BreachExchange mailing list archives

The Need for Private-Public Partnerships Against Cyber Threats -- Why A Good Offense May be Our Best Defense.


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sat, 2 Jan 2016 19:46:31 -0700

http://www.huffingtonpost.com/daniel-garrie/the-soft-power-war-isis-d_b_8818866.html

The Internet has delivered on its promise of social and economic progress.
Unfortunately, it has also delivered unprecedented opportunities for
scaling global conflict, terrorism, criminal activity, state and industrial
espionage and vandalism. These risks continue to expand.

Cybersecurity is a multidimensional problem that transcends the risk
management and response capabilities of any single enterprise, industry, or
sector. No enterprise, industry or sector has an answer or even a claim to
superiority regarding cybersecurity threats. There is a simple operational
premise that informs expert thinking about our exposure to the risks of
cyber-attacks. "If you can imagine it, they can do it. And even if you
can't imagine it, they have -- and are working on it."

The costs of cyber attacks--financial, legal and reputational--for
organizations, businesses, and government agencies are growing at an
alarming rate. The consensus annual cost of cyber-attacks to the global
economy is around $445 billion. Even the most sophisticated enterprises
know that it is not a matter of "if" they will be hit, but when and how
bad. This means our money, intellectual property, private communications,
market sensitive data, and identities remain at constant risk.

To paraphrase FBI Director, James Comey:

"There are only 2 kinds of companies left in the world--those that have
been hacked and those that don't yet know they've been hacked. No one is
safe. Unfortunately, there is no simple fix --no app for that--not even
adequate insurance."

The fact of the matter is that the solution to the problem of growing cyber
threats is not simply a technology "patch". Cybersecurity has never really
been a technology question to begin with. Technology and its digital
portals are simply the newest conduits for a widening range of individual,
group and state-sponsored actors seeking the familiar criminal and
geopolitical ends of theft, fraud, espionage, extortion and destruction.
Playing only defense against the sources of cyber threats has proven to be
an expensive zero-sum game of Whack-a-Mole.

In today's highly competitive global economy, it is not realistic to expect
companies to stand idly by while their business interests are attacked and
their resources are drained. Corporations may legally take defensive
protective measures provided they are strictly defensive--and, hence, do
not violate existing international or domestic law. These measures may also
include remediation tools such as disinformation and so-called "honeypots".

It must be reiterated, however, that a corporation has to take great care
in conducting cyber operations as the law clearly does not allow a company
to initiate cyber hostilities. As most corporate lawyers lack the technical
aptitude to properly attribute a cyber incident or to understand the
appropriate response, their advice in the face of hostilities should err on
the side of caution. Given the legal restraints, the best and default
response to cyber hostilities is for a corporation to contact the
government to respond on its behalf.

Of course this requires a strong partnership between the government and the
private sector. Unfortunately, in the United States this partnership is in
its infancy and is complicated by a host of problems including: distrust
between the private and public sector, corporate reputational concerns,
potential liability caused by a cyber incident, and sensitivity of
operating in a global economy. This set of difficulties incentivizes both
public and private actors to look only after their own interests, withhold
critical information, and make decisions without consultation. As a result,
the response to any cyber hostilities typically leaves the victimized
corporation damaged, unsatisfied, and frustrated. See, e.g., Devlin Barrett
& Danny Yadron, Sony, U.S. Agencies Fumbled After Hacking, WALL ST. J.,
Feb. 23, 2015, at B1.

The government is aware of this problem and has taken steps to better
coordinate a response to hostile cyber activities, while simultaneously
promoting information sharing between the public and private sectors.
Already, we have witnessed the beginnings of a potential "game-change".
Although exact details have yet to be revealed, the U.S. government has
signaled a willingness to consider offensive counter-measures against a
state or state-sponsored actor (as was the case with Sony), terrorist
group, or other threat to industry and infrastructure. On February 25, 2015
the Director of National Intelligence, as ordered by the President,
established the Cyber Threat Intelligence Integration Center (CTIIC). See
Fact Sheet: Cyber Threat Intelligence Integration Center, whitehouse.gov
(Feb. 25, 2015). The CTIIC, intended to be "a national intelligence center
focused on 'connecting the dots' regarding malicious foreign cyber threats
to the nation and cyber incidents affecting U.S. national interests," has
the mission of assisting "relevant departments and agencies in their
efforts to identify, investigate, and mitigate those threats." Id.
Additionally, on February 13, 2015 the President issued an Executive Order
to promote private sector cybersecurity cooperation by authorizing greater
intelligence sharing while protecting business confidentiality. See
Executive Order--Promoting Private Sector Cybersecurity Information
Sharing, Feb. 13, 2015.

While these efforts are a significant step in the right direction, there is
far more that needs to be done in responding to the ever-growing cyber
threat to corporations.

Cybercrime remains a "virtually" perfect crime and act of war. It is low
risk and high reward. It is agile, cheap and remotely scalable. It
constantly evolves as technology evolves such that law enforcement
officials wind up responding to outdated threats. Victims have little or no
recourse. Cybercrime in many ways does not fit within our current legal and
law enforcement framework for domestic and international crime. Laws,
courts, treaties and international boundaries have little efficacy in
limiting cyber tactics, weapons and the targeting of civilians. Easily
disguised and launched from safe havens, cybercrime carries little risk of
detection, prevention, apprehension or punishment. With so much to gain and
so little to lose, why stop?

A robust public-private cyber partnership is needed--one that will consider
more radical ideas. For example, a corporation that is the victim of a
cyber incident must feel comfortable disclosing information with the
government. On the other hand, a corporation that shares information with
the government may face irreparable damage to its reputation and immense
present or future customer claims through its disclosure. Only by
creating a confidential reporting mechanism coupled with limiting financial
liability will corporations be willing to openly report a cyber incident.

One possibility is to adopt a regulatory regime similar to that imposed on
financial institutions following the passage of the Patriot Act. Currently,
a financial institution must notify the Financial Crimes Enforcement
Network (FinCEN) of any transactions suggestive of criminal behavior, money
laundering, or terrorist financing by filing a suspicious activity report
(SAR). See The SAR Activity Review, By the Numbers, 8 FINCEN (June 2007).
To encourage this reporting the Bank Secrecy Act (BSA) was instituted to
prohibit "financial institutions from disclosing the contents of a SAR or
even its existence." See 31 U.S.C. §5318(g)(2)(A)(i). Other banking
regulations provide a "safe harbor" and "expand this confidentiality
privilege and shield financial institutions from liability for reporting
such activity." 12 C.F.R. §21.11(k) and 31 U.S.C. §5318(g)(3).

By shielding SAR reporting activity from "discovery in civil litigation"
and limiting the financial liability of a corporation that reports
suspicious activity, information sharing dramatically increased between
financial institutions and regulators. This regulatory model is useful for
those interested in increasing public-private information sharing involving
cyber incidents as corporations have the same concerns as financial
institutions when they file a SAR.

Another possibility is to expand the powers of the Federal Intelligence
Surveillance Court (or FISC) to allow companies to petition for a
government response to cyber offenses committed against their interests.
Presently in the United States the FISC is responsible for issuing warrants
for domestic surveillance of suspected foreign operatives in the United
States. See Foreign Intelligence Surveillance Court, ALLGOV.com.

But imagine a scenario whereby an American corporation in the aerospace
industry is hacked and all investigations point to the responsible party
being an agent of a sovereign nation. While the corporation may be able to
recover fiscally through insurance policies, the damage caused by the hack
to the company may be of permanent significance. Currently, there are few
options for the victimized corporation. But with an expansion of the FISC,
the aggrieved corporation would be able to petition a government body for
redress. The government body, acting on behalf of the corporation, would
make a special appeal for emergency action. If the expanded FISC agreed
that action was necessary, the government actor would be permitted to take
action against the sovereign nation with impunity. One possible variant of
this idea would be to create a stand-alone cyber court to provide judicial
oversight of the response rather than adding cyber jurisdiction to the FISC.

These two relatively unexplored recommendations are not intended to be a
panacea for the corporate cyber problem but rather illuminate the need for
creativity in developing a response strategy. It will take unorthodox
solutions to remove the disincentives currently inhibiting the
public-private partnership. Yet, the importance of enhancing this
public-private partnership cannot be overstated and is of utmost importance
for both corporations and the national security of the United States.
Neither corporations nor the government can afford to remain static as the
speed and ferocity of cyber hostilities, in particular those launched by
state actors against private companies, are the new normal. Former U.S.
Secretary of Defense Leon Panetta succinctly summarized both the
opportunities and threats created by the increased dependence on cyber
operations when he stated in New York City on October 12, 2012 to the
Business Executive for National Security:

"Cyberspace is the new frontier, full of possibilities to advance security
and prosperity in the 21st century. And yet, with these possibilities, also
come new perils and new dangers. The Internet is open. It's highly
accessible, as it should be. But that also presents a new terrain for
warfare. It is a battlefield of the future where adversaries can seek to do
harm to our country, to our economy, and to our citizens. But the even
greater danger -- the greater danger facing us in cyberspace goes beyond
crime and it goes beyond harassment. A cyber attack perpetrated by nation
states [or] violent extremist groups could be as destructive as the
terrorist attack on 9/11. Such a destructive cyber-terrorist attack could
virtually paralyze the nation."

While the importance of cyberspace is obvious, the sobering truth is that
cyber hostilities discussed by Mr. Panetta are now a reality. This could
not be more clearly demonstrated than by the actions of North Koreans
against Sony or the attack upon the U.S. Office of Personnel Management
(OPM).

It is time to stop reacting to these attacks and instead proactively
develop a comprehensive response strategy built upon a corporate-government
partnership.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
