On May 6, the media was full of warnings about an immediately pending cyberattack called “OpUSA.” Homeland Security said “The attacks will likely result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible web pages and possibly data exploitation.” This seems a bit late in coming, as the OpUSA threat was made on the Web weeks ago. The threat statement online listed 140 banks as targets and rambled on about U.S. war crimes in Iraq, Afghanistan, and Pakistan. The government said that the attack would come from “Anonymous-linked hacktivists in the Middle East and North Africa.”
This government action should strike one as comical. What kind of cyber defense is the announcement that there is going to be an attack that no one can keep from happening? Unless we had a mole among the attackers, we wouldn’t know what technical means the attackers were using until after they attacked. If we did have a mole, what would be the point of announcing the information publicly? The hackers would just change their modus operandi. I guess DHS has to show that it’s doing something.
The OpUSA warning is an excellent example of where we stand vis-à-vis cybersecurity. There is no technical defense prior to cyber attack unless the attacker uses the same means twice. No serious (or even casual) attacker would do that. The great bulk of the public discussion of cybersecurity remains in the realm of defense, nonetheless.
All sorts of commentators have moved on to the theoretical notion of cyber offense as the only cyber defense. Cyber offense means finding out who attacked one and neutralizing the attacker, either electronically or by other means. However, no one in the U.S. is committing cyber offense. The private sector is barred by law from going after attackers. It has the motivation and means to do it, but those things can’t be utilized. The private sector would like the government to commit cyber offense on its behalf. The government, for its part, may have the expertise, but it’s stuck in the rut of only gathering and aggregating information on private sector cyber attacks.
Remember that the government wishes to rely on the private sector to report when it has been attacked, after which the government will (a) tell you and others that you were attacked and (b) perhaps tell you what to do if the exact same attack occurs again, which it never will.
If the government is still at step one of cybersecurity--information sharing about attacks--it appears that it cannot even manage that. On April 18, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). It was dead on arrival in the Democratic Senate, due to White House opposition.
You’ll hear various explanations for this. CBS News says “because language in its current draft suggests that companies like Facebook, Google and Twitter, share information with the federal government without a warrant.” Huffington Post says that the House bill doesn’t “sufficiently protect privacy and civil liberties, ensure that a civilian department--not an intelligence agency--is the primary point of entry for cybersecurity information sharing, and provide narrowly tailored liability protections that would allow the private sector to respond to threats.”
The Hill says “the final version of the bill did not satisfy the White House's key principles because it would allow companies to share cyber threat information directly with the military, including the National Security Agency (NSA), without being required to remove personal information from that data first.” The Hill also says that the current bill doesn’t require companies to remove information on the identity of a specific person before sharing the threat information: “CISPA requires the government to strip that personal information from the cyber threat data it receives from companies instead.”