to four “tiers.” The Framework was released in 2014 to positive reviews from the business community, but the media and security experts were less enthusiastic.

Information sharing, another area of collaboration highlighted by Mitchell, refers primarily to the flow of information about cyber threats between the government and private industry. Laws and national security considerations limit the sharing ability of the federal government, and concerns about liability and government punishment inhibit industry sharing with the government.

Hacked follows the twisted path that information-sharing legislation takes through Congress and explores how Washington strives to foster increased information sharing between the two parties. A number of bills are proposed in the House during Obama’s second term with different approaches to information sharing, especially concerning who in the government information should be shared with: the Department of Homeland Security, the NSA, or multiple government agencies.

Mitchell spends most of his time not on the specifics of the bills but on the excruciatingly difficult and long process that the House and the Senate take to pass them. Cybersecurity legislation is repeatedly passed over because of looming elections, government shutdowns, squabbles between Republicans and Democrats, the budget, immigration, and the Iran nuclear deal. Even when it is brought up, it is constantly assailed by privacy advocates such as the ACLU.

Mitchell closes the book with musings on the future of cybersecurity in the United States. Questions still exist about whether the voluntary approach favored by the Obama administration has staying power, especially when a new President takes office this January. Restructuring at the federal government level, especially within Congress and the bureaucracy, is also necessary to deal with the cyber threat more efficiently, and he warns against seeing information-sharing as an end in itself instead of part of a larger cyber strategy. The private sector, especially the insurance community, has made great strides in security, but the government still struggles to provide adequate incentives for companies to invest in it, and time will tell whether the government or private industry will take the lead in cybersecurity development in the future.

Mitchell ends by stating that “cybersecurity, and cyber threats, are now a permanent feature of the governing, political, and economic landscape,” that the dangers they pose will not disappear, and that any response to them must be based on this fundamental fact. Though a bit dry at times, Hacked is a must-read for anyone seeking greater familiarity with this essential element of national security, which will only grow in importance in the coming years.


Wilson Alexander is a writer passionate about national security and international relations, as well as how technology shapes human life around the globe. He has written for Taylor University's The Echo and presented papers at the Butler Undergraduate Research Conference and ...