what should we do about cyber attacks?

What should we do about cyber-

attacks?Eli Dourado

Research FellowDirector, Technology Policy Program

The infosec landscape

• Era of mega-hacks• Increasingly state-based attacks• Espionage, not cyber-war• U.S. Federal government

particularly vulnerable

The OPM hack• Began on May 7, 2014• Exfiltration in July/August and

December 2014• 22 million current and former

federal employees’ data compromised

• Discovered on April 15, 2015• Massive, but not isolated

What should we do?

• Spend more?• A cybersecurity sprint?• An information sharing program?• Something else?

Information sharing

• CISPA introduced in 2011• Concern from civil libertarians• CISA introduced last year• Civil libertarians still concerned• Would information sharing work?

Information sharing programs already

exist• DHS/IP National Infrastructure Coordinating Center (NICC)

• “Dedicated 24/7 coordination and information sharing operations center that maintains situational awareness of the nation’s critical infrastructure for the federal government.”

• http://www.dhs.gov/national-infrastructure-coordinating-center

Information sharing programs already

exist• DHS/CS&C National Cyber Security and Communications Integration Center (NCCIC)

• “Shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions.”

• http://www.dhs.gov/about-national-cybersecurity-communications-integration-center

Information sharing programs already

exist• DNI Cyber Threat Intelligence Integration Center (CTIIC)

• “Oversees the development and implementation of intelligence sharing capabilities…to enhance shared situational awareness of intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. national interests.”

• https://www.whitehouse.gov/the-press-office/2015/02/25/presidential-memorandum-establishment-cyber-threat-intelligence-integrat

Would CISA work?

• Do we need 21 information sharing programs instead of 20?

• Is CISA really about national information security?

What should we do instead?

• Prioritize security over SIGINT

• Responsibly disclose vulnerabilities

• Two-factor auth at all agencies with penalties for noncompliance

• Limit the use of private contractors

• Reform the CFAA to

allow security research

• Reform the CFAA to allow active defense

• Support strong encryption

• Eliminate duplication

• Security audits of open source software

The bottom line

• We need federal humility• A marathon, not a sprint• A priority, not an afterthought• There is no silver bullet

Thank you.