Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

4/22/2015
11:50 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Government Giving 'No More Free Passes' To Cybercriminals

At RSA Conference Wednesday, Assistant Attorney General for National Security John Carlin explained the government's new "all tools approach" to cracking down on cyberespionage and other crime.

SAN FRANCISCO, WEDNESDAY, APR. 22  -- Attribution, extradition, diplomacy and other factors have largely helped cyberiminals evade the law. Yet, as John P. Carlin, assistant attorney general for national security at the U.S. Department of Justice explained at the RSA Conference today, the US has become more aggressive, aiming to increase the costs of cybercrime and make it clear "that it is not okay to steal from American companies." 

"There are no free passes," said Carlin. "That is where the PLA case came from."  

In May 2014, DOJ indicted five members of the Chinese People's Liberation Army (PLA) for hacking and espionage offenses against American companies in the nuclear power, metals and solar products industries. Although Carlin said it's likely those five people may never be apprehended and see their day in court, it is important that they be publicly named and formally charged. "We don't want to send the wrong message that we're decriminalizing theft," he said.

In December 2014, the FBI officially named North Korea as the culprit behind the attacks on Sony Pictures Entertainment, and President Obama stated "We will respond. We will respond proportionately and we'll respond in a place and time and manner that we choose."

"That's an important message," said Carlin, "not just to the North Koreans, but to all the [malicious] actors out there."

Carlin explained that attribution is not always easy, but that to the degree it is possible, the government aims to act upon it. "One, we have to be able to figure out who did it, and that's where we need the private sector's help. Two, we can't be afraid of saying it, otherwise it's cost-free. Three, then there have to be costs." 

Those costs, said Carlin, may include indictments or a variety of diplomatic of economic sanctions; and those measures must increase until the activity stops.

"These are hard cases to prove up," he said. "But they're not impossible."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
1panneau
50%
50%
1panneau,
User Rank: Apprentice
5/3/2015 | 8:31:19 AM
I am skeptical
A good start but efforts are still needed
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/27/2015 | 12:43:31 PM
Re: It only hurts when...
Essentially its trickle down hurt-onomics.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/25/2015 | 7:14:30 PM
Re: It only hurts when...
I hear you, but I would not think anybody suggesting that, when sonly picture gets hacked it was big trouble for the company but also employees and customers. Every attacks eventually touch individuals.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/25/2015 | 7:11:39 PM
Re: UN and International Law
As it was mentioned in your note: ""The fight against cybercrime also requires specialist information hubs and intelligence coordination ..." Well, there is not "specialist information hubs and intelligence coordination", so that is the end for that rope.  As I mentioned, international rules are not clear and not easily enforceable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/25/2015 | 7:06:50 PM
Re: Fine Line
When it goes to out of geographical boarders it becomes more and more difficult to take actions or to charge somebody responsible. International rules are not clear and not easily enforceable.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/25/2015 | 7:04:18 PM
Re: Do these points of promised actions include taking action against criminals victimising private citizens?
 It should involve both private citizens, companies and governments. Everybody gets hurt after a successful cyberattack.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/25/2015 | 7:00:22 PM
Defensive or offensive strategy?
I would be a little bit cautious when it comes to offensive strategies in cyberattacks. We should not confuse security strategies with a soccer game strategies. Offensive strategies would not reduce the risk you are exposed. Best strategies in security is about taking it seriously by re-thinking security and coming up with creative ideas to prevent from being hacked.
RoninM567
50%
50%
RoninM567,
User Rank: Apprentice
4/23/2015 | 5:36:51 PM
It only hurts when...
"that it is not okay to steal from American companies." But theft from American citizens is OK.
RetiredUser
0%
100%
RetiredUser,
User Rank: Ninja
4/23/2015 | 3:45:55 PM
UN and International Law
In reading about the state of cybercrime and legislation on an international level through UN reports, it's interesting to see that two highlights they point to as an indication of hope for the future include 2013 and 2014, which are noted as landmarks in the fight against cybercrime. [1] 

"In January 2013, EC3 opened its doors. Based at Europol in The Hague, the centre provides specialist operational support and intelligence coordination to cybercrime investigations in the 27 European Union member states and, in turn, harnesses their capability and expertise to deliver more comprehensive and targeted responses to online threats."

"In 2014, Interpol's new Digital Crime Centre will be operational at its Global Complex for Innovation in Singapore. In the development of both centres, strong emphasis has been placed on delivering collaborative responses which draw on the full range of cybersecurity stakeholders, including industry, academia and civil society organizations, as well as government authorities."

I found the following quotes from the UN Chronicle [1] telling and a good discussion springboard regarding what we still need to do to improve on catching and properly punishing cybercriminals:

"Legislation around the globe will not only need to catch up but also keep pace with criminal misuse of emerging technologies. There is now a real risk that, without harmonization, countries with lower levels of cybersecurity, weaker cybercrime legislation and diminished law enforcement capability will become safe havens for cybercriminals for many years to come."

"International cooperation is already essential to successfully investigating and prosecuting cybercrime. However, we also need to think smarter, beyond the traditional criminal justice practices of apprehending, prosecuting and convicting individuals. Effective disruption and prevention measures are, and will continue to be, possible. International organizations like Europol, Interpol and the United Nations are force multipliers in the delivery of effective multi-sector initiatives to dismantle botnets, reduce the profits of the digital underground economy and actively engage citizens in protection against attacks."

"The fight against cybercrime also requires specialist information hubs and intelligence coordination. Very often it is only at the international level that analysts can gain an accurate picture of the extent and harm of a cybercriminal group's activities. The law enforcement and security communities, for instance, need organizations like Europol, Interpol, United Nations Office on Drugs and Crime, and United Nations Interregional Crime and Justice Research Institute to help them make sense of the threat, and make crucial links between offences in often very disparate parts of the world."

 

[1] UN Chronicle, August 2013
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/23/2015 | 11:14:30 AM
Fine Line
Two things, first I understand that it is difficult to enforce santions on an international level for crime but I feel that the punishment is scoffable. What happens to the individuals who perpetrated the acts? I believe that people learn more, unfortunately, from getting burnt from the stove than from soft punishments geared towards the deterrence of touching the stove.


Second, is it wise to pose economic sanctions against a country that could recall the debt owed from you? This is if in fact cyber terrorism is supported up through the government sectors. Not an economist, but does anyone else see an inherent flaw in the cost? If someone could explain an opposing viewpoint here I would be eager to learn of another view point.
Page 1 / 2   >   >>
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0234
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
CVE-2018-7838
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
CVE-2019-6822
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
CVE-2019-6823
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.
CVE-2019-6824
PUBLISHED: 2019-07-15
A CWE-119: Buffer Errors vulnerability exists in ProClima (all versions prior to version 8.0.0) which allows an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.