As Ashton Carter unveiled the Pentagon’s new Cyber Strategy last week, he underscored its importance by revealing that networks had been infiltrated by actors within Russia. The Defense secretary did not emphasize a provision of the strategy that could send private data about U.S. citizens and companies to foreign militaries.
Here’s what it says: “To improve shared situational awareness DOD will partner with DHS [Department of Homeland Security] and other agencies to develop continuous, automated, standardized mechanisms for sharing information with each of its critical partners in the U.S. government, key allied and partner militaries, state and local governments, and the private sector. In addition, DOD will work with other U.S. government agencies and Congress to support legislation that enables information sharing between the U.S. government and the private sector.”
The new strategy indirectly, but unequivocally, ties into information-sharing legislation that’s slowly making its way to the president’s desk. Among the various bills moving around Capitol Hill, the most important is the Cyber Information Sharing Act. Among other things, CISA would protect companies from being sued for sending data about their users to DHS, which would be permitted to send it in real time to DOD and other U.S. agencies and outfits. In turn, DOD’s new strategy claims the right to share cyberthreat data beyond the United States. Presumably, that would include information obtained via CISA.
In particular, the new strategy pledges DOD cyber assistance, including information sharing, to allies in the Middle East: “As a part of its cyber dialogue and partnerships, DOD will work with key Middle Eastern allies and partners to improve their ability to secure their military networks as well as the critical infrastructure and key resources upon which U.S. interests depend. Key initiatives include improved information sharing to establish a unified understanding of the cyber threat, an assessment of our mutual cyber defense posture, and collaborative approaches to building cyber expertise.”
For his part, the nation’s top cyber warrior is openly pleading for new info-sharing laws. “We’ve got to get cyber-information-sharing legislation passed,” Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, said earlier this month at an Armed Forces Communications and Electronics Association event. Rogers said his ability to share information with the FBI was key to fingering North Korea as the perpetrator of the Sony hack.
But if CISA or one of its cousins becomes law, what kind of information might fly from company servers to DHS to DOD and then around the world? Members of the privacy community describe the scope as incredibly broad.
Robyn Greene, who serves as policy counsel for the Open Technology Institute at the New America Foundation, argued that the bills would allow companies to collect and share a lot more information about the people that they interact with online. Moreover, there would be few limits on how the U.S. government could use that information. It could, for example, be used to investigate or prosecute crimes that have nothing to do with stopping hacks.
“This authorization would not just seriously undermine Americans’ Fourth Amendment rights, which would otherwise require the government to obtain a warrant based on probable cause to access much of that same information, it would create an expansive new means of general-purpose government surveillance. (Sec. 5(d)(5)(A)),” she wrote.
Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, has made similar arguments. “Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted. … It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information.”
Whether that sharing presents a vulnerability or a security solution depends on the information moving back and forth. But there’s no doubt that sharing some information specifically relevant to cyberattacks can help shore up defenses. Furthermore, liability protections and legislation could facilitate more of that sharing. “Cyber-information-sharing is critical to thwarting attacks,” said Chris Smith, who directs cyber strategy at the SAS Institute. “The reason … that people weren’t doing it was because it wasn’t easy. … There are privacy issues, but it might be related to intellectual property as well.
“With the constantly changing variants of cyberattacks, organizations can no longer simply rely on the known attack vectors or attack profiles that existing solutions focus on,” Smith said. He said an organization must look at data “at multiple different levels and in multiple different combinations” if it is to tell normal from abnormal behavior. In this context, multiple levels could be understood as across a variety of partnerships.
Is there a way to improve information-sharing without throwing the data doors wide open? Greene said CISA could be helped by limiting sharing to only that data relevant to cyberthreats, and not, for instance, investigations into other criminal activity. She also suggested limiting the broad liability protections by giving consumers some way to seek recourse for damages done by information-sharing.
Others say that better sharing of certain kinds of information would help predict cyberthreats without particularly imperiling privacy or constitutional rights.
Matt Kodama of the cyber-intelligence and predictive-analytics group Recorded Future told Defense One that one of the simplest and most straightforward indicators of a potential cyberattack is strange behavior among administrators. “After attackers break into a network, they need to avoid detection, get to their real target, and carry out the cyber crime. They might do this with lots of high-tech tricks, but there’s a much easier way. If the attacker can gain access to a user account with lots of access rights, like a computer administrator, they will be able to move right past all the alarms and defenses. … However, the behavior of that user account, once it’s been hijacked by a cyber attacker, will be unusual. The user account is allowed to take those actions, but on any regular day the person using that user account doesn’t do all of those things. That’s the ‘user behavior’ that can tip off the defenders,” Kodama said.
Since companies don’t usually grant administrator privileges to the people who use their services, sharing information about admin behavior could be one way to improve situational awareness without endangering user privacy.
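The kind of admin-behavior check Kodama describes, as an added illustration that is not from the article or from Recorded Future: it baselines each administrator account's routine actions and daily volume from constructed audit-log lines, ignores ordinary user accounts entirely, and flags permitted-but-unusual admin activity.

```python
from collections import defaultdict

# Constructed audit log lines (not from the article): "<date> <account> <role> <action>".
BASELINE_LOG = """
2015-04-20 alice admin read_mailbox_config
2015-04-20 alice admin reset_user_password
2015-04-21 alice admin read_mailbox_config
2015-04-21 alice admin reset_user_password
2015-04-22 alice admin read_mailbox_config
2015-04-22 bob user read_own_mail
"""
TODAY_LOG = """
2015-04-23 alice admin read_mailbox_config
2015-04-23 alice admin export_all_mailboxes
2015-04-23 alice admin export_all_mailboxes
2015-04-23 alice admin export_all_mailboxes
2015-04-23 alice admin create_admin_account
2015-04-23 bob user read_own_mail
"""

def parse(log):
    """Yield (date, account, role, action) tuples from the simple text log."""
    for line in log.strip().splitlines():
        yield tuple(line.split())

def build_baseline(log):
    """Per admin account: its usual set of actions and mean actions per day.
    Ordinary user accounts are skipped, so no end-user activity is modelled."""
    actions, per_day = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for date, account, role, action in parse(log):
        if role == "admin":
            actions[account].add(action)
            per_day[account][date] += 1
    return {a: (actions[a], sum(per_day[a].values()) / len(per_day[a])) for a in actions}

def detect(baseline, log, spike_factor=2.0):
    """Flag admin accounts performing actions they never did before, or far
    more actions than usual: permitted operations, but not that account's routine."""
    alerts, today = set(), defaultdict(int)
    for _, account, role, action in parse(log):
        if role != "admin" or account not in baseline:
            continue
        today[account] += 1
        if action not in baseline[account][0]:
            alerts.add((account, "novel_action", action))
    for account, count in today.items():
        if count > spike_factor * baseline[account][1]:
            alerts.add((account, "volume_spike", str(count)))
    return sorted(alerts)
```

The alerts name only the administrator account and the action type, which is the sort of indicator the paragraph above suggests could be shared without exposing end-user data.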
Another warning sign is the uploading of large files, especially ones that contain lots of mystery code with no clear purpose. Sophisticated defenses will attempt to open such files in a sandbox, a walled-off portion of a machine or network, so that any infection they carry can’t spread.
But more and more cutting-edge viruses can detect when they are being sandboxed, and goofy admin behavior can be a lagging indicator of a major intrusion, not a predictive one. Those who argue for sharing more information say that CISA doesn’t go far enough to encourage sharing the kind of data that will help the government fight off ever more sophisticated online attacks.
A recent Congressional Research Service report by Eric Fischer found that the bills in question don’t offer much incentive for companies to actually share user data. Liability protections, in other words, are not a carrot but the absence of a stick.