Want to know the most effective ways businesses defend themselves against hacking? Good luck.
There’s a mountain of marketing material about that and other cybersecurity topics, but a dearth of high-quality, vetted data that researchers can use to draw their own conclusions, cybersecurity academic Tyler Moore tells me.
That’s because most cybersecurity research relies on data from companies about hacking attempts against their clients — and the companies are wary of sharing that data too broadly because of privacy concerns.
But without more public raw data, researchers are only seeing a slice of the pie. And that makes it difficult to draw big-picture conclusions or to give definitive answers to even basic questions -- such as where our greatest digital vulnerabilities are and which defensive measures are most effective at combating them, said Moore, an associate professor of cybersecurity and information assurance at the University of Tulsa.
Moore just completed a two-year, $200,000 project funded by the Department of Homeland Security’s Science and Technology Directorate, which found that only 15 percent of cybersecurity research studies that gathered original data made that data available to other researchers after their work was complete.
That’s far lower than other academic disciplines, where sharing raw data is often a prerequisite for being accepted for publication or to present at a conference, Moore said.
And the lack of public data doesn’t just make it tough to see big-picture problems – it also prevents researchers from vetting each other’s work for errors and it limits the number of people who can do a lot of cybersecurity research to those who can get access to a company’s data, he said.
“The overall state of cybersecurity hasn’t markedly improved over the last decade and it’s arguably gotten worse,” Moore told me. “One of the reasons is we haven’t had the same push for making scientific advances.”
There are ways for companies to become more comfortable sharing their cybersecurity data and for the researchers who partner with those companies to help them get there, Moore said.
For example, companies can anonymize cybersecurity data so there’s close to zero risk that customers could be identified, he said, and the DHS Science and Technology Directorate has created model legal language for those companies to protect themselves against whatever risk remains.
That sort of shift has happened before. Genomic research, for example, also relies on highly sensitive personal information but the National Institutes of Health has figured out ways to collect huge troves of anonymized data that academic researchers can cull for new insights.
There are also tools that function like data black boxes — essentially allowing researchers to conduct studies using data without ever viewing the data itself, which remains encrypted. The company Galois created one version of that technology with money from another DHS Science and Technology grant.
“There are a whole lot of possible barriers that will come to the fore if an organization asks their lawyers about it,” Moore said. “It turns out that many of those risks, on deeper inspection, can be mitigated and overcome. But there has to be institutional will to do it.”
One irony of this problem is that the cybersecurity community has been hyper-focused on information sharing in recent years — but the focus has been on companies sharing hacking threats from the past day or two so they can guard against them.
The government has championed these threat-sharing operations and facilitates them through a set of organizations called information sharing and analysis centers and information sharing and analysis organizations.
That sort of sharing has a clear benefit for companies because it helps them defend against threats that may be coming in the next hour or day. But companies have made less progress on sharing longer-range cybersecurity information that can help address more fundamental cybersecurity challenges, Moore said.
“Much of the information-sharing debate has all been at the operational level, which is definitely important. But research data is also something that needs to be shared,” he said. “If you look at how we’re going to make actual improvements to cybersecurity, it’s going to have to take a longer-range view.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: DHS’s cybersecurity mission is getting short shrift in the Trump White House, which is hyper-focused on immigration, my colleagues Nick Miroff, Shane Harris and Josh Dawsey report.
Former secretary Kirstjen Nielsen’s background was in cybersecurity, but that didn’t interest Trump, who was outraged that she couldn’t reduce southern border crossings, my colleagues report. And with her ouster, former officials worry cybersecurity won’t get the high-level attention it needs.
Here are details from Nick, Shane and Josh: “A former senior administration official said Trump sometimes called cybersecurity ‘the cyber’ and said that dealing with it, or talking about it, would only get you in trouble. He has occasionally joked to aides that the world would be better without computers and other devices after hearing about potential attacks and hacks — and would grow bored during lengthy technological briefings about cybersecurity from Nielsen, former homeland security adviser Tom Bossert and others.”
DHS officials including Cybersecurity and Infrastructure Security Agency director Chris Krebs told my colleagues the department’s cybersecurity mission has not suffered. “We are acutely dialed into our mission,” Krebs said, adding that his agency has more than 2,200 full-time federal employees working on cyberdefense.
PATCHED: A massive hacking campaign nicknamed “Sea Turtle” has compromised 40 organizations across 13 countries primarily in the Middle East and North Africa, according to research released Wednesday by Cisco’s Talos threat intelligence team.
FireEye followed up with a statement shortly afterward, saying with “moderate confidence” that at least some of the hacking could be tied to actors in Iran.
The hacking campaign relied on a technique called DNS hijacking, which undermines the basic address book of the Internet. That’s important because, once DNS is undermined, there’s no guarantee that the website you think you’re sharing information with — even your bank or an employer’s site — is legitimate.
Here’s how Wired’s Andy Greenberg described it: “DNS hijacking targets the Domain Name System, the pillar of internet architecture that translates the domain name you type into your browser, such as ‘google.com,’ into the IP address that represents the actual computer where that service is hosted, such as ‘220.127.116.11.’ Corrupt that system, and hackers can redirect that domain to any IP address they choose. Cisco Talos researcher Craig Williams says the Sea Turtle campaign is disturbing not only because it represents a series of brazen cyberspying operations but also because it calls into question that basic trust model of the internet.”
In this case, “Sea Turtle . . . went so far as to compromise multiple country-code top-level domains — the suffixes like .co.uk or .ru that end a foreign web address — putting all the traffic of every domain in multiple countries at risk,” Greenberg reported.
PWNED: A vulnerability of some kind in the Car2Go app allowed criminals in Chicago to make off with up to 100 Mercedes and other high-end cars in Chicago, according to local news reports.
The company described the multiple thefts as an act of “fraud” rather than a “hack” in a statement, saying no customer information had been compromised. Car2Go did not provide additional details about the nature of the fraud.
Here are details form CBS Chicago TV news reporter Brad Edwards and Car2Go’s response:
The app was not hacked. This is an instance of fraud, isolated to Chicago, and we are currently working with law enforcement. None of our member’s personal or confidential information has been compromised. No other SHARE NOW North American market has been affected.— car2go Chicago joins SHARE NOW (@car2goChicago) April 17, 2019
The company said it's temporarily suspending Chicago service.
We are working with law enforcement to neutralize a fraud issue. No personal or confidential member information has been compromised. As a precaution, we are temporarily pausing our Chicago service. We will provide updates as soon as possible. Apologies for the inconvenience.— car2go Chicago joins SHARE NOW (@car2goChicago) April 17, 2019
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: