Why someone needs to compel companies to disclose cyberattack details

A flurry of mega data breaches rocked the Internet in 2011. They included RSA, Epsilon, Bank of America, HBGary, the U.S. Chamber (twice), Sony (multiple breaches) and DigiNotar. At the same time, the most sophisticated attack campaign yet seen, Duqu, has now likely burrowed deep inside dozens of corporations.

Meanwhile, new variants of tried-and-true consumer attacks — ranging from drive-by downloads, to clickjacking, to phishing campaigns — have made the Web as infectious as ever. In this LastWatchdog guest post, Simon Crosby, co-founder and CTO of the virtualized security start-up Bromium, argues that a big part of the problem lies in the good guys’ reluctance to share what they know about how they’ve been hacked. It will probably take new laws to change that, he argues.


By Simon Crosby

For the last decade, we have been basking in the benefits of the Internet as a platform for democratization and commerce. Our society is now dependent on Internet connectivity. But we have blithely ignored the need to protect ourselves from its darker side. The public perception of cyber-criminals is still one of spotty-faced, anti-social pranksters.

Unfortunately, we are in an extraordinarily vulnerable position, and every aspect of our on-line society and critical infrastructure is being actively probed for vulnerabilities. This year has delivered more compelling evidence of the potentially crippling economic consequences of cyber-attacks by nation states and wealthy crime syndicates, such as the attacks originating from China that occurred throughout the year:

  • In February, Chinese hackers broke into the systems of five multinational oil and natural gas companies to steal corporate information.
  • In August, a highly coordinated five-year campaign launched in China resulted in the hacking of 72 networks, including the United Nations and the US Government.
  • In October, a man in China successfully breached the networks of at least 48 chemical and defense companies, stealing design documents, formulas and details on manufacturing processes.

Some loss projections could be over-hyped. But it is clear that the Internet is already a key battleground in international conflicts.

Attack details needed

It’s time to get serious about the need to protect our society and our economic and national infrastructure. None of us want to admit to losses, and so we don’t share information about attacks. The only way to change this behavior is to impose legal requirements that place the national interest above the interests of a single company.

Just as we require enterprises to comply with accounting regulations such as Sarbanes-Oxley to protect all investors, we ought to require them to disclose information relevant to cyber-attacks – successful or not – and we should impose penalties on those that fail to adequately protect individuals or critical infrastructure; after all, technologies do exist that ensure network security.

If a nuclear facility fails due to poor engineering, we have every right to be upset. We need to recognize that an “insecure network” is an example of poor engineering, and define the consequences for those responsible.

Earlier this year, the White House proposed a new national cyber security plan that, in theory, seems to be focusing on appropriate tactics and measures. Among other specifics, the proposal mandates that private companies notify all customers of any and all data breaches and their potential for identity theft. It also would require organizations where breaches would result in the greatest impact to the nation – such as federal networks, power grids, water systems and other critical systems – to maintain the highest levels of network security and submit to annual third-party audits to ensure they are in compliance.

Laws with teeth

To take it one step further, the government also needs to focus on the individual protection of the general public. To do so, any company entrusted with ownership of private data that is accessible over the Internet needs to be held responsible for the security of that data, and to enforce this there should be heavy penalties and/or fines.

To this end, the government should create both an addendum that defines the minimum standard of protection required of any provider that hosts data, and a separate law that defines the punishment for failing to meet it.

The easy part is proposing these changes; the difficulty will lie in the implementation, in how quickly the plan is put into effect and in how thoroughly the mandates are followed. Crucially, we must ensure that compliance requirements are not couched in terms of today’s technologies. Leave it to the industry to advance the state of the art as fast as possible to meet the needs of enterprises subject to regulation. We are about to witness a profound change in favor of a more secure infrastructure.

Thanks to hardware-assisted virtualization and trusted execution, I am confident that in 2012 we will see security technologies that are a thousand times more robust, and whose creation is the result of the positive benefits of the Internet.

About the essayist: Simon Crosby is the co-founder and CTO of Bromium. Prior to co-founding Bromium, he was the CTO of the Data Center and Cloud Division of Citrix, which he joined after the acquisition of XenSource where he was founder and CTO. Previously, he was a principal engineer at Intel, where he led strategic research in distributed autonomic computing, platform security and trust. He was a member of faculty at the University of Cambridge Computer Laboratory and Fellow of Fitzwilliam College.