news from the Georgetown Cybersecurity Law Institute
The second and final day of Georgetown's Cybersecurity Law Institute opened with a long interview of recently retired FBI Director Robert Mueller. (Benjamin Powell, former general counsel at ODNI, conducted the interview.) Mueller traced his own interest in cyber security to his reading, in 1989, of Clifford Stole's book "The Cuckoo's Egg," which described the hunt for someone who hacked into Lawrence Berkeley National Laboratory. As Director, he saw firsthand the difficulty of attribution in the MafiaBoy denial-of-service attack case, an international investigation conducted by the FBI and Canada's RCMP.
In such cases it was important to identify the natural person responsible—the "warm body at the keyboard"—and such identification will remain important. More indictments like this week's charging of PLA hackers will surely come, and will be important in deterring not only individual criminals, but state services as well. He recommended that people read the indictment, calling the culpability of the individuals named "indisputable." (The recent arrests of BlackShades crimekit users afford another good example of a salutary deterrent.)
We've seen, Mueller added, many state-conducted attacks. While the PLA indictments dealt with information theft, he believes attacks will become increasingly destructive. 2012's attack on Saudi Aramco sets the template for the near future. He believes a large-scale destructive cyber attack to be "inevitable."
Companies need to identify both insider and external threats, and prompt detection is needed to stop and mitigate breaches. Seven out of ten of the businesses whom the FBI warned of breaches last year were unaware they'd been attacked, so there's clearly much room for improvement, both within the private sector and in terms of public-private cooperation. The private sector tends to connect with government episodically, often on the basis of who knows whom. Cyber security can (and has) taken lessons from counter-terrorism work, where cooperation among Federal, private, state, and local actors is relatively more advanced.
Mueller was, as Director, surprised at the degree to which companies feared they would lose either intellectual property or a market edge if they shared information. He thinks the Government might usefully provide companies protection from lawsuits prompted by information sharing.
Business, like government, continues to grapple with finding the right structures to deal with cyber risks. In the government, despite progress, there remain lanes that inhibit information sharing, and these need to be dealt with. NSA (which has "more geeks per square foot" than anyone else) is essential in interagency cooperation, particularly in the collaborative use of malware databases. The FBI's own cyber squad dates to 2002, and the Bureau now has more than one thousand specially trained cyber personnel available to respond quickly to incidents. It nonetheless remains tricky assembling the right expertise from around the country. We may have, in the future, virtual squads for investigation cyber attacks.
The FBI itself is a target, but Mueller treated this threat as a special case of the long familiar attempts by foreign governments and organized crime to compromise the Bureau. "The FBI's been a target for years. It's hit daily." The Bureau is ahead of the game in identifying internal threats (having for decades been concerned to identify spies). He thinks corporations haven't taken sufficient steps against insider threats, and that they could increase their security by systematically looking for anomalies.
In response to a question about what the Bureau is doing to recruit more cyber personnel (with an explicit reference to hiring people with tattoos, and an implicit reference to the present Director's joke about bringing in some hacker-stoners), Mueller made an interesting point. Pure technical skill is insufficient. You need cyber ability among your Special Agents, to be sure, but you also need traditional investigative aptitude, and that's the skill set the Bureau looks for.
An Enforcers' Roundtable followed former Director Mueller's interview. Representatives from CEB, the Connecticut Attorney General's office, the Federal Trade Commission, and the Department of Justice Criminal Division participated.
When asked what triggers an agency's involvement, the panel agreed that reports from agencies, victims, or press splashes all played a role, especially since finding one attack often leads to the discovery of others. The Federal Trade Commission representative pointed out that for a civil law enforcement agency like the FTC, news accounts and breach notifications are a great place to start.
The first thing a business should do is establish a plan before a breach occurs. Once there's a breach, a business should expect a lot of interaction with law enforcement. Be prepared for this, and don't underestimate the difficulty of improvising a breach response. A cursory customer service response won't cut it. The right people must be in place, their plans must be reasonable, and their plans must be carried out. You have to be able to execute the plan in a crisis. (The representative of Connecticut's Attorney General drew upon "I Love Lucy" for an example—Lucy and Ricky had thoroughly planned an impending childbirth, but the plans went out the window at the moment of labor, even with Fred and Ethel helping.)
Companies must reasonably oversee their third-party vendors? They can't assume a vendor's taking care of it.
Standards of reasonableness, as pervasive as they are throughout the law, continue to evolve, and those pertaining to cyber are of course still developing. Any granular cyber guidance from government would soon be overcome by events. One questioner suggested, reasonably, that more disclosure of government security practices might clarify reasonableness.
The Institute concluded with a simulation of cyber breach response. Among its lessons was advice to know your networks, know your data (and understand that it's an asset), and know your vendors. Compromise of a privileged ID is the attacker's Holy Grail, and international forensic investigations particularly benefit from ability to inspect machine data (as opposed to just user data).
Panelists stressed the importance of disciplined communications during a cyber incident. They also reinforced advice to have a pre-breach plan in place to avoid the "hair-on-fire" scramble of improvising during a cyber event.
Almost all cyber breaches have some human error at their root. The best prevention is job specific training and awareness. Job-specific reinforcement of sound cyber practices pays off. And it helps immeasurably if there's a good example at the top.