How Trump will handle digital security is a big cyber mystery

Open communication needed between government, private industry to maintain safety


A suspicious death related to a British spy. Accusations of treason. Arrests—including one, during a meeting, where the suspect was marched out with a bag over his head. Election interference and ‘Kompromat.’

These are some of the things that, while hanging in the air, weren’t mentioned by the Trump administration last week as it took cautious steps into managing the cyber world.

Like almost everything in the cyber-spook world, the Trump administration’s first step into computer security is now shrouded in mystery, intrigue and speculation.


Tuesday, Jan. 31, President Trump’s team trotted out former New York City Mayor Rudy Giuliani and other experts at an event marking an executive order Trump planned to sign, showing how he wanted to get tough on computer security.

Then, without explanation, the order signing was canceled, leaving the cyber community to guess at what it all means. On the surface, Trump’s executive order and the spy-novel-like intrigue happening in Russia’s cyber world have nothing to do with each other. It’s hard not to connect them, however.

Here’s a quick scorecard to catch you up on what’s going on:

Russian arrests

Three, or possibly four, Russians with ties to law enforcement have been arrested and charged with treason. One suspect was grabbed at a meeting and had a bag thrown over his head in a clear show of force.

Another suspect, Ruslan Stoyanov, was a researcher at respected anti-virus firm Kaspersky Lab, and previously worked in Moscow’s cyber crime unit. He had stopped crime rings that were targeting Russian banks. I have been told he is accused of snooping on and sharing data with outside entities—perhaps the United States, though that isn’t clear. My source requested anonymity, but others have confirmed that basic story. Brian Krebs has reported painstaking amounts of additional detail.

It’s easy to connect these arrests with the accusations of Russian meddling in U.S. elections, but there are other explanations. For one, Russian officials are upset that secret information keeps making its way to a blog called Shaltay Boltay (Humpty Dumpty) in Russia that’s a bit like WikiLeaks.

Meanwhile, a former KGB official was found dead a few weeks ago in his car under mysterious circumstances. The man, Oleg Erovinkin, reportedly was a source for Christopher Steele, the former British spy who authored the notorious dossier of allegedly embarrassing information about President Trump.

Trump’s review

When Trump assembled the folks who will be in charge of making U.S. computer systems safer, none of this came up.

On the surface, a draft version of the order that was widely shared showed it would primarily call for a 60-day review of the most critical U.S. networks, including military command and control systems. It also asked for a review of America’s cyber enemies, a review of computer security education, and proposals to create incentives for private firms to improve their security.

It is unclear why the president didn’t sign the order as planned. The draft order predictably got mixed reviews from the industry. “What I like about it is that it creates a sense of urgency and seriousness that we really have to double down on security,” said Erik Giesa, vice president of products at Tempered Networks, discussing the draft order.

Morey Haber, vice president of technology at BeyondTrust, was far more critical. “We already do all this (vulnerability assessment). The only difference is that it’s (to be) reported to the president,” he said. Prior to BeyondTrust, Haber spent 10 years as a contractor providing vulnerability assessment to the Department of Defense. “It’s almost a knee-jerk reaction, similar to the ban of certain countries for immigration.”

Haber pointed out that most hacks involve the human element, like an employee responding to a phishing email. “We should be making sure the front doors are locked before we change the combination on the safe,” he said. “We should be targeting the lowest hanging fruit, like phishing emails, USB sticks left in parking lots.”

New protocols?

Perhaps because of this kind of feedback, the order was delayed. Or something entirely unrelated is the cause.

Giesa said this moment in time gives the administration an opportunity to succeed where others have failed. “This isn’t something new. After the (Office of Personnel and Management) hack, Obama signed an executive order … but what I’ve seen from the government in the past is you get high-level guidelines, but there isn’t a lot of prescriptions. They might say you need encryption, for example. Well, no kidding,” he said. “The time is now to get very specific.”

The internet has suffered from a “fundamental flaw” since its earliest days, Giesa said—the use of IP addresses to authenticate computers, which makes it easy for machines, and criminals, to lie about who they are. Changing that will require a very heavy-handed implementation of new protocols that define how computers talk to one another. Perhaps Trump’s administration could lead that charge, Giesa said.

On the other hand, it’s important to understand how different internet security is from other kinds of security. The “weapons” of cyber space are mainly controlled by civilians. Instead of bombs stored in silos that the government can secure, “cyber bombs” can be hacked servers, private computers, even webcams—as we all learned last year when an army of zombie webcams knocked a large portion of the internet offline. They cannot be secured without massive efforts and cooperation by private industry.

Sharing intel

And that brings us back to the Russian hacks. Naturally, private firms are reluctant to share information with government officials and with one another. Many see this very expensive and difficult research as competitive advantage. Still, informal exchanges happen all the time. Secret cyber heroes rescue us from digital doomsdays on a regular basis, in conversations we’ll never hear about or see in a press release.

Often, these involve “hackers” with a past, who have spent time in the murky world between white and black hat. That’s precisely why they know what’s going on. But that also can make them very “shy” when speaking to law enforcement.

You can bet Russian cyber experts are getting more shy by the minute. That hurts everyone except the criminals.

But it’s a good reminder of how hard U.S. officials must work to keep the information flowing between private industry and government workers fighting to keep our water dams and power grids safe. That’s going to take a lot more than an executive order.
