Skip to content

Point of View: Senate Stalls Cybersecurity Bill

    
Point of View: Senate Stalls Cybersecurity Bill

The rush to "do something" about cyber security issues is leading both legislators in industry to ridiculous place.

Most people's knee-jerk reaction when thinking about cyber security is that we should go after the attackers.  The thinking is that we should identify them, block them, and go after them.  That sort of makes sense, until you consider that there are huge number of them, they're totally anonymous, and the history of law-enforcement against hackers has only ever taken a few off the street.  We're still not even 100% sure who attacked Sony.

So if you can't go after the attackers directly, maybe government could help companies defend against hackers. Except actually defending them is really hard. Imagine a cattle rancher with 1,000,000,000 miles of barbed wire fencing (see my recent dark reading piece on how the typical financial organization has 1 billion lines of code) to keep out cattle rustlers.  And golden cows. That's a lot to monitor and defend.  And barbed wire is totally inadequate for the job.

What if government facilitated sharing of information about attacks in progress so that once one company detects an attack, others can block it. Well, that might work if we were actually any good at detecting attacks, but it turns out most attacks go on for months or years before being detected. So the vast majority of these attackers are never going to get identified by the first company which means that sharing information about the attack won't help. 

Nothing wrong with sharing a little information, but don't think that this is going to make us any more resilient against attack. And we have big real problems to deal with.  In the meantime, companies are up in arms, or at least pretending to be up in arms, alleging that it's this kind of sharing might expose them to antitrust issues, lawsuits, or privacy issues.   They want liability protection in case they're sued. These are the kinds of objections lawyers raise when companies don't actually want to do something. Sharing information about cyber security is a burden, and as I mentioned, there's not a lot of value. 

The information shared is  IP addresses and domains of suspected attackers and compromised computers.  According to the most recent Verizon DBIR report, a lot of this information comes from honeypots. These are systems placed on the Internet to trick hackers into attacking them, and thereby gathering information about their sources and methods. Real attackers are likely to focus their attacks, not blindly scan the Internet, so their information is unlikely to be in the honeypots, and therefore won't get shared.

Technically, there are problems with the bill, like defining (18) SECURITY VULNERABILITY.—The term “security vulnerability” means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.  The problem is that most vulnerabilities don't involve a security control. In fact it's the absence of a security control that is the vulnerability. So this would let a lot of companies off the hook for their sloppy software development practices 

All the arguing about information sharing legislation is not a total waste, but almost. The crisis really isn't that we're not sharing information, the crisis is that we have huge numbers of systems that are basically totally unprotected against cyber attack. We need to create a software market that rewards ranchers who put appropriate protections in place for their herd.  That's a problem we are never going to solve with information sharing. 

But there is a role for government in fixing the dreadful state of the software market. Currently security is an afterthought. We need to change the incentives so that software companies are encouraged to produce secure code.  I'm not a fan of liability or taxation regimes.

How about some legislation that requires companies to disclose some basic facts about the security of their software. Things like: was security testing done, where developers train in security, are basic defenses in place, and are components free of known vulnerabilities. Many other industries have labels and data sheets that disclose this kind of information, why not software? This is a powerful, nonintrusive way for government to use market forces to help fix the security of our nation’s infrastructure.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.