Off-Topic: The Questions Congress Should have Asked...
If anyone follows the politics of U.S. Cybersecurity, you should definitely check out the recent U.S. House of Representatives Permanent Select Committee on Intelligence’s Hearing on Cybersecurity. Rep. Ruppersberger and Rep. Rogers made some very candid statements in their opening remarks that you don’t typically hear in public forums. As usual, General Hayden was also able to bring an informed and unique perspective to the proceedings. In the coming weeks, I’m sure we will hear a lot of commentary about the statements these gentlemen made regarding the foreign adversaries targeting the U.S. Personally, it’s getting harder and harder for me to get excited just because a government official mentions the words “China” and “espionage”! Thus, I’m not going to bore you with a litany of quotes. Instead of stamp collecting quotes, I wanted to focus on another important component of the conversation which is often overlooked. I’m talking about the actions and attitudes in the commercial security sector that are helping to exacerbate the problem. Congress had a unique opportunity to ask hard questions of two companies whose profit-driven policies toward information sharing have potentially put numerous other companies and government organizations at risk. In many ways, these decisions seem in stark contrast to the comments made by their executives during the hearing. Thus, I’ve decided to post the questions that I would have liked to have seen addressed by Art Coviello and Kevin Mandia:
- In the statements today, we heard a lot of commentary about the importance of sharing threat information. Would each of you begin by characterizing examples of how your companies share threat information? (FYI: Horrible proprietary data formats don’t count as contributions) Does your company view sharing threat information as a marketing decision? Would your company ever make a profit-driven decision not to share threat information? What if that decision meant other companies or government organizations would continue to be victimized?
- Let’s assume that a large security company was targeted by a nation state adversary attempting to exfiltrate sensitive authentication technology that could be used to compromise other organizations. Should that security company be forthright with their customers about the nature of the information that was exfiltrated? By withholding details, would that company be knowingly putting its customers at a disadvantage for determining the proper mitigation strategy and give the adversary the time and opportunity to weaponize that information? Is the willingness to acknowledge the risk only after it has been used against your customers the type of threat information sharing we should all be aspiring to?
- Alternatively, let’s assume that during the course of an investigation an incident response company determines that sensitive information (intellectual property, ITAR, etc.) was actively being exfiltrated from another company or government organization. Should that incident response company hold that threat information hostage from the third party in exchange for an incident response contract? Should that incident response company have the authority to make the decision to allow victims to continue to bleed for the sake of generating business leads? (i.e. Was there any doubt who the pastebin dump was talking about?)
While I’m sure there are organically grown forums, based on personal trust relationships, for sharing threat information, I’m also pretty confident that these forums are not being run by people that work at organizations like our hypothetical examples. With increasing frequency it seems the only time commercial security companies share threat information about advanced adversaries is for marketing opportunities or when they want to prove their “ShadyRat” analysis is better than their competitors’. These are probably not the market forces General Hayden was hoping for and not the organizations I would be looking to for leadership in finding real solutions.