The White House has been unable to get a bill passed by Congress to improve the cybersecurity of critical IT infrastructure in the US. Therefore, the administration has released a draft Executive Order (EO), essentially allowing the executive branch to out-flank the legislative branch of the US government. In this case, the EO closely follows a bill introduced in the Senate by Joe Lieberman (I-Conn.) and Susan Collins (R-Maine). In past security bills, cybersecurity has been placed under the Department of Homeland Security (DHS); this EO instead proposes that DHS determine which government agency has responsibility for each area of security. That may end up with DHS having complete responsibility, and that possibility has seriously concerned lawmakers and security experts.
Part of the EO asks industry to voluntarily submit cyber threat information to the government. In theory, this information could not be used for regulatory purposes or used against the companies that submit it. However, the EO does not offer any liability protection to those companies, and only Congress can do that.
The EO does not advocate any specific technology, nor even an approach to remediating or mitigating risks. On one hand, this is good, as the government is notoriously slow at approving specific products, with the approval time measured in years. In almost all cases, a product is obsolete before it is certified. On the other hand, it is not clear what value the EO can deliver without at least stating requirements that security solutions must meet.
The EO does not mandate anything; everything is voluntary. What it does is give the appearance that the government is “doing something” and could make it appear that congressional action is not necessary. The EO will add reporting and regulatory bureaucracy to business at an as yet unknown cost, but without any real benefit.
We do need a consistent security framework, especially for critical infrastructure like finance and energy generation and delivery. That framework should come from Congress, not the executive branch. It should also be carefully monitored to ensure that it does not actually decrease the security of these infrastructures by collecting protected data in yet another set of government databases. This is especially problematic, as the EO does not include any of the reforms to the Federal Information Security Management Act (FISMA) that were in the Senate bill. FISMA is the law that sets the security requirements for the federal government's own information systems, the systems that would hold this data.
This EO should not make you feel safe. You should not relax. You are still responsible for the security of your data, and it is you who will pay the price for any data breaches that occur.
In my view, there are three kinds of cyber warriors out there:
- Criminals, those after financial gain.
- Hacktivists.
These activist groups mount all-out, sophisticated attacks targeted at very specific individual organizations. They are not in it for the money, but to steal intellectual property or for the grief they can cause. They are vandals.
- G2G (government to government).
These are attacks planned and executed by one government against another government for political or military reasons. While these kinds of attacks have been going on for decades, they leapt to a new level with attacks like Stuxnet. Stuxnet proved that a cyber attack can do significant physical damage, not just corrupt or steal some data.
Each of these is dangerous. The criminals hit individuals and companies in the pocketbook, costing U.S. individuals over US$20B per year, and US$110B worldwide. The average cost to a company that is attacked is US$8.9M.
While only 2% of the breaches were by hacktivists, those breaches accounted for over half of the compromised records. Every company, government or other organization has probably irritated somebody. Simply being associated with a product, group or belief can be sufficient to end up in some group’s sights.
No business is safe, no matter how big or small it is. Over 70% of the successful attacks were against relatively small organizations with 100 or fewer employees. Criminals have changed their focus to opportunistic attacks against weaker targets. They find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale.
No person is safe. If you have a bank account or credit/debit card, drive a car, own a house or rent an apartment, fly commercial airlines, or have any financial transactions with government, you are vulnerable. That last category is huge. Even before Sandy arrived, over 20% of New York City residents were receiving food stamps. Also included are VA benefits, Social Security, Medicare, paying taxes, E-ZPass, …. Every one of these organizations is a target, and most have been successfully attacked.
How does the Cloud help? It helps by significantly reducing an organization’s risk. Almost all (94%) of compromised data involves web, application or database servers. These servers are often the first component that an organization moves to the Cloud.
Even more breaches (97%) can be avoided through simple or intermediate controls, such as keeping operating systems, network components, and other software up-to-date with all security patches. Cloud Service Providers are very good at these kinds of conceptually simple but potentially operationally difficult tasks. Managing IT is their core competency.
About seven-eighths of all breaches take weeks or months to discover, even though in most cases evidence of the breach was already sitting in the victim’s own logs. Cloud Service Providers have the staff, knowledge and processes to monitor these logs effectively, at least for the common types of attack.
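To make the point concrete: the evidence of the common attacks is usually right there in the web server's access log, and a provider (or anyone) who actually reads the log can spot them. The following is an added example, not code from the original article or from any provider; it scans constructed, combined-format log lines for three of the commonest patterns (SQL injection probes, directory traversal including double-encoded forms, and a password brute-force that ends in a successful login). The IP addresses, paths, user agents and the threshold of ten failed logins are illustrative assumptions.

```python
"""Added example: spotting common web attacks in access-log lines.

The log lines, addresses and thresholds below are constructed for
illustration; they do not come from any real system.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures applied to the URL-decoded request target.
SQLI_RE = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'|'\s*or\s+\d|;\s*(drop|delete)\b)")
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")

# Assumed login endpoint and brute-force threshold (illustrative values).
LOGIN_PATH = "/login"
FAILED_LOGIN_THRESHOLD = 10

# Constructed sample log: one benign client, one injection/traversal probe,
# and one client that fails to log in twelve times and then succeeds.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2012:10:00:02 +0000] "GET /products?id=1 HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Nov/2012:10:00:05 +0000] "GET /products?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 512 "-" "sqlmap/1.0"',
    '198.51.100.23 - - [10/Nov/2012:10:00:06 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 9981 "-" "sqlmap/1.0"',
    '198.51.100.23 - - [10/Nov/2012:10:00:07 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 210 "-" "curl/7.26"',
] + [
    f'192.0.2.44 - - [10/Nov/2012:10:01:{i:02d} +0000] "POST /login HTTP/1.1" 401 95 "-" "python-requests/1.0"'
    for i in range(12)
] + [
    '192.0.2.44 - - [10/Nov/2012:10:01:30 +0000] "POST /login HTTP/1.1" 200 4100 "-" "python-requests/1.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice so that double-encoded payloads (%252e -> %2e -> '.') are also caught.
    rec["decoded"] = unquote(unquote(rec["target"]))
    return rec


def scan(lines):
    """Run the signature and threshold checks over the lines; return a list of findings."""
    findings = []
    failed_logins = defaultdict(int)  # per-source-IP count of 401s on the login endpoint
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SQLI_RE.search(rec["decoded"]):
            findings.append({"kind": "sqli", "ip": rec["ip"], "detail": rec["decoded"]})
        if TRAVERSAL_RE.search(rec["decoded"]):
            findings.append({"kind": "traversal", "ip": rec["ip"], "detail": rec["decoded"]})
        if rec["method"] == "POST" and rec["decoded"].split("?")[0] == LOGIN_PATH:
            if rec["status"] == 401:
                failed_logins[rec["ip"]] += 1
            elif rec["status"] == 200 and failed_logins[rec["ip"]] >= FAILED_LOGIN_THRESHOLD:
                # A success after many failures is the signature of a brute force that worked.
                findings.append({"kind": "brute_force_success", "ip": rec["ip"],
                                 "detail": f"{failed_logins[rec['ip']]} failures before success"})
                failed_logins[rec["ip"]] = 0
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:20s} {f['ip']:15s} {f['detail']}")
```

Run as-is, the script flags two injection probes and one traversal attempt from 198.51.100.23 and one successful brute force from 192.0.2.44, and nothing from the benign client. Real monitoring would use a log pipeline and a maintained rule set rather than three regular expressions, but the lesson is the one the paragraph makes: the signal was in the logs all along, and the difference between weeks and minutes to discovery is whether somebody is looking.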
Often, moving to the Cloud does not increase security risk, but actually lowers it. The caveat is that the provider's patching and monitoring cover the layers it operates; your application code, its configuration and who is allowed to access it remain your responsibility, and a breach through any of those is still your breach.
The last word:
The US government has effectively admitted, through officials quoted in the press, that it is responsible for Stuxnet. This is probably a very bad thing to have done. It was bad to admit that we are responsible; the jury will be out for a decade or two on whether the act itself was a bad thing to have done. In addition to the proposed executive order discussed above, the US has committed to being a “good citizen” when it comes to cybercrime:
- The US is part of the G8, which in 1997 released a plan to combat cybercrime and protect data and systems from unauthorized impairment.
- The US signed and ratified the 2001 Council of Europe Convention on Cybercrime, the first international treaty aimed at Internet criminal behavior.
- The US government itself has passed at least nine laws since 1984 against cybercrime, and has authorized a number of government agencies to monitor and protect us, including the FBI, the National Infrastructure Protection Center, the National White Collar Crime Center, the Internet Fraud Complaint Center, the Computer Crime and Intellectual Property Section and the Computer Hacking and Intellectual Property Unit of the Department of Justice, the US Computer Emergency Readiness Team (US-CERT), and the CERT Coordination Center at Carnegie Mellon.
Yet one-fifth of all cybercrime originates in the US, clearly some of it directly conducted by the US government itself. It is hard to get sympathy when you cry “Wolf!” while you are a mountain lion.
On the other hand, “rules of war” are useless. No leader is honored for following the rules but losing the country. Nobody ever won a war by following the rules, but the winners do get to write the history.
Keep your sense of humor.