Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/3/2019
02:30 PM
Levi Gundert
Levi Gundert
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Taming the Digital Wild West

Congress must do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them.

Fred Wolens, VP of Policy and Communications at Recorded Future, also contributed to this article.

The Internet is the digital Wild West, more so now than ever before.

The past two years specifically have been a vortex of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts. And these are only the highlights of what has been publicly reported.

Despite the increasingly dire headlines, there's hope yet for the Internet. It begins with an improved public/private model — backed by legislation — for policing cybercrime and helping American businesses defend themselves.

Step 1: One Focused Agency
For American individuals and businesses, there is no clear answer on who leads the fight on cybercrime — or who leads interagency collaboration. In federal law enforcement, there are numerous agencies within the Departments of Justice and Homeland Security that investigate cybercrime, among them: the FBI, Secret Service, Homeland Security Investigations (HSI), and Office of the Inspector General (OSI). In addition, you can also add state and local police agencies to the web of confusion — and that's still before considering the overlap with intelligence (ODNI/NSA), military (DIA or NCIS), and international (Interpol/Europol) agencies.

Certainly, there has been progress toward industry partnership in the past decade. Both the Secret Service and FBI have created cybersecurity-focused entities (the Electronic Crimes Task Forces [ECTF] and InfraGard, respectively). However, the limitations on law enforcement information sharing make these groups less effective, blunting their ability to further affect cybercrime.

Equally responsible for the marginal success in prior efforts is the lack of NSA participation. It is clear that the NSA has the most visibility into malicious cyber activity and is the most informed organization in America (and probably the planet) on adversary cyber activity.

We need an organization within the NSA — modeled on the UK's National Cyber Security Centre (NCSC), which is part of Government Communications Headquarters (GCHQ, the British NSA equivalent) — that is focused solely on helping American individuals and businesses defend themselves. The NCSC provides timely guidance on threats, ranging from phishing to malware to fraud, and shares technology with the private sector directly. Similarly, America needs a well-informed cybersecurity guidance resource to fill the current void.

History has shown that businesses are ill equipped for sustained defense from well-funded and motivated attackers. Sophisticated enemies, with seemingly endless time are using the cyber domain to continuously victimize American businesses at will. The cost of doing business should not include fending off nation-state-sponsored offensive cyber campaigns.

The answer begins with Congress legislating a new organization, modeled after the NCSC, owned by the NSA, and mandated to share all possible threat guidance and defensive technology with American businesses. The goal: to increase America's cybersecurity awareness and resilience.

Step 2: Retain and Invest in Government Talent
We need America's best and brightest in public service defending America from cyber enemies. Employee compensation and training budgets must increase across the board.

The problem is that government salaries and the General Services Administration (GSA) schedule have not kept pace with private sector salaries for employees with cybersecurity skills. This is equally true across military, intelligence, and law enforcement agencies.

Government employees increase their skills, learn tradecraft, and then depart for the private sector because the opportunity costs are too great for them and their families to stay in government service. Ultimately, a government retirement plan can't compete with a 30% (or more) private sector salary increase.

Related to training, police officers are generally the first line of support for individual victims. But when the phone rings, it's frustrating for officers trying to take a report or advise on next steps. All law enforcement agencies should have sufficient budget for cybercrime training, and an NSA-led agency like the NCSC should lead the way on training these officers.

Congress must revise the GSA schedule for federal employees in cybersecurity concentrations, and earmark funding for police training across all agencies because, as a nation, we can't afford to continually lose our most talented people to the private sector.

Step 3: Empowering the Private Sector
The private sector has the knowledge and skills to be a force multiplier for law enforcement. Network defenders and researchers typically have better tools and data than law enforcement on cyber malfeasance. The current problem for the private sector is trust, or the lack thereof, with law enforcement. Specifically, private sector collaborators need protection from having the law wielded against them as a result of their efforts.

The past 15 years are a testament to the success of proactive private sector volunteers and working groups — DNS Changer is a great example. It was created to tackle dire cyber threats and assist with attribution.

A primary impediment to increased cooperation is the Computer Fraud and Abuse Act (CFAA) (18 US Code §1030), signed in 1986 and, to a lesser extent, Section 1201 of the Digital Millennium Copyright Act (DMCA) (17 US Code §1201). These two laws indiscriminately lump in valid cybersecurity research along with the most reprehensible of cybercrimes. The CFAA criminalizes "exceeding unauthorized access" to websites, which allows site owners to unilaterally prevent any investigation of potential vulnerabilities through prohibitions written in to terms of service.

Similarly, the DMCA penalizes almost any circumvention of copyright protections (including encryption protocols), which is often necessary to carry out security research. These federal laws are being augmented by state laws, such as legislation recently passed in Georgia, that perpetuates these oversights.

Revised legislation should reaffirm Fourth Amendment digital rights and also encourage law enforcement to share cybercrime case details (not national security cases or cases that began from a counterintelligence nexus) with the private sector where relevant. Legislative efforts should also creatively provide law enforcement with improved investigative tools (again, while reaffirming the Fourth Amendment), increase law enforcement budgets for training, and encourage all nations to adopt similar definitions for "unauthorized access." Additionally, we should encourage more legislation like the Internet of Things Cybersecurity Improvement Act of 2017 that provides specific security research exemptions.

As a society, we have an incredibly skilled and willing modern-day private sector that has been diligently working behind the scenes toward a safer Internet. This is the reason that global malware attacks are relatively muted. For example, large-scale attacks like the Storm and WannaCry worms were poised for maximum destructive impact before the private sector intervened. Congress should do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them and vice versa.

Related Content:

Author Bios:

Fred Wolens is VP of Policy and Communications at Recorded Future, the real-time threat intelligence company. Fred oversees Recorded Future’s compliance programs, and manages many of the internal policies that guide the company’s intelligence efforts. Before joining Recorded Future, Fred was a member of Facebook’s Public Policy Team, managing PR and policy for many security, privacy, and safety issues. In the past, Fred has also worked with a number of technology companies including AirBnB, Uber, and SurveyMonkey, and with the Office of the Shadow Foreign Secretary in the United Kingdom researching technology policy. Fred holds a B.A. in Political Science from Stanford University, and a J.D./M.B.A. from Harvard.

Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.
CVE-2019-20391
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20392
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20393
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.