Cybersecurity

Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s interesting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.
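To make the contrast concrete, here is an added example (not code from the post) of the narrow record General Alexander describes: a scan that matches a signature against message content but emits only the signature name, source IP, destination IP and time, never the message itself. The signature patterns, IP addresses and messages are all constructed for the example.

```python
"""Added example: the 'signature A, IP address, IP address' record described in
the post, produced by scanning constructed sample messages.  Not code from the
post; signatures, addresses and message bodies are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    src_ip: str
    dst_ip: str
    received_at: str   # ISO-8601 timestamp, constructed
    body: bytes        # full content; never copied into a sharing record


# Hypothetical signatures: a name mapped to the byte pattern the antivirus
# vendor "mapped out" of the malware.  Patterns are constructed, not real.
SIGNATURES = {
    "A": b"MZ\x90\x00BADMACRO",
    "B": b"<script>eval(unescape(",
}

# The only fields the post says the General asked for.
SHAREABLE_FIELDS = ("signature", "src_ip", "dst_ip", "timestamp")


def match_signatures(msg: Message, signatures=SIGNATURES):
    """Return the names of every signature whose pattern occurs in the body."""
    return [name for name, pattern in signatures.items() if pattern in msg.body]


def sharing_records(messages, signatures=SIGNATURES):
    """Produce one minimal record per (message, matched signature).

    Messages with no match produce nothing, so clean traffic is never shared,
    and the body is deliberately absent from every record.
    """
    records = []
    for msg in messages:
        for name in match_signatures(msg, signatures):
            records.append({
                "signature": name,
                "src_ip": msg.src_ip,
                "dst_ip": msg.dst_ip,
                "timestamp": msg.received_at,
            })
    return records


def is_minimal(record):
    """True when a record carries exactly the four shareable fields and nothing else."""
    return tuple(record) == SHAREABLE_FIELDS


SAMPLE_MESSAGES = [  # constructed traffic, not real data
    Message("198.51.100.7", "203.0.113.20", "2013-04-16T09:12:00Z",
            b"Quarterly report attached\nMZ\x90\x00BADMACRO..."),
    Message("198.51.100.8", "203.0.113.21", "2013-04-16T09:13:00Z",
            b"Lunch on Thursday?"),
    Message("198.51.100.9", "203.0.113.20", "2013-04-16T09:14:00Z",
            b"<html><script>eval(unescape('%75'))</script>"),
]

if __name__ == "__main__":
    for rec in sharing_records(SAMPLE_MESSAGES):
        print(rec)
```

The second, clean message yields no record at all, and `is_minimal` is the check a reviewer would run on anything leaving the network: if a record carries any field beyond those four, it is already broader than what the General asked for, and the CISPA categories quoted above would permit far more.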

Marc Hochstein, Executive Editor of American Banker, a leading media outlet covering the banking and financial services community, discusses bitcoin.

According to Hochstein, bitcoin has made its name as a digital currency, but the truly revolutionary aspect of the technology is its dual function as a payment system competing against companies like PayPal and Western Union. While bitcoin has been in the news for its soaring exchange rate lately, Hochstein says the actual price of bitcoin is really only relevant for speculators in the short-term; in the long-term, however, the anonymous, decentralized nature of bitcoin has far-reaching implications.

Hochstein goes on to talk about the new market in bitcoin futures and some of bitcoin’s weaknesses—including the volatility of the bitcoin market.


Andy Greenberg, technology writer for Forbes and author of the new book “This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim to Free the World’s Information,” discusses the rise of the cypherpunk movement, how it led to WikiLeaks, and what the future looks like for cryptography.

Greenberg describes cypherpunks as radical techie libertarians who dreamt about using encryption to shift the balance of power from the government to individuals. He shares the rich history of the movement, contrasting one of the movement’s founders—hardcore libertarian Tim May—with the movement’s hero—Phil Zimmermann, an applied cryptographer and developer of PGP (the first tool that allowed regular people to encrypt), a non-libertarian who was wary of cypherpunks, despite advocating crypto as a tool for combating the power of government.

According to Greenberg, the cypherpunk movement did not fade away, but rather grew into a larger hacker movement; he cites the Tor network, bitcoin, and WikiLeaks as examples of its continuing influence. Julian Assange, founder of WikiLeaks, belonged to a listserv followed by early cypherpunks, though he was not very active at the time, he says.

Greenberg is excited for the future of information leaks, suggesting that the more decentralized process becomes, the faster cryptography will evolve.


A market has developed in which specialized firms discover new vulnerabilities in software and sell that knowledge for tens or hundreds of thousands of dollars. These vulnerabilities are known as “zero day exploits” because there is no advance knowledge of them before they are used. In this blog post, we recognize that this market may require some kind of action, but reject simplistic calls for “regulation” of suppliers. We recommend focusing on the demand side of the market.

Although there is surprisingly little hard evidence of its scope and scale, the market for vulnerabilities is considered troublesome or dangerous by many. While the bounties paid may stimulate additional research into security, it is the exclusive and secret possession of this knowledge by a single buyer that raises concerns. It is clear that when someone other than the software vendor pays $100,000 for a zero-day they are probably not paying for defense, but rather for an opportunity to take advantage of someone else’s vulnerability. Thus, the vulnerabilities remain unpatched. (Secrecy also makes the market rather inefficient; it may be possible to sell the same “secret” to several buyers.)

The supply side of the market consists of small firms and individuals with specialized knowledge. They compete to be the first to identify new vulnerabilities in software or information systems and then bring them to buyers. Many buyers are reputed to be government intelligence, law enforcement or military agencies using tax dollars to finance purchases. But we know less about the demand side than we should. The point, however, is that buyers are empowered to initiate an attack, a power that even legitimate organizations could easily abuse.

Insofar as the market for exploits shifts incentives away from publicizing and fixing vulnerabilities toward competitive efforts to gain private, exclusive knowledge of them so they can be held in reserve for possible use, the market has important implications for global security. It puts a premium on dangerous vulnerabilities, and thus may put the social and economic benefits of the Internet at risk. While the US might think it has an advantage in this competition, as a leader in the Internet economy and one of the most cyber-dependent countries, it also has the most to lose.

Unfortunately, so far the only policy response proposed has been vague calls for “regulation.” Chris Soghoian in particular has made “regulation” the basis of his response, calling suppliers “modern-day merchants of death” and claiming that “Security researchers should not be selling zero-days to middle man firms… These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain.”

Such responses, however, are too long on moral outrage and too short on hard-headed analysis and practical proposals. The idea that “regulation” can solve the problem overlooks major constraints:


In our 2011 law review article, Tate Watkins and I warned: “[A] cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve not only to supply cybersecurity solutions to the federal government, but to drum up demand for those solutions as well.”

In The Hill today, Kevin Bogardus writes under the headline “K St. ready for cybersecurity cash grab”:

The cybersecurity push has drummed up work for influence shops downtown. There have been more than a dozen lobbying registrations for clients that mention “cybersecurity” since Election Day, according to lobbying disclosure records.

Robert Efrus, a long-time Washington hand, is one of many lobbyists working the issue.

“It is a growing niche on K Street,” Efrus said. “I think there are a lot of new players that are seeing action with the executive order and legislation being worked on in Congress, not forgetting the funding opportunities. A lot of tech lobbyists have upped their involvement in cyber for sure.” …

“From a lobbying perspective, with everything else going south, this is one of the few positive developments in the whole federal policy arena,” said Efrus[.] …

Lobbyists note that cybersecurity is one of the few areas where budget-conscious lawmakers are looking to spend.

Cybersecurity is officially government’s growth sector.

Marc Ambinder has some phenomenal reporting in Foreign Policy today about how the NSA assists companies that are the victims of (usually Chinese) cyberespionage. It is a must read.

One thing we learn: “Cyber-warfare directed against American companies is reducing the gross domestic product by as much as $100 billion per year, according to a recent National Intelligence Estimate.” That is just slightly more than half a percent of GDP, which puts the scope of the threat in perspective.

The most interesting thing, though, is this:

In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China’s cyber-espionage program, according to a U.S. intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks.

Press reports have indicated that the Obama administration plans to give certain companies a list of domain names China is known to use for network exploitation. But the coming effort is of an entirely different scope. These are American state secrets.

Very little that China does escapes the notice of the NSA, and virtually every technique it uses has been tracked and reverse-engineered. For years, and in secret, the NSA has also used the cover of some American companies – with their permission – to poke and prod at the hackers, leading them to respond in ways that reveal patterns and allow the United States to figure out, or “attribute,” the precise origin of attacks. The NSA has even designed creative ways to allow subsequent attacks but prevent them from doing any damage. Watching these provoked exploits in real time lets the agency learn how China works.

Will you look at that? Information sharing between the government and the private sector without liability protection. Even more than information sharing, it seems some businesses are allowing the NSA to monitor their systems.

As I’ve said before, there is nothing preventing the government from sharing information about cyberattacks with the private sector. Legislation isn’t required to allow that. As for businesses sharing information with government, they too are free to do so. The only question is whether they should get a free pass for violating contracts or breaking the law when they share in the name of security. I think that would be a mistake.

As Ambinder points out, “the NSA’s reputation has been tarnished by its participation in warrantless surveillance[.]” People don’t trust the NSA with good reason. Security is important, but so are civil liberties. Removing the possibility of liability would also remove any incentive companies might have to be a check on what information the NSA collects. Ambinder writes that given their experience with the warrantless wiretapping program, today “telecoms are wary of cooperating with the NSA beyond the scope of the law.” That’s as it should be. Do we really want to give companies cover to cooperate with the NSA beyond the scope of the law?

According to Ambinder, the NIE suggests “that the NSA will have to perform deep packet inspection on private networks at some point.” (This is the so-called EINSTEIN 3 system.) This doesn’t sound like a good idea, but if it is to happen, it should be debated in public. Liability protection might allow businesses to let the NSA employ the system in secret.

Today, the House Science Committee is holding a hearing on “Cyber R&D Challenges and Solutions.” Under consideration is a bill reintroduced by Rep. Mike McCaul that takes numerous steps purported to increase the network security workforce. The bill passed overwhelmingly last year.

I have no doubt that, as we move more of our lives online, we need to draw more people into computer security. But just as we need more network security professionals, we need more programmers, geneticists, biomedical engineers, statisticians, and countless other professions. We will also continue to need some number of doctors, lawyers, mechanics, plumbers, and grocery clerks. Does it make sense to introduce legislation to fine-tune the number of practitioners of every trade?

Of course not. Which raises the question: what is so special about computer security? And the answer, I think, is “nothing is so special about computer security.” More people will get trained in computer security if the returns to doing so are higher, and fewer people will get trained in computer security if the returns to doing so are lower. Entry into the computer security business is simply a function of supply and demand.

The Washington Post reports, “The median salary for a graduate earning a degree in security was $55,000 in 2009, compared with $75,000 for computer engineering.” Is it any surprise, then, that more smart, tech-savvy students have pursued the latter route in recent years?

Intervening in a market that shows no signs of failing can have lots of unintended consequences. Most obviously, subsidies would run the serious risk of drawing *too many* workers into the computer security workforce. Those workers might find that they spent years investing in specialized skills without as much of a payoff as they expected. Tinkering could also affect the composition of people drawn into the field, with ill effect, for example by lowering the equilibrium salary and reducing the incentive for those with natural talent and without the need for training to work in security.

The bottom line is that a shortage of a particular kind of worker is a problem that solves itself. As salaries for security workers get bid up, more people will get training in security. The supply and demand dynamic is completely sufficient to get people into the correct professions in sufficient numbers.

The McCaul bill works through various subsidies and governmental reports to try to accomplish the same thing that the market would do if left to operate on its own. If the government wants to hire more computer security professionals, let them pay the money needed to draw people into this field. But let’s not jump through needless hoops to accomplish what should really be a straightforward task.

[Good question in *The Economist*](http://www.economist.com/news/international/21567886-america-leading-way-developing-doctrines-cyber-warfare-other-countries-may) from December of last year, before all the Mandiant madness:

> As Mr Libicki asks, “what can we do back to a China that is stealing our data?” Espionage is carried out by both sides and is traditionally not regarded as an act of war. But the massive theft of data and the speed with which it can be exploited is something new. Responding with violence would be disproportionate, which leaves diplomacy and sanctions. But America and China have many other big items on their agenda, while trade is a very blunt instrument. It may be possible to identify products that China exports which compete only because of stolen data, but it would be hard and could risk a trade war that would damage both sides.

Given what China-U.S. relations are today, it’s not clear there are any good options. This situation reminds me of [America’s early history of piracy](http://www.victorianweb.org/authors/dickens/pva/pva75.html). Until China is better integrated into the global order, the executive is going to have quite a challenge on his hands.

Politicians from both parties are now saying that although President Obama took comprehensive action on cybersecurity through executive order, we still need legislation. Over at TIME.com I write that no, we don’t.

Republicans want to protect businesses from suit for breach of contract or privacy statute violations in the name of information sharing, but there’s no good reason for such blanket immunity. Democrats would like to see mandated security standards, but top-down regulation is a bad idea, especially in such a fast-moving area. But as I write:

>Yet guided by their worst impulses – to extend protections to business, or to exert bureaucratic control – members of Congress will insist that it is imperative they get in on the action.

>If they do, they will undoubtedly be saddling us with a host of unintended consequences that we will come to regret later.

The executive order does most of what Congress failed to do in its last session. What Congress could add now is unnecessary and likely pernicious. The executive order should be given time to work. Only then will Congress know if and how it might need to be “strengthened.”

Gabriella Coleman, the Wolfe Chair in Scientific and Technological Literacy in the Art History and Communication Studies Department at McGill University, discusses her new book, “Coding Freedom: The Ethics and Aesthetics of Hacking,” which has been released under a Creative Commons license.

Coleman, whose background is in anthropology, shares the results of her cultural survey of free and open source software (F/OSS) developers, the majority of whom, she found, shared similar backgrounds and world views. Among these similarities were an early introduction to technology and a passion for civil liberties, specifically free speech.

Coleman explains the ethics behind hackers’ devotion to F/OSS, the social codes that guide its production, and the political struggles through which hackers question the scope and direction of copyright and patent law. She also discusses the tension between the overtly political free software movement and the “politically agnostic” open source movement, as well as what the future of the hacker movement may look like.
