LAS VEGAS — The Justice Department's relationship with the cybersecurity research community has historically been tempestuous, but Leonard Bailey is on a mission to improve it.
That's what brings him here, to the BSides cybersecurity conference. The head of the cybersecurity unit of DOJ’s computer crimes division is extending an open invitation today to ethical hackers to air some grievances and offer policy advice, in a talk called: “Let’s Hear from the Hackers: What Should DOJ do Next?”
Bailey wants to ensure hackers are willing to work with government on improving cybersecurity -- instead of staying away because they're suspicious of government.
“It's about figuring out how to make sure that their ability to help us improve [the nation’s] cybersecurity is not taken off the playing field,” Bailey tells me. “They have a valuable resource and they can be helping everyone.”
This marks a drastic change — in terms of both outreach and attitude — from previous years. Tensions have soared as ethical hackers accused DOJ of being too quick to prosecute them for benign research aimed at improving cybersecurity — and of not being transparent enough about the rules for what constitutes a digital crime.
Bailey's office has worked for four years to ease some of these tension points, he said, including by helping develop Copyright Office rules, which make it tougher for companies to use copyright laws to scare off ethical hackers from searching for dangerous bugs in their software, and publishing guidance that clarifies when hackers are likely to fall afoul of the nation’s major anti-hacking law, the 1986 Computer Fraud and Abuse Act.
“[Before], we were building a bridge” of trust, he told me. “Now, we’ve developed some strong relationships where we can have policy discussions.”
Bailey’s likely to run into some serious headwinds, though. While a majority of cybersecurity experts surveyed by The Cybersecurity 202 said this week that the relationship between hackers and government officials has gotten better in the last several years, they also pointed out some major points of conflict.
Most ethical hackers strongly oppose Attorney General William P. Barr’s push to stop companies from offering encrypted communication systems that prevent police from accessing communications with a warrant. And they say the Computer Fraud and Abuse Act is still used too broadly to punish hackers — with many pointing to the case of Marcus Hutchins, a British security researcher who helped stem the damage from the massive WannaCry ransomware attack in 2017 but was charged under the CFAA a few months later for developing and selling malicious software.
Bailey acknowledged the conflict. He joked in a 2016 address that when he first met with ethical hackers at the Black Hat cybersecurity conference in 2015 “only half [of the meeting] was being yelled at.” In succeeding years, he says, those conversations have become far less hostile and more productive. Now, he says ethical hackers frequently call him to talk over policy disagreements.
One of the big things Bailey wants to talk with ethical hackers about today is ways they can work with government to help warn young people who are skilled with computers away from criminal hacking or digital vandalism that might land them in trouble with the law.
“Kids who are tech savvy are having earlier and earlier access to valuable tools for learning hard skills like coding, but they may not also be getting information about how to use that power responsibly,” he said.
The Justice Department is examining offering grants for organizations to write ethical hacking curriculum for high schools or community organizations, he said. They’re also looking for ways to reach out to places where they might find tech savvy teens, such as the video gaming community.
But he’s hoping the hacking community will take up the issue, too, and launch its own education efforts.
“It's very difficult for the government to shape a message here, to say ‘hey kids, don't hack.’ That doesn't really have a lot of purchase,” he told me. “So, we’re trying to figure out whether there are ways of leveraging the community to help us with that messaging.”
PINGED: A second election security non-profit has announced it will offer free cybersecurity protections to 2020 presidential campaigns following a May Federal Elections Commission opinion that said non-profits can offer those services without falling afoul of campaign finance laws.
The newly-formed non-profit U.S. CyberDome boasts an all-star board of directors including former Homeland Security chiefs Jeh Johnson and Michael Chertoff and former Director of National Intelligence James Clapper. Defending Digital Democracy, the non-profit that sought the FEC ruling, is run by Robby Mook, Hillary Clinton’s 2016 campaign manager, and Matt Rhoades, Mitt Romney’s 2012 campaign manager.
CyberDome will offer services including protection against password thefts and ransomware using a patchwork of different vendors and technologies, founder Joseph Drissel told Tim Starks at Politico.
“It’s not a question of ‘if’ a campaign will be hacked or trolled, it’s a question of ‘when’,” Drissel said in a statement. The group hopes to expand its services to congressional elections over time.
The FEC also gave the greenlight to a private cybersecurity firm, Area 1 Security, to provide “low- to no-cost” protections against phishing attacks to 2020 campaigns in July.
PATCHED: The Department of Justice indicted a 34-year-old Pakistani man for paying more than $1 million in bribes to AT&T workers to plant malware and surveillance software on corporate computers and devices, Forbes’ Thomas Brewster reports.
The malware allowed Muhammad Fahd to collect confidential data that helped him to unlock phones and sell them on the black market for far more than he would have earned for locked phones. Fahd and the employees he bribed unlocked 2 million phones over the five years they ran the scam -- defrauding AT&T of tens of millions of dollars. The malware didn't allow Fahd access to consumer data, Brewster reported.
Fahd, who was extradited to the U.S. from Hong Kong this month, faces up to 20 years in jail.
PWNED: Senate Democrats’ campaign fundraising arm left a server containing the email addresses of 6.2 million Americans exposed, researchers told TechCrunch's Zack Whittaker. The decade-long exposure highlights how campaigns are collecting more and more data about their donors but not sufficiently improving their security at the same time.
Researchers at the security firm UpGuard found the unprotected data hosted on Amazon cloud storage without a password in July. After tracing the data back to the Democratic Senatorial Campaign Committee, researchers notified the organization and the DSCC secured the data. (Amazon founder Jeff Bezos owns The Washington Post.)
The data was stored in files dated to 2010 that included "Clinton" in the name, suggesting campaign staff may have collected the data during fundraising efforts for Hillary Clinton's 2010 Senate run, Whittaker reports. DSCC denied the claim to TechCrunch but did not disclose how it collected the data or if the data had been accessed while exposed. The server contained private and government email addresses.
"If political data can be exposed for 10 years, the risk created by that data has an unknown half-life," researchers at UpGuard wrote in a blog post. Researchers could not determine if hackers accessed any of the data while it was unsecured.
"A spreadsheet from nearly a decade ago that was created for fundraising purposes was removed in compliance with the stringent protocols we now have in place," DSCC spokesperson Stewart Boss wrote in an email.
Correction: This article originally misstated what data the exposed Democratic Senatorial Campaign Committee server contained. It contained private and government emails.
- The Black Hat USA conference takes place through August 8 in Las Vegas.