At a glance.
- DHS goes to Black Hat.
- US cyber czar urges that the US make itself a "harder target."
- Cybercrime bill introduced in the US Senate.
- CISA's VDP seems to be working.
Mayorkas and Easterly pitch Federal jobs, collaboration at Black Hat.
Department of Homeland Security Secretary Alejandro Mayorkas called on Black Hat conference participants to share their “creativity,” “ideas,” and “boldness” with the Government, according to CyberScoop, as the nation “navigate[s] a path that has not yet been mapped.” Touting the forthcoming Cyber Talent Management System, which aims to plug holes in the Federal talent pipeline with relaxed prerequisites and better pay, Mayorkas said, “What’s at stake here is nothing less than the future of the internet, the future of our economic and national security, and the future of our country.”
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly also communicated at the event her commitment to rethinking public-private initiatives, taking into account industry’s typical grievances, the Washington Post reports.
That last, of course, is a reference to the Joint Cyber Defense Collaborative, the JCDC announced just this week. Industry reaction we've seen so far to that initiative continues to be broadly positive. Bruce Byrd, General Counsel, at Palo Alto Networks (an early JCDC industry partner) credits the Government with recognizing the value of what industry can bring:
"Strong collaboration is key to preventing or mitigating the type of national cyber incidents we’ve seen proliferate over the last year. The Joint Cyber Defense Collaborative (JCDC) is focused on doing just that -- bringing together technology leaders from across the private and public sector. Palo Alto Networks applauds the administration for establishing the JCDC, and for recognizing the innovative tools that private industry can bring to the mission. We’re proud to deepen our existing collaborative partnership to jointly protect our digital way of life.”
Bassam Al-Khalidi, CEO of Axiad, commented on the initiative's importance, given growing cloud adoption:
"A joint initiative to improve cloud security has never been more important. The recent move of our applications and systems to the cloud has made organizations more agile, but as recent hacks have shown can be increasingly dangerous when businesses store confidential data on the cloud. If a hacker gains access to your broader system through host jumping, it’s game over. As new initiatives like the Joint Cyber Defense Collaborative are introduced it’s important to look at dedicated virtual private cloud options to defend against this threat. Virtual private clouds offer the option to utilize the agility and usability of the cloud and store key material in approved FIPS140-2 Level 2 hardware security module. For government and defense organizations, this could be an essential step in improving their cloud security.”
Omri Iluz, CEO of PerimeterX, approves of the private sector's willingness to cooperate with government:
“As a Silicon Valley-based provider of security solutions that help digital businesses safeguard their revenue-generating cloud apps, we applaud efforts for the private sector to work together with government to combat all forms of cyberattacks. Starting with critical infrastructure is a great and important first step. Ransomware in particular creates a long-lasting, wide-ranging road to cybercrime, especially fraud, that crosses industry lines. While these data breaches may originate in one industry, they expose credentials that are then used by cybercriminals to take over access to systems and accounts in the form of account take-over (ATO) and credential-stuffing attacks that further damage consumers and negatively impact businesses of all kinds. This initiative is a significant movement in the ongoing fight against cybercrime.”
Vanessa Pegueros, chief trust & security officer, OneLogin, also sees public-private partnership as essential to the evolving security environment:
"I applaud this effort. These complex challenges require a strong public-private partnership. We should not allow the divisions between government and the private sector to inhibit us from combating these attacks against American interests. We need to bring the best minds together and exert the proper resources and focus to address this crisis.”
Trevor Morgan, product manager, comforte AG, takes the initiative as a recognition that no single technology or approach is adequate to the complexities of cybersecurity:
“The launching of the Joint Cyber Defense Collaborative—a cooperative initiative between the US government and highly influential tech companies announced by the Department of Homeland Security—emphasizes a harsh truth about cyberattacks, especially as they are directed at cloud-based resources and data. This is a multi-dimensional problem, so no single process or technology can stem the tide of attacks we are witnessing. The DHS is signaling that we need collaborative efforts between government and industry, and that we need diverse representation among different tech companies in order to promote new and better ways to combat cyberattacks in the cloud. Pointing to the response as a 'whole-of-nation' effort rightfully drives the issue home—everybody and every organization is a potential target, and everybody and every organization can contribute to the battle against cloud-based cyber threats. The goal of this collaborative effort is to fill up that cybersecurity toolbox which every enterprise needs with the right methods, processes, and best practices, rather than to single out a sole “silver bullet” which doesn’t really exist. Collaborative efforts like this may be the first step in turning that mounting tide of damaging attacks.”
Chris Hauk, consumer privacy champion, Pixel Privacy, approves, but notes that collaboration would require strict boundaries around the sharing and use of personal information:
“I applaud the effort to improve our nation's defense against cyberattacks by the bad actors of the world, be they independent or government-supported. However, I am wary of any alliance between the government and private tech companies. There will need to be strict information sharing rules put into place to guarantee that there will be no sharing of private data about US citizens between the tech firms and the government.”
Paul Bischoff, privacy advocate, Comparitech, sees potential for an advance in threat intelligence:
“Better threat intelligence will play a key role in combating cyberattacks in the future. By sharing information about emerging attacks and vulnerabilities, everyone can be more secure. Cloud providers are a great place to start because most of the internet is hosted on the cloud, so they are on the front lines of many attacks. My question is how effective will this be? Most vulnerabilities are already published publicly on CVE sites, for example. How will this initiative improve on what we have and help us to formulate better incident response plans? Another issue is that most cloud providers don't enforce a minimum set of security standards for their customers. Customers are given the tools and are then responsible for securing their own data. How will guidance from the Joint Cyber Defense Collaborative actually trickle down to end users?”
Roger Grimes, data driven defense evangelist at KnowBe4, is pleased that the whole-of-nation approach involves outreach to industry:
"This is fantastic news and I applaud Director Easterly and CISA for continuing to aggressively reach out with an all hands on deck approach to fighting ransomware and getting better cybersecurity. Microsoft has fantastic, first-hand experience about the issues and attacks their users are facing. They can use their data to put the right solutions in the right places in the right amounts against the right things. Anything these businesses can contribute to improve our defenses is wanted.
"It is going to take all of us rowing together in the same direction to fight our digital foes. This is yet another step in the right direction."
Ilia Kolochenko, Founder of ImmuniWeb, also sees considerable scope for industry participation:
“CISA’s collaboration with the private sector is key to suppressing the now-surging ransomware and similar cyber-attacks. Most ransomware campaigns involve phishing, watering hole and drive-by-download attacks that can be detected and stopped if we know the continuously evolving patterns and creative techniques that intruders use to hide malicious payload and bypass security controls. Private companies like Microsoft and Google have virtually unlimited technical capacities to analyze threat intelligence data and implement built-in protection into their free and commercial products.
"For example, Google is doing a great job with spam filtering in Gmail, however, millions of malicious emails still manage to end up in user inboxes. Once Google gets more threat intelligence from CISA, Amazon and Microsoft it will likely block most of those emails sent to infect victims with ransomware. Joint security awareness campaigns are likewise invaluable to reduce the efficiency of social engineering and phishing campaigns that aptly exploit human weaknesses. The more collaboration we have in the industry and the more data is shared with law enforcement agencies, the faster we will curb ransomware.”
On becoming a harder target for foreign adversaries.
As we’ve seen, US National Cyber Director Chris Inglis addressed an Atlantic Council audience about the scope of his new position and his goals for the nation’s cybersecurity. In addition to cultivating long-term workforce and technical resilience and applying his budgetary influence wisely, he hopes to establish “common standards and common practices” across the Federal Government and to align public and private priorities and capacities.
To this end, a Bureau of Cyber Statistics, he said, would help the country “understand where [risk is] concentrated, where it cascades, what causes it, and more importantly, how to address it”—just as national databases on crime and employment inform policy decisions in other spheres.
Cybercrime data bill introduced in US Senate with bipartisan sponsorship.
Maui Now says the Better Cybercrime Metrics Act introduced yesterday by a bipartisan cohort of US Senators would mandate FBI reporting on cybercrime statistics and ask other law enforcement bodies to notify the FBI about cybercrimes. The bill would also direct the National Academies of Science to develop a cybercrime catalogue and would add cybercrime questions to the Census Bureau’s annual National Crime Victimization Survey. At present, Maui Now says, “there are no comprehensive metrics on the scale and impact of cybercrime in the United States, or on law enforcement efforts against them.”
Vulnerability disclosure policy paying off for the Feds?
CISA’s 2020 vulnerability disclosure program (VDP) mandate for Executive Branch agencies is already allowing security researchers to beat APTs to the punch, Forbes reports. Earlier this year, Sakura Samurai cybersecurity volunteers uncovered “a number of serious security holes” in State Department assets, which the agency then remediated. Sakura Samurai co-founder John Jackson said his team will keep “feeling out how these organizations react” to disclosures to ensure the white hats “stay safe legally.”