BreachExchange mailing list archives

Three Cybersecurity Alternatives if CISA Fails


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 9 Sep 2015 19:44:49 -0600

http://www.nextgov.com/cybersecurity/2015/09/three-cybersecurity-alternatives-if-cisa-fails/120449/

As senators return from recess to a heaping plate of legislative
priorities, a cybersecurity information-sharing bill that stalled
earlier this summer is competing for lawmakers' attention with debates
over the president's nuclear deal with Iran and the looming budget
deadline.

The Cybersecurity Information Sharing Act (CISA), along with the 22
amendments that will also get a vote when the bill comes up, is the
Senate's main push this session for a bill to address cybersecurity
shortcomings in both the government and the private sector. Two
similar bills have already passed the House.

Opponents of CISA, among them technologists, privacy advocates, and
pro-privacy lawmakers, have fought to delay the bill and would rather
see it dropped completely. But if CISA does get buried under the
Senate's packed schedule, experts say there are alternatives for
lawmakers looking for ways to improve cybersecurity through legislation.

"There are a bunch of other things they could be looking at, some of
which are very noncontroversial, don't involve privacy risks, and
could be low-hanging fruit," said Jake Laperruque, a program fellow at
New America's Open Technology Institute.

After hackers infiltrated computer systems at the White House, the
State Department, the Pentagon, and the Office of Personnel
Management, all within the last year, Congress began moving toward a
cybersecurity fix with more urgency.

The push for CISA has come in large part from the business community,
which has a lot to gain from the liability protections built into the
bill.

"The Protecting America's Cyber Networks Coalition strongly believes
that CISA is the only game in town on cybersecurity legislation," said
Matthew Eggers, senior director of national security programs at the
U.S. Chamber of Commerce, referring to a coalition of nearly 50 tech
associations. "No cyber bill comes close to capturing both the support
of virtually every economic sector and the White House."

But privacy advocates say lawmakers' near-exclusive focus on
information-sharing was premature.

"In the rush to act, Congress lost sight of all the other solutions,"
said Drew Mitnick, policy counsel at Access, a digital human-rights
organization.

Here are three alternatives to information-sharing that experts have
floated.

INCENTIVES FOR VULNERABILITY BUYBACKS

When a security researcher or a malicious hacker discovers a
vulnerability in a company's software or hardware, whether it's a
website, a sensitive database, or critical infrastructure, he or she
must decide what to do with the information. Security researchers will
often go straight to the company to notify it of the vulnerability.
Some companies are receptive to hearing about their security
shortfalls; others are much slower to respond.

But a hacker who is less interested in the company's well-being will
likely take a more profitable route, turning to the shadier corners of
the Internet to sell the vulnerability.

One way companies can keep bugs and vulnerabilities from appearing on
online black and gray markets is by paying the people who discover
them to report them directly. Some companies already run such
"bug bounty" programs. A number of tech companies offer upward of tens
of thousands of dollars for a serious vulnerability; United Airlines
recently became the first airline to introduce a bounty program,
announcing rewards of up to 1 million frequent-flier miles for bugs in
its websites and apps. But it specifically excluded from the program
research on the systems it treats as critical infrastructure, such as
the aircraft United flies. A bounty rarely matches what an exploit
broker will pay for the same bug; the programs work because they give
researchers a lawful, predictable path to report and be paid, not
because they outbid the gray market.

Tech experts say the government could incentivize bounty programs by
offering the private sector grants or tax write-offs for the purchases.

"If a company wants to pay to get a vulnerability off the black
market or the gray market, then we're going to help them do that and
encourage them to do that," said Laperruque.

CLARIFICATIONS OF ANTI-HACKING LAWS

Another way to encourage the security research that makes the private
sector safer is by clarifying and trimming down anti-hacking laws like
the Computer Fraud and Abuse Act (CFAA), tech activists say.

That law is used to prosecute hackers who make their way into
protected computer systems, but privacy advocates have long criticized
the law for being overly broad and discouraging legitimate security
research.

Lawmakers have tried in the past to cut the law down to size, with
bills like Aaron's Law, named after Aaron Swartz, the programmer and
Internet activist who took his own life while facing federal CFAA
charges for bulk-downloading academic articles. The bill would narrow
what counts as unauthorized access and so clarify when research on
vulnerabilities in public and private systems is lawful.

"Improving the law so that security experts can actually conduct
research without fearing prosecution" would be a boon to
cybersecurity, Mitnick said.

One proposed amendment to CISA, put forward by Sen. Sheldon
Whitehouse, would alter the computer-hacking law, but privacy
advocates are worried that the change would make security research
more difficult rather than easier.

AN END TO GOVERNMENT "STIGMATIZATION" OF ENCRYPTION

FBI Director James Comey has recently waged a public-relations war on
tech companies' encryption practices, railing against end-to-end
encryption in speeches and committee hearings.

Comey argues that strong encryption, which even the service provider
cannot unlock, is a threat to national security because it leaves law
enforcement blind to the communications of potential terrorists and
criminals. He has asked tech companies to build in a way to decode
encrypted communication that companies could use when asked by law
enforcement. Security experts have warned against such built-in
access: a mechanism that lets a provider decrypt customer data on
demand is itself a vulnerability, the keys or code that enable it
become a high-value target, and there is no technical way to restrict
its use to law enforcement once it exists.

Some lawmakers have taken up the pro-encryption fight. Reps. Will Hurd
and Ted Lieu, two computer scientists on the House Oversight
Committee, sent a letter to Comey in June condemning the FBI's stance
on the so-called "backdoors" that would allow law enforcement to
access encrypted communication.

The conflict over encryption has been detrimental to private-sector
cybersecurity, Mitnick says, because it discourages more businesses
from taking up the practice.

"The government should stop stigmatizing these strong security
measures," Mitnick said. "I think that would protect the government,
protect consumers, and protect businesses."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
