Congress must do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them.
The Internet is the digital Wild West, more so now than ever before.
The past two years specifically have been a vortex of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts. And these are only the highlights of what has been publicly reported.
Despite the increasingly dire headlines, there's hope yet for the Internet. It begins with an improved public/private model — backed by legislation — for policing cybercrime and helping American businesses defend themselves.
Step 1: One Focused Agency
For American individuals and businesses, there is no clear answer on who leads the fight against cybercrime, or who leads interagency collaboration. In federal law enforcement, numerous agencies within the Departments of Justice and Homeland Security investigate cybercrime, among them the FBI, the Secret Service, Homeland Security Investigations (HSI), and the departments' Offices of Inspector General (OIG). Add state and local police agencies to the web of confusion, and that is still before considering the overlap with intelligence (ODNI/NSA), military (DIA, NCIS), and international (Interpol, Europol) agencies.
Certainly, there has been progress toward industry partnership in the past decade. Both the Secret Service and the FBI have created cybersecurity-focused entities (the Electronic Crimes Task Forces [ECTF] and InfraGard, respectively). However, the limits on what law enforcement may share make these groups less effective, blunting their ability to curb cybercrime.
Equally responsible for the marginal success in prior efforts is the lack of NSA participation. It is clear that the NSA has the most visibility into malicious cyber activity and is the most informed organization in America (and probably the planet) on adversary cyber activity.
We need an organization within the NSA — modeled on the UK's National Cyber Security Centre (NCSC), which is part of Government Communications Headquarters (GCHQ, the British NSA equivalent) — that is focused solely on helping American individuals and businesses defend themselves. The NCSC provides timely guidance on threats, ranging from phishing to malware to fraud, and shares technology with the private sector directly. Similarly, America needs a well-informed cybersecurity guidance resource to fill the current void.
History has shown that businesses are ill equipped for sustained defense against well-funded and motivated attackers. Sophisticated adversaries with seemingly endless time and resources are using the cyber domain to victimize American businesses continuously and at will. The cost of doing business should not include fending off nation-state-sponsored offensive cyber campaigns.
The answer begins with Congress legislating a new organization, modeled after the NCSC, owned by the NSA, and mandated to share all possible threat guidance and defensive technology with American businesses. The goal: to increase America's cybersecurity awareness and resilience.
Step 2: Retain and Invest in Government Talent
We need America's best and brightest in public service defending America from cyber enemies. Employee compensation and training budgets must increase across the board.
The problem is that government salaries under the General Schedule (GS) pay scale have not kept pace with private sector salaries for employees with cybersecurity skills. This is equally true across military, intelligence, and law enforcement agencies.
Government employees increase their skills, learn tradecraft, and then depart for the private sector because the opportunity costs are too great for them and their families to stay in government service. Ultimately, a government retirement plan can't compete with a 30% (or more) private sector salary increase.
Related to training, police officers are generally the first line of support for individual victims. But when the phone rings, officers without cybercrime training struggle to take a useful report or advise the victim on next steps. All law enforcement agencies should have sufficient budget for cybercrime training, and an NSA-led organization modeled on the NCSC should lead the way in training these officers.
Congress must revise the General Schedule for federal employees in cybersecurity concentrations and earmark funding for police training across all agencies because, as a nation, we can't afford to keep losing our most talented people to the private sector.
Step 3: Empowering the Private Sector
The private sector has the knowledge and skills to be a force multiplier for law enforcement. Network defenders and researchers typically have better tools and data on cyber malfeasance than law enforcement does. The current problem for the private sector is trust, or the lack of it, in law enforcement. Specifically, private sector collaborators need protection from having the law wielded against them as a result of their efforts.
The past 15 years are a testament to the success of proactive private sector volunteers and working groups; the DNS Changer Working Group is a good example. It was formed to tackle a dire cyber threat and assist with attribution.
A primary impediment to increased cooperation is the Computer Fraud and Abuse Act (CFAA) (18 US Code §1030), signed in 1986, and, to a lesser extent, Section 1201 of the Digital Millennium Copyright Act (DMCA) (17 US Code §1201). These two laws indiscriminately lump valid cybersecurity research in with the most reprehensible of cybercrimes. The CFAA criminalizes access that "exceeds authorized access" to a computer, which lets site owners unilaterally forbid any investigation of potential vulnerabilities through prohibitions written into their terms of service.
Similarly, the DMCA penalizes almost any circumvention of copyright protection measures (including encryption), which is often necessary to carry out security research. These federal laws are being augmented by state laws, such as the legislation recently passed in Georgia, that perpetuate the same oversights.
Revised legislation should reaffirm Fourth Amendment digital rights and also encourage law enforcement to share cybercrime case details (not national security cases or cases that began from a counterintelligence nexus) with the private sector where relevant. Legislative efforts should also creatively provide law enforcement with improved investigative tools (again, while reaffirming the Fourth Amendment), increase law enforcement budgets for training, and encourage all nations to adopt similar definitions for "unauthorized access." Additionally, we should encourage more legislation like the Internet of Things Cybersecurity Improvement Act of 2017 that provides specific security research exemptions.
As a society, we have an incredibly skilled and willing private sector that has been diligently working behind the scenes toward a safer Internet. This is a major reason that the damage from global malware attacks has been relatively muted: large-scale attacks like the Storm and WannaCry worms were poised for maximum destructive impact before the private sector intervened. Congress should do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them, and vice versa.