U.S. President Barack Obama signed an executive order Friday aimed at encouraging companies and organizations to share more information about cybersecurity threats with the government and each other.
The signing came as part of a White House-sponsored conference on cybersecurity and consumer protection at Stanford University in California. And its comes after President Obama earlier this year unveiled several new initiatives, totaling $14 billion, intended to tighten security and expand privacy initiatives. And it includes the creation of a so-caller Cyber Threat Intelligence Integration Center or CTIIC.
The agency would collect intelligence about cyber-threats provided by federal agencies as well as from private industry. That data in turn would be analyzed to create comprehensive threat assessments for all levels of government.
The move follows high-profile hack attacks against Sony Pictures Entertainment, Anthem Health Insurance, Target, Home Depot, EBay and JPMorgan Chase.
The proposal has its supporters as well as critics.
VOA reached out to David Ulevitch, chief executive officer of the cybersecurity firm Open DNS and to Robert Graham, a security developer and CEO of the cybersecurity firm Errata Security to hear their thoughts on whether the Obama administration’s efforts could make the U.S. more or less secure from cyber-attacks.
Q) What’s your sense of the CTIIC? Is it the right solution to the hacking problem? And if not, what would you suggest?
Ulevitch: “We’re seeing renewed attention and focus on trying to create information centers of collaboration. We see the creation of a number of different programs I think to, in general, raise awareness across different levels of government in terms of what cyber-risks are out there, to raise the bar for knowledge. The announcement of the creation of CTIIC is probably a very, very positive move in the right direction. One of the things that’s difficult in government is there’s a lot of different organizations that have differing views of the world, and differing views of cyber-intelligence. It sounds like this should create a forum for collaboration and information sharing, and that’s certainly a positive thing.”
Graham: “It’s just bureaucracy. It’s the same thing they’re already doing over at US-CERT (“Computer Emergency Readiness Team”), over at Homeland Security, which has failed. It’s pretty much another organization with the same mission. The government has proven itself to be technically incompetent. We experts can tell that; while they might have good people at US-CERT, the whole process, the whole organization, produces crap. It’s technically laughable sometimes, and that’s what we’ll get from CTIIC as well.”
Q) What are the most pressing cybersecurity risks at present, and how would you balance responsibilities between the public and private sectors?
Ulevitch: “The greatest risks are to the private sector right now. The financial ramifications of a serious attack could be quite devastating, making the risks of financial loss one of the most direct threats today, in part because they have real effect in the loss of money or data, but a chilling effect in terms of how people use the Internet as well.”
“We’re in an interesting period here. There are many private security companies that are pushing forward in terms of threat research and intelligence, even maybe in ways the clandestine services haven’t moved to yet. Finding ways to encourage information sharing more willingly between the private and public sector is crucial, and I think CTIIC will do that.”
Graham: “It depends on whether you describe risks as people or technical issues. If you’re looking at people, China is a big risk, while cyber-terrorists really aren’t so much of a problem. But if you’re speaking of technical issues, we’re not focusing on these.”
“The ways that Chinese hackers will pick into a government system are probably the same techniques they’ve been using for 10 years, such as SQL injection and phishing, which we just ignore. We don’t solve those issues. These are pretty straight forward – teenagers know how to exploit them and defend against them, yet we ignore them. We’re more focused on who’s doing the hacking rather than how the hacking happens.”
Q) The Obama administration has expressed concerns about the growing use of encryption, which FBI Director James Comey warned could lead to “a very dark place.” How do you see the encryption debate, and should governments be given backdoors into encrypted communications?
Ulevitch: “Encryption tools and techniques are being created everywhere, and most of them are open-source and available. The genie is out of the bottle, and I don’t necessarily think it’s a bad genie. The good guys benefit from the ability to protect their data the same as potential adversaries do. Encryption tools exist, and they’re only going to get better. The real question is what do you do in a world where much of the data is going to be encrypted? I think that’s like any other arms race, where you just raise the bar in terms of get at what you’re looking for, for patterns in the data where it doesn’t really matter whether the data is encrypted or not.”
“We saw this with the clipper chip some time ago. This seems to come up every five to 10 years – the idea that there can be some safe way to allow the government to decrypt data that would never fall into the hands of adversaries. That’s a provably a wrong statement over and over again, because every backdoor has been shown to create brittleness in the overall encryption frameworks. This is just a losing proposition.“
Graham: “Well if you want to live in a police state, then by all means agree with the administration. Which is more important to you: the government or other people? We live in a free society and we have a Constitution and a Bill of Rights that restrict the power of government. Encryption backdoors gives way too much power to the government to eavesdrop on us. Being able to encrypt our own data is a key civil right.”
“In the last couple years since the [National Security Agency contractor Edward] Snowden revelations, we’ve seen that government has been doing enormous amounts of monitoring and eavesdropping on the America people. Not only did we not know about it, we still can’t know about it. And the problem with encryption backdoors is that it allows the government to monitor people without their knowledge. “
Q) Beyond the public and private sectors, what are individuals’ responsibilities to addressing cyber-threats?
Ulevitch: “That’s a complex question. We know in security that education has generally not been successful for most people. But there are things people can do – two-factor identification, different passwords for different services. At the end of the day, the people who are storing the data, conducting the transactions, holding their health care information, those people are responsible to secure the data. The challenge in today’s landscape to have a secure posture and it’s even harder frankly to find the people who are qualified to know how to make that information secure.”
Graham: “None. What’s the responsibility for people who drive? Well, don’t crash into other people. But if you run off the road yourself, the only person you hurt is you. It’s the same for cyber-security. We all make trade-offs every day. ‘Well, I have to enter this password a lot of times, so I’ll just use a short one. But if someone guesses my easy password, I’m the one that pays the price.’ That’s the way it should be.”
“The police state mentality is that everyone must cater to what the police state says their responsibility is. If the government decrees you must have a 20 character password, you’re basically rendering the computer as unusable. “