
Obama to encourage companies to share cyber threat data - randomname2
http://www.reuters.com/article/2015/02/13/us-usa-cybersecurity-exclusive-idUSKBN0LG2GR20150213
======
justcommenting
It's worth mentioning the history of 'coordination' or 'bringing into line'
between the public sector and the private sector here, especially
Gleichschaltung [0].

I'm not trying to make a direct comparison, but the executive branch's "calls
for them to hand over more data" are fundamentally about totalitarian
surveillance and control. That may not be the goal, stated or otherwise, but
make no mistake: the effect is the same.

It's worth considering how we might feel if Russia or China were calling for
something like this.

[0] [https://en.wikipedia.org/wiki/Gleichschaltung](https://en.wikipedia.org/wiki/Gleichschaltung)
Edit: the quotation is from a poorly-titled BBC article.

~~~
ingler
Apropos, from your link:

"The best propaganda is that which, as it were, works invisibly, penetrates
the whole of life without the public having any knowledge of the
propagandistic initiative." -Goebbels

------
michaelbuckbee
Everything else in this thread so far seems really negative (with ample
justification) of even the idea of sharing this data.

But, personally I wish there was something like the CDC for this type of
"cyber" crime.

If there's a 1000% increase in CryptoLocker-like ransomware showing up, I
would actually like the FBI to investigate.

If DDoS extortion schemes are being systematically targeted against companies
big and small - that would seem to call for a government response.

At the very least if we just collectively knew more about all of the attacks
that were happening I feel as if responses could be improved.

If someone can DDoS Ford's website and demand $1000 to call off the deluge and
Ford pays it - this would seem to make all of us more vulnerable. If it had to
be reported maybe it would help.

------
randomname2
"Cybersecurity industry veterans said Obama's anticipated order would be only
a modest step in one of the president's major priorities - the defense of
companies from attacks like those on Sony and Anthem Inc.

Obama has proposed legislation to require more information-sharing and limit
any legal liability for companies that share too much. Only Congress can
provide the liability protection through legislation."

The bottom line is that all Obama is really doing is not only promoting data
sharing between the government and key private corporations, but effectively
indemnifying them for obtaining and processing such data.

"Businesses are unlikely to share a lot of timely and "actionable" cyber
intelligence without liability relief, said Mike Brown, a vice president with
the RSA security division of EMC Corp."

------
irq-1
> It is one step in a long effort to make companies as well as privacy and
> consumer advocates more comfortable with proposed legislation that would
> offer participating companies liability protection, the White House said.

Companies get protection and individuals get the CFAA; they want information
about attacks shared and information about vulnerabilities hidden. Almost
makes sense if you don't work in tech.

------
diminoten
Hey so I work for one of the orgs that uses cyber threat data to catch bad
guys, and I can help explain a bit about what "cyber threat data" actually is.

Obviously the caveat here is I'm speaking as an individual with experience and
not really as a rep for my company, but I see a lot of misinformation about
what kind of information "cyber threat data" actually is, so I'd like to help
clear the air a bit.

Also keep in mind I'm a developer, not a guy "in the field".

Edit:

Just for a little background, I can give you guys some examples of what this
"cyber threat data" actually looks like. My company came up with this format
called an "IOC", or "Indicator of Compromise" that can be fed into network and
endpoint detection tools to search for threats.

Here's the website: [http://openioc.org/](http://openioc.org/)

At the bottom are a few links to some examples, where you can see exactly what
"cyber threat data" is, in reality.

[http://openioc.org/iocs/c32ab7b5-49c8-40cc-8a12-ef5c3ba91311...](http://openioc.org/iocs/c32ab7b5-49c8-40cc-8a12-ef5c3ba91311.ioc)

[http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93...](http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc)

[http://openioc.org/iocs/ea3cab0c-72ad-40cc-abbf-90846fa4afec...](http://openioc.org/iocs/ea3cab0c-72ad-40cc-abbf-90846fa4afec.ioc)

[http://openioc.org/iocs/72669174-dd77-4a4e-82ed-99a96784f36e...](http://openioc.org/iocs/72669174-dd77-4a4e-82ed-99a96784f36e.ioc)

You've got FileExtension, FileFullPath, PID, EventLogItem, DriverItem, and so
on.

It's not like this information _can't_ be identifiable, as it's not
anonymized, but it's just plain unfair to say this is your email address,
social security number, browsing habits, or anything like that. This isn't
data about _you_.

~~~
unethical_ban
Why does there need to be secrecy and indemnity for corps sharing non-PII
data? Everything I've heard about these CISPA-esque sharing schemes is that the
gov wants to have corps share potentially unmasked data with the gov AND with
each other without risk of getting in trouble for privacy violations.

~~~
diminoten
Secrecy mostly because it's live intel -- these aren't your run of the mill
hackers, they'll adapt. If you publish your intel each month publicly, they'll
just make sure to run your intel against their latest malware and make sure
you can't detect them.

Indemnity I'm not fully versed on (I'm just a dev, and this is more of a law
area), but I get the idea that they want to be able to say, "Block these
domains, and watch out for these email addresses -- they're spear phishing
addresses" without getting in trouble for sharing those email addresses in the
first place.

After all, if we're hunting for hackers, and the hackers end up being users of
your website, do the hackers suddenly get immunity from being detected? If I
see "l33th4x0r12345" as a user on my system, and I know that user just tried a
bunch of XSS on my support staff, I'm going to want to let other groups know
that "l33th4x0r12345" is a bad actor.

~~~
unethical_ban
But this is already being done. Look at FS-ISAC - a private email list that
shares IOC and spam data between banks and financial institutions.

What needs to change in the law that isn't currently allowed?

~~~
diminoten
This is a valid question, and honestly I'm not sure.

Once you're asking this question though, you've gotten past the point I think
a lot of folks are hung up on, and that's the content of the intel.

I'd just like to get folks to a point where they're understanding that their
mother's maiden name isn't getting blasted through the cybersecurity world.

------
riskable
I don't know about you but if my personal data is going to be shared with the
government I want some guarantees:

* The data will never end up in some law enforcement database.

* The data will be destroyed in a timely fashion (say, after six months).

* Access to the data will be severely restricted. As in, to specific individuals -- not whole departments or entire organizations.

* The data will not be aggregated or conjoined with any other data they have about me. Ever.

* Any data collected in this way must never be allowed in a court of law.

* If the data is ever shared all personally-identifying information must be redacted or removed.

These things are much more important than limiting the liability of the
company that shares the data. Get your priorities straight!

~~~
shit_parade
Sure thing citizen, strong privacy regulations will be written into the secret
laws and looked over in secret by a secret judge appointed to a secret court,
we're the government elected in democratic fashion so you know you can trust
us.

~~~
notsrg
Yeah, this. I won't trust them with anything, ever.

------
FLUX-YOU
This article doesn't seem consistent to me. The title and first paragraphs
sound more like an order to create this organization to _facilitate_ the
sharing of data and to encourage companies to participate, but does not
_require_ companies to participate.

And then I read:

> The move comes as big Silicon Valley companies prove hesitant to fully
> support more mandated cybersecurity information sharing without reforms to
> government surveillance practices exposed by former National Security Agency
> contractor Edward Snowden.

Is this order a mandate or encouragement/facilitation to participate? Is he
going to withhold liability protection to companies who do not participate?

------
pasbesoin
I've spent years, decades in various such corporate environments, and I've
repeatedly had to push -- with very mixed success -- to have clear security
problems even acknowledged, much less addressed.

Ultimately, the success or failure in this has come down to the particular
individuals involved. While the person in the next chair, as solidly vested in
their career at the same institution, could _never_ essentially be brought to
real understanding and effective activity, much less pro-activity.

All this has left me with very little sympathy for the institutions involved.
Many of the current "problems" were known and addressable years ago -- decades
ago, in their fundamentals.

All that remains, for me, is the fear that as opposed to real, technical
solutions that also maintain diversity, we are going to substantially get
another "rubber hose" (and lead pipe) solution. Fear of the consequences.

And, deeply vested interests for whom there are no consequences.

Start looking for the next, hopefully truly distributed physical layer. Our
current layer is in the process of getting thoroughly owned by those with the
money and guns (cops and thugs).

P.S. Just to be clear, I'm not a "black hat" nor "dark net" kind of guy, in
terms of my interests and activities. I _am_ someone who has benefited
significantly from the diversity and open communities found on the Internet.
Things I fear are in the process of being throttled.

------
lawnchair_larry
CISPA, attempt 3.

------
randomname2
So basically this is the second coming of the Patriot Act.

------
shit_parade
And the US continues on its way to corporatism and corporate fascism.

[https://en.wikipedia.org/wiki/Corporatism#Fascist_corporatis...](https://en.wikipedia.org/wiki/Corporatism#Fascist_corporatism)

~~~
ingler
This is a good place for this, one of my favorite quotes from the century
before last:

"Next in importance to personal freedom is immunity from suspicions, and
jealous observation. Men may be without restraints upon their liberty: they
may pass to and fro at pleasure: but if their steps are tracked by spies and
informers, their words noted down for crimination, their associates watched as
conspirators, who shall say that they are free? Nothing is more revolting to
Englishmen than the espionage which forms part of the administrative system of
continental despotisms. It haunts men like an evil genius, chills their
gaiety, restrains their wit, casts a shadow over their friendships, and
blights their domestic hearth.

"The freedom of a country may be measured by its immunity from this baleful
agency. Rulers who distrust their own people, must govern in a spirit of
absolutism; and suspected subjects will be ever sensible of their bondage."

The Constitutional History of England, Vol. II (1863), p. 288 [0], by T. E. May

[0]
[http://archive.org/stream/constitutionalhi029622mbp#page/n31...](http://archive.org/stream/constitutionalhi029622mbp#page/n313/mode/2up)

~~~
cryoshon
This is a great quote, and really relevant to the issue at hand.

We're technically free to roam about and talk to whoever we want, but our
steps are tracked (obsessively) and our communications are kept on the record
(indefinitely).

By the logic of this quote, the US is not a free country. I tend to agree.

------
ingler
What a pantload. This order is about DHS "legally" having access to corporate
data instead of the usual method of tapping network pipes while also
protecting those corporations from lawsuits.

------
higherpurpose
What the current administration is doing is incredibly dangerous. It's
starting to conflate the espionage policy with the "cyber security" one, as if
they were one and the same thing.

Therefore it ends up asking companies for stuff like more access to people's
data and backdoors in encryption or in operating systems. Why? Because that's
what's needed for _espionage_, but _not_ if you are actually serious about
"cybersecurity". In fact, any cybersecurity policy should pretty much be the
_opposite_ of an espionage policy.

~~~
diminoten
What does this have to do with espionage at all? Where do you get this idea
that this is related to people's data at all?

I get the sense you don't know what cyber threat intelligence is, which is
fine, but I recommend learning a little bit more.

~~~
beauzero
Then why is this an issue?
[http://www.mcclatchydc.com/2015/02/11/256304/government-wond...](http://www.mcclatchydc.com/2015/02/11/256304/government-wonders-whats-in-your.html)

~~~
diminoten
That's completely unrelated to cyber threat intelligence, except in situations
like spear phishing, where the government (or anyone else trying to protect
against attacks) might want to know what domains the attempts originated from
or where the malicious links point back to.

Your linked article is completely irrelevant to this conversation. Why do you
think they're related? Because the government is involved in both, and both
have to do with the Internet?

You do realize the Internet is a big place, yes?

------
hangonhn
I just finished reading "Zero Day to Stuxnet" and I'm really wary of this. The
US government has groups that protect its citizens against cyberthreats and
also groups that exploit vulnerabilities. Those groups apparently communicate
with each other. If there is an ongoing operation that exploits a
vulnerability, some groups can veto its dissemination. How long would it be
before the exploitation group starts mining this kind of data to find a way to
attack an enemy? On top of that there is strong evidence that defense
contractors are selling these exploits to governments for use. What's to stop
data collected this way from being shared with those contractors?

