What should we do about cyber-attacks?
Eli Dourado
Research Fellow
Director, Technology Policy Program
The infosec landscape
• Era of mega-hacks
• Increasingly state-based attacks
• Espionage, not cyber-war
• U.S. Federal government particularly vulnerable
The OPM hack
• Began on May 7, 2014
• Exfiltration in July/August and December 2014
• 22 million current and former federal employees’ data compromised
• Discovered on April 15, 2015
• Massive, but not isolated
What should we do?
• Spend more?
• A cybersecurity sprint?
• An information sharing program?
• Something else?
Information sharing
• CISPA introduced in 2011
• Concern from civil libertarians
• CISA introduced last year
• Civil libertarians still concerned
• Would information sharing work?
Information sharing programs already exist
• DHS/IP National Infrastructure Coordinating Center (NICC)
• “Dedicated 24/7 coordination and information sharing operations center that maintains situational awareness of the nation’s critical infrastructure for the federal government.”
• http://www.dhs.gov/national-infrastructure-coordinating-center
Information sharing programs already exist
• DHS/CS&C National Cyber Security and Communications Integration Center (NCCIC)
• “Shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions.”
• http://www.dhs.gov/about-national-cybersecurity-communications-integration-center
Information sharing programs already exist
• DNI Cyber Threat Intelligence Integration Center (CTIIC)
• “Oversees the development and implementation of intelligence sharing capabilities…to enhance shared situational awareness of intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. national interests.”
• https://www.whitehouse.gov/the-press-office/2015/02/25/presidential-memorandum-establishment-cyber-threat-intelligence-integrat
Would CISA work?
• Do we need 21 information sharing programs instead of 20?
• Is CISA really about national information security?
What should we do instead?
• Prioritize security over SIGINT
• Responsibly disclose vulnerabilities
• Two-factor auth at all agencies with penalties for noncompliance
• Limit the use of private contractors
• Reform the CFAA to allow security research
• Reform the CFAA to allow active defense
• Support strong encryption
• Eliminate duplication
• Security audits of open source software
The bottom line
• We need federal humility
• A marathon, not a sprint
• A priority, not an afterthought
• There is no silver bullet
Thank you.