4/22/2015 11:50 PM
Government Giving 'No More Free Passes' To Cybercriminals

At RSA Conference Wednesday, Assistant Attorney General for National Security John Carlin explained the government's new "all tools approach" to cracking down on cyberespionage and other crime.

SAN FRANCISCO, WEDNESDAY, APR. 22 -- Attribution, extradition, diplomacy and other factors have largely helped cybercriminals evade the law. Yet, as John P. Carlin, assistant attorney general for national security at the U.S. Department of Justice, explained at the RSA Conference today, the US has become more aggressive, aiming to increase the costs of cybercrime and make it clear "that it is not okay to steal from American companies."

"There are no free passes," said Carlin. "That is where the PLA case came from."

In May 2014, DOJ indicted five members of the Chinese People's Liberation Army (PLA) for hacking and espionage offenses against American companies in the nuclear power, metals and solar products industries. Although Carlin said those five people may never be apprehended and see their day in court, he argued it is important that they be publicly named and formally charged. "We don't want to send the wrong message that we're decriminalizing theft," he said.

In December 2014, the FBI officially named North Korea as the culprit behind the attacks on Sony Pictures Entertainment, and President Obama stated "We will respond. We will respond proportionately and we'll respond in a place and time and manner that we choose."

"That's an important message," said Carlin, "not just to the North Koreans, but to all the [malicious] actors out there."

Carlin explained that attribution is not always easy, but that to the degree it is possible, the government aims to act upon it. "One, we have to be able to figure out who did it, and that's where we need the private sector's help. Two, we can't be afraid of saying it, otherwise it's cost-free. Three, then there have to be costs."

Those costs, said Carlin, may include indictments or a variety of diplomatic or economic sanctions, and those measures must increase until the activity stops.

"These are hard cases to prove up," he said. "But they're not impossible."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments

1panneau, User Rank: Apprentice, 5/3/2015 | 8:31:19 AM
I am skeptical
A good start but efforts are still needed

RyanSepe, User Rank: Ninja, 4/27/2015 | 12:43:31 PM
Re: It only hurts when...
Essentially it's trickle-down hurt-onomics.

Dr.T, User Rank: Ninja, 4/25/2015 | 7:14:30 PM
Re: It only hurts when...
I hear you, but I would not think anybody is suggesting that. When Sony Pictures got hacked it was big trouble for the company, but also for employees and customers. Every attack eventually touches individuals.

Dr.T, User Rank: Ninja, 4/25/2015 | 7:11:39 PM
Re: UN and International Law
As it was mentioned in your note: "The fight against cybercrime also requires specialist information hubs and intelligence coordination ..." Well, there are no "specialist information hubs and intelligence coordination", so that is the end of that rope. As I mentioned, international rules are not clear and not easily enforceable.

Dr.T, User Rank: Ninja, 4/25/2015 | 7:06:50 PM
Re: Fine Line
When it goes out of geographical borders it becomes more and more difficult to take action or to charge somebody responsible. International rules are not clear and not easily enforceable.

Dr.T, User Rank: Ninja, 4/25/2015 | 7:04:18 PM
Re: Do these points of promised actions include taking action against criminals victimising private citizens?
It should involve both private citizens, companies and governments. Everybody gets hurt after a successful cyberattack.

Dr.T, User Rank: Ninja, 4/25/2015 | 7:00:22 PM
Defensive or offensive strategy?
I would be a little bit cautious when it comes to offensive strategies in cyberattacks. We should not confuse security strategies with soccer game strategies. Offensive strategies would not reduce the risk you are exposed to. The best strategies in security are about taking it seriously by re-thinking security and coming up with creative ideas to prevent being hacked.

RoninM567, User Rank: Apprentice, 4/23/2015 | 5:36:51 PM
It only hurts when...
"that it is not okay to steal from American companies." But theft from American citizens is OK.

RetiredUser, User Rank: Ninja, 4/23/2015 | 3:45:55 PM
UN and International Law
In reading about the state of cybercrime and legislation on an international level through UN reports, it's interesting to see that two highlights they point to as an indication of hope for the future include 2013 and 2014, which are noted as landmarks in the fight against cybercrime. [1]

"In January 2013, EC3 opened its doors. Based at Europol in The Hague, the centre provides specialist operational support and intelligence coordination to cybercrime investigations in the 27 European Union member states and, in turn, harnesses their capability and expertise to deliver more comprehensive and targeted responses to online threats."

"In 2014, Interpol's new Digital Crime Centre will be operational at its Global Complex for Innovation in Singapore. In the development of both centres, strong emphasis has been placed on delivering collaborative responses which draw on the full range of cybersecurity stakeholders, including industry, academia and civil society organizations, as well as government authorities."

I found the following quotes from the UN Chronicle [1] telling and a good discussion springboard regarding what we still need to do to improve on catching and properly punishing cybercriminals:

"Legislation around the globe will not only need to catch up but also keep pace with criminal misuse of emerging technologies. There is now a real risk that, without harmonization, countries with lower levels of cybersecurity, weaker cybercrime legislation and diminished law enforcement capability will become safe havens for cybercriminals for many years to come."

"International cooperation is already essential to successfully investigating and prosecuting cybercrime. However, we also need to think smarter, beyond the traditional criminal justice practices of apprehending, prosecuting and convicting individuals. Effective disruption and prevention measures are, and will continue to be, possible. International organizations like Europol, Interpol and the United Nations are force multipliers in the delivery of effective multi-sector initiatives to dismantle botnets, reduce the profits of the digital underground economy and actively engage citizens in protection against attacks."

"The fight against cybercrime also requires specialist information hubs and intelligence coordination. Very often it is only at the international level that analysts can gain an accurate picture of the extent and harm of a cybercriminal group's activities. The law enforcement and security communities, for instance, need organizations like Europol, Interpol, United Nations Office on Drugs and Crime, and United Nations Interregional Crime and Justice Research Institute to help them make sense of the threat, and make crucial links between offences in often very disparate parts of the world."


[1] UN Chronicle, August 2013

RyanSepe, User Rank: Ninja, 4/23/2015 | 11:14:30 AM
Fine Line
Two things. First, I understand that it is difficult to enforce sanctions on an international level for crime, but I feel that the punishment is scoffable. What happens to the individuals who perpetrated the acts? I believe that people learn more, unfortunately, from getting burnt by the stove than from soft punishments geared towards the deterrence of touching the stove.

Second, is it wise to impose economic sanctions against a country that could recall the debt you owe it? This is if in fact cyber terrorism is supported up through the government sectors. Not an economist, but does anyone else see an inherent flaw in the cost? If someone could explain an opposing viewpoint here I would be eager to learn of another viewpoint.