How Trump will handle digital security is a big cyber mystery
Open communication needed between government, private industry to maintain safety
By Bob Sullivan, ThirdCertainty
A suspicious death related to a British spy. Accusations of treason. Arrests—including one, during a meeting, where the suspect was marched out with a bag over his head. Election interference and ‘Kompromat.’
These are some of the things that, while hanging in the air, weren’t mentioned by the Trump administration last week as it took cautious steps into managing the cyber world.
Like almost everything in the cyber-spook world, the Trump administration’s first step into computer security is now shrouded in mystery, intrigue and speculation.
Related podcast: Monitoring email to stem insider threats
Tuesday, Jan. 31, President Trump’s team trotted out former New York City Mayor Rudy Giuliani and other experts at an event marking an executive order Trump planned to sign, showing how he wanted to get tough on computer security.
Then, without explanation, the order signing was canceled, leaving the cyber community to guess at what it all means. On the surface, Trump’s executive order and the spy-novel-like intrigue happening in Russia’s cyber world have nothing to do with each other. It’s hard not to connect them, however.
Here’s a quick scorecard to catch you up on what’s going on:
Three, or possibly four, Russians with ties to law enforcement have been arrested and charged with treason. One suspect was grabbed at a meeting and had a bag thrown over his head in a clear show of force.
Another suspect, Ruslan Stoyanov, was a researcher at respected anti-virus firm Kaspersky Lab, and previously worked in Moscow’s cyber crime unit. He had stopped crime rings that were targeting Russian banks. I have been told he is accused of snooping on and sharing data with outside entities—perhaps the United States, though that isn’t clear. My source requested anonymity, but others have confirmed that basic story. Brian Krebs has reported painstaking amounts of additional detail.
It’s easy to connect these arrests with the accusations of Russian meddling in U.S. elections, but there are other explanations. For one, Russian officials are upset that secret information keeps making its way to a blog called Shaltay Boltay (Humpty Dumpty) in Russia that’s a bit like WikiLeaks.
Meanwhile, a former KGB official was found dead a few weeks ago in his car under mysterious circumstances. The man, Oleg Erovinkin, reportedly was a source for Christopher Steele, the former British spy who authored the notorious dossier of allegedly embarrassing information about President Trump.
When Trump assembled the folks who will be in charge of making U.S. computer systems safer, none of this came up.
On the surface, a draft version of the order that was widely shared showed it would primarily call for a 60-day review of the most critical U.S. networks, including military command and control systems. It also asked for a review of America’s cyber enemies, a review of computer security education, and asked for proposals to create incentives for private firms to improve their security.
It is unclear why the president didn’t sign the order as planned. The draft order got, expectedly, mixed reviews from the industry. “What I like about it is that it creates a sense of urgency and seriousness that we really have to double down on security,” said Erik Giesa, vice president of products at Tempered Networks, discussing the draft order.
Morey Haber, vice president of technology at BeyondTrust, was far more critical. “We already do all this (vulnerability assessment). The only difference is that it’s (to be) reported to the president,” he said. Prior to BeyondTrust, Haber spent 10 years as a contractor providing vulnerability assessment to the Department of Defense. “It’s almost a knee-jerk reaction, similar to the ban of certain countries for immigration.”
Haber pointed out that most hacks involve the human element, like an employee responding to a phishing email. “We should be making sure the front doors are locked before we change the combination on the safe,” he said. “We should be targeting the lowest hanging fruit, like phishing emails, USB sticks left in parking lots.”
Perhaps because of this kind of feedback, the order was delayed. Or something entirely unrelated is the cause.
Giesa said this moment in time gives the administration an opportunity to succeed where others have failed. “This isn’t something new. After the (Office of Personnel and Management) hack, Obama signed an executive order … but what I’ve seen from the government in the past is you get high-level guidelines, but there isn’t a lot of prescriptions. They might say you need encryption, for example. Well, no kidding,” he said. “The time is now to get very specific.”
The internet has suffered from a “fundamental flaw” since its earliest days, Giesa said—the use of IP addresses to authenticate computers, which makes it easy for machines, and criminals, to lie about who they are. Changing that will require a very heavy-handed implementation of new protocols that define how computers talk to one another. Perhaps Trump’s administration could lead that charge, Giesa said.
On the other hand, it’s important to understand how different internet security is from other kinds of security. The “weapons” of cyber space are mainly controlled by civilians. Instead of bombs stored in silos that the government can secure, “cyber bombs” can be hacked servers, private computers, even webcams—as we all learned last year when an army of zombie webcams knocked a large portion of the internet offline. They cannot be secured without massive efforts and cooperation by private industry.
And that brings us back to the Russian hacks. Naturally, private firms are reluctant to share information with government officials and with one another. Many see this very expensive and difficult research as competitive advantage. Still, informal exchanges happen all the time. Secret cyber heroes rescue us from digital doomsdays on a regular basis, in conversations we’ll never hear about or see in a press release.
Often, these involve “hackers” with a past, who have spent time in the murky world between white and black hat. That’s precisely why they know what’s going on. But that also can make them very “shy” when speaking to law enforcement.
You can bet Russian cyber experts are getting more shy by the minute. That hurts everyone except the criminals.
But it’s a good reminder of how hard U.S. officials must work to keep the information flowing between private industry and government workers fighting to keep our water dams and power grids safe. That’s going to take a lot more than an executive order.
More stories related to U.S. cybersecurity:
How secure will ‘the cyber’ be under Trump?
Don’t expect Trump to leave internet rules, regulations intact