Practically speaking, what more could legislation and budget increases require of the US federal government to increase spending on defensive measures? Some ideas (without judgement on the pros and cons):
* Educate: produce more hardening guides and product-specific educational material more often for more products.
* Invest: run free or heavily subsidized training courses and conferences, provide sought-after internships, fund more academic research, fund open source project security improvements.
* Develop: produce new standards, produce new open source software products (previous examples: SELinux, Ghidra, etc) and encourage their uptake.
* Detect and advise (software developers): reverse engineer, fuzz, debug and find vulnerabilities in software products and advise developers immediately of any security issues discovered.
* Detect and advise (network end users): scan all US Internet Address ranges for not so much vulnerabilities, but bad practices or misconfigured and/or weakly configured services. For example, scan for and detect domains with an e-mail service that doesn't support DMARC, then send advisory notices to the operator educating them on the benefits of implementing better security for the service. For example, scan for and detect home security cameras that are exposed to the Internet with default passwords, then send advisory notices to the owner suggesting they secure their home security cameras.
* Increase domestic surveillance: tap international and domestic exchanges and/or require "metadata" to be recorded in bulk to allow an intrusion detection system to be created across the entire country, allowing better visibility and traceability of incidents back to their origin, and the ability to advise private companies of incidents at the earliest possibility.
* Increase international surveillance and offensive measures: more aggressively hunt down, monitor and disrupt international cyber crime groups.
I would argue most of the above with the exception of investment and some limited development and detection/advisory are unlikely to have much impact due to:
* Historical issues of Dual_EC_DRBG, NIST elliptic curve rigidity and other involvements with standards organisations and groups have all but burnt any bridges that used to exist. Standards organisations and implementers are highly dismissive of contributions from the NSA and NIST as neither organisation is trusted.
* Increased centralisation of Internet infrastructure into Amazon EC2, Microsoft Azure/Office 365/Teams, Google Cloud/Google Docs/Gmail/etc, etc allows attackers to easily launch an attack within the same data centre as the target. Vendors such as Amazon, Google and Microsoft are now solely in control of the ICT operations of massive segments of the US economy and end users just have to trust these vendors with much reduced ability to control and audit security of the service provided. As a result of increasing centralisation, there is little investment occurring in "on-premises" solutions including e-mail gateways, VoIP systems, document storage system, etc.
* Increased reliance on transport over Secure HTTP results in raw network traffic revealing less and less information on possible intrusion attempts (all traffic starts to just become TLS connections from A to B and it is much harder to ascertain from an outsider perspective whether that traffic is suspicious or not).
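The "detect and advise" idea above (find domains whose mail service lacks DMARC, then send the operator a notice) is easy to prototype on the assessment side. The script below is an added example, not the commenter's code: it parses DMARC TXT records and classifies each domain as missing, malformed, monitor-only, partial or enforced, producing the advisory text a notice could carry. The DNS answers are constructed sample data embedded inline; a real scanner would obtain them with a resolver library, which is assumed here and not shown.

```python
# Constructed sample answers for TXT lookups of _dmarc.<domain>.
# In a live scanner these would come from a DNS resolver (assumed, not shown).
SAMPLE_TXT = {
    "example-strict.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-strict.test"],
    "example-monitor.test": ["v=DMARC1; p=none; rua=mailto:reports@example-monitor.test"],
    "example-sub.test": ["v=DMARC1; p=quarantine; sp=none; pct=50"],
    "example-missing.test": [],                 # no _dmarc TXT record at all
    "example-broken.test": ["v=DMARC1 p=reject"],  # tags not separated by ';'
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # every tag must be name=value
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # RFC 7489 requires the record to open with v=DMARC1
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(domain, txt_records):
    """Classify a domain's DMARC posture and collect advisory notes for the operator."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    advisories = []
    result = {"domain": domain, "status": "enforced", "advisories": advisories}

    if not records:
        result["status"] = "malformed" if txt_records else "missing"
        advisories.append(f"publish a valid DMARC record at _dmarc.{domain}")
        return result
    if len(records) > 1:
        # Receivers treat multiple DMARC records as no policy at all
        result["status"] = "malformed"
        advisories.append("more than one DMARC record found; receivers apply none")
        return result

    rec = records[0]
    policy = rec.get("p", "").lower()
    if policy not in VALID_POLICIES:
        result["status"] = "malformed"
        advisories.append("p= tag missing or invalid")
        return result

    if policy == "none":
        result["status"] = "monitor-only"
        advisories.append("p=none: spoofed mail is still delivered; move to quarantine, then reject")
    elif policy == "quarantine":
        result["status"] = "partial"
        advisories.append("p=quarantine: move to p=reject once aggregate reports are clean")

    try:
        pct = int(rec.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        result["status"] = "partial"
        advisories.append(f"pct={pct}: policy applies to only {pct}% of failing mail")

    # sp= defaults to p=; an explicit sp=none leaves subdomains spoofable
    if policy != "none" and rec.get("sp", policy).lower() == "none":
        result["status"] = "partial"
        advisories.append("sp=none: subdomains are not covered by the policy")

    if "rua" not in rec:
        advisories.append("no rua= address: the operator receives no aggregate reports")
    return result


def scan(samples):
    """Assess every domain in the sample set; returns domain -> status."""
    return {d: assess_domain(d, txt)["status"] for d, txt in samples.items()}


if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT.items():
        r = assess_domain(domain, txt)
        print(f"{domain}: {r['status']}")
        for note in r["advisories"]:
            print(f"  - {note}")
```

The status field is what a notification pipeline would key on; "missing" and "monitor-only" are the cases the comment is really after, since those domains offer receivers nothing to enforce.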
I think the only issue would be maintainers too suspicious to accept patches from the NSA.
(Of course, a year or so pre-warning of this kind of law would be required to allow for companies to lock their data down.)
Compare this to a street crime: One might say that muggers would be deterred if it were illegal for their victims to cooperate; if you have to fight back instead of handing over your wallet. But, at what cost for the victims?
If we don’t think that companies are doing enough to protect their systems, then we should pass laws that require certain demonstrable standards at all times. We shouldn’t wait for them to become a victim before the law requires them to do anything. It’s too indirect and situationally unaware of a solution.
I think laws should be written so it’s easy to know when you’re in compliance, and easy to know when you’re not. “Don’t get hacked” is basically an impossible moving target, particularly for small organizations. “Follow these best practices” is a much more reasonable standard. And we already have government organizations that put together standards for this, all lawmakers need to do is cite them.
That's not to say it shouldn't also be made illegal or in some other way difficult to pay (they could, for example, ban cryptocurrency use for the purpose of paying ransoms, or whatever -- just tossing out ideas).
Banning ransoms alone isn't going to work. Companies already have liability for things like customer data breaches, and that hasn't eliminated them. We also need some sort of legal framework -- especially for large pieces of infrastructure -- for defining appropriate security procedures that must be followed. Also tie it to the ability to get government subsidies/grants etc. That's how it works in Higher Education: If colleges don't adhere to DoE regs, they simply can't accept financial aid money given to students by the government. It's actually something that's audited with fines levied on a regular basis. Few schools if any ever lose the ability to get aid, but that's because the regs are enforced and fines are high enough to hurt.
Really though I don't think you can stop this completely. We might say "every company can afford to get security right" etc., but they won't: Some will barely even try, others will simply be unlucky and out of 3,000 employees, one will slip up. The nature of this sort of attack is that on defense, you have to be 100% successful all of the time or you're done, and always having a perfect record is not a realistic expectation for all organizations.
The problem is that for the hackers, this is a low risk, inexpensive, high reward process. As much as security has to improve, so does that equation. If there was a physical attack that shut down the pipeline it would easily be labelled an act of terrorism, and these should be seen the same way, with the same level of resources used to go after anyone involved in these attacks.
The US Treasury Office of Foreign Assets Control specifically warns about the legal risk you take by paying a ransom here: https://home.treasury.gov/system/files/126/ofac_ransomware_a...
If you can't buy the coins, you can't pay the ransom.
But hey, I guess you could use cryptocurrency to pay the runners.
By removing that need, cryptocurrency makes ransomware scalable. And as Paul Graham and other Silicon Valley types have said a thousand times, scalability is the difference between a modest mom-and-pop operation and a rapidly growing enterprise.
In my mind, the catalyzing effect of a cryptocurrency in this context is from:
1. The ability to move something of value digitally
2. The thing of value being resistant to governmental control -- crypto can't be easily seized, but a US bank account can.
There may be other properties of cryptocurrency that make it useful for ransomware, but I doubt there aren't other vehicles that could be used -- though alternatives are likely less lucrative due to the overhead in laundering your ransomware payment into hard currency.
I have never heard of ransomware that predated cryptocurrency; could you share a link to an article?
What I'm getting at is we have a fundamentally broken legislative branch, and until that is fixed, nothing addressed via legislation will be uncorrupted by it.
fund foundational security and mandate its use by government agencies and suppliers
In reality, though, the Continental attack is likely to provoke a reaction as counterproductive as the reaction to 9/11 was.
Can you tell us what that means?
Much research was funded, and solutions were found long, long ago, to many of our current "problems".
Real security is extraordinarily expensive. Very rarely is that compatible with shareholder value.
On the other hand, I bet it's pretty fun working for the NSA: https://en.wikipedia.org/wiki/NOBUS
You could likely do this for any publicly traded company, but the qualifiers for what constitutes a bug would take some time to define.
I use Unix every day but rarely Windows so I sometimes don't remember it. Our industry self-congratulates on not using Windows like those untechnical normie companies or whatever, but then forgets that other than being FOSS (most of the time), Unix has all the same problems just to a lesser degree.
Maybe this is the transition plan we need; first ban Windows in prod for things important enough that government is going to take on the costs if something goes wrong.
Then, at some later point, ban Unix too for all the same reasons, just less magnitude.
We've known for now that proper capability-based security is both more safe and more productive (global state is just hard). We just need to put it into practice.
Linux fans really like to play up the "Windows is so insecure!" rhetoric, but it isn't really true. Linux and the common systems implemented on it, for instance, have had plenty of vulnerabilities. Windows gets an especially bad rap pretty much only because it is the most common Desktop OS, but Desktop Windows and Desktop Linux have the same giant gaping security problem: the human being using them.
> ... how pathetic it is that we limp along with bloated Unix and other accidents of history that were never retired.
So, why single out Unix? Is Unix more bloated than Windows? I doubt it. Is it more of an accident of history than Windows? No. Is it more in need of being retired than Windows? I think it would take someone with an axe to grind to say so.
And that's what my comment was about: Trying to expose that axe being ground.