Cybersecurity: The Here and Now
Sam Ramer serves as General Counsel and Vice President of Government Affairs at Symplicity. Before joining Symplicity, Sam served as the Senior Majority Counsel on the U.S. House of Representatives Judiciary Committee, dealing with crime, terrorism, homeland security and investigations. At Symplicity, Sam oversees all of the company’s legal, government affairs, and compliance functions, including privacy issues. He also works closely with Symplicity’s clients and partners to address their critical cybersecurity, privacy and related issues.
October was National Cyber Security Awareness Month, and therein lies a problem. Cybersecurity is a 24-hour-a-day, 7-day-a-week, 365-day-a-year job for the United States at all levels of society. However, we have become accustomed to doling out awareness and fundraising to solve our problems in specific months of the year, as if they were seasonal beverages at Starbucks. The toll that cyber theft and cyber espionage take on our country and industrial infrastructure demands a persistent, habitual response, a way of integrating cybersecurity into our lives the way door locks, alarm systems and personal defense have become second nature to us.
The good news is that the United States has a long history of individual responsibility, and our culture of innovation can provide the tools necessary to make cybersecurity a much more manageable problem. The bad news is that these two factors can work against each other, with machine security not addressing, or even reducing, the role that individual responsibility can play. While Americans wait for government and industry to address cybercrime, the issue has become one of the greatest threats to our nation’s economy, even eclipsing that of terrorism.
I recently spoke with a prominent computer developer about assessing the security of a computer system. I asked him, “If you had to break into a system, absolutely HAD TO, what’s the first way you would do it?”
“Without a doubt, social hacking would be the first way I would go,” he said.
“Social hacking” is the simplest way for computer security to be compromised. Someone with an appetite for data befriends or cajoles an employee into providing access to a system. And then the hacker gets to work. It’s an old criminal tactic: Get the victim to open the door for you, and you can leave the burglar’s tools at home.
We blanch at the idea that someone could get access to our lives electronically, yet we hand our credentials to people all the time. Our passwords are rotated, our children watch us access our phones, our friends post to Instagram for us. Our computers have become virtual homes, and we often let others enter, and we trust them not to keep the keys for themselves.
Americans still expect that both government and private industry will make every effort to protect their networks from cybercrime. As cyber-attacks escalate on our financial and military systems, there is an expectation that Congress will pass legislation to help solve the problem. However, the strong reaction from privacy groups and the netroots makes any legislation that touches the internet problematic. Indeed, in the closing days of the 113th Congress, it is unlikely that any cyber legislation will pass. The most prominent cyber bill, the Cybersecurity Information Sharing Act (S.2588), has cleared committee, but it is doubtful there is enough time for the bill to receive floor consideration. Even if it did pass the Senate, there is no guarantee that the House would be willing to entertain a Democratic-written platform, especially since the next Congress looks better from the House leadership’s perspective. It’s well known that House and Senate leadership prefer an approach that favors national security, and the next Congress will be without Colorado Senator Mark Udall, a favorite of privacy-first advocates, who lost his campaign for re-election. In short, look to next year’s 114th Congress for the legislative process to begin anew to tackle what James Clapper, the Director of National Intelligence, has identified as the nation’s biggest threat.
While the debates continue in Congress, private industry continues to be criticized for the way it handles cybercrime, even while it primarily pays the price for intrusions. “60 Minutes” featured a story this week on the record number of cyber intrusions suffered by U.S. companies this year. The program called 2014 “the year of the data breach”, and highlighted the intrusions into Target and Home Depot stores.
The Target intrusion began when cyber-thieves gained access to the user name and password for systems belonging to one of Target’s vendors. Once the “social hack” was completed, the thieves had access to Target point-of-sale systems, installing malware that captured the credit card information of millions of customers. “60 Minutes” blamed industry, stressing that the time it takes, on average, for a business to discover a cyber-intrusion is 229 days. The National Federation of Retailers blamed magnetic stripe credit cards, the security experts blamed the retailers, and “60 Minutes” praised the efforts of companies like Apple and Google for creating new payment mechanisms to deter theft. Like most media outlets, the “60 Minutes” journalists clearly favored a machine solution.
But what security gives, security also takes away. Any effort by private industry to make its systems more private may help deter hackers, but the Government has deep concerns about the extent of new encryption in mobile devices and software. As software becomes more difficult to gain access to, it has also become harder for law enforcement agencies to collect evidence in criminal investigations. This is known as the “going dark” problem. For example, Apple has recently announced that it will encrypt its phone software. In response, FBI Director James Comey has been speaking publicly about how the FBI is struggling to keep up with changing technology, and how legislation is needed to make sure that the FBI has the ability to collect the communications it is authorized to intercept. Private industry might think that the FBI’s concerns will not affect its bottom line; it may be wrong. Last month, using the 225-year-old All Writs Act, the Justice Department asked a Federal magistrate in New York to force a phone manufacturer to assist the FBI in breaking into one of its password-protected phones. The magistrate granted the request. The more private companies encrypt their devices, the more the Government will ask courts to force the manufacturers to provide access, the way telephone companies currently must assist State and Federal agencies with wiretaps and pen registers. Is it easy to comply with hundreds or thousands of Government warrants and wiretap orders? Ask Verizon.
Colleges and universities face unique challenges in dealing with cybersecurity, but also provide some hope in training the next generation of information workers in basic cybersecurity practices. Universities may not operate the critical infrastructure of the country, but they do possess a vast amount of research data that must be protected. As we saw from the tragic case of Aaron Swartz, it was a simple matter for him to walk onto the MIT campus, find an unlocked equipment room, and gain access to millions of academic articles. Attacks can come remotely as well, as we saw in February, when more than 300,000 student identities were exposed in a cyber-intrusion at the University of Maryland.
Since there is such variety among universities and colleges throughout the U.S., it would be useful to have a broad framework to guide them in their efforts to secure their networks. Luckily, such a guideline exists: the new Framework for Improving Critical Infrastructure Cybersecurity, issued by the National Institute of Standards and Technology (NIST). The Framework is not a standard against which a university can be certified; rather, it is a complete cybersecurity approach, using industry best practices and standards. The Framework consists of several focus areas that can help colleges plan and achieve a more secure data network for their students:
The Framework Core presents a high-level, strategic view of how organizations should manage cybersecurity risk. The Core consists of five continuous Functions: Identify, Protect, Detect, Respond, Recover. Within each Function, the Core provides information on existing standards, guidelines and practices.
Framework Implementation Tiers (“Tiers”) describe how an organization views cybersecurity risk and the processes it has in place to manage that risk. The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.
A Framework Profile enables an organization to plan a cybersecurity outcome based on business needs. By combining the work done in the Core and Profile stages, an organization can identify its current profile and plan to move to its desired profile. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
While the Framework is voluntary and applies only to “critical infrastructure”, colleges can at least emulate the practices of industry and, in the process, train their students to think about cybersecurity in a personal way. The NIST Framework provides a flexible guide that universities can tailor to their individual needs, from the research university to the liberal arts college. In addition, should litigation follow a serious data breach, the Framework could be useful in convincing a court (or the next “60 Minutes” film crew) that the university takes cybersecurity seriously.
In the here and now, universities can play a national role in cyber defense. Higher education often strives to inculcate values and ethics in the next generation of leaders. It’s not too hard to imagine higher education making computer security the next social cause it champions, helping the country as it defends itself from cyber threats at home and abroad. If the “social network” was born on a college campus, it would seem fair for the “social hack” to be eliminated on one.