Threat Intelligence

1/3/2019
02:30 PM
Levi Gundert
Levi Gundert
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Taming the Digital Wild West

Congress must do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them.

Fred Wolens, VP of Policy and Communications at Recorded Future, also contributed to this article.

The Internet is the digital Wild West, more so now than ever before.

The past two years specifically have been a vortex of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts. And these are only the highlights of what has been publicly reported.

Despite the increasingly dire headlines, there's hope yet for the Internet. It begins with an improved public/private model — backed by legislation — for policing cybercrime and helping American businesses defend themselves.

Step 1: One Focused Agency
For American individuals and businesses, there is no clear answer on who leads the fight on cybercrime — or who leads interagency collaboration. In federal law enforcement, there are numerous agencies within the Departments of Justice and Homeland Security that investigate cybercrime, among them: the FBI, Secret Service, Homeland Security Investigations (HSI), and Office of the Inspector General (OSI). In addition, you can also add state and local police agencies to the web of confusion — and that's still before considering the overlap with intelligence (ODNI/NSA), military (DIA or NCIS), and international (Interpol/Europol) agencies.

Certainly, there has been progress toward industry partnership in the past decade. Both the Secret Service and FBI have created cybersecurity-focused entities (the Electronic Crimes Task Forces [ECTF] and InfraGard, respectively). However, the limitations on law enforcement information sharing make these groups less effective, blunting their ability to further affect cybercrime.

Equally responsible for the marginal success in prior efforts is the lack of NSA participation. It is clear that the NSA has the most visibility into malicious cyber activity and is the most informed organization in America (and probably the planet) on adversary cyber activity.

We need an organization within the NSA — modeled on the UK's National Cyber Security Centre (NCSC), which is part of Government Communications Headquarters (GCHQ, the British NSA equivalent) — that is focused solely on helping American individuals and businesses defend themselves. The NCSC provides timely guidance on threats, ranging from phishing to malware to fraud, and shares technology with the private sector directly. Similarly, America needs a well-informed cybersecurity guidance resource to fill the current void.

History has shown that businesses are ill equipped for sustained defense from well-funded and motivated attackers. Sophisticated enemies, with seemingly endless time are using the cyber domain to continuously victimize American businesses at will. The cost of doing business should not include fending off nation-state-sponsored offensive cyber campaigns.

The answer begins with Congress legislating a new organization, modeled after the NCSC, owned by the NSA, and mandated to share all possible threat guidance and defensive technology with American businesses. The goal: to increase America's cybersecurity awareness and resilience.

Step 2: Retain and Invest in Government Talent
We need America's best and brightest in public service defending America from cyber enemies. Employee compensation and training budgets must increase across the board.

The problem is that government salaries and the General Services Administration (GSA) schedule have not kept pace with private sector salaries for employees with cybersecurity skills. This is equally true across military, intelligence, and law enforcement agencies.

Government employees increase their skills, learn tradecraft, and then depart for the private sector because the opportunity costs are too great for them and their families to stay in government service. Ultimately, a government retirement plan can't compete with a 30% (or more) private sector salary increase.

Related to training, police officers are generally the first line of support for individual victims. But when the phone rings, it's frustrating for officers trying to take a report or advise on next steps. All law enforcement agencies should have sufficient budget for cybercrime training, and an NSA-led agency like the NCSC should lead the way on training these officers.

Congress must revise the GSA schedule for federal employees in cybersecurity concentrations, and earmark funding for police training across all agencies because, as a nation, we can't afford to continually lose our most talented people to the private sector.

Step 3: Empowering the Private Sector
The private sector has the knowledge and skills to be a force multiplier for law enforcement. Network defenders and researchers typically have better tools and data than law enforcement on cyber malfeasance. The current problem for the private sector is trust, or the lack thereof, with law enforcement. Specifically, private sector collaborators need protection from having the law wielded against them as a result of their efforts.

The past 15 years are a testament to the success of proactive private sector volunteers and working groups — DNS Changer is a great example. It was created to tackle dire cyber threats and assist with attribution.

A primary impediment to increased cooperation is the Computer Fraud and Abuse Act (CFAA) (18 US Code §1030), signed in 1986 and, to a lesser extent, Section 1201 of the Digital Millennium Copyright Act (DMCA) (17 US Code §1201). These two laws indiscriminately lump in valid cybersecurity research along with the most reprehensible of cybercrimes. The CFAA criminalizes "exceeding unauthorized access" to websites, which allows site owners to unilaterally prevent any investigation of potential vulnerabilities through prohibitions written in to terms of service.

Similarly, the DMCA penalizes almost any circumvention of copyright protections (including encryption protocols), which is often necessary to carry out security research. These federal laws are being augmented by state laws, such as legislation recently passed in Georgia, that perpetuates these oversights.

Revised legislation should reaffirm Fourth Amendment digital rights and also encourage law enforcement to share cybercrime case details (not national security cases or cases that began from a counterintelligence nexus) with the private sector where relevant. Legislative efforts should also creatively provide law enforcement with improved investigative tools (again, while reaffirming the Fourth Amendment), increase law enforcement budgets for training, and encourage all nations to adopt similar definitions for "unauthorized access." Additionally, we should encourage more legislation like the Internet of Things Cybersecurity Improvement Act of 2017 that provides specific security research exemptions.

As a society, we have an incredibly skilled and willing modern-day private sector that has been diligently working behind the scenes toward a safer Internet. This is the reason that global malware attacks are relatively muted. For example, large-scale attacks like the Storm and WannaCry worms were poised for maximum destructive impact before the private sector intervened. Congress should do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them and vice versa.

Related Content:

Author Bios:

Fred Wolens is VP of Policy and Communications at Recorded Future, the real-time threat intelligence company. Fred oversees Recorded Future’s compliance programs, and manages many of the internal policies that guide the company’s intelligence efforts. Before joining Recorded Future, Fred was a member of Facebook’s Public Policy Team, managing PR and policy for many security, privacy, and safety issues. In the past, Fred has also worked with a number of technology companies including AirBnB, Uber, and SurveyMonkey, and with the Office of the Shadow Foreign Secretary in the United Kingdom researching technology policy. Fred holds a B.A. in Political Science from Stanford University, and a J.D./M.B.A. from Harvard.

Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He just showed up at my doorstep one day without a geotag."
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.