We've talked a lot about how while the lack of security in Internet of Things devices was kind of funny at first, it quickly became less funny as the dramatic scope of the problem began to reveal itself. Whether it's cars being taken over from an IP address up to ten miles away, to the rise in massive new DDoS attacks fueled by your not-so-smart home appliances, folks like security expert Bruce Schneier have made it abundantly clear the check is coming due.
That's particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment are becoming the norm. In fact, hospitals in England recently had to cancel hundreds of surgeries in order to "isolate and destroy" a virus that was running amok across the hospital's IT systems:
"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."
In the kind of transparency that often is the hallmark of these kinds of attacks, the hospital in question (the National Health Service's Northern Lincolnshire and Goole Foundation Trust in the UK) couldn't be bothered to explain the precise nature of the attack. But security expert Brian Krebs notes it's likely part of the growing trend of ransomware attacks on hospitals that cripple administrative and surgical systems until the hospital is willing to pay a bitcoin ransom:
"Earlier this year, experts began noticing that cybercriminals were using ransomware to target hospitals — organizations that are heavily reliant on instant access to patient records. In March 2016, Henderson, Ky.-based Methodist Hospital shut down its computer systems after an infection from the Locky strain of ransomware. Just weeks before that attack, a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.
According to a recent report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016.
Twenty data loss incidents...per day, many of which aren't disclosed and have an exponential impact on human lives and privacy. Ultimately, as other researchers have noted, it's inevitable that as not-particularly-smart devices gain market share around the world, we'll begin to see more and more attacks on vital infrastructure. Another reason why before we get busy offensively waging the cyber, we need to make damn sure existing infrastructure is protected.
from the protected-from-everything-but-their-own-government dept
The Chinese government is going in for a third pass on its "cybersecurity" law -- one that has little to do with security and everything to do with control.
This is something the government has been working on for a few years now. It's a chance for it to tame the "Wild West" internet, particularly the "West" part of it with all these ideals about free speech and the spreading of information. The third reading, with all alterations and additions appended, will likely be going into effect this week. Human Rights Watch has a long post detailing the law's negative aspects -- which is almost all of them.
Among other things, service providers will be forced to censor "prohibited content." They'll also be required to collect real names and other identifying user information, even if the only service provided is instant messaging.
There's also an information-sharing plan not unlike the one the US government has set up for its cyberwar operations. The difference is that the Chinese government makes no pretense about two-way sharing. It simply demands companies turn over harvested info and other data.
[The law] requires companies to monitor and report to the government undefined “network security incidents,” as well as provide undefined “technical support” to security agencies to aid in investigations, raising fears of increased surveillance. The final draft further specifies that network operators must retain network logs for at least six months and accept government supervision.
"Government supervision" sounds like fun, especially combined with another aspect of the proposed law, which gives the government the legal right to shut down internet infrastructure to respond to "major security incidents."
Earlier versions also demanded local storage of Chinese user data by foreign service providers, with the government's stated intent being to "preserve internet sovereignty" by walling off its citizens from the rest of the connected world. It's unclear whether these demands have survived multiple alterations as the full final version of the cybersecurity law has yet to be released.
That's not the extent of the control the government is seeking to exert. It goes far beyond its attempt to create a siloed Chinese internet. The law also gives the government new options for quashing dissent.
In addition to prohibiting individuals from using the Internet to “endanger national security, advocate terrorism or extremism, [or] propagate ethnic hatred and discrimination,” article 12 of the second draft also prohibits them from “overthrowing the socialist system” and “fabricating or spreading false information to disturb economic order.” The third draft adds to this list, banning the use of the Internet “to incite separatism or damage national unity.”
The law does add in privacy protection requirements for service providers, but it's unclear who they're supposed to benefit. Companies must safeguard user info and notify them of data breaches, but the government's logging requirements and "supervision" efforts make it clear it's never going to be locked out of accessing the information companies are supposed to be protecting from outsiders.
China may be a willing partner in the global economy, but when it comes to its own citizens, it prefers them as isolated as possible. On one hand, it's more of China being China. On the other hand, these power grabs masquerading as national security upgrades aren't solely limited to governments with long histories of repression. As everyone gears up for the cyberwar, government entities that long for more control of pesky citizens will often find their expansion ideas humored, if not codified.
On Monday evening, you may have seen news of a "big scoop" at Slate by famed reporter Franklin Foer, about how Donald Trump had a server that was "communicating" with a Russian server. Foer, who famously got pushed out of The New Republic for not being very with it on internet technology (among other things), makes a really big deal out of some really weak tea. After reading the article (along with another one alleging Russian spies had been "cultivating" Trump) I tweeted out that the evidence on both was super weak. I kept expecting a smoking gun in the Foer piece, but instead got a lot of handwaving and confusion about DNS. Of course, Clinton supporters were quick to jump on the article as some sort of proof, despite the really weak claims.
A lot of Foer's work stems from an anonymous blog post from a few weeks earlier that tries to make a big deal out of some extraordinarily weak connections. The confirmation bias is strong with the folks involved here. The biggest clue? This ridiculous chart that tries to show increased activity between the Trump server and the Russian bank server at key moments, but doesn't actually show that. There seem to be random ups and downs at the conventions, and then a huge spike in the middle of August which corresponds with... nothing. But the researchers and Foer just ignore it. In fact, Foer actually claims that "there were considerably more DNS lookups, for instance, during the two conventions." Except there weren't really.
And, of course, within a few hours, people were debunking basically every aspect of the story. The Intercept notes that at least six other news outlets had been looking into the same story, and none of them felt comfortable pushing a story, because the details just didn't stack up. The first person I saw to debunk it was Naadir Jeewa, who pointed out that the server was maintained by Cendyn, a marketing company that handles email spam marketing for tons of hotel chains, including Trump. The "connection" from Alfa-Bank, he suggested, was just a typical email scanner attempting to reverse the connection as a sort of anti-spam tool (basically checking if the email server is real). As Jeewa concludes:
Feel sorry for the person at Alfa who stayed in a Trump hotel, forgot to unsubscribe to cheesy emails and might be in a load of trouble
The Intercept actually reached out to Alfa-Bank... and got the hotel spam that it had received from Trump. They also received the similar spam from Spectrum Health (who is included in Foer's story for reasons too pointless to explain). Guess what: spam.
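To make the "checking if the email server is real" step concrete, here is an added example (not code from this post, Jeewa, Cendyn or Alfa-Bank) of the forward-confirmed reverse DNS check that a receiving mail gateway's anti-spam filter runs on every inbound SMTP connection: it looks up the PTR record for the connecting IP, then resolves that hostname forward and checks it points back to the same IP. The zone data, hostnames (`.test` placeholders) and addresses are all constructed for illustration; the stub resolver also records every query it issues, which is exactly the kind of data a public resolver operator or passive-DNS feed would hold about the "lookups" the Slate story treats as a connection.

```python
"""Forward-confirmed reverse DNS (FCrDNS), as an anti-spam filter on a
receiving mail gateway performs it.  Added example; all zone data below
is constructed and the .test hostnames are placeholders, not real records."""
import ipaddress
from dataclasses import dataclass, field

# Constructed zone data standing in for what a resolver would answer.
# Key: query name; value: list of (rrtype, rdata).
FAKE_ZONE = {
    # A bulk hotel-marketing mailer with correctly paired forward/reverse records.
    "mail1.hotel-mailer.test.": [("A", "192.0.2.25")],
    "25.2.0.192.in-addr.arpa.": [("PTR", "mail1.hotel-mailer.test.")],
    # A host that claims to be a mail server, but whose IP's PTR points elsewhere.
    "mail.spoofed.test.": [("A", "198.51.100.9")],
    "9.100.51.198.in-addr.arpa.": [("PTR", "dsl-pool-77.isp.test.")],
    "dsl-pool-77.isp.test.": [("A", "198.51.100.77")],
}


@dataclass
class Resolver:
    """Toy stub resolver that records every query it is asked, the way a
    passive-DNS collector fed by a real resolver would."""
    zone: dict
    query_log: list = field(default_factory=list)

    def lookup(self, name, rrtype):
        self.query_log.append((name, rrtype))
        return [rdata for t, rdata in self.zone.get(name, []) if t == rrtype]


def reverse_name(ip):
    """192.0.2.25 -> 25.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(resolver, client_ip, helo_name):
    """Forward-confirmed reverse DNS: the connecting IP's PTR name must
    resolve forward to the same IP.  Returns (passed, reason)."""
    ptrs = resolver.lookup(reverse_name(client_ip), "PTR")
    if not ptrs:
        return False, "no PTR record for connecting IP"
    for host in ptrs:
        # This forward lookup is the "lookup of the sender's mail host" that
        # shows up in resolver logs whenever the gateway receives their mail.
        if client_ip in resolver.lookup(host, "A"):
            note = "matches HELO" if host == helo_name else f"HELO {helo_name} differs"
            return True, f"PTR {host} resolves back to {client_ip}; {note}"
    return False, f"PTR {ptrs} do not resolve back to {client_ip}"


def run_demo():
    """Two constructed inbound SMTP connections as seen by a mail gateway:
    one from the marketing mailer, one from a host spoofing a mail server."""
    r = Resolver(FAKE_ZONE)
    legit = fcrdns(r, "192.0.2.25", "mail1.hotel-mailer.test.")
    spoof = fcrdns(r, "198.51.100.9", "mail.spoofed.test.")
    return {"legit": legit, "spoof": spoof, "queries": list(r.query_log)}


if __name__ == "__main__":
    out = run_demo()
    print("legit:", out["legit"])
    print("spoof:", out["spoof"])
    print("queries a resolver operator would see from this gateway:")
    for q in out["queries"]:
        print("  ", q)
```

The point of the demo is the query log: receiving one marketing email is enough to make the recipient's gateway resolve the sender's mail host, so a feed of resolver queries shows "lookups" of that host from every organisation that got the spam, with no connection ever having been initiated in the other direction.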
Rob Graham from Errata Security went even deeper in explaining how this was a giant nothing grown out of a reporter getting confused. Cendyn doesn't just control the mail1.trump-email.com domain, but also controls a variety of other hotel domains, including hyatte-concierge.com, reservertravelonline.com, sheratonmenus.com, westinmenus.com, hyattmenus.com, cphollywoodbeach.com (CP = Crowne Plaza), hayattproposal.com and a bunch of others as well. It's not Trump using this, it's a marketing company that specializes in spamming hotel customers. From Graham:
This is why we can't have nice things on the Internet. Investigative journalism is dead. The Internet is full of clues like this if only somebody puts a few resources into figuring things out. For example, organizations that track spam will have information on exactly which promotions this server has been used for in the recent past. Those who operate public DNS resolvers, like Google's 8.8.8.8, OpenDNS, or Dyn, may have knowledge which domain was related to mail1.trump-email.com.
Indeed, one journalist did call one of the public resolvers, and found that people other than the two listed in the Slate story had queried this domain -- debunking it. I've heard from other DNS malware researchers (names remain anonymous) who confirm they've seen lookups for "mail1.trump-email.com" from all over the world, especially from tools like FireEye that process lots of spam email. One person claimed that lookups started failing for them back in late June -- and thus the claim of successful responses until September is false. In other words, the "change" after the NYTimes queried Alfa Bank may not be because Cendyn (or Trump) changed anything, but because that was the first they checked and noticed that lookup errors were happening.
But Graham also points out that all this fretting about Trump & Russia misses the real story here. The only reason this is a story at all is because some nameless security researchers started abusing the data they were given access to for malware research. Much of what Foer relies on came from an anonymous researcher going by the name "Tea Leaves". But Graham points out that the real story here is how companies are sharing all sorts of information with security researchers under the belief that it will only be used for malware research... and not for spying on what server is connecting to what server:
Malware research consists of a lot of informal relationships. Researchers get DNS information from ISPs, from root servers, from services like Google's 8.8.8.8 public DNS. It's a huge privacy violation -- justified on the principle that it's for the general good. Sometimes the fact that DNS information is shared is explicit, like with Google's service. Sometimes people don't realize how their ISP shares information, or how many of the root DNS servers are monitored.
People should be angrily calling their ISPs and asking them if they share DNS information with untrustworthy researchers....
This is another reason why we've pointed out that all the focus on "information sharing" in various cybersecurity bills from Congress was a red herring. Information sharing can lead to all sorts of questionable activity. It's done in these instances for the purpose of spotting malware, but it appears some researchers went looking for weird Trump conspiracy theories and were so invested in those theories that they didn't even realize how ridiculous it was when looked at in the light of day -- and also forgot that they're not supposed to reveal they have access to this info.
Yes, of course, we're at the very peak of the political silly season and lots of people are looking for big breaking stories. But it would be nice if we could keep them in the realm of reality.
As you know, last week, large chunks of the internet spent hours writhing on the ground and totally inaccessible thanks to a giant DDoS attack that appears to have been launched via a botnet involving insecure DVR hardware (which can't be patched -- but that's another post for later). Of course, whenever this kind of thing happens, you know that some people on the politics side of things are going to come up with dumb responses, but there were some real whoppers on Friday. I'm going to focus on just two, because I honestly can't decide which one of these is dumber. I'll discuss each of them, and then you guys can vote and let us know: which of these is dumber.
On Friday she went on CNN to discuss a variety of things, and the first question from Wolf Blitzer was about the DDoS attacks, and her answer is the sort of nonsense word salad that is becoming all too common in politics these days, but where she appears to suggest that if we'd passed SOPA this kind of attack wouldn't have happened. She's not just wrong, she's incredibly clueless.
Here's what she said:
Wolf, you don't know who is behind this, you do not know if it's foreign or domestic. What I do know is over the years we have tried to pass a data security legislation. There's been bipartisan agreement in the House. It has not moved forward in the Senate. We also know that a few years ago we tried to do a bill called SOPA in the House which would require the ISPs to do some governance on these networks and to block some of the bad actors.
And of course, there were all of the cyberbots that took out after us that were trying to say 'no you can't do that you're going to impede our free speech.' We said 'no we're trying to keep the roadway clear and to keep some of these bad actors out of the system.'
So, what you have now, whether it is foreign or domestic, no one knows. No one knows who has released some ransomware, spyware, malware into the system that is cau... and bear in mind also this malware can live on your system for a year or much longer before it is detected.
And that is how you've had some of these extensive data breaches because the malware gets into the system, it rests there, it is pulling information and at some point, it activates. And as I tell my constituents, be careful what websites you go to, be careful what emails you open because you may be unintendedly inviting that malware or spyware into your system.
Okay, so. Almost nothing that is said above has anything to do with the DDoS attack. Not at all. Not the "data protection" bill, which is basically about requiring companies to reveal breaches to those impacted. But most certainly not SOPA, which had nothing whatsoever to do with anything having to do with cybersecurity or online attacks or DDoS. And "cyberbots"? Is she implying that the millions of people who spoke out against SOPA were some sort of fake bots? SOPA wouldn't have done anything to stop this kind of attack at all. It had nothing to do with this issue in any way shape or form. Not that Wolf Blitzer seems to know or care about any of that as he just accepts that answer and moves on.
So that's the first dumb response. Now the second: the IANA transition. We've been discussing this for years, and as we've explained, the transition is a good thing in taking an argument away from countries like Russia and China who have been trying to get more control over internet governance, by dropping an almost entirely superficial connection between the fairly minor IANA function and the US Commerce Dept. The transition happened a few weeks ago and nothing on the internet has changed, nor will it, because of this transition. It's a non-story. But, Ted Cruz tried to make it a story and now it's become a partisan thing for no good reason at all. And thus, given an opportunity, partisan sites are blaming the IANA transition for the DDoS:
Today there was a major attack on a part of the Internet that few people pay any attention to. It’s critically important though, and any disruption threatens both our prosperity as Americans, but also our freedom to communicate with each other.
This is a great reminder of why President Obama’s Internet handover plans are so threatening to our way of life.
Probable foreign attackers effectively took thousands of companies off of the Internet today by attacking a major Domain Name Service (DNS) provider: Dyn. This two-hour outage surely cost many people, very much money.
What is DNS, and why is it so important? Put simply, DNS is the system that tells people how to find you online. It converts the names of servers and sites, into numbers that the Internet Protocol can find. It’s an essential service of the commercial Internet.
And yet Barack Obama is trying to hand control of DNS over to the Chinese and the Russians. Ted Cruz has been warning people about this, and so have I. People tend to tune it out, because it sounds like a very technical, obscure issue that isn’t very important.
Well, first of all, newsflash: the transition happened three weeks ago, and Neil Stevens at Red State is so concerned about this he didn't even notice. Damn. Sneaky Obama. Second, the handover of the IANA functions has absolutely nothing to do with a DDoS attack or what it would take to prevent it. Yes, there are some ridiculous aspects to the DNS system, some of which are managed by ICANN. But (1) the IANA transition has nothing to do with "handing control" over to the Chinese or Russians (in fact, it's the opposite -- it takes a big argument away from the Russians and Chinese that they had been using to try to seize more control, and actually makes it much more difficult for them to take control by making sure nation-states actually have very little say in internet governance). And (2) the IANA transition has fuck all to do with DDoS attacks.
Both of these examples seem to be completely clueless, technically illiterate people using real problems (the fragility of DNS systems, the massive unsecured bot-infested systems out there, the ease of taking down important systems, overly centralized critical systems), and using them to pitch some entirely separate personal pet complaint or project. But both are completely ignorant. The only question is which one is worse:
Currently, the NSA has responsibility for protecting U.S. government IT systems that carry classified or sensitive data — like the Department of Defense’ massive intranet known as NIPRNet.
It's a clear case of cyber envy. The DHS gets all the good stuff, including a first look at any juicy data turned over to it from the government's one-way "information sharing" program.
But the security of most civilian federal IT systems — and the private sector networks that support the functioning of vital industries like banks and telecoms — are the responsibility of DHS’ Office of Cybersecurity and Communication…
The DHS is supposed to vet and minimize this information before passing it along to federal cybersecurity partners like the NSA. The NSA, however, isn't used to seeing unminimized data. Nor is it content to hang out underneath the DHS's cybertable and wait for it to toss it a bone. So, it's proposing a revamping of the federal government's cyber strategies so that they align more closely with what the NSA apparently feels should have been done in the first place.
“I’m now firmly convinced that we need to rethink how we do cyber defense as a nation, possibly even going so far as that we unite pieces of those three organizations into one organization that does it on behalf of the whole government,” said Curtis Dukes, the NSA’s deputy national manager for national security systems.
Yeah! That's how a partnership is supposed to work: the NSA seated in the same room with the DHS and law enforcement agencies, with everyone comparing the size of their information silos. Excellent. Dukes says he might be a "bit biased" in placing the NSA on equal footing with domestic security and law enforcement agencies, but cyber lives are at stake, dammit!
Dukes said the “bad news” was, with every cyber intrusion becoming a potential crime scene, meaning the FBI had to be involved, and with the DHS in charge, “as we orchestrate across those three department and agencies what we find is that we’re suboptimal and by the time we actually respond to an intrusion, it takes hours to days and by then in cyber time, the adversary has already met their objective.”
Figuring out under whose authorities an incident response should be run meant giving the enemy a head start, he said. “By the time we fill out the paperwork that would allow NSA to provide assistance, it’s typically days to a week before we can actually respond,” he added.
Wonderful. Exigent circumstances but for domestic snooping.
The NSA wants first access to private sector communications and data because the current method takes too long to get the data into the NSA's hands. That's the pitch. Never mind the fact that the NSA is supposed to be an intelligence service tasked with collecting FOREIGN communications and data. Never mind the fact that the agency exploited post-9/11 terrorism fears to become a domestic surveillance agency that turned the Third Party Doctrine into a loophole to be exploited in bulk. Never mind that it simply makes more sense to route domestic security-related data to the domestic agencies (DHS, FBI, etc.) for several reasons, not the least of which are (at least) two Constitutional amendments (First, Fourth).
But there you have it: the NSA is lobbying for first peek at shared data from US companies, and it's claiming its only interest is better cybersecurity. And it's making this pitch while glossing over the fact that it is not -- and never has been -- a domestic law enforcement agency. Somehow, it still feels it's entitled to act like one and engage in even more domestic snooping.
from the putting-out-fires-by-burning-the-house-down dept
As we've been noting, there have been growing calls for the Obama Administration to publicly scold Russia for hacking the DNC, and to dole out some kind of righteous punishment for this unseemly behavior. Calls on this front have ranged from launching larger cyber offensives to a brick-and-mortar military response. We've noted repeatedly how this is stupid for a multitude of reasons, since hacking "proof" is (if the hacker's any good) impossible to come by, with false-flag operations consistently common.
Despite the obvious dangers of escalation, the U.S. press seems pretty intent on helping the intelligence community justify doing exactly that. Countless outlets are breathlessly passing along the idea that we simply must "retaliate" for Russia's behavior, willfully ignoring that the United States wrote the book on nation state hacking and lacks the moral high ground to lecture anyone on cybersecurity. As Snowden and other whistleblowers should have made abundantly clear by now, we've been hacking allies, fiddling in Democratic elections, creating indiscriminately dangerous malware and worse for decades.
Led by our bad example, we've cultivated a global environment in which nation state operators hack one another every second of every day to keep pace with the United States. As such, the idea that the United States is an innocent daisy nobly defending its untarnished honor from uncivilized international ruffians is absurdly, indisputably false, yet this concept sits at 90% of the reporting on this subject. Case in point: eager to get the escalation ball rolling, the CIA last week used NBC to make the case for a renewed cyber-warfare campaign against Russia in the coming months:
According to the full NBC report, the CIA is cooking up a rotating platter of different proposals, most of which involve launching similar hack and leak campaigns intended to embarrass Putin and company:
"The Obama administration is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election, U.S. intelligence officials told NBC News. Current and former officials with direct knowledge of the situation say the CIA has been asked to deliver options to the White House for a wide-ranging "clandestine" cyber operation designed to harass and "embarrass" the Kremlin leadership."
Again though, if you understand that the NSA and its army of private contractors are covertly probing and attacking countless nations day in and day out (allies and enemies alike), the very idea that we'd announce this single counterattack via god-damned NBC should strike you as transparently theatrical and a bit silly. And as some pointed out, the wording of the story seems to strongly suggest we've already obtained plenty of documents that could prove embarrassing to Russia:
Like most news coverage of the Russian hacks, our own responsibility for global cyber war escalation is left entirely unmentioned by a media that fancies itself a truth teller, yet somehow still can't escape the grip of fevered nationalism when covering militarism and cyber warfare. And you'll note the only hesitation from most of the government sources quoted in the article is that our "retaliation" won't be vicious enough:
Sean Kanuck, who was until this spring the senior U.S. intelligence official responsible for analyzing Russian cyber capabilities, said not mounting a response would carry a cost. "If you publicly accuse someone," he said, "and don't follow it up with a responsive action, that may weaken the credible threat of your response capability." President Obama will ultimately have to decide whether he will authorize a CIA operation. Officials told NBC News that for now there are divisions at the top of the administration about whether to proceed.
Good. There should be "divisions." Escalating our cyber-offensive "strategies" resulted in the conundrum we're currently enjoying. And escalation here could prove notably fatal to many given our ongoing proxy war with Russia in Syria. But it's abundantly clear the CIA wants the green light and is getting some resistance from the current administration, encouraging NBC to suggest that escalation could protect the sanctity of the November elections:
"The CIA's cyber operation is being prepared by a team within the CIA's Center for Cyber Intelligence, documents indicate. According to officials, the team has a staff of hundreds and a budget in the hundreds of millions, they say. The covert action plan is designed to protect the U.S. election system and insure that Russian hackers can't interfere with the November vote, officials say. Another goal is to send a message to Russia that it has crossed a line, officials say."
Again though, there is no "line," and any ethical or legal lines that do exist, we obliterated years ago. We've hacked nations aggressively for decades, and are now fanning our collective faces in indignation at the idea that anybody would dare hack us back. We've contributed to escalating cyber-security tensions by being among the most badly behaved nations on Earth, consistently using the resulting threat escalation to justify our ongoing war on encryption, bloated security contractor budgets, and domestic surveillance expansion. It's a vicious, expensive ouroboros of dysfunction.
We've tried escalation as the aggressor, and it consistently makes things collectively, internationally worse, and certainly doesn't stop us from being the targets of these kinds of attacks. That's why we've noted repeatedly that the smart play here is to focus on defense, instead of letting Putin (and our own security contractors and intelligence community) goad us into more idiotic behavior than ever before.
We've noted several times how launching cyberwar (or real war) on Russia over the recent spike in hack attacks is a notably idiotic idea. One, the United States effectively wrote the book on hacking other countries causing all manner of harm (hello, Stuxnet), making the narrative that we're somehow defending our honor from shady international operatives foundationally incorrect. And two, any hacker worth his or her salt either doesn't leave footprints advertising their presence, or may conduct false flag operations raising the risk of attacking the wrong party.
"We obviously will ensure that a U.S. response is proportional. It is unlikely that our response would be announced in advanced. It’s certainly possible that the president could choose response options that we never announce," Earnest told reporters aboard Air Force One.
"The president has talked before about the significant capabilities that the U.S. government has to both defend our systems in the United States but also carry out offensive operations in other countries," he added. "There are a range of responses that are available to the president and he will consider a response that’s proportional."
Yet somehow, once countries began hacking us back, we responded with indignant and hypocritical pouting and hand-wringing. But the reality is we are not some unique, special snowflake on the moral high ground in this equation: we've historically been the bully, and nationalism all too often blinds us to this fact. Long a nation driven to war by the weakest of supporting evidence, hacking presents those in power with a wonderful, nebulous new enemy, useful in justifying awful legislation, increased domestic surveillance authority, and any other bad idea that can be shoe-horned into the "because... cybersecurity" narrative.
And as we're witnessing in great detail, hacking has played a starring role in this nightmarish election, with Donald Trump giving every indication he intends to only ramp up nation state hacking as a core tenet of his idiocracy, and Hillary Clinton lumping Russia, hackers, and WikiLeaks into one giant, amorphous and villainous amoeba to help distract us from what leaked information might actually say about the sorry state of the republic.
Media needs to stop treating Wikileaks like it is the same as FOIA. Assange is colluding with Russian government to help Trump.
We're wandering into extremely dangerous territory here. As we saw with Stuxnet's impact on companies like Chevron, the United States' hacking behavior has had very real, negative repercussions for innocent third parties around the globe. Operating from the belief that we're somehow nobly defending ourselves is a falsehood the media consistently perpetuates, making this kind of dangerous digital saber rattling easier than ever for those in power. The U.S. press and public can no longer afford to be so viciously naive as 2016 stumbles drunkenly to its welcome conclusion and hacking becomes the bogeyman du jour for the next administration.
from the OIG-to-Congress:-you-made-this-mess,-now-fix-it dept
The reanimated CISA, redubbed The Cybersecurity Act (a.k.a., OmniCISA) and hurried through the legislative process by stapling its 2000 pages to the back of a "must-pass" budget bill, is still in the process of implementation. Not much is known about what the law is intended to do on the granular level, other than open up private companies to government surveillance so the USA can beat back "the cyber."
Surveillance aficionados were quick to lean on private companies to start sharing information, but the government needs to be taught new tricks as well. There's plenty of info siloing at the federal level, which keeps the DHS, FBI, and others involved in the cyberwar from effectively communicating, much less sharing anything interesting they might have had forwarded to them by the private sector.
The federal government has been less than successful in securing its own information -- something CISA was also supposed to fix. The DHS's Inspector General has performed a follow-up investigation on the department's implementation of CISA's requirements. For the most part, things seem to be moving forward, albeit in a vague, undefined direction.
The OIG notes that the DHS has put together policies and procedures and, amazingly, actually implemented some of them. Better still, it has moved many critical account holders to multi-factor authentication. Unfortunately, the DHS still has a number of standalone systems that can't handle multi-factor authentication, which leaves them more vulnerable to being breached.
That's pretty much the end of the good news. There are still holes in the DHS's data systems at a very critical juncture. From the report [PDF]:
Although the Department has established software inventory policies, not all DHS components used data exfiltration protection capabilities to support data loss prevention, forensics and visibility, and digital rights management. Further, the Department had not developed policies and procedures to ensure that contractors implement data protection solutions.
Then there's this part of the report, which shows that no one truly understands the 2000-page law -- not even the DHS's first level of oversight, which can't even tell what the agency is supposed to be doing to comply with the new law. (h/t Eric Geller)
DHS and its Components can benefit from additional data protection capabilities and policy to help ensure sensitive PII and classified information are secure from unauthorized access, use, and disclosure. We are submitting this report for informational purposes to the appropriate Congressional oversight committees, as required by the Act. Due to a lack of specific criteria, this report contains no recommendations.
This explains why the report is so short: the OIG doesn't have anything to work with. Two thousand pages and yet the Cybersecurity Act's demands and goals remain so vague that all the Inspector General can do is take a cursory look at the DHS's security protocols and see if they've improved. Beyond that, the DHS and its Inspector General have no specifics to guide them and no firm goals to reach. So, the Inspector General's office is doing the only thing it can do: kick the problem over to the legislators who created it.
This is already quite the problem considering the DHS is flying blind in achieving its internal directives. What makes matters worse is the DHS is a clearinghouse for the information and data obtained from private companies -- like ISP monitoring of user activity for "cybersecurity purposes" -- and is in charge of determining whether or not any personally-identifiable information needs to be "scrubbed" before it is passed on to other government agencies.
If it doesn't have enough guidance to determine what direction it should be going in securing its own systems, it presumably has far less when it comes to the handling of private sector information. Those privacy protections were stripped during CISA's swift push through Congress and replaced with a DOJ judgment call on whether or not the DHS has performed an adequate scrub before handing over data to the FBI, NSA, et al. "Lack of specific criteria" pretty much defines the government's approach to domestic surveillance -- which is enabled by this law: grab it all now; figure it out later.
The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.
Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government.
But they also stick with the party line that actually hacking the election would be difficult:
The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process.
Of course, people have been pointing the finger at Russia over these hacks for a while, and according to various reports there's been widespread debate within the Obama administration about making a public accusation. There are two main issues here:
Attribution for computer attacks is really, really difficult. No one knows for sure, and there are ways to spoof where attacks come from. There does appear to be quite a lot of evidence pointing back at Russia for these hacks, so it does seem like a safe bet. But that doesn't mean it's definitely them. It would be nice if people gave actual confidence values when they make statements like these, but no one in politics ever does that these days.
The much bigger question is what comes next. There are political benefits and costs to naming Russia. But the big thing here is that by naming Russia, it gives the US government more leeway to do something in response. And, as we warned many months ago, this is a horrifically bad idea. It will only escalate matters and make things worse overall.
As I noted just the other day, cybersecurity should be a defensive game. Going offensive is really, really dangerous, because things will get worse, and we really don't know what the capabilities of the other side(s) truly are. Focus on protecting critical infrastructure, not on some meaningless symbolic strike back.
But, of course, in this day and age, people seem to feel that every action requires some sort of reaction, and in a computer security realm, that's just stupid. But it seems to be where we're inevitably heading. The cybersecurity firms will get wonderfully rich off of this. But almost everyone will be less safe as a result.
We've noted a few times in the past our serious concerns about Hillary Clinton's hawkish and tone deaf views on cybersecurity, in which she wants the US to go on the offensive on cyberattacking, even being willing to respond to attacks with real world military responses. She seems to ignore the fact that the US has a history of being some of the most aggressive players on offense on such things (Stuxnet, anyone?), and doesn't seem to recognize how escalating such situations may not end well at all.
Of course, her opponent, Donald Trump, has been totally incomprehensible on cybersecurity during the course of his campaign. There was his first attempt to respond to questions about cybersecurity, in which it's not clear he understood the question, and he started talking about nuclear weapons instead. Or the time he took a question on cybersecurity and answered by talking about the latest CNN poll. Or, of course, who can forget his debate performance on the topic, where his key insights were that his 10-year-old was good with computers and a 400 lb. hacker may be responsible for the DNC hacks.
It appears that the Trump campaign finally decided that maybe Trump should say something marginally coherent on the subject, and sent him out earlier this week with a prepared teleprompter speech, which Trump actually managed to get through without going too far off script. And... it's basically the same kind of bullshit as Clinton -- pushing for more aggressive and offensive cyberattacks.
“I will also ask my secretary of Defense and joint chiefs to present recommendations for strengthening and augmenting our Cyber Command,” Trump said of his cybersecurity plan. “As a deterrent against attacks on our critical resources, the United States must possess, and has to, the unquestioned capacity to launch crippling cyber counterattacks, and I mean crippling. Crippling. This is the warfare of the future. America’s dominance in this area must be unquestioned, and today it’s totally questioned.”
There was also the kind of hilarious claim that the government has not made cybersecurity issues a priority, which is laughable if you've been paying attention to, well, anything in the "cybersecurity" policy space over the past few years. You could say that their priorities within that realm are screwed up. Or that the government seems to mainly use "cybersecurity" as a cloak to hide NSA surveillance efforts. But to argue that it's not been a priority is clearly false.
And, really, having our own side launching "crippling" cyberattacks (as with Clinton's plan) doesn't seem like the most effective plan. These kinds of things only escalate. Being an aggressor here seems particularly shortsighted. Taking out, say, China's internet, may show strength, but for what purpose? Will it really stop Chinese computer attacks on US infrastructure? Doubtful. Cybersecurity is mostly a defensive game, and it should remain that way. Encrypt everything possible. Disconnect critical infrastructure from the wider network wherever possible, and do everything to stop attackers from getting in, taking down, or mucking with systems.
This hawkish talk about offensive attacks in response to inbound online attacks is probably poll-tested to sound good as "being tough," but it's really stupid actual policy.