It's worth mentioning the history of 'coordination' or 'bringing into line' between the public sector and the private sector here, especially Gleichschaltung [0].
I'm not trying to make a direct comparison, but the executive branch's "calls for them to hand over more data" are fundamentally about totalitarian surveillance and control. That may not be the goal, stated or otherwise, but make no mistake: the effect is the same.
It's worth considering how we might feel if Russia or China were calling for something like this.
"The best propaganda is that which, as it were, works invisibly, penetrates the whole of life without the public having any knowledge of the propagandistic initiative." -Goebbels
It's also interesting to see that Microsoft is one of the first to obey (a voluntary "order") - the first company to ever participate in the PRISM program, and the one we know most about for its "cooperation" with the NSA from Snowden's documents.
Whatever the debate about the "old" and the "new" Microsoft, Microsoft has definitely remained the same when it comes to happily giving its user data to the government, even when not obligated by the law to do so. Sometimes they excuse themselves with the argument "that it's the law". Well this time it's not the law, Microsoft. So what's your excuse now?
Everything else in this thread so far seems really negative (with ample justification) of even the idea of sharing this data.
But, personally I wish there was something like the CDC for this type of "cyber" crime.
If there's a 1000% increase in CryptoLocker-like ransomware showing up, I would actually like the FBI to investigate.
If DDOS extortion schemes are being systematically targeted against companies big and small - that would seem to call for a government response.
At the very least if we just collectively knew more about all of the attacks that were happening I feel as if responses could be improved.
If someone can DDOS Ford's website and demand $1000 to call off the deluge and Ford pays it - this would seem to make all of us more vulnerable. If it had to be reported maybe it would help.
"Cybersecurity industry veterans said Obama's anticipated order would be only a modest step in one of the president's major priorities - the defense of companies from attacks like those on Sony and Anthem Inc.
Obama has proposed legislation to require more information-sharing and limit any legal liability for companies that share too much. Only Congress can provide the liability protection through legislation."
The bottom line is that all Obama is really doing is not only promoting data sharing between the government and key private corporations, but also effectively indemnifying them for obtaining and processing such data.
"Businesses are unlikely to share a lot of timely and "actionable" cyber intelligence without liability relief, said Mike Brown, a vice president with the RSA security division of EMC Corp."
> It is one step in a long effort to make companies as well as privacy and consumer advocates more comfortable with proposed legislation that would offer participating companies liability protection, the White House said.
Companies get protection and individuals get the CFAA; they want information about attacks shared and information about vulnerabilities hidden. Almost makes sense if you don't work in tech.
Hey so I work for one of the orgs that uses cyber threat data to catch bad guys, and I can help explain a bit about what "cyber threat data" actually is.
Obviously the caveat here is I'm speaking as an individual with experience and not really as a rep for my company, but I see a lot of misinformation about what kind of information "cyber threat data" actually is, so I'd like to help clear the air a bit.
Also keep in mind I'm a developer, not a guy "in the field".
Edit:
Just for a little background, I can give you guys some examples of what this "cyber threat data" actually looks like. My company came up with this format called an "IOC", or "Indicator of Compromise" that can be fed into network and endpoint detection tools to search for threats.
You've got FileExtension, FileFullPath, PID, EventLogItem, DriverItem, and so on.
It's not like this information can't be identifiable, as it's not anonymized, but it's just plain unfair to say this is your email address, social security number, browsing habits, or anything like that. This isn't data about you.
Why does there need to be secrecy and indemnity for corps sharing non-PII data? Everything I've heard about these CISPA-esque sharing schemes is that the gov wants to have corps share potentially unmasked data with the gov AND with each other without risk of getting in trouble for privacy violations.
Secrecy mostly because it's live intel -- these aren't your run of the mill hackers, they'll adapt. If you publish your intel each month publicly, they'll just make sure to run your intel against their latest malware and make sure you can't detect them.
Indemnity I'm not fully versed on (I'm just a dev, and this is more of a law area), but I get the idea that they want to be able to say, "Block these domains, and watch out for these email addresses -- they're spear phishing addresses" without getting in trouble for sharing those email addresses in the first place.
After all, if we're hunting for hackers, and the hackers end up being users of your website, do the hackers suddenly get immunity from being detected? If I see "l33th4x0r12345" as a user on my system, and I know that user just tried a bunch of XSS on my support staff, I'm going to want to let other groups know that "l33th4x0r12345" is a bad actor.
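To make the two posts above concrete (the IOC format built from terms like FileExtension, FileFullPath, PID, EventLogItem and DriverItem, and the "block these domains, watch out for these email addresses" kind of spear-phishing intel), here is an added example of what a minimal indicator matcher looks like. It is not the commenter's code or any vendor's implementation: the term names are hypothetical and only loosely modelled on the item names quoted in the post, the AND/OR tree is a simplified stand-in for the real XML schema, and every indicator value and endpoint event is constructed (reserved `.invalid` / `example.com` names, made-up paths and PIDs). The last function answers the privacy question directly: it lists which fields an indicator actually references, so a recipient can check before sharing that no user-identity fields are in it.

```python
"""Simplified OpenIOC-style indicator matcher (added illustration, not the
thread author's code; term names, structure and all sample data are
hypothetical/constructed)."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Union


@dataclass
class Term:
    """One artifact test: an item name, a value and a comparison condition."""
    item: str                 # hypothetical item name, e.g. "FileItem/FullPath"
    value: str
    condition: str = "is"     # "is" (exact), "contains", or "matches" (glob)


@dataclass
class Indicator:
    """AND/OR tree of Terms and nested Indicators, like an OpenIOC definition."""
    operator: str             # "AND" or "OR"
    children: list            # list[Term | Indicator]


def term_matches(term: Term, event: dict) -> bool:
    """Return True if the event's value for term.item satisfies the term."""
    observed = event.get(term.item)
    if observed is None:
        return False
    observed, wanted = str(observed).lower(), term.value.lower()
    if term.condition == "is":
        return observed == wanted
    if term.condition == "contains":
        return wanted in observed
    if term.condition == "matches":
        return fnmatch.fnmatchcase(observed, wanted)
    raise ValueError(f"unknown condition {term.condition!r}")


def indicator_matches(ind: Indicator, event: dict) -> bool:
    """Evaluate the AND/OR tree against a single endpoint/network event."""
    results = (
        term_matches(c, event) if isinstance(c, Term) else indicator_matches(c, event)
        for c in ind.children
    )
    return all(results) if ind.operator == "AND" else any(results)


def referenced_terms(ind: Union[Indicator, Term]) -> list[str]:
    """List every item name an indicator references (what actually gets shared)."""
    if isinstance(ind, Term):
        return [ind.item]
    return sorted({name for c in ind.children for name in referenced_terms(c)})


def scan(events: list[dict], iocs: dict[str, Indicator]) -> list[tuple]:
    """Return (event id, IOC name) for every event that hits an indicator."""
    hits = []
    for event in events:
        for name, ind in iocs.items():
            if indicator_matches(ind, event):
                hits.append((event["id"], name))
    return hits


# Constructed indicators: a dropper executing out of %TEMP% or a known bad
# driver, and a spear-phishing sender/domain pair. Values are made up.
IOCS = {
    "constructed-dropper": Indicator("OR", [
        Indicator("AND", [
            Term("FileItem/FileExtension", "exe"),
            Term("FileItem/FullPath", "*\\appdata\\local\\temp\\*", "matches"),
        ]),
        Term("DriverItem/DriverName", "badrootkit.sys"),
    ]),
    "constructed-spearphish": Indicator("OR", [
        Term("Email/From", "invoice@example-lure.invalid"),
        Term("DnsEntryItem/Host", "updates.example-lure.invalid"),
    ]),
}

# Constructed telemetry: note the indicator never looks at Email/To or the user.
EVENTS = [
    {"id": 1, "FileItem/FullPath": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "FileItem/FileExtension": "exe", "ProcessItem/pid": 4120},
    {"id": 2, "FileItem/FullPath": r"C:\Program Files\Vendor\tool.exe",
     "FileItem/FileExtension": "exe", "ProcessItem/pid": 880},
    {"id": 3, "DriverItem/DriverName": "badrootkit.sys", "ProcessItem/pid": 4},
    {"id": 4, "Email/From": "invoice@example-lure.invalid", "Email/To": "bob@example.com"},
    {"id": 5, "DnsEntryItem/Host": "updates.example-lure.invalid"},
    {"id": 6, "DnsEntryItem/Host": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, ioc_name in scan(EVENTS, IOCS):
        print(f"event {event_id} matched {ioc_name}")
    for name, ind in IOCS.items():
        print(f"{name} references: {referenced_terms(ind)}")
```

Running it flags events 1, 3, 4 and 5 and prints, for each indicator, only artifact fields (paths, extensions, a driver name, a sender address and a hostname). The referenced-terms listing is the useful review step when deciding whether an indicator set can be shared: an indicator that names a sender address is sharing an attacker artifact, while one that referenced the recipient or account fields would be sharing data about the victim.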
This is a valid question, and honestly I'm not sure.
Once you're asking this question though, you've gotten past the point I think a lot of folks are hung up on, and that's the content of the intel.
I'd just like to get folks to a point where they're understanding that their mother's maiden name isn't getting blasted through the cybersecurity world.
How many businesses have access to that list or even know it exists? Every single business in the U.S. needs to get smarter about online security, and a big part of that is getting useful information about modern lines of attack. A few private arrangements are not going to do the job.
The fundamental problem is that there are few limits on why a customer or investor can sue a company. Getting hacked is obviously a material impact on a business, and so public disclosure of a hacking often leads to lawsuits.
There is an entire industry of lawyers who look for any excuse to sue companies; they often get "go-away" settlements even if there's not much to the case. It's just cheaper for the company than a trial.
So, this creates a strong incentive for companies to never ever reveal any cybersecurity problem unless they are compelled to do so by law. As a result, most of the current systems for sharing real-time cybersecurity info are private, invite-only, your-buddy-has-to-invite-you type affairs.
The government is not a private company and can't be sued for revealing cybersecurity information. So it could collect the detailed threat info and share it widely--helping security teams get smarter faster.
The hard part is that details of intrusions and hacks almost always include data that could be characterized as personally identifiable (since every attack has a person behind it somehow). So the hard part is setting a legal standard that keeps data usefully specific, while protecting everyone else's privacy.
Sure thing citizen, strong privacy regulations will be written into the secret laws and looked over in secret by a secret judge appointed to a secret court, we're the government elected in democratic fashion so you know you can trust us.
This article doesn't seem consistent to me. The title and first paragraphs sound more like an order to create this organization to facilitate the sharing of data and to encourage companies to participate, but does not require companies to participate.
And then I read:
>The move comes as big Silicon Valley companies prove hesitant to fully support more mandated cybersecurity information sharing without reforms to government surveillance practices exposed by former National Security Agency contractor Edward Snowden.
Is this order a mandate or encouragement/facilitation to participate? Is he going to withhold liability protection to companies who do not participate?
I've spent years, decades in various such corporate environments, and I've repeatedly had to push -- with very mixed success -- to have clear security problems even acknowledged, much less addressed.
Ultimately, the success or failure in this has come down to the particular individuals involved. While the person in the next chair, as solidly vested in their career at the same institution, could never essentially be brought to real understanding and effective activity, much less pro-activity.
All this has left me with very little sympathy for the institutions involved. Many of the current "problems" were known and addressable years ago -- decades ago, in their fundamentals.
All that remains, for me, is the fear that as opposed to real, technical solutions that also maintain diversity, we are going to substantially get another "rubber hose" (and lead pipe) solution. Fear of the consequences.
And, deeply vested interests for whom there are no consequences.
Start looking for the next, hopefully truly distributed physical layer. Our current layer is in the process of getting thoroughly owned by those with the money and guns (cops and thugs).
P.S. Just to be clear, I'm not a "black hat" nor "dark net" kind of guy, in terms of my interests and activities. I am someone who has benefited significantly from the diversity and open communities found on the Internet. Things I fear are in the process of being throttled.
This is a good place for this, one of my favorite quotes from the century before last:
"Next in importance to personal freedom is immunity from suspicions, and jealous observation. Men may be without restraints upon their liberty: they may pass to and fro at pleasure: but if their steps are tracked by spies and informers, their words noted down for crimination, their associates watched as conspirators, who shall say that they are free? Nothing is more revolting to Englishmen than the espionage which forms part of the administrative system of continental despotisms. It haunts men like an evil genius, chills their gaiety, restrains their wit, casts a shadow over their friendships, and blights their domestic hearth.
The freedom of a country may be measured by its immunity from this baleful agency. Rulers who distrust their own people, must govern in a spirit of absolutism; and suspected subjects will be ever sensible of their bondage."
The Constitutional History Of England, Vol. II (1863), pg. 288 [0]
This is a great quote, and really relevant to the issue at hand.
We're technically free to roam about and talk to whoever we want, but our steps are tracked (obsessively) and our communications are kept on the record (indefinitely).
By the logic of this quote, the US is not a free country. I tend to agree.
What a pantload. This order is about DHS "legally" having access to corporate data instead of the usual method of tapping network pipes while also protecting those corporations from lawsuits.
What the current administration is doing is incredibly dangerous. It's starting to conflate the espionage policy with the "cyber security" one, as if they were one and the same thing.
Therefore it ends up asking companies for stuff like more access to people's data and backdoors in encryption or in operating systems. Why? Because that's what's needed for espionage, but not if you are actually serious about "cybersecurity". In fact, any cybersecurity policy should pretty much be the opposite of an espionage policy.
That's completely unrelated to cyber threat intelligence, except in situations like spear phishing, where the government (or anyone else trying to protect against attacks) might want to know what domains the attempts originated from or where the malicious links point back to.
Your linked article is completely irrelevant to this conversation. Why do you think they're related? Because the government is involved in both, and both have to do with the Internet?
> What the current administration is doing is incredibly dangerous. It's starting to conflate the espionage policy with the "cyber security" one, as if they were one and the same thing.
That conflation is as old as the assignment of both cybersecurity and intelligence functions to the NSA, and predates this administration. It is inaccurate to say this administration is starting to conflate those two things, though it's perhaps furthering the long-standing conflation.
I just finished reading "Zero Day to Stuxnet" and I'm really wary of this. The US government has groups that protect its citizens against cyberthreats and also groups that exploit vulnerabilities. Those groups apparently communicate with each other. If there is an ongoing operation that exploits a vulnerability, some groups can veto its dissemination. How long would it be before the exploitation group starts mining this kind of data to find a way to attack an enemy? On top of that there is strong evidence that defense contractors are selling these exploits to governments for use. What's to stop data collected this way from being shared with those contractors?
[0] https://en.wikipedia.org/wiki/Gleichschaltung edit: quotation is from poorly-titled BBC article