Security experts last week warned that controversial cybersecurity legislation endorsed by the White House could do little to prevent hacking attacks.
The Cybersecurity Information Sharing Act (CISA) would allow banks, data brokers and even Facebook to secretly share the information of private citizens with the US federal government in a move the bill’s proponents have characterized as a trade-off for greater security.
However, the approach comes at the cost of defense, said Dan Kaminsky, cofounder of cybersecurity firm White Ops and keynote speaker at Black Hat, the annual conference of information security experts that took place in Las Vegas last week.
Illustration: Yusha
“My feeling is that all of this stuff is really a distraction,” Kaminsky said.
He said the government’s focus on collecting the data of people who might be hackers and testing established problems diverts valuable resources from fixing those problems and keeping hackers out.
“There’s only so much oxygen,” Kaminsky said. “The dual approach of ‘let’s hack more things’ and ‘let’s analyze more data’ is a distraction from ‘let’s build secure systems.’ We need funding and attention on that. We need people working on systems that don’t leak data. I don’t know how else to say it. People are saying: ‘Things are on fire — let’s get better cameras to take photos of it!’ No, let’s put out the fire.”
The bill continues to meet with opposition: its co-sponsor, Republican Senator Richard Burr, said the Senate might not be able to vote on the bill before its summer recess, as planned.
“Cybersecurity is an important national security issue and the Senate should take up this bill as soon as possible and pass it,” a White House official said earlier in the week.
GOVERNMENT INEPTITUDE
Privacy Forum cofounder Lauren Weinstein said that after a series of high-profile failures, the federal government’s data security track record could use some work before the public hands over vast quantities of personal information. Weinstein said CISA does not address the way the data would be handled as rigorously as necessary.
“Details are absolutely crucial especially when it comes to the sordid history the federal government has had protecting the kind of stuff you’d expect them to protect,” Weinstein said. “I mean, how many examples do you need to have of the basic inability of the government to protect what you’d think would be the most sensitive information out there? We had a young guy clean out NSA with a thumb drive. Then they say they’re going to ask for all this additional information and we’re supposed to believe they’re going to protect that.”
Weinstein also said hackers are easy to misidentify by nature.
“The whole structure of cyberattacks is that you never know where they’re coming from,” he said. “We’re still largely at a point where it’s hard to tell if a particular cyberattack is a result of a state-sponsored military operation or a 13-year-old in a basement in Cleveland.”
Collecting the browsing data of every teenager in Cleveland, Ohio, would seem to be the wrong solution, but Steve Ward, of security company iSight Partners, said that knowledge of multiple cyberattacks is sometimes the best way to determine who exactly is behind any one of them.
“One thing that can often help us ... would be the source of domains used in attacks,” Ward said. “You see a specific e-mail address connected to six different server infrastructures. You see that in one attack and then you see it another, and then you know you’ve got a single adversary that’s hitting, say, oil, gas and healthcare.”
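The pivot Ward describes, linking separate incidents because their attack domains share a registrant contact, is a standard threat-intelligence technique. The example below is added here to illustrate it and is not code from the article or from iSight Partners; all incident records, domains, e-mail addresses and IP addresses in it are constructed. It generalizes the quote slightly by letting the analyst pivot on any attribute of the observation (registrant e-mail or hosting address), not only the e-mail address.

```python
"""Link separate incidents by the attacker infrastructure they share.

Added example, not from the original article. Every record below is
constructed; the domains use the reserved .example TLD and the IPs come
from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Observation:
    incident: str          # case identifier (constructed)
    sector: str            # sector of the victim organization
    domain: str            # attacker-controlled domain seen in the incident
    registrant_email: str  # contact address from the domain's registration record
    hosting_ip: str        # address the domain resolved to at the time


# Constructed sample data: three incidents registered by one contact,
# two unrelated-looking incidents that happen to share a hosting address.
OBSERVATIONS: List[Observation] = [
    Observation("INC-001", "oil", "oil-corp-update.example", "ops@badmail.example", "203.0.113.10"),
    Observation("INC-002", "gas", "gas-portal-login.example", "ops@badmail.example", "203.0.113.11"),
    Observation("INC-003", "healthcare", "patient-records-secure.example", "ops@badmail.example", "198.51.100.5"),
    Observation("INC-004", "retail", "shop-deals-now.example", "promo@freemail.example", "198.51.100.7"),
    Observation("INC-005", "finance", "bank-alerts-verify.example", "notify@freemail.example", "198.51.100.7"),
]

Group = Dict[str, List[str]]


def pivot(observations: Iterable[Observation], key: Callable[[Observation], str]) -> Dict[str, Group]:
    """Group observations by a chosen attribute (the pivot key).

    Returns, for each distinct key value, the sorted incidents, sectors and
    domains in which that value appeared.
    """
    groups: Dict[str, Dict[str, set]] = defaultdict(
        lambda: {"incidents": set(), "sectors": set(), "domains": set()}
    )
    for obs in observations:
        bucket = groups[key(obs)]
        bucket["incidents"].add(obs.incident)
        bucket["sectors"].add(obs.sector)
        bucket["domains"].add(obs.domain)
    return {k: {field: sorted(v) for field, v in g.items()} for k, g in groups.items()}


def linked_campaigns(observations: Iterable[Observation],
                     key: Callable[[Observation], str],
                     min_incidents: int = 2) -> Dict[str, Group]:
    """Keep only pivot values seen in at least `min_incidents` distinct incidents.

    A value that appears in a single incident links nothing, so it is dropped.
    """
    return {k: g for k, g in pivot(observations, key).items()
            if len(g["incidents"]) >= min_incidents}


def summarize(campaigns: Dict[str, Group]) -> List[str]:
    """One human-readable line per linked campaign, in key order."""
    return [f"{k}: {len(g['incidents'])} incidents across {', '.join(g['sectors'])}"
            for k, g in sorted(campaigns.items())]


if __name__ == "__main__":
    # Pivot on the registrant address, as in the quote ...
    for line in summarize(linked_campaigns(OBSERVATIONS, lambda o: o.registrant_email)):
        print("registrant:", line)
    # ... then on the hosting address, which links a different pair.
    for line in summarize(linked_campaigns(OBSERVATIONS, lambda o: o.hosting_ip)):
        print("hosting ip:", line)
```

Pivoting on the registrant address ties INC-001 to INC-003 together (oil, gas and healthcare, the pattern Ward describes), while pivoting on the hosting address links INC-004 and INC-005 instead. A shared attribute is a lead, not proof: shared hosting at a bulk provider or a privacy-proxy registrant address will cluster unrelated actors, so each linked campaign still needs a second, independent overlap before it is treated as one adversary.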
Of course, that is the problem in a nutshell: Hackers — perhaps nation-states, perhaps individuals — have stolen troves of information from the US government’s Office of Personnel Management, schematics for the F-35 fighter jet from Lockheed Martin, and sundry credit card numbers from Target customers, PlayStation users and many, many others, often posted on easy-to-find blogs that simply list one set of personal data after another.
Dave Levine, a fellow at Princeton University’s Center for Information Technology Policy, said that information sharing is hard to improve, given the reticence of companies to share (or admit the existence of) trade secrets.
A major trouble with CISA is “the interest in government in trying to solve problems that do not have much of a legal solution,” Levine said.
“It’s better for the government to encourage the private sector to be more robust in increasing cybersecurity standards within corporations,” he said.
NETWORK SECURITY
Both Levine and Kaminsky praised US government efforts to make networks harder to break into. Levine noted a recent push by federal agencies for multifactor authentication during the White House’s “cybersprint.” Kaminsky said government agencies had been “a lantern in the darkness” when the National Institute of Standards and Technology developed standards to avoid the DNS “cache poisoning attack” — better known (after its discoverer) as the Kaminsky Bug.
Kaminsky said the solution must be to make more secure systems.
“We’re not gonna hack our way into networks that can’t be hacked, we’re not gonna get leaks from networks that leak less,” he said. “The government’s role is not to be the biggest, baddest hacker in the room.”
Those networks, he said, might need to be built by government employees, because there is not sufficient profit motive for the private sector to generate them quickly enough for Kaminsky’s taste.
“When does someone ever tell you there’s not enough bureaucracy?” he said. “There’s no bureaucracy that’s focused on making more secure technology. Wouldn’t it be nice if there was some sort of department? Of defense?”
Even Ward, who is much more enthusiastic about information sharing than Kaminsky, said that the wide variety of information supplied by so many different companies covered by CISA means that cross-referencing becomes very difficult.
“Let’s say CISA passed,” Ward said. “Google gives up all their data, Facebook gives up all their data. OK, great! That’s not information, that’s just data.”
Not everybody loves government-sponsored security protocols, but they at least keep citizen data private.
“I’d rather have the government running technology than fighting encryption tooth and nail,” Kaminsky said. “That’s the weirdest thing. We’re in a world that needs more security and we’ve got people saying: ‘Perhaps the Internet is too secure!’ Only in DC could that happen.”