
9/12/2016
12:00 PM

New Book Traces Obama Strategy To Protect America From Hackers, Terrorists & Nation States

A review of Charlie Mitchell's 'Hacked: The Inside Story of America's Struggle to Secure Cyberspace.'

Hardcover, 320 pages
Published June 20th 2016 by Rowman & Littlefield Publishers

One of the most pressing issues in cybersecurity policy is the question of jurisdiction. Who should secure cyberspace from rogue hackers, terrorists, and nation-states? Is it the responsibility of the government, the private sector, or both? In his recent book, Hacked: The Inside Story of America’s Struggle to Secure Cyberspace, Charlie Mitchell traces how that question has been answered in the Obama administration, mapping recent attempts by the government and industry to cooperate on the issue.

Towards the end of his second term, President Bush began to explore the issue of cybersecurity, and the Obama administration picked up where he left off. The 44th president, however, hoping not to stifle economic growth by putting undue burdens on corporations, was less inclined than his predecessor to use regulation as a security mechanism. Hoping for a more voluntary approach, the administration attempted to partner with the private sector; the two aspects of that partnership that Mitchell highlights are cybersecurity standards and information sharing.

After Congressional failure to pass cyber legislation (a constant theme throughout the book), the White House decided to take the lead, and in 2013 the President issued an executive order based on government and private sector collaboration.

The most significant example of such collaboration was the National Institute of Standards and Technology (NIST) cybersecurity framework creation process. The executive order tasked NIST with developing a framework of “voluntary standards” for cybersecurity in collaboration with the tech industry. Both sides met and discussed the framework at a series of conferences at various college campuses across the country. The basics of the framework included “five core functions: know, prevent, detect, respond, and recover… It would also include three framework implementation levels.” It also included a list of other issues that NIST officials hoped industry leaders would consider, including “improving authentication” and “bolstering the cybersecurity workforce.”

The process was constantly threatened by business leaders’ fears that the framework (specifically the metrics used to measure adoption of the framework) would devolve into regulation; accordingly, the three implementation levels were changed to four “tiers.” The Framework was released in 2014 to positive reviews from the business community, but the media and security experts had less enthusiastic takes.

Information sharing, another area of collaboration highlighted by Mitchell, refers primarily to the flow of information about cyber threats between the government and private industry. Laws and national security considerations limit the sharing ability of the federal government, and concerns about liability and government punishment inhibit industry sharing with the government.

Hacked follows the twisted path that information-sharing legislation takes through Congress and explores how Washington strives to foster increased information sharing between the two parties. A number of bills are proposed in the House during Obama’s second term with different approaches to information sharing, especially concerning who in the government information should be shared with: the Department of Homeland Security, the NSA, or multiple government agencies.

Mitchell spends most of his time not on the specifics of the bills but on the excruciatingly difficult and long process that the House and the Senate take to pass them. Cybersecurity legislation is repeatedly passed over because of looming elections, government shutdowns, squabbles between Republicans and Democrats, the budget, immigration, and the Iran nuclear deal. Even when it is brought up, it is constantly assailed by privacy advocates such as the ACLU.

Mitchell closes the book with musings on the future of cybersecurity in the United States. Questions still exist about whether the voluntary approach favored by the Obama administration has staying power, especially when a new President takes office this January. Restructuring at the federal government level, especially within Congress and the bureaucracy, is also necessary to deal with the cyber threat more efficiently, and he warns against seeing information-sharing as an end in itself instead of part of a larger cyber strategy. The private sector, especially the insurance community, has made great strides in security, but the government still struggles to provide adequate incentives for companies to invest in it, and time will tell whether the government or private industry will take the lead in cybersecurity development in the future.

Mitchell ends by stating that “cybersecurity, and cyber threats, are now a permanent feature of the governing, political, and economic landscape”; the dangers they pose will not disappear, and any response to them must be based on this fundamental fact. Though a bit dry at times, Hacked is a must-read for anyone seeking greater familiarity with this essential element of national security, which will only grow in importance in the coming years.


Wilson Alexander is a writer passionate about national security and international relations, as well as how technology shapes human life around the globe. He has written for Taylor University's The Echo and presented papers at the Butler Undergraduate Research Conference and ...