On February 1st and 2nd, Chief Information Officers from the world’s biggest companies attended an invitation-only conference in Half Moon Bay, California. The two-day event was organised by the Wall Street Journal, and was a chance for a number of guest speakers to communicate with corporate CIOs to ‘identify key challenges.’
Among those invited to this year’s conference was Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security (DHS). On the second day, Ozment disclosed to Rebecca Blumenstein (deputy editor in chief of The Wall Street Journal) that the DHS is preparing to enforce the CISA legislation passed in October 2015: specifically, the sharing of relevant cybersecurity information across corporate bodies to counteract cyber attacks. Corporate data collection and distribution is the main reason that CISA was passed.
It is also true that this same sharing of public data has made so many IT specialists, cybersecurity experts and digital privacy campaigners vocal in their condemnation of the US government’s overreaching and intrusive policies.
Ozment, on the other hand, seems to believe that the outcome will be all glitter and unicorns for everyone involved. Taking his time to outline how the process might work, Ozment created a scenario in which an employee receives a phishing email designed to let a hacker in. Ozment then explained that, thanks to CISA, there are now options that allow companies to share any hack data with the wider community, in this case to get the word out about the phishing email. In theory, this would create a united cross-corp front against cybercrime. As Ozment sees it, companies that suffer attacks could share any suspected IP addresses from which the problems originated, allowing DHS to warn suspected further targets.
Whereas it might once have been considered akin to corporate misconduct to allow private customer data simply to be passed on to third parties, the tables have now turned: it is instead a legal requirement for companies to share the private communications of US citizens. The outcome is a complete erosion of the US citizen’s right to privacy, all made possible by the specially granted no-liability assurances contained in the pages of CISA.
Despite those liability assurances from the US government, however, only 58% of the CIOs in attendance at this week’s conference actually think CISA will increase corporate cooperation with government agencies. The reason for wanting to keep busybody government agencies out of an already delicate situation? The common knowledge that the US government has a proven track record of being useless at cyber security itself. The FBI, for one, has admitted that it is not very good at cyber security; then there was last year’s fiasco, when 22 million identities were stolen from the Office of Personnel Management.
Despite this bad image, Ozment and the DHS fervently believe that they can alter the common perception and convince companies to cooperate in the cyber-crackdown, and they seem sincere in their efforts to convince firms that CISA is about implementing security, not about forcing corporations to help the US spy program.
In order to actually change public opinion, the DHS has been working hard behind the scenes to produce a set of Information Sharing Specifications (new systems intended to add legitimacy) and to enable the implementation of the CISA legislation.
Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX) are two of those systems. STIX focuses on semantics: it seeks to create a coherent and intelligible language for describing and sharing cyber threats. TAXII is a messaging system for propagating that cyber security knowledge quickly and efficiently across corporate bodies.
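As an added illustration (not code from the article, the DHS, or the STIX/TAXII projects), the following Python shows what the two systems actually move around in Ozment’s scenario: a suspected attack-source IP expressed as a STIX Indicator inside a STIX Bundle, which is the payload a TAXII server would hand to other companies, and then a receiving company parsing that bundle and checking it against its own gateway log. The JSON layout follows the later STIX 2.1 specification rather than the 2016-era STIX 1.x XML; the log format and all addresses are constructed.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

def make_indicator(ip, name):
    """Build a STIX 2.1 Indicator for a suspected attack-source IPv4 address."""
    ipaddress.IPv4Address(ip)  # refuse to publish a malformed indicator
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": name, "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']", "pattern_type": "stix",
    }

def make_bundle(objects):
    """Wrap STIX objects in a Bundle, the unit a TAXII server distributes."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects})

# Only the single-comparison pattern form produced above is understood here.
PATTERN_RE = re.compile(r"^\[ipv4-addr:value = '([0-9.]+)'\]$")

def ips_from_bundle(bundle_json):
    """Receiver side: pull well-formed IPv4 indicators out of a shared bundle."""
    ips = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue  # unsupported pattern: skip rather than guess
        try:
            ips.add(str(ipaddress.IPv4Address(m.group(1))))
        except ipaddress.AddressValueError:
            pass  # a malformed indicator from a peer is ignored, not trusted
    return ips

def match_log(log_lines, ips):
    """Return log lines (constructed format '<time> <src_ip> <event>') whose source IP was shared."""
    return [line for line in log_lines if line.split()[1] in ips]

# Constructed sample: one company's gateway log, using documentation address ranges.
SAMPLE_LOG = [
    "2016-02-02T09:14:05Z 203.0.113.45 smtp-inbound phishing-lure.pdf",
    "2016-02-02T09:15:11Z 198.51.100.7 https-outbound",
    "2016-02-02T09:16:40Z 203.0.113.45 https-inbound",
]
```

A real deployment would fetch the bundle from a TAXII collection over HTTPS and use a full STIX pattern evaluator; the point here is that the shared artefact is a structured indicator, not raw customer data.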
Despite a general emphasis on better cybersecurity for all, Ozment has admitted that when the DHS launches the new system (in two weeks), it will only be cooperating with a select few companies. With that in mind, it is hard not to wonder whether some corporations have got something that the DHS wants to access more than others. It will certainly be interesting to find out what companies are the first ones involved.
It would not be surprising at all if those particular firms turned out to be Internet Service Providers, telecoms and other communication companies, all three of which would fit nicely into the government’s plan to force firms to help snoop on citizens with man-in-the-middle attacks. Do not forget that US intelligence agencies have been immensely vocal in their condemnation of encryption, which they think should come with built-in exploits so that they can always spy on everyone.
No matter which way you look at the rhetoric that has been driving US policies, at its heart it displays a spectacular disregard for proper cybersecurity. That makes the US look more than a little disingenuous when it later comes along in a TAXII and attempts to convince people that security is a top priority. Consider this: encryption, the thing that could actually improve security and reduce cyber attacks, is considered a total no-no by US intelligence, whereas CISA is definitely not a snoopers’ charter and is all to do with cyber security. Why do they bother?