As Ashton Carter unveiled the Pentagon’s new Cyber Strategy last week, he underscored its importance by revealing that DOD networks had been infiltrated by actors within Russia. The defense secretary did not emphasize a provision of the strategy that could send private data about U.S. citizens and companies to foreign militaries.
Here’s what it says: “To improve shared situational awareness DOD will partner with DHS [Department of Homeland Security] and other agencies to develop continuous, automated, standardized mechanisms for sharing information with each of its critical partners in the U.S. government, key allied and partner militaries, state and local governments, and the private sector. In addition, DOD will work with other U.S. government agencies and Congress to support legislation that enables information sharing between the U.S. government and the private sector.”
The new strategy indirectly, but unequivocally, ties into information-sharing legislation that’s slowly making its way to the President’s desk. Among the various bills moving around Capitol Hill, the most important is the Cybersecurity Information Sharing Act. Among other things, CISA would protect companies from being sued for sending data about their users to DHS, which would be permitted to send it in real time to DOD and other U.S. agencies and outfits. In turn, DOD’s new strategy claims the right to share cyber threat data beyond the United States. Presumably, that would include information obtained via CISA.
In particular, the new strategy pledges DOD cyber assistance, including information sharing, to allies in the Middle East. “As a part of its cyber dialogue and partnerships, DOD will work with key Middle Eastern allies and partners to improve their ability to secure their military networks as well as the critical infrastructure and key resources upon which U.S. interests depend. Key initiatives include improved information sharing to establish a unified understanding of the cyber threat, an assessment of our mutual cyber defense posture, and collaborative approaches to building cyber expertise.”
For his part, the nation’s top cyber warrior is openly pleading for new info-sharing laws. “We’ve got to get cyber-information sharing legislation passed,” Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, said earlier this month at an Armed Forces Communications and Electronics Association event. Rogers said his ability to share information with the FBI was key to fingering North Korea as the perpetrator of the Sony hack.
But if CISA or one of its cousins becomes law, what kind of information might fly from company servers to DHS to DOD and then around the world? Members of the privacy community describe the scope as incredibly broad.
Robyn Greene, who serves as policy counsel for the Open Technology Institute at the New America Foundation, argued that the bills would allow companies to collect and share a lot more information about the people that they interact with online. Moreover, there would be few limits on how the U.S. government could use that information. It could, for example, be used to investigate or prosecute crimes that have nothing to do with stopping hacks.
“This authorization would not just seriously undermine Americans’ Fourth Amendment rights, which would otherwise require the government to obtain a warrant based on probable cause to access much of that same information, it would create an expansive new means of general-purpose government surveillance. (Sec. 5(d)(5)(A)),” she wrote.
Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, has made similar arguments. “Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted … It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information.”
Whether that sharing presents a vulnerability or a security solution depends on the information moving back and forth. But there’s no doubt that sharing some information specifically relevant to cyber attacks can help shore up defenses. Furthermore, liability protections and legislation could facilitate more of that sharing. “Cyber information sharing is critical to thwarting attacks,” said Chris Smith, who directs cyber strategy at the SAS Institute. “The reason … that people weren’t doing it was because it wasn’t easy…There are privacy issues, but it might be related to intellectual property as well.”
“With the constantly changing variants of cyber-attacks, organizations can no longer simply rely on the known attack vectors or attack profiles that existing solutions focus on,” Smith said. He said an organization must look at data “at multiple different levels and in multiple different combinations” if it is to tell normal from abnormal behavior. In this context, “multiple levels” can be read to include data drawn from a variety of partners, not just from one organization’s own network.
Is there a way to improve information-sharing without throwing the data doors wide open? Greene said CISA could be helped by limiting sharing to only that data relevant to cyber threats, and not, for instance, investigations into other criminal activity. She also suggested limiting the broad liability protections by giving consumers some way to seek recourse for damages done by information-sharing.
Others say that better sharing of certain kinds of information would help predict cyber threats without particularly imperiling privacy or constitutional rights.
Matt Kodama of the cyber intelligence and predictive analytics group Recorded Future told Defense One that one of the simplest and most straightforward indicators of a potential cyber attack is strange behavior by administrator accounts. “After attackers break into a network, they need to avoid detection, get to their real target, and carry out the cyber crime. They might do this with lots of high-tech tricks, but there’s a much easier way. If the attacker can gain access to a user account with lots of access rights, like a computer administrator, they will be able to move right past all the alarms and defenses … However, the behavior of that user account, once it’s been hijacked by a cyber attacker, will be unusual. The user account is allowed to take those actions, but on any regular day the person using that user account doesn’t do all of those things. That’s the ‘user behavior’ that can tip off the defenders,” Kodama said.
Since companies don’t usually grant administrator privileges to the people who use their services, sharing information about admin behavior could be one way to improve situational awareness without endangering user privacy.
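The check Kodama describes can be written down concretely. The script below is an added example, not code from the article or from Recorded Future: it builds a per-account baseline of which actions an administrator account normally performs, on which hosts and at what hours, and then flags later events that fall outside that baseline. The audit-log lines, the field layout (timestamp, user, action, host) and the one-hour tolerance are all constructed assumptions for the illustration; a real deployment would read its own audit source and tune the thresholds. Note that the profile contains only the admin account's activity, not data about the service's end users, which is the privacy point the paragraph above makes.

```python
"""Baseline-and-deviation check for privileged accounts.

Added example (not from the original article or from Recorded Future).
All log lines and thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed historical audit log: "timestamp user action host"
BASELINE_LOG = """\
2015-04-01T09:02 adm_kim login srv-files-01
2015-04-01T09:10 adm_kim read_share srv-files-01
2015-04-01T11:30 adm_kim patch srv-files-01
2015-04-02T08:55 adm_kim login srv-files-02
2015-04-02T09:05 adm_kim patch srv-files-02
2015-04-02T10:00 adm_kim read_share srv-files-02
2015-04-03T09:00 adm_kim login srv-files-01
2015-04-03T09:30 adm_kim read_share srv-files-01
"""

# Constructed new events: a hijacked-account pattern followed by one normal event
NEW_LOG = """\
2015-04-20T03:12 adm_kim login srv-files-01
2015-04-20T03:13 adm_kim dump_credentials srv-files-01
2015-04-20T03:15 adm_kim login srv-hr-db
2015-04-20T03:16 adm_kim export_table srv-hr-db
2015-04-20T09:05 adm_kim patch srv-files-02
"""


def parse(log):
    """Split whitespace-separated log lines into event dicts (assumed layout)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, host = line.split()
        events.append({"ts": ts, "user": user, "action": action,
                       "host": host, "hour": int(ts[11:13])})
    return events


def build_profile(events):
    """Per-account set of actions, hosts and hours seen in the baseline period."""
    profile = defaultdict(lambda: {"actions": set(), "hosts": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["actions"].add(e["action"])
        p["hosts"].add(e["host"])
        p["hours"].add(e["hour"])
    return profile


def flag_deviations(profile, events, hour_slack=1):
    """Return (timestamp, user, reasons) for events outside the account's baseline.

    An event is flagged if its action or host was never seen for that account,
    or if its hour is more than `hour_slack` hours away from every baseline hour.
    """
    findings = []
    for e in events:
        p = profile.get(e["user"])
        if p is None:
            findings.append((e["ts"], e["user"], "unknown account"))
            continue
        reasons = []
        if e["action"] not in p["actions"]:
            reasons.append(f"new action {e['action']}")
        if e["host"] not in p["hosts"]:
            reasons.append(f"new host {e['host']}")
        if all(abs(e["hour"] - h) > hour_slack for h in p["hours"]):
            reasons.append(f"unusual hour {e['hour']:02d}")
        if reasons:
            findings.append((e["ts"], e["user"], "; ".join(reasons)))
    return findings


def run_example():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    profile = build_profile(parse(BASELINE_LOG))
    return flag_deviations(profile, parse(NEW_LOG))


if __name__ == "__main__":
    for ts, user, why in run_example():
        print(f"{ts} {user}: {why}")
```

On the constructed input, the four 03:xx events are flagged (an off-hours login, a credential dump the account has never performed, a first-ever visit to the HR database host, and a bulk export from it), while the 09:05 patch on a familiar host is not. Set-membership baselines like this are deliberately crude; they catch the "allowed but never done before" pattern Kodama describes, but an attacker who stays inside the account's normal repertoire will pass, which is why the following paragraphs treat this as one signal among several rather than a complete defense.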
Another warning sign is the uploading of large files, especially ones that contain lots of mystery code that doesn’t seem to have any clear purpose. Sophisticated defenses will attempt to open such files in a sandbox, a walled-off portion of a machine or network, so that any malicious code they contain cannot spread to the rest of the system.
But more and more cutting-edge malware can detect when it is being run in a sandbox and behave innocuously until it is released, and unusual admin behavior is often a lagging indicator of an intrusion that has already succeeded, not a predictive one. Those who argue for sharing more information say that CISA doesn’t go far enough to encourage sharing the kind of data that will help the government fight off ever more sophisticated online attacks.
A recent Congressional Research Service report by Eric Fischer found that the bills in question don’t offer much incentive for companies to actually share user data. Liability protections, in other words, are not a carrot but the absence of a stick.