Skip to main content

Featured

What Motivates Young Cybercriminals?

In the world of cybercrimes, the majority of cybercriminals always seek financial gain, but this is not the primary motivation. Aside from the advanced sophistication of state-sponsored incidences, the young cybercriminal venturing into the dark side boils down to their ego. Adolescent criminals seek out recognition among their peers eager for a sense of success in an effort to prove themselves.

Many seek out popularity within internet hacking communities driven by a feeling of accomplishment they compromised a target. This provides them with a rush, a demeanor to develop their skills further becoming tragically involved with organized crime immersed in their addictive and dangerous sphere of influence.

Others find inadequate employment opportunities and thus are lured into the dark side to learn a skill as a matter of survival by participating in online hacking groups. They are easy prey for organized crime and state-sponsored groups to recruit indoctrinating them into …

Is Cybersecurity Legislation a Disaster?


The current legislation making its way through Congress is riddled with controversy, it is called the Cybersecurity Information Sharing Act or CISA. At the heart of the matter is all the major breaches that have occurred and are endlessly escalating in sheer size and complexity. With many industries being affected, the idea of sharing intelligence has surfaced in the discussions. The current political climate it seems tears the best intentions along political ideological lines and that weakens the legislation with the end result not striking a proper balance with respect to security and privacy.

In an effort to understand what’s at stake is to review the history of this legislation as it was discussed with the government and industry decades ago leading up to its current form. All of the controversies revolves around the sharing of security intelligence by industry who is reluctant based on liability exposure and the federal government reluctant to share their intelligence gathering methods. It all boils down to the privacy of the data and how the data can be sanitized by sharing it with regards to understanding malicious hackers and their methods.

In two of my previous articles serving as points of reference “The Evolution of Security Intelligence” and “Security and Privacy Can I Have Both?” addresses the technology architecture of sharing data and the politically charged issues surrounding security and privacy from a legal perspective.
CISA is a bill that is seemingly being rushed into law without due diligence with regards to privacy and has been vigorously opposed by many civil liberty organizations as well as the technology industry giants. With this in mind along with the National Security Agency’s (NSA) debacle with Edward Snowden has created an atmosphere of mistrust between the public and private industrial complexes. Simply put, the federal government can never be trusted as custodians of this shared information.

The U.S. Federal Government a Stunning Hypocrite

Many information security experts dispute that insufficient information sharing is a fundamental cause of cybersecurity problems. I must point out that most cyber attacks are not the work of brilliant malware executed by hacker masterminds. The majority of attacks are targeted against known, defensible weaknesses. Public and private entities already routinely share information about cyber threats where the government is involved in all breaches from state-sponsored attacks, a requirement as we have seen them investigate many high profile breaches that affect and/or lead to national security. Also, many federal agencies mishandle the information they receive as demonstrated by the government’s General Accounting Office (GAO) own investigation findings and the recent massive data breach suffered by the Office of Personnel Management (OPM) where over 21 million PII records were compromised.





One of the most compelling problems I see with this bill is it does nothing to address breach disclosure laws that are currently in force in 46 states to varying degrees. These laws are not uniform with regards to consumer protection. Some states exempt companies from reporting breaches depending on the level of exposure of the data and others do not.

Liability Immunity for Corporate America

Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) has to prepare a pipeline and share a company's report which may include customers' personally identifiable information (PII) with the NSA and other spy agencies. The Senate bill is coming out of the Intelligence Committee, not the Commerce Committee has had a substantial amount of amendments. A key one that failed would have required the removal of PII before a company shares information about threats.

To address this, many major corporations demanded legal immunity from criminal prosecution and all civil lawsuits should PII be compromised with sharing. Immunity from liability does in fact severely weaken security and privacy simply by encouraging private industry to seek a legal way out of instituting proper security infrastructure and standards should a breach occur. This bill does nothing too encouraging companies to increase their own cybersecurity standards. To be blunt, CISA ignores it all and offloads responsibility to a generalized public-private secret information sharing network. The bill itself is completely voluntary on the private sector and it does not compel anyone to participate in such sharing.

Many companies don't even realize they've been attacked, either because they're not investing in security infrastructures or services to identify breaches or they're not analyzing the data they've collected. This is quite profound and a well-known fact the lag time of discovering a breach is rather long. It is one of the major dilemmas facing information security, detecting the breach, finding out how long it has been going on and what information has been exfiltrated from an organization. This bill is seen as the ticket for companies to offload their data to the feds in exchange for liability immunity. It will allow perhaps a minimal security infrastructure investment, if any, towards safeguarding their crown jewel data at the expense of the taxpayer.

What Are Other Nations Doing?

The European Union

The new cybersecurity law that is in progress will force all internet firms and technology giants to comply with strict security requirements, including having to report data breaches to governments that are part of the EU. Unlike the U.S. CISA bill, the terms of the Network and Information Security Directive which was originally proposed by the executive body of the EU in 2013 to counter security threats will a much stronger law than CISA addressing cloud computing providers, search companies, and even social networks that can be held liable under the same security requirements as companies operating in industries that the EU deems critical to protect. These could include the energy, transportation, and finance industries. The law does not provide any immunity provisions or make it voluntary.

Russia

Russian legislation in effect basically calls for foreign companies to set up data centers in Russia if they want to do business in Russia in which Russian data is being used. Google has reportedly moved some of its servers into the data centers of Russian telecom Rostelecom to comply with the law. No doubt in a quasi-totalitarian regime the Russian government has the unconditional right to raid those servers at any time regardless of how they spin it that it is not. The law compels all PII data and transactions down to the actual clicks on a link to keystroked information entered on any website. In other words, everything from the clicks registered when someone views an online ad, to data generated from sensors in connected cars could be considered PII. A U.S. company doing business in Russia could be held liable under the new Russian law and because many global businesses are intertwined that is a compelling compliance law to deal with.

Russian President Vladimir Putin signed the law in July in an effort to prevent Russian citizens from getting hacked, although some human rights activists believe it was designed to give government more control of Internet use in the country.

The problem is that this stringent data law will damage Russia’s manufacturing and services industries and make foreign businesses think twice about investing in the country, according to the European Centre for International Political Economy, which published the report. Of course one can argue their approach is similar to the far weaker “voluntary” U.S. CISA law making its final rounds in Congress, that privacy is not a consideration when it comes to harvesting PII data.

China

There is a boat where we have Russia (Pete) and China (Repeat) sitting in it when Pete falls out who’s left? The Chinese law closely follows Russia’s security law with foreign companies having to store Chinese data within China, although special exemptions could mean that it’s a case-by-case situation depending on the company involved.

Web companies and Internet service providers operating in China will also face stiffer security requirements, such as aiding the Chinese government with criminal or national security investigations. They may even have to let authorities annually audit them to determine if there are security risks the Chinese government would like to know about.

Let me add more to it that the law also compels companies to allow a full audit of their code in order to conduct business in China. IBM has recently agreed to let China review some product source code in a secure room, according to two people briefed on the practice, making it the first major U.S. tech company to comply with Beijing’s recent demands for a stronger hand in foreign technology there.
The difference between the Chinese law and Russia’s is that China will allow outside tech companies to apply for special exemptions that could allow them to hold Chinese data outside of the country.
It is difficult to fathom the complexity of securing PII data globally let alone the ineptness of the U.S. government and other governments struggling to come up with a sound common sense approach where all could agree, all they have done is agree to disagree. In other nations, in particular, Russia and China their laws reflect a draconian approach, it is our way or the highway. Such is the global political climate as we live in it struggling with security and privacy that has its roots and driven by each nation’s ethnic culture.

As I view the global political spectrum the culture is very evident. The upcoming U.S. law is completely pro-business and voluntary in exchange for immunity from prosecution, the EU law corals businesses with their liabilities, while on the other end with Russia and China who dictate and compel what businesses must do.

In my opinion, a productive way to manage cybersecurity risks created by these attacks would be to build a set of laws and regulations that incentivize companies to proactively invest in the resources to remove known vulnerabilities. These laws must have universal impact allowing governments to share vital information. As we seen ISIS and other terror groups widely use the internet to wage war on other nations for political or economic gain.