View From The Top: Government’s Role In Cybersecurity
At the DarkReading News Desk, live from Black Hat, industry experts Dan Kaminsky, Richard Bejtlich, Katie Moussouris, Paul Kurtz, and Rod Beckstrom talked about how government is hurting and could be helping infosec.
Last week we debuted the Dark Reading Video News Desk, streaming live from Black Hat, featuring over 30 interviews with speakers, trainers, and sponsors from the conference. Over the coming weeks, all the individual interviews will be posted here on Dark Reading.
In the meantime, here is a peek at some opinions about the geo-political aspects of cybersecurity shared at the News Desk by five industry thought leaders -- Richard Bejtlich, chief security strategist for FireEye; Dan Kaminsky, chief scientist and founder of White Ops; Paul Kurtz, CEO of TruSTAR and former cybersecurity advisor to the White House; Katie Moussouris, chief policy officer for HackerOne; and Rod Beckstrom, founding director of the U.S. National Cybersecurity Center and former CEO of ICANN.
On the two political aspects of attribution for cybercrime that concern him most, Richard Bejtlich, chief security strategist for FireEye, said:
In the incidents at both Sony and the Office of Personnel Management, attribution was established "fairly early on. Maybe it wasn't handled very well in terms of delivery of the message, but the real hold-up was we don't know what to do next. And you'd think after years and years of intrusions some policy measures would come about, but clearly everyone's sort of making it up as they go along...
"The second part of attribution I worry about is, high levels of attribution and low levels of attribution. So in a case of say US and Russia, we both have really good attribution capabilities in the government and the private sector... Low attribution countries say like India and Pakistan, they could easily be fooled by a third party trying to make it look like there's a conflict between the two of them."
On the question of how we will solve the problem of a cybersecurity talent shortage, Dan Kaminsky, chief scientist and founder of White Ops, suggested what he described as the "fairly controversial" viewpoint that government may play a role in supplying cybersecurity expertise. Kaminsky said:
"For being a hacker, I'm not particularly anti-government. I look around and I see government does some things.
"Look, you're walking down the street, and someone hits you in the head with a lead pipe. Awful, I know. But look at all the things that happen next. There are bystanders -- they notice, they see something, they're bothered by it. They have a number they can call. A societal infrastructure. 911. Specially trained people in a specially outfitted vehicle show up, take you to a special building with some of our most trained people in our entire global society, who put your head back together. Other people in uniform show up, they want to know what happened here, they go out, they find the guy, they put him in a specially equipped box. I mean, we have societal infrastructure...
"We really don't want to live in a world with rampaging barbarians. You look around the Internet and well we kinda have a lot of rampaging barbarians. So the long term 'where are we gonna get training, where are we gonna get people, where are we gonna get who we're going to be hiring on the five- to 10-year timescale' -- I have some hope."
"Look, if government is going to have a role in securing the Internet, it's going to be more than being the biggest and baddest hacker in the room. We get it, you can break into stuff. But we're not gonna hack our way into unhackable networks and we're not gonna leak our way into networks that don't leak."
On the importance of sharing threat intelligence information, particularly as it relates to nation-state actors, Paul Kurtz, CEO of TruSTAR and former cybersecurity advisor to the White House, said (in an interview Aug. 3 before the News Desk broadcast):
"I do think we will see a new law this year, maybe even this week or next, that will address information sharing between companies -- private to private, and private to government, and government to private. That will be a very good step in the right direction."
Kurtz explained that knowing more about the adversary is important because it makes it harder for nation-states to act through proxies and third parties -- and that such information is important to have, even if it puts a nation in the uncomfortable position of having to act upon the knowledge that another country is, directly or indirectly, involved in cyberattacks against them.
"We still need to know," said Kurtz, and by "we," he says he does not just mean the government, but the private sector. "If I'm getting attacked by IP address X and the indicators of compromise are the following, the private sector needs to know that. We can't wait for the White Knight to ride in with the data."
On the topic of how the proposed updates to the Wassenaar Arrangement -- which would limit the export of "intrusion software" -- would inhibit the security professionals who need to protect against zero-day exploits, but fail to inhibit those who create such exploits, Katie Moussouris, chief policy officer of HackerOne, said:
"Hacking Team was such a treasure trove of information. But what is especially interesting in terms of export controls is that they have lawyers, they did consult with their lawyers, they have a means to apply for export licenses in their own country, and there are a number of ways they could legally obtain export licenses for their software or use resellers that reside in other countries.
"So the folks that were targeted, who were making the software that was targeted by this regulation, have multiple means of getting around it, whereas the defense end of things and the folks who are not building this type of software but unfortunately are caught in that language dragnet really are the ones that are suffering, and as a result, defense of the Internet as a whole is suffering."
(See also Moussouris' blog on Dark Reading, "Mad World: The Truth About Bug Bounties," a response to Oracle CSO Mary Ann Davidson's short-lived rant about reverse engineering and vulnerability disclosure.)
On the topic of putting restrictions on the use of encryption or government backdoors in encryption products, Rod Beckstrom, founding director of the U.S. National Cybersecurity Center and former CEO of ICANN, said:
"I think that the Fourth Amendment and the Bill of Rights were created to protect the citizens from their government, not vice versa. So it's important to keep that in mind when we think about these policy issues because they very often impact Fourth Amendment rights... I personally believe that if Thomas Jefferson and [James] Madison were sitting here with us on this panel today, there's absolutely no question that emails and electronic communication would clearly fall under the Fourth Amendment under 'letters and effects'... I have absolutely no doubt that all the founding fathers would say 'that's in.'"
Not only would backdoors weaken encryption for everyone and be bad for business, said Beckstrom, but the United States should set a better example for the world, particularly if it expects better behavior from nations with lesser human rights records and democratic processes.