Haoran Yu
CISA & Sony
1 Introduction
The Senate passed the Cybersecurity Information Sharing Act (CISA [1]) of 2015 (S.754, 114th Congress (2015-2016)) by a vote of 74-21 on Oct. 27, 2015, after rejecting four pro-privacy amendments. Earlier in the year, on Feb. 13, 2015, the President of the United States signed the Executive Order "Promoting Private Sector Cybersecurity Information Sharing" [2]. Congress and the White House both appear eager to produce a new cyber law.
The Sony Pictures Entertainment (SPE) data breach is often cited as an example of the severity of cybercrime and as a motivation for calling for cyber protection legislation. Verizon even described this breach as the “highest-profile hack of the year (2014)” in its 2015 Data Breach Investigations Report [3].
This article discusses the Administration’s activities and their connection with the SPE data breach, and focuses mainly on how much this information sharing protocol can benefit private entities like SPE in the battle against cybercriminals.
2 Background
2.1 The Scale of Possible Breaches
According to Verizon, its experts predict that there will be 5.4 billion IoT devices by the end of this decade, which implies year-over-year growth of 28% in IoT devices [4]. According to Internet Live Stats, there are now around 3.2 billion Internet users in the world (http://www.internetlivestats.com/internet-users/). Over this decade, Internet users have been sharing more and more information on the Internet, and large-scale data breaches “have become a worryingly common occurrence [5]”. Figure 1 shows how many data records were compromised in some of the most prominent examples of data theft in recent years.
Figure 1. Large-scale data breaches affect millions of users [5]
2.2 Government Responses
After the September 11 attacks, a series of laws and executive orders concerning national security were enacted. The Homeland Security Act of 2002, enacted on November 25, 2002, created the U.S. Department of Homeland Security (DHS) and the new cabinet-level position of Secretary of Homeland Security. It was amended by the National Cybersecurity and Critical Infrastructure Protection Act of 2013, which created the National Cybersecurity and Communications Integration Center (NCCIC). Both acts are affected by the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001), which partly expired on June 1, 2015. (Reference: Wikipedia)
The Enhanced Cybersecurity Services (ECS) program [6] was expanded by DHS in February 2013 under Executive Order 13636 (Improving Critical Infrastructure Cybersecurity) as a voluntary information sharing program [2]. It “assists U.S.-based public and private entities as they improve the protection of their systems from unauthorized access, exploitation, or data exfiltration”. Also, “DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information.” The ECS can be regarded as a prototype of both the Cyber Executive Order and the CISA bill. The ECS also describes the “cyber threat indicator”, which is discussed later.
The recent Cyber Executive Order introduces the development and formation of Information Sharing and Analysis Organizations (ISAOs), which is also promoted by the Secretary of Homeland Security.
Figure 2. Enhanced Cybersecurity Services Program Model [6]
*qualified Commercial Service Providers (CSPs), such as AT&T, CenturyLink, Verizon, and Lockheed Martin.
2.3 The Cyber Threat Indicator
Figure 3 shows the idea of the cyber threat indicator. The likelihood gives administrators an intuitive display of the cyber attack risk in each division.
Figure 3. Interaction between SICC and CSIRT* for increased situational awareness [7]
* Security Intelligence and Coordination Center (SICC), Computer Security Incident Response Team (CSIRT), Structured Threat Information eXpression (STIX)
2.4 Related Content and Criticisms of CISA and the Executive Order
Section 3 of the CISA [1]:
“Requires the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD), and the Department of Justice (DOJ) to develop and promulgate procedures to promote:
(1) the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments;
(2) the sharing of unclassified indicators with the public;
(3) the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects.”
Section 1 of the Cyber Executive Order [2]:
“private companies…, and other entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.
Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.”
A reporter from RT America criticized CISA for using broad language, saying that “any attempt to really to strengthen the language here make it more specific protect privacy but also perhaps make this more effective failed” [8].
The Post’s editorial dismisses “alarmist claims [about CISA that] have been made by privacy advocates who describe it as a ‘surveillance’ bill”. The editorial adds: “The notion that there is a binary choice between privacy and security is false.” [9]
Jeff Greene from Symantec said about the Cyber Executive Order: "The proposal will definitely help but we can't lose sight of two important facts: first, there is already significant and important information sharing occurring. Second, information sharing is not a panacea. Instead, it is one part of a larger solution." [10]
Some argue that if the U.S. government could not prevent the cyber attacks from China that stole government employees’ personal information [11], how can the government protect private entities by gathering their threat information?
3 The Correlation with the SPE Data Breach
People have lost faith in the U.S. government since the invasion of Iraq. The stated intention of the U.S. President who issued the Cyber Executive Order, namely to protect American citizens and U.S. entities, will be questioned if the FBI’s declaration that North Korea is responsible for the SPE attack turns out to be incorrect, since the government raised the public’s concern over their vulnerability to such an attack launched by a nation state. This reminds me of the correlation between the Japanese military attack on the U.S. base at Pearl Harbor and the U.S. declaration of war against the Axis, and between the September 11 attacks and the USA PATRIOT Act along with the policies that followed it.
3.1 The Perpetrator
The FBI [12] says it has “enough information to conclude that the North Korean government is responsible for these actions”. Its “conclusion is based, in part, on the following”:
- Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
- The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
- Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
The CIO and co-founder of CrowdStrike, Dmitri Alperovitch, agreed: “We have a high-confidence that this is a North Korean operator based on the profiles seen dating back to 2006, including prior espionage against the South Korean and U.S. government and military institutions” [13].
A McAfee report and an HP Security report mention a group calling itself the “Whois Team”, which also took responsibility for the destructive Dark Seoul attacks in 2013. As the Russian security firm Kaspersky notes, the images used by the Whois Team and the warning messages left for Sony are remarkably similar [13]:
Figure 4. Comparison between Whois Team and SPE’s warning messages [13]
Another article mentions that Sony Pictures was warned by email days ahead of the impending attack that rendered its internal networks useless on Nov. 24 [14]. Evidence dug from the leaked email inbox of Sony Pictures Entertainment co-chairman Amy Pascal shows that Pascal, along with five other top-ranking Sony executives including CEO Michael Lynton and President Doug Belgrad, received an email from frank1973.david@gmail.com with the subject "Notice to Sony Pictures Entertainment Inc." Its full text reads:
We've got great damage by Sony Pictures.
The compensation for it, monetary compensation we want.
Pay the damage, or Sony Pictures will be bombarded as a whole.
You know us very well. We never wait long.
You'd better behave wisely.
From God'sApstls
There is no strong evidence that the Whois Team, the GOP and God’sApstls are the same group associated with North Korea, which makes the third point offered by the FBI questionable. And if the GOP and God’sApstls are the same group, the SPE attack was not likely to have been conducted by a nation state. Besides, North Korea denied that it had attacked SPE.
3.2 Information Sharing Would Not Have Stopped the Sony Attack
Information sharing allows smarter and faster defenses, but by itself it won’t significantly reduce security breaches [10]. For SPE, hackers can still use modified signatures to avoid detection under today’s security protocols. Sony suffered another breach, of its PlayStation® Network, in 2011. The increased IT budgets after that breach and the heightened cybersecurity threat environment did not prevent its 2014 breach. Meanwhile, the Enhanced Cybersecurity Services (ECS) program had been open since 2013. If SPE had reported the warning email, which arrived several days before the attack, to DHS and had conducted a complete investigation of its whole system, its chances of escaping the attack could have been higher. Forbes noted: “the reality is that far fewer resources are expended on cybersecurity than are actually needed. How many firms can truly claim that all of their data is properly secured, accessible to only parties that actually need it, and that all employee passwords are properly constructed?” [15]
However, if these two attacks, together with CISA and Obama’s Executive Order, can give SPE a solid anti-cyber-attack strategy, and if such lessons can be learned by other private entities; and if, in addition, the hackers’ malware and signatures could be shared among cybersecurity providers so that all occurrences of the same code segments can be found and the potential threats eliminated, then the level of difficulty for operating a cyber attack could increase remarkably.
When a warning is received, Sony and other companies may not have the intelligence needed to audit their whole system, but ISAOs can respond to all such alarms. The practice would be similar to that of civil aviation: once a warning is received, an investigation is conducted, and the reporter is held responsible for an intentional false warning.
Also, Forbes says that the virus found at SPE is similar to the Shamoon virus found years ago, which steals data and wipes it from its lawful hosts, and which wreaked havoc at the Saudi oil company Aramco [15]. The malware used in this SPE attack could have been eliminated if the bills had been enacted earlier. On the other hand, this shows the increased difficulty for hackers.
Congressional Cybersecurity Caucus co-chair Rep. Jim Langevin (D) of Rhode Island said: “While important, information sharing won’t solve everything. … What it will do, though, is enable companies to discover and respond to threats of which they may not have been aware – and provide badly needed situational awareness to the government. It’s a first step, but an important one, and will allow us to broaden the conversation to other important cybersecurity policy matters." [10]
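The FBI’s second point in section 3.1 (IP addresses hard-coded into the wiper malware) and the argument above that shared malware signatures would let providers find the same code elsewhere both come down to one defensive operation: matching indicators shared by a partner or by DHS against a company’s own telemetry. The following is an added example written for this article; it is not code from the paper, from DHS/ECS, or from any STIX tool. It assumes indicators arrive in a STIX 2-style JSON bundle (the pattern strings imitate STIX 2 comparison expressions, but the parser is a deliberately small subset written for this example), that the local side has proxy log lines in a constructed `host=… dst=…` format and a file hash inventory, and that host names carry a division prefix (`finance-pc07`) so hits can be grouped per division in the spirit of Figure 3. Every IP address, hash and log line is constructed, not real infrastructure or malware.

```python
"""Match shared cyber threat indicators against local telemetry (added example)."""
import json
import re
from collections import defaultdict

# Constructed bundle: the addresses and hash are placeholders, not real indicators.
SHARED_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "id": "indicator--0001",
         "name": "Example: C2 address shared by a partner (constructed)",
         "pattern": "[ipv4-addr:value = '203.0.113.17']"},
        {"type": "indicator", "id": "indicator--0002",
         "name": "Example: wiper sample hash (constructed)",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0']"},
        {"type": "indicator", "id": "indicator--0003",
         "name": "Example: second C2 address (constructed)",
         "pattern": "[ipv4-addr:value = '198.51.100.8']"},
    ],
})

# Minimal parser for the subset "[<object>:<property> = '<value>']".
PATTERN_RE = re.compile(
    r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']+)'\]$")


def parse_indicators(bundle_json):
    """Return {'ip': {value: indicator_id}, 'sha256': {value: indicator_id}}."""
    table = {"ip": {}, "sha256": {}}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m:
            continue  # unsupported pattern syntax: skip rather than guess
        obj_type, prop, val = m.group("obj"), m.group("prop"), m.group("val")
        if obj_type == "ipv4-addr" and prop == "value":
            table["ip"][val] = obj["id"]
        elif obj_type == "file" and prop == "hashes.'SHA-256'":
            table["sha256"][val.lower()] = obj["id"]  # normalise case for lookups
    return table


# Constructed proxy log lines and file inventory standing in for local telemetry.
PROXY_LOG = """\
2014-11-21T10:02:11Z host=finance-pc07 dst=203.0.113.17 dport=443 bytes=5120
2014-11-21T10:02:15Z host=finance-pc07 dst=93.184.216.34 dport=443 bytes=880
2014-11-21T10:05:40Z host=legal-pc02 dst=198.51.100.8 dport=8080 bytes=120
2014-11-21T10:07:03Z host=hr-pc11 dst=203.0.113.17 dport=443 bytes=4096
2014-11-21T10:09:59Z host=hr-pc11 dst=93.184.216.34 dport=80 bytes=1500
"""
FILE_INVENTORY = [  # (host, SHA-256 of a file seen on that host), constructed
    ("finance-pc07",
     "0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0"),
    ("legal-pc02",
     "1111111111111111111111111111111111111111111111111111111111111111"),
]
LOG_RE = re.compile(r"host=(?P<host>\S+)\s+dst=(?P<dst>\S+)")


def match_telemetry(table, proxy_log, file_inventory):
    """Return one hit dict per log line or inventory entry that matches an indicator."""
    hits = []
    for line in proxy_log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ind = table["ip"].get(m.group("dst"))
        if ind:
            hits.append({"host": m.group("host"), "kind": "ip",
                         "value": m.group("dst"), "indicator": ind})
    for host, digest in file_inventory:
        ind = table["sha256"].get(digest.lower())
        if ind:
            hits.append({"host": host, "kind": "sha256",
                         "value": digest.lower(), "indicator": ind})
    return hits


def hits_by_division(hits):
    """Count hits per division, taken from the host-name prefix (e.g. 'finance')."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["host"].split("-", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    table = parse_indicators(SHARED_BUNDLE)
    hits = match_telemetry(table, PROXY_LOG, FILE_INVENTORY)
    for h in hits:
        print(f"{h['host']}: {h['kind']} {h['value']} matches {h['indicator']}")
    print("per division:", hits_by_division(hits))
```

The point the example makes about the essay’s argument is in the parser and the inventory: a shared indicator only helps if the receiving organisation already collects the telemetry it can be matched against (proxy logs, file hashes) and can normalise both sides to the same form. A partner can share the hash of a wiper sample, but a modified build of the same tool, as section 3.2 notes, would produce a different hash and pass this exact-match check unnoticed, which is why the essay treats sharing as one layer rather than a complete defence.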
4 Conclusion
In traditional industries, employees and top executives are less aware of the sophistication of cybersecurity threats. Losses from attacks can motivate them to upgrade and fix their ecosystem to fit the Internet era. Data show that the most targeted industry is retail, both physical stores and e-commerce operators, and payment systems are sometimes to blame. Out-of-date payment systems and retailing practices will be replaced. Even the use of the Social Security Number should be updated: not only to prove that you are exactly who you claim to be, but also to guarantee that no one else can use your credential. Figure 5 shows the classification patterns of recorded data breaches in this decade.
Figure 5. Count of incident classification patterns over time with confirmed data breaches [3]
The overstated Sony Pictures Entertainment data breach (the attack was an “unparalleled crime” that was “unprecedented in nature.” [15]) revealed not only vulnerabilities on the technical side, but also that the organization lacked the human resources needed to make sense of all the collected cyber threat information. To make full use of those human resources: first, companies must continuously educate end users; second, they must follow basic security precautions [16].
In my view, privacy is not crucial. Privacy became a concern in recent centuries, especially after the U.S. Census of 1870, when census questions were based on individuals instead of families, and the 1890 Census bred modern data manipulation technology (the punched-card tabulation machine). Technology brings us more interconnectivity, which brings us convenience and productivity. Too much attention to privacy may be counterproductive. On this basis, I agree that CISA and the Cyber Executive Order are nested in a broader defense network. I think cyber surveillance or monitoring can increase the level of difficulty for committing cyber attacks and indirectly increase the expense of their operations, which can result in a relatively decreased number of cyber attacks.
5 Further Study
I need to get a clear picture of the network of cyber-related Acts and Executive Orders, to find clues to their motivation and to sketch a blueprint of the cyber defense pattern.
I need to find more connections between the SPE breach and the Information Sharing Program.
Cooperate with my classmates to get a deeper understanding from other perspectives.
6 References
[1] S.754 - Cybersecurity Information Sharing Act of 2015, https://www.congress.gov/bill/114th-congress/senate-bill/754
[2] Executive Order -- Promoting Private Sector Cybersecurity Information Sharing https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari
[3] Verizon Enterprise Solutions, 2015 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2015/
[4] Verizon, State of the Market: The internet of Things 2015, http://www.verizonenterprise.com/state-of-the-market-internet-of-things/
[5] Felix Richter, Large-Scale Data Breaches Affect Millions of Users, The Statistics Portal, Aug. 19, 2015 http://www.statista.com/chart/2540/data-breaches/
[6] Department of Homeland Security, Enhanced Cybersecurity Services, http://www.dhs.gov/publication/enhanced-cybersecurity-services-documents
[7] F. Fransen et al., Cyber security information exchange to gain insight into the effects of cyber threats and incidents, Elektrotechnik & Informationstechnik (2015) 132/2.
[8] RT America, Advocates outraged as Senate passes CISA, strikes down pro-privacy amendments, Video published on Oct. 28, 2015 https://www.youtube.com/watch?v=dqim8E29HK8
[9] Brian Krebs, Cybersecurity Information (Over)Sharing Act? Oct. 27, 2015 http://krebsonsecurity.com/2015/10/cybersecurity-information-oversharing-act/#more-32656
[10] Sara Sorcher, Obama's info-sharing plan won't significantly reduce security breaches http://passcode.csmonitor.com/influencers-infosharing
[11] Jim Sciutto, OPM government data breach impacted 21.5 million, CNN Politics, Jul. 10, 2015 http://www.cnn.com/2015/07/09/politics/office-of-personnel-management-data-breach-20-million/
[12] FBI National Press Office, Update on Sony Investigation, Dec. 19, 2014 https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation
[13] Brian Krebs, The Case for N. Korea’s Role in Sony Hack, Dec. 23, 2014 http://krebsonsecurity.com/2014/12/the-case-for-n-koreas-role-in-sony-hack/comment-page-1/
[14] Nicole Arce, Sony was Warned of Impending Cyber Attack in Extortion Email, Reveal Leaked Messages from Inboxes of Top Executives, Tech Times, Dec. 9, 2014
[15] Joseph Steinberg, Massive Security Breach At Sony -- Here's What You Need To Know, Forbes.com, Dec. 11, 2014 http://www.forbes.com/sites/josephsteinberg/2014/12/11/massive-security-breach-at-sony-heres-what-you-need-to-know/
[16] Mark Jaycox, Congress Should Say No to "Cybersecurity" Information Sharing Bills, Electronic Frontier Foundation, Jan. 8, 2015 https://www.eff.org/deeplinks/2015/01/congress-should-say-no-cybersecurity-information-sharing-bills