The United States is less than a week away from electing a new president. Cybersecurity has played a large part in the news leading up to the election — hacked and leaked political emails and probing of election databases — and yet there hasn’t been a lot of discussion on how to resolve the problems. As someone who has been closely following all the events and the activities in the cyber underground for many years, I’ve got some perspective on cybersecurity that could help the new leader address the issues.
- Hackers come in all shapes and sizes, and frequently have full-time jobs in addition to hacking on the side. For example, an 18-year-old kid (and full-time student) hacked the Pentagon in the agency’s recent bug bounty program. That said, the more profitable hacking becomes, the more likely it is that hackers quit their day jobs to make their living hacking ethically for bounties or maliciously on the Dark Web.
- Nation-state attacks that are being discovered are on the rise. Sophisticated attacks have always happened, but we’re now seeing more proof of them. The goal of these attackers is to defeat cybersecurity measures and to tamper with or steal data. Moreover, unlike other types of crime, attributing a cyber-attack is nearly impossible when the attacker is smart, even in cases where an investigation manages to trace a given attack to a particular government rather than some rogue hacker group. This makes cyber-attacks even more appealing, as there is a lot to gain with minimal risk. As more things become connected (cars, houses, cities), the potential gain from hacking grows.
- Government agencies need to re-think their networks. Ideally, the government should block off communications from a threat actor to prevent direct data exfiltration. The common way to do that is to create air-gapped networks (which aren’t connected to the Internet). A threat actor residing on a device in such a network then has to make significant efforts to get the data to the attacker’s Command and Control (C2) server. In essence, the threat is contained to a single network segment. The downsides? First, air-gapped networks are very hard to work with, so a practical solution has to mimic the idea of an air-gapped network rather than implement it literally. Second, segmenting the network won’t help in cases of ransomware, where the malware can block access to the computers on the network segment it resides on. Cases such as ransomware require re-thinking files rather than networks, applying the same containment idea: block the processes that abuse file handling.
- Cybersecurity policies should be on the national agenda. Cybersecurity should be a consideration just like the physical security and the well-being of citizens, workplaces and infrastructure. To aid security research I would advise creating a regulatory requirement that researchers give companies 90 days to fix vulnerabilities after they have disclosed them to the company. The legislation should define the grace period and the consequences for violating these rules, which would allow software makers enough time to patch the vulnerability while still placing them under a deadline. It’s important here to understand the motivation behind why researchers bring vulnerabilities into the limelight. They work hard to find each vulnerability and ultimately do so in order to benefit, whether in the form of monetary compensation (by selling vulnerabilities on the underground cyber-market or to bounty programs), or in the form of recognition and praise. When a vendor goes silent after being informed by a researcher of a vulnerability, the researcher is placed in a tough spot. Many researchers do not want to have to sell the vulnerability they found on the underground cyber market to reap their reward. On the other hand, if the vendor is not responsive, the researcher is left without a legitimate avenue to achieve recognition. Legislation that mandates a 90-day vulnerability disclosure window would go a long way toward making sure software makers are held accountable for imperfect code. It would also help ensure consumer safety, and encourage researchers to continue finding vulnerabilities and disclosing them in a responsible manner.
- International agreements won’t be effective. A general misconception is that legislation can stop cyber-attackers (whether nation-states or financially motivated attackers). For example, the Wassenaar Arrangement tries to treat vulnerabilities as akin to weapons in order to stop the trading of vulnerabilities. Such a proposal is problematic, and ineffective to say the least. The reason is that such an agreement actually increases the prices of vulnerabilities in the cyber underground market, since it increases the researcher’s risk. People who sell directly to the underground market will find whatever ways they can to bypass the regulation. Moreover, such changes could even lead to the eradication of third-party bug bounty programs, whose participants rely on exchanging vulnerability information as part of research and disclosure. As a result, over time, “play-it-safe” researchers might be more tempted to go the underground route, ironically defeating the actual purpose of such a regulation. To summarize, if a global nuclear treaty didn’t work, we cannot assume that a global cyber treaty would work, especially given that cyber activities are difficult to attribute to a specific nation-state.