Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/3/2019
02:30 PM
Levi Gundert
Levi Gundert
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Taming the Digital Wild West

Congress must do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them.

Fred Wolens, VP of Policy and Communications at Recorded Future, also contributed to this article.

The Internet is the digital Wild West, more so now than ever before.

The past two years specifically have been a vortex of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts. And these are only the highlights of what has been publicly reported.

Despite the increasingly dire headlines, there's hope yet for the Internet. It begins with an improved public/private model — backed by legislation — for policing cybercrime and helping American businesses defend themselves.

Step 1: One Focused Agency
For American individuals and businesses, there is no clear answer on who leads the fight on cybercrime — or who leads interagency collaboration. In federal law enforcement, there are numerous agencies within the Departments of Justice and Homeland Security that investigate cybercrime, among them: the FBI, Secret Service, Homeland Security Investigations (HSI), and Office of the Inspector General (OSI). In addition, you can also add state and local police agencies to the web of confusion — and that's still before considering the overlap with intelligence (ODNI/NSA), military (DIA or NCIS), and international (Interpol/Europol) agencies.

Certainly, there has been progress toward industry partnership in the past decade. Both the Secret Service and FBI have created cybersecurity-focused entities (the Electronic Crimes Task Forces [ECTF] and InfraGard, respectively). However, the limitations on law enforcement information sharing make these groups less effective, blunting their ability to further affect cybercrime.

Equally responsible for the marginal success in prior efforts is the lack of NSA participation. It is clear that the NSA has the most visibility into malicious cyber activity and is the most informed organization in America (and probably the planet) on adversary cyber activity.

We need an organization within the NSA — modeled on the UK's National Cyber Security Centre (NCSC), which is part of Government Communications Headquarters (GCHQ, the British NSA equivalent) — that is focused solely on helping American individuals and businesses defend themselves. The NCSC provides timely guidance on threats, ranging from phishing to malware to fraud, and shares technology with the private sector directly. Similarly, America needs a well-informed cybersecurity guidance resource to fill the current void.

History has shown that businesses are ill equipped for sustained defense from well-funded and motivated attackers. Sophisticated enemies, with seemingly endless time are using the cyber domain to continuously victimize American businesses at will. The cost of doing business should not include fending off nation-state-sponsored offensive cyber campaigns.

The answer begins with Congress legislating a new organization, modeled after the NCSC, owned by the NSA, and mandated to share all possible threat guidance and defensive technology with American businesses. The goal: to increase America's cybersecurity awareness and resilience.

Step 2: Retain and Invest in Government Talent
We need America's best and brightest in public service defending America from cyber enemies. Employee compensation and training budgets must increase across the board.

The problem is that government salaries and the General Services Administration (GSA) schedule have not kept pace with private sector salaries for employees with cybersecurity skills. This is equally true across military, intelligence, and law enforcement agencies.

Government employees increase their skills, learn tradecraft, and then depart for the private sector because the opportunity costs are too great for them and their families to stay in government service. Ultimately, a government retirement plan can't compete with a 30% (or more) private sector salary increase.

Related to training, police officers are generally the first line of support for individual victims. But when the phone rings, it's frustrating for officers trying to take a report or advise on next steps. All law enforcement agencies should have sufficient budget for cybercrime training, and an NSA-led agency like the NCSC should lead the way on training these officers.

Congress must revise the GSA schedule for federal employees in cybersecurity concentrations, and earmark funding for police training across all agencies because, as a nation, we can't afford to continually lose our most talented people to the private sector.

Step 3: Empowering the Private Sector
The private sector has the knowledge and skills to be a force multiplier for law enforcement. Network defenders and researchers typically have better tools and data than law enforcement on cyber malfeasance. The current problem for the private sector is trust, or the lack thereof, with law enforcement. Specifically, private sector collaborators need protection from having the law wielded against them as a result of their efforts.

The past 15 years are a testament to the success of proactive private sector volunteers and working groups — DNS Changer is a great example. It was created to tackle dire cyber threats and assist with attribution.

A primary impediment to increased cooperation is the Computer Fraud and Abuse Act (CFAA) (18 US Code §1030), signed in 1986 and, to a lesser extent, Section 1201 of the Digital Millennium Copyright Act (DMCA) (17 US Code §1201). These two laws indiscriminately lump in valid cybersecurity research along with the most reprehensible of cybercrimes. The CFAA criminalizes "exceeding unauthorized access" to websites, which allows site owners to unilaterally prevent any investigation of potential vulnerabilities through prohibitions written in to terms of service.

Similarly, the DMCA penalizes almost any circumvention of copyright protections (including encryption protocols), which is often necessary to carry out security research. These federal laws are being augmented by state laws, such as legislation recently passed in Georgia, that perpetuates these oversights.

Revised legislation should reaffirm Fourth Amendment digital rights and also encourage law enforcement to share cybercrime case details (not national security cases or cases that began from a counterintelligence nexus) with the private sector where relevant. Legislative efforts should also creatively provide law enforcement with improved investigative tools (again, while reaffirming the Fourth Amendment), increase law enforcement budgets for training, and encourage all nations to adopt similar definitions for "unauthorized access." Additionally, we should encourage more legislation like the Internet of Things Cybersecurity Improvement Act of 2017 that provides specific security research exemptions.

As a society, we have an incredibly skilled and willing modern-day private sector that has been diligently working behind the scenes toward a safer Internet. This is the reason that global malware attacks are relatively muted. For example, large-scale attacks like the Storm and WannaCry worms were poised for maximum destructive impact before the private sector intervened. Congress should do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them and vice versa.

Related Content:

Author Bios:

Fred Wolens is VP of Policy and Communications at Recorded Future, the real-time threat intelligence company. Fred oversees Recorded Future’s compliance programs, and manages many of the internal policies that guide the company’s intelligence efforts. Before joining Recorded Future, Fred was a member of Facebook’s Public Policy Team, managing PR and policy for many security, privacy, and safety issues. In the past, Fred has also worked with a number of technology companies including AirBnB, Uber, and SurveyMonkey, and with the Office of the Shadow Foreign Secretary in the United Kingdom researching technology policy. Fred holds a B.A. in Political Science from Stanford University, and a J.D./M.B.A. from Harvard.

Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13623
PUBLISHED: 2019-07-17
In NSA Ghidra through 9.0.4, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis r...
CVE-2019-13624
PUBLISHED: 2019-07-17
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
CVE-2019-13625
PUBLISHED: 2019-07-17
NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.
CVE-2019-3571
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
CVE-2019-6160
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.