Two former government cyber officials are working on a new way for industry to measure whether the Trump administration’s surge in offensive hacking operations is successfully deterring U.S. cyber adversaries or just egging them on.
Jason Healey, a White House cyber official during the Bush administration, and Neil Jenkins, an Obama administration cyber official in the Homeland Security Department, are developing a program for tech companies to track the pace and severity of digital strikes against U.S. targets as well as other factors such as whether the attack was especially brazen, reckless or globally destabilizing. The Cyber Threat Alliance, a coalition of top tech companies that share cyberthreat information and where Jenkins is chief analytics officer, is likely to take on the task of measuring the attacks.
If the resulting data shows U.S. adversaries are becoming more aggressive, Healey and Jenkins hope the government will change course before cyberspace becomes more unstable.
“A lot of us see this as an incredibly high-risk strategy,” Healey, a senior research scholar at Columbia University, told me of the Trump policy. “If you punch the other guy harder, he might just punch you back harder. It might be worth it, but the only way we’re going to be able to figure that out is if we pay attention in a more disciplined manner.”
Healey and Jenkins plan to release the formal framework at the International Conference on Cyber Conflict in Tallinn, Estonia in May and shared a draft version with me last week.
The project highlights concerns among researchers and industry about the Trump administration's decision in August to significantly loosen the reins on military and intelligence agencies launching retaliatory hacking operations, a move that national security adviser John Bolton said was aimed at imposing a “disproportionate cost” on adversary countries that hack U.S. targets.
The battleground in cyberspace is effectively private companies’ computer networks -- and any increase in global conflict could cost them millions in breaches and increased cyber defense costs. As a result, high tech companies have been more forward about policy advocacy in cyberspace than in other national security sectors. Microsoft, for example, has proposed a Digital Geneva Convention to restrain government’s from hacking other nation’s companies.
Already, companies that are part of CTA -- which include Cisco, Symantec and McAfee -- have increasingly been using shared threat information to attribute hacking campaigns to government-linked threat groups in Russia, China, Iran and elsewhere, Jenkins told me. He says it would be relatively easy to take that analysis one step further to measure the pace, severity and other aspects of the attacks.
Jenkins has spoken with member companies about using the measurement framework, but they haven’t all committed to it yet, he told me. The plan will be to release public reports about the group’s findings but not the underlying data, he told me.
Jenkins and Healey are also hoping the government could also be a partner on the program. Based on their own informal conversations with military and civilian officials, they believe the government is not measuring the policy’s effectiveness internally, they told me. The White House did not respond by press time to a query about whether they're measuring the program's effectiveness.
Congressional Democrats have also said they plan to do oversight to ensure Trump’s more aggressive cyber policy doesn’t backfire.
There are some limits to what the framework could track. First off, there’s not a lot of apples-to-apples data from before the Trump policy shift, which will make it difficult to determine whether an increase or decrease in adversary hacks is due to the Trump policy or just part of the normal ebb and flow of hacking operations.
Second, while Bolton has said publicly that U.S. Cyber Command is doing more offensive hacking than it used to, researchers don’t know precisely how much hacking CYBERCOM is doing or against who or when. So, if researchers see a drop in hacks coming from North Korea, for example, they won’t know for sure that it’s because the hackers were cowed by an increase in U.S. offensive operations.
Finally, the framework may show correlation but not causation. An uptick in Chinese hacking, for example, may be sparked by U.S.-China trade tensions or other factors separate from how frequently or severely the United States is striking back in cyberspace.
Despite those caveats, Healey and Jenkins believe they can glean enough information to assess whether the offensive hacking campaign is doing more harm than good, they told me.
“We’ll measure what we can measure, which is the punches coming at us,” Healey told me. “If the attacks on us go sharply up, then it doesn’t rule out that it’s working the way they’re thinking it will, but it certainly makes it a lot less likely.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The partial government shutdown is weakening the security of several government websites. The England-based Internet services firm Netcraft found that the Transport Layer Security certificates of several .gov websites have expired and not been renewed, according to FCW's Mark Rockwell. Those certificates aim to help secure communications between browsers and a website's host server. As a result, several government websites are inaccessible or blocked on popular browsers. “As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens,” Netcraft said.
However, as TechCrunch's Zack Whittaker noted, most major government websites are still up and running. “Most government certificates aren’t set to expire for many more months,” Whittaker wrote. “Also, any government website hosted on cloud.gov, search.gov or federalist.18f.gov won’t get certificate errors, as these domains automatically renew their certificates every three months with Let’s Encrypt.”
PATCHED: A voluntary Privacy Framework being developed by the Commerce Department’s National Institute of Standards and Technology (NIST) should urge organizations to think about privacy from the the beginning of a product's development cycle, according to comments from a group of cybersecurity-focused companies. The framework should also encourage companies to share information for security purposes, according to the comments from the Cybersecurity Coalition — whose members include AT&T, Intel, Symantec and other companies.
NIST should also promote “healthy” privacy practices “such as storing data only for as long as necessary and only for its intended purpose,” according to the group. Additionally, the Cybersecurity Coalition said NIST should ensure that the forthcoming privacy guidelines can work with the institute's Cybersecurity Framework. Although the deadline for submitting comments to NIST is today, the timeline for the development of the Privacy Framework could be affected by the government shutdown.
PWNED: Chinese telecommunications giant Huawei fired a Chinese employee who was detained in Poland on suspicion of spying, The Washington Post's Anna Fifield reported. Huawei said in a statement that Wang Weijing, who also goes by Stanislaw Wang, brought the company “into disrepute” and sought to distance itself from him. “Huawei has decided to terminate the employment of Mr. Wang Weijing, who was arrested on suspicion of breaking Polish law. His alleged actions have no relation to the company,” Huawei said. A Polish citizen employed by the European carrier Orange and who used to work for a Polish intelligence agency was also detained. Several countries including the United States, Australia and New Zealand have moved to block Huawei from involvement in their 5G networks over security concerns, my colleague noted.
Now, Polish authorities could consider enacting a ban on the use of Huawei's products by public bodies, according to a Polish senior government official, Reuters's Anna Koper and Justyna Pawlak reported. “The Polish government could also look to tighten legislation to allow the authorities to limit the availability of products made by any company deemed to pose a threat to security,” Reuters reported.
— A report from the Defense Department Inspector General found that the agency has not yet addressed 266 cybersecurity vulnerabilities in its networks, Nextgov's Jack Corrigan reported. Most of the Pentagon's cybersecurity weaknesses were discovered in the past year, but two vulnerabilities dated back to 2008. “Without proper governance, the DoD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems,” the inspector general said, as quoted by Corrigan. The IG report was a summary of several reports issued between July 1, 2017, and June 30, 2018, that identified cybersecurity issues at the Pentagon.
— A thief managed to enter two State Department buildings in Washington and Arlington and stole dozens of cellphones and other pieces of electronic equipment, but almost all the devices were recovered, The Post's Carol Morello reported. “The State Department said it does not believe the purloined phones contained any classified material,” my colleague wrote. A suspect, whom Arlington police identified as Joel Enriquez-Bueno, was arrested after allegedly trying to sell the equipment in a Virginia restaurant.
Carol reported that more details were known about the incident that occurred in Rosslyn. “Police said a man had ‘piggybacked’ into the secure building at 9:35 a.m., slipping in behind someone else, made his way to an upper-floor suite and allegedly stole 53 electronic devices, including 44 cellphones that were a combination of private and government-owned phones,” my colleague wrote. “It is unclear why so many phones were in one place, but government employees often check their phones before entering secure areas.”
— Special counsel Robert S. Mueller III’s investigation into Russian interference in the past U.S. presidential election is expected to feature prominently in the confirmation hearing of William P. Barr, Trump's nominee for attorney general, according to The Post's Devlin Barrett, Matt Zapotosky, Karoun Demirjian and Tom Hamburger. “At the hearing, Barr intends to publicly repeat his pledge not to interfere with or shut down Mueller’s work, but is determined not to make broader or more specific promises about how he will approach the Russia investigation or any ethics review of his involvement in it, according to people preparing him for the hearing,” my colleagues wrote. Barr's confirmation hearing starts tomorrow and is scheduled to last two days.
— More cybersecurity news from the public sector:
— Google said it asked T-Mobile and Sprint not to sell the location data of users of the Google Fi phone plan to third-party companies, Motherboard's Joseph Cox reported. Google Fi uses infrastructure from T-Mobile and Sprint in the United States. Motherboard reported last week that T-Mobile, Sprint and AT&T sold their customers' location data to third parties. “We have never sold Fi subscribers' location information,” a Google representative told Cox in a statement. “Google Fi is an MVNO (mobile virtual network operator) and not a carrier, but as soon as we heard about this practice, we required our network partners to shut it down as soon as possible.”
— More cybersecurity news from the private sector:
- The Brookings Institution hosts a discussion titled “How China and the U.S. are advancing artificial intelligence.”
- The Center for Strategic and International Studies hosts a discussion on the Justice Department's responses to cyber threats tomorrow.
- S4x19 industrial control systems security conference in Miami Beach, tomorrow through Thursday.
- The Council on Foreign Relations holds a panel discussion titled “Hacking and the Internet of Things” on Thursday.
- ShmooCon hacker conference in Washington on Friday through Sunday.
Lawmakers stick to their spin, despite new questions about Trump and Russia:
Timelapse: Watch snow blow into D.C. from the roof of The Washington Post:
D.C. area dogs, kids take advantage of first snowfall: