Truman Center Policy Program Manager Dan Paltiel, a keynote speaker at Cyber Security Summit 2016, spoke on the current state of cyber defense in Cyber After 2016: Protecting Your Network in the New Political Environment. Earlier he was Program Coordinator and Research Assistant in the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), where he worked on cybersecurity and technology policy issues. Dan lived in Amman, Jordan, where he studied Arabic and taught English. He holds a BA in History from Amherst College, and hails from New Haven, Connecticut. He is fluent in French and Arabic.
Mr. Paltiel said the Truman Center serves to bring together “in a trusted space” three diverse stakeholder groups: the federal government, privacy and civil liberties organizations, and business, represented in part by the Chamber of Commerce. These three are joined to hammer out policy positions that ideally are palatable to each. The 16 Truman Center chapters around the U.S. bring together functional expert groups to work toward agreeing on tough policy issues. Cyber security is one such expert group.
“We feel that policymakers today continue to approach individual policy problems on cyber security as standalone technical issues that need to be solved with single standalone solutions. We feel that this is a flawed approach, and it’s only made worse in that the relevant stakeholders are too often siloed in their own communities,” said Mr. Paltiel. “Sometimes, two different stakeholders working on the same thing don’t even share the same lexicon, and they have trouble communicating why they differ on a particular issue.”
He recounted recent history surrounding attempts to regulate the cyber realm. A 2012 debate on Capitol Hill defined four key pillars of concern. Critical infrastructure was item number one on the list, followed by information-sharing. The role of the Department of Homeland Security needed to be determined, and protocols for data breach reporting needed sharp focus.
Stakeholder battlefronts were clear. The federal government pressed for standards to raise costs to attackers. Privacy and civil liberties groups sought to keep shared data anonymous, and wanted to limit the sharing of data with civilian agencies. And business, represented by the Chamber of Commerce, wanted to block government mandates because laws would hurt the bottom line.
The 2012 effort failed to come up with an agreement among the stakeholders, Mr. Paltiel said.
To move forward, President Obama issued an executive order in 2013 that led to the issuance of a cybersecurity framework from NIST (the National Institute of Standards and Technology). The passage of CISA (Cyber Information Sharing Act) in December of 2015 drew mixed reactions, he said. The feds liked the act’s provision for voluntary sharing of information with government. Privacy and civil liberty groups didn’t like CISA. The business response was mixed. The Chamber of Commerce approved the act because of the broad liability protection for companies. But major online players including Yelp, Twitter, Apple and Reddit opposed the bill because it didn’t sufficiently protect user privacy and it didn’t limit permissible uses of that information by government, Paltiel said.
Significant breaches among high-visibility organizations between 2013 and 2014 made bigger waves than earlier attacks on critical infrastructure had done. “At this time, the problem of cyber security moved to something that affected the pocketbooks of average consumers.” Announced hackings at stalwart firms including Neiman Marcus, Sally Beauty Supply, J.P. Morgan, Home Depot and Yahoo brought the problem into higher visibility. “Cybercrime was becoming an issue for an average American consumer,” he said.
Government was seeking some way to hold attackers accountable. May of 2014 marked a beginning. Responding to a cybercrime, five Chinese officers from the People’s Liberation Army were indicted. No one expected any of the five to be extradited to the U.S., but it was the start of a program to use the new capability of attribution to publicly “name and shame” perpetrators of cybercrimes.
Experiencing an attack in cyberspace doesn’t necessarily mean that you respond exclusively in cyberspace, he said. Available tools he named are diplomacy, economics, law enforcement and soft power.
ISAOs (Information Sharing and Analysis Organizations) were established in early 2015, instituted under the Department of Homeland Security to stimulate greater information sharing and incident reporting. The Whole Government Approach unleashed the U.S. Treasury Department to freeze bad actors’ assets that are held in the U.S., and also to use the existing powers of other agencies not typically associated with the cyber realm.
February of 2016 introduced the Cyber National Action Plan. DHS was assigned to lead in the private sector, Paltiel said. Overall, the plan mandates which government agency is in charge of which enforcement sectors in the event of a serious national cyber incident.
“Of course it’s no secret to you that improving cyber security costs a lot of money. Government spending now is about $9 billion with growth of nine percent per year. By contrast, private sector spending is about $120 billion per year, growing at 24 percent per year. Two commercial banks currently spend more on cyber security than the whole Department of Homeland Security.”
Government needs to invest more, he said, but it seems unlikely that Congress will pass the requested funds. He indicated that the $19 billion requested in the FY17 budget would represent a 35 percent increase.
“Where does that leave our industry?” he asked.
Citing a 2014 report from an information security company, he said that a hacking of a small to mid-sized firm’s system took, on average, 188 days to be discovered. “Of these clients, 81 percent of the victims did not discover the breach themselves – it was usually a merchant bank, a credit card company, a regulatory body…”
The average attacker’s ROI for purchasing an initial exploitation kit on the Dark Web represents a 1,425 percent return. The FBI is vastly under-resourced to handle cases like this, he said, adding, “Law enforcement is overwhelmed. The FBI often advises people to just pay the ransom.”
Paltiel turned to a topic on one of his presentation slides called active cyber defense spectrum. Related to this is the Computer Fraud and Abuse Act that limits legal actions that may be taken by U.S. hacking victims. Trying to destroy an intruder’s network is against the law and punishable, he said. Nor is it clearly defined what activities are permitted under the law. Many companies are unsure of their liability in gathering hacker intelligence.
“Pseudo-legal activities are being pursued by companies as a result of undersourced law enforcement.”
The situation remains unclear and unresolved, based partly on the unlikelihood of securing the requested budget increase from Congress, and on the fact that a presidential election process is underway, he said.