The Flaws in Obama’s Cybersecurity Initiative
President Obama’s new raft of proposals aims to address the growing concern that America is not taking tough-enough action against the increasing cybersecurity problem of nation-states and criminals (usually criminal gangs) attacking U.S. consumers and organizations. The evildoers’ motivation for doing so is most often money, but intellectual property is also being filched, and the internet is also being used for anything from identity theft to illicit political objectives.
The cornerstones of the proposal are to:
Prohibit the sale of botnets and similar tools
Give the courts the power to shut down networks assembled for cybercrime such as those involved in “distributed denial of service” (DDoS) attacks
Protect companies that share information with the government about computer threats from liability
He also calls for better cooperation between companies and the government when tackling cybercrime.
The problems are certainly real. We are losing on the battleground of cybersecurity. For example, the gains that IT contributed to the GDP of the Netherlands in 2014 were wiped out by the even larger cost of cybercrime. Cybercrime has now become widespread enough to be a drag on growth in many countries. By some estimates, it costs between $500 billion and $1 trillion worldwide. That’s bigger than the GDP of 75 countries combined.
But how much can any government do to address the problem of cybercrime? And will these proposals do anything to fix the situation in the U.S.? Many of the criminal gangs (and certainly nation-states) lurk beyond U.S. jurisdiction – or at least, beyond the capacity of law enforcement to track them down in large numbers. Therefore, criminalizing many of the activities and products associated with cybercrime is likely to have more symbolic value than actual effect.
This is a limitation that would be faced by any country’s government, except perhaps the one where the crooks live. Russia, for example, has an exploding underground cybercrime industry. Trend Micro’s findings are that you can buy a botnet outright for about $700, or rent one for an hour for $2 – enough time to do serious damage. Trojans that let you spy on incoming and outgoing texts will run you $350.
Every country now has its own special wares to peddle. Brazil is apparently the place to go if you’re in the market for some banking malware. China’s gangs have their own special portfolio to sell. In terms of the competition between Russia and the United States, the homes of the biggest criminal hosts, Russia is winning big time. In three months in 2012, Russia’s share of malicious hosts rose by around 10%, and the United States lost 10% of its bad boy computers. There’s ample evidence that for every cybercriminal activity that gets squashed in the United States, an offshore competitor takes it – at cheaper rates. And even those rates are falling fast as more players and countries compete for their share of the pie.
In other words, Obama’s proposals are tackling a problem that was already diminishing in the U.S. The bad guys that really cause problems for Americans (and everyone else) are beyond the long arm of the law.
But what of the part about encouraging companies to share information about cyberthreats with the U.S. Department of Homeland Security by offering them “targeted liability protection”? That has to be a good thing, right? Well, the thing is that it’s already happening. In the United States, many company groups already share information – without government involvement – concerning cyberattacks and threats.
Each of these industries is dealing with its own kind of ugly crook, looking to use its specialized expertise to exploit vulnerabilities peculiar to that industry. The Retail Cyber Intelligence Sharing Center has been up and running since last year, when some 30 large retail companies got together and decided to share information on threats with each other. The oil and gas industry is doing something similar through ONG-ISAC (an acronym likely brought to us by the spawn of the same marketing-savvy engineers that coined TCP/IP and PCMCIA). And FS-ISAC does the same thing for the financial services industry, a particularly important sector for Willie Sutton reasons.
It makes sense for companies to form their own cybersafety industry groups to combat their particular threats. Individual companies are also putting great effort into safeguarding their value, though the facts about and nature of their work are often secret.
A bigger issue is that cybercrimes are grossly under-reported and fear of liability is only one part of the problem. Companies just don’t see the governmental resources available to successfully prosecute the kinds of cybercrime they experience, and the track record probably supports that view. Why share information with the government if it won’t help your situation?
There are also hosts of not-so-wacky conspiracy theorists who worry about any governmental involvement with the internet. (Some of them actually think the government is using it to snoop on us!) They also worry that if Congress passes a bill when prompted by a crisis, there are almost always additional consequences: usually giving the government more power than we would like.
Nevertheless, a few things make this part of the proposals much more palatable. First, there are many cybercrimes that aren’t just industry specific. Lots of nasty stuff would simply fall through the cracks if left to individual industries. We might not see innovations and changes that affect all of us, and we might not be as good at communicating new general threats more publicly.
For example, the fastest growing malware targets smartphones. With the right hack, your phone can be used to bug you or see what its camera sees. Not a great sales pitch for a conflicted phone industry. How about cars getting hacked? What about Skype-enabled TVs peering into thousands of homes and the streams being sold on the dark web? We might want companies to share that kind of information with the government – and us – without too much fear of reprisal.
Probably more important than our internet-of-everything gadgets are the power, water, sewage, manufacturing and transportation networks. A surprise, broad attack might put us, if only temporarily, somewhere between now and the Middle Ages. And even though governments are trying hard to protect this infrastructure, we’d probably want any hint of a private breach likely to be correlated with a broad-scale, warfare-like attack shared centrally (sooner rather than later).
In summary, I believe Obama’s proposals are well-intentioned. Information sharing is, on balance, a good thing. They at least start to address a set of problems that will impact the next generation even more than ours and may be the basis for some fundamental research. But I just doubt that they will be very effective in combating cybercrime.
So what is the answer? We know it is a global problem requiring a global solution. We know we need more global cyber capacity to fight cybercrime. International cooperation is critical. Global information sharing is also important – and we are doing some of it. A better understanding of the psychology of how insiders are coaxed, blackmailed, or tricked into sharing access to their computer systems would help organizations defend themselves. Good technology exists and will help, if we use it. Most important is education: Everyone – individuals, employees, companies, and boards of directors – needs to understand the new dangers.
One of the best results of Obama’s initiative may be to put the cybercrime issue a little higher on everyone’s agenda. If it spurs more good guys to learn and focus on the challenges, this second-order effect may have the greater impact.