Last year, a single strain of malware was responsible for credit card breaches at Target, Home Depot, and more than 1,000 other US companies, with damages totalling hundreds of millions, if not billions of dollars. In many cases, the companies involved didn't know about the threat until it had been alive in their systems for months. For many industry observers, the most painful point is the timing: If the industry had raised the alarm when the first warning signs surfaced, the worst of the damage could have been averted.
That idea seems to have gotten Washington's attention. In February, President Obama signed an executive order to promote information sharing on cyberthreats, and a new crop of information-sharing bills in Congress looks to clear the path even further. Last week, the House of Representatives passed the Protecting Cyber Networks Act, which would establish new sharing guidelines and liability protections, and the Senate is expected to take up the bill in the coming weeks. At the same time, many see PCNA and other bills like it as an unprecedented intrusion into otherwise neutral networks — what Ron Wyden described as "a surveillance bill by another name." While most researchers still see themselves as engineers, there's a growing fear that these new measures will turn them into detectives.
The result is one of the more puzzling privacy fights in recent memory, as Congress looks to legally authorize the information sharing that's already taking place, and privacy advocates say the bills in question aren't about sharing information at all. So what's wrong with the way data is shared, and how do the new bills plan to fix it? And more importantly, can they do it without turning network operators into spies?
There's already a lot of information sharing in the cybersecurity world, but it tends to happen on an informal basis, and federal agencies like the FBI are often last on the list. Only a few attackers will be eye-catching enough for a public report, so the rest tend to travel through a patchwork of smaller listservs, each covering a specific issue like DNS security or DDoS mitigation. Rodney Joffe, a senior vice president at Neustar, says he works across dozens of such channels, and the result is effective but overwhelming. "I'm continually dragging my deck chair from one campfire to another," Joffe says. What's appropriate in one channel might be too sensitive for another, and for many of the participants, the sharing ends up happening without official corporate approval. "In many cases, the company doesn't know that there are these backchannels keeping the wheels on the bus," Joffe says.
The information being shared is usually simple — a specific, easily defended attack, or the latest style of phishing email — but getting it to all the right people can be complex, particularly when trade secrets or breach disclosure laws are involved. At their least controversial, the new info-sharing bills are meant to solve that problem, cutting a legal path through the complex web of privacy and disclosure laws.
But the bills also take a new approach to the people behind those attacks. For law enforcement agencies, the point of tracking a threat is to catch the criminals behind it, not just to fix the vulnerability that let them get in. If there's technical evidence in the wake of an attack like Target, agencies like the FBI want to use that evidence to find the parties responsible, and hopefully throw them in jail. That's a shift from the current research landscape, which generally sees attribution as secondary to patching vulnerabilities and identifying malicious code, but many in government see it as a necessary change. It's also a priority for President Obama, who laid out the plan in his 2009 Cyberspace Policy Review, a document that insiders say is still guiding the White House's agenda in the area. "Key elements of the private sector have indicated a willingness to work toward a framework under which the government would pursue malicious actors," reads one passage from the review.
That shift is reflected in the text of the bill itself. The bill requires reasonable measures to remove personal information, but only "information identifying a specific person not directly related to a cybersecurity threat." If you're related to the threat, then collecting your personal information is part of the point: how else will they figure out who's responsible?
At the same time, much of the security community sees the drive to catch criminals as a distraction from the more important work of securing systems. On April 16th, 67 different security researchers and technologists signed onto an open letter against the new bills, arguing the measures would do little to prevent attacks. "Private information about individual users is often a detriment in developing threat signatures because we need to be able to identify an attack no matter where it comes from and no matter who the target is," the letter reads. "Waiving privacy rights will not make security sharing better." As long as point-of-sale terminals are vulnerable, someone will be there to exploit them; catch one group of online thieves, and another group will take their place. The only way to stop the thefts is to fix the vulnerability itself.
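The two preceding points, that shared threat data should have personal information "not directly related" to the threat removed, and that a detection signature works no matter who the target is, can be made concrete in code. The following is an added example, not part of the article and not the bill's or any vendor's sharing format: every field name, organization name, hash and domain is constructed for illustration. It keeps attacker-side observables (malware hash, command-and-control domain, lure sender), drops victim-identifying fields, masks victim e-mail addresses in free text, and then shows the resulting signature matching telemetry from unrelated organizations.

```python
"""Added example: minimizing a threat record before sharing it, then matching
the shared indicators against other organizations' telemetry.
All records, field names and indicator values are constructed; none are real.
"""
from __future__ import annotations

import hashlib
import re
from typing import Any

# Attacker-side fields: directly related to the threat, so they are shared.
THREAT_FIELDS = {"malware_sha256", "c2_domain", "phishing_sender", "attack_type"}

# Victim/bystander fields: not needed by a signature, so they are removed.
VICTIM_PII_FIELDS = {"reporting_org", "victim_name", "victim_email",
                     "cardholder_name", "card_number"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def minimize_for_sharing(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `record` holding only threat-related fields.

    Free-text notes are kept, but any e-mail address in them is masked unless
    it is the lure sender, which belongs to the attacker, not to a victim.
    """
    shared = {k: v for k, v in record.items() if k in THREAT_FIELDS}
    sender = str(record.get("phishing_sender", "")).lower()

    def mask(match: re.Match) -> str:
        addr = match.group(0)
        return addr if addr.lower() == sender else "[redacted-email]"

    if "notes" in record:
        shared["notes"] = EMAIL_RE.sub(mask, record["notes"])
    return shared


def build_signature(shared: dict[str, Any]) -> dict[str, set[str]]:
    """Turn a shared record into the observables a defender checks telemetry against."""
    sig: dict[str, set[str]] = {"hashes": set(), "domains": set(), "senders": set()}
    if "malware_sha256" in shared:
        sig["hashes"].add(shared["malware_sha256"].lower())
    if "c2_domain" in shared:
        sig["domains"].add(shared["c2_domain"].lower())
    if "phishing_sender" in shared:
        sig["senders"].add(shared["phishing_sender"].lower())
    return sig


def event_matches(sig: dict[str, set[str]], event: dict[str, str]) -> bool:
    """True if the event touches an attacker-side observable; victim identity is never consulted."""
    return (event.get("file_sha256", "").lower() in sig["hashes"]
            or event.get("dns_query", "").lower() in sig["domains"]
            or event.get("mail_from", "").lower() in sig["senders"])


# Constructed incident record as a breached retailer might hold it internally.
SAMPLE_MALWARE_HASH = hashlib.sha256(b"constructed sample, not a real binary").hexdigest()
INTERNAL_RECORD = {
    "reporting_org": "Example Retail Inc.",
    "attack_type": "point-of-sale memory scraper",
    "malware_sha256": SAMPLE_MALWARE_HASH,
    "c2_domain": "updates.example-c2.invalid",
    "phishing_sender": "invoice@example-sender.invalid",
    "victim_name": "Alice Example",
    "victim_email": "alice@example-retail.invalid",
    "cardholder_name": "Bob Example",
    "card_number": "4111111111111111",  # constructed test number
    "notes": "Lure sent from invoice@example-sender.invalid to alice@example-retail.invalid.",
}

# Constructed telemetry from two unrelated organizations hit by the same campaign.
OTHER_ORG_EVENTS = [
    {"org": "Example Hardware Co.", "dns_query": "UPDATES.example-c2.invalid"},
    {"org": "Example Grocers LLC", "file_sha256": SAMPLE_MALWARE_HASH},
    {"org": "Example Grocers LLC", "dns_query": "www.example.invalid"},
]


def demo() -> list[bool]:
    """Share the minimized record and report which other-org events it matches."""
    sig = build_signature(minimize_for_sharing(INTERNAL_RECORD))
    return [event_matches(sig, e) for e in OTHER_ORG_EVENTS]


if __name__ == "__main__":
    print("shared record:", minimize_for_sharing(INTERNAL_RECORD))
    print("matches:", demo())  # first two events match, the third does not
```

The shared record carries no cardholder or employee data, yet the signature built from it still flags the same command-and-control lookup and the same binary at two other organizations, which is the letter's point that victim identity is not what a signature needs.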
The precise definition of "cybersecurity threat" has also caused concern among many privacy advocates. Fraud or terrorism suspects could also potentially be classified as threats, drawing network security workers into a much broader range of investigations. "This is the heart of why it's a cybersurveillance bill," says Drew Mitnick, a cyberpolicy analyst at Access, an internet-rights advocacy group. "We don't want businesses to feel like they need to investigate these crimes that are totally unrelated to the network security services they're providing."
It's still unclear whether those objections will be enough to sink the new legislation. Unlike with CISPA, President Obama has publicly supported the new bill, and the recent string of high-profile hacks seems to have forged a rare bipartisan consensus on the issue. The House has already done its part, and the bills will be heading to the Senate in the weeks to come, where new privacy measures may be added. But it's hard to say whether those measures will be enough, and it will be difficult for any info-sharing bill to split the difference between patching vulnerabilities and chasing criminals. Whatever happens in Congress, that larger split may be much harder to fix.