Botnet Laws Urged; DHS Awareness Work Criticized
SAN FRANCISCO -- Security professionals attacked as misguided the Homeland Security Department's emphasis on increasing awareness to fight botnets. A senior FBI agent agreed on an RSA Conference panel late Tuesday that federal legislation is needed to battle botnets -- armies of thousands of zombie consumer or business PCs subverted for nefarious purposes ranging from spam and fraud to denial of service attacks and, in theory, terrorism. But the FBI official didn’t go as far as consultant and author Ira Winkler, who argued that the U.S. should ban from the Internet computer users who don’t take security precautions.
DHS efforts were talked up by Jordana Siegel, acting deputy director for outreach and awareness in the department’s National Cyber Security Division. October 2007 was “our most successful” cybersecurity month ever, with endorsements from the Canadian government as well as Congress, she said. Siegel also cited the March Cyber Storm II security exercise and Homeland Security’s cooperation with other governments to promote a “holistic” approach to cybersecurity.
But Winkler mocked the “awareness month,” likening the effort to recruiting people to show up at a fire “and spit on it.” No one knows if education stops botnets, he said, urging the government to outlaw leaving one’s computer open to misuse, much as it requires the wearing of vehicle seatbelts. “We need to hold users responsible,” he said: “Yes, blame the users at some point” if they endanger others. ISPs and backbone operators also should be legally accountable for not taking reasonable precautions, Winkler said. But “you're not going to get” legislation “until there’s a major disaster” -- which is unlikely from a botnet -- “or a congressman is personally affected,” he said.
“Banks are starting to talk about” botnets, a pattern that might drive passage of user responsibility laws the way auto insurers’ efforts drove adoption of seatbelt mandates, said Joe Telafici, operations vice president at McAfee’s Avert Labs. Siegel acknowledged that awareness efforts aren’t “the full answer” but said they educate policymakers and PC users.
The Computer Fraud and Abuse Act is all federal officials can bring to bear on botnets, and it has needed updating for years, FBI Supervisory Special Agent Matthew Fine said. He suggested changing the law’s $5,000 minimum financial loss threshold, which he called difficult to achieve. Fine, who works in Washington, D.C., said he’s encouraged that malicious hackers are getting harsher punishments, some being sentenced to four to five years in prison. “That’s a good thing,” he said. “It sends a message that the courts are not messing around with this.”
Whether DoJ’s “attempts to smoke the bot operators out” last year in Operations Bot Roast 1 and 2 made “a dent” in use of the technique “is for you to determine,” Fine said. The second roast improved on the first by sharing more information with businesses, he said. “I'm sorry to report that it did not make a dent in my work flow,” Telafici said. “The problem today is many orders of magnitude worse than it was last year or the year before that.” Botnets see use for a widening range of purposes, including click fraud and phishing, and are using technologies beyond the original Internet Relay Chat, including HTTP, instant messaging and peer to peer networks, where they are harder to detect, he said. Referring to a cybercrime organization, Winkler said “when they start putting the Russian Business Network in jail, I'll be impressed.”
The Internet’s open architecture and the domain name system’s liberality encourage use of botnets and “we have so few tools to deal with it,” Telafici said. Zombie networks are so easy to create and financially attractive that “telling the kids not to do it is bound to fail,” he said. “If we don’t fundamentally change how profitable this is,” people can’t be discouraged from using botnets for crime.
“It’s going to take a lot more than technology and education and law enforcement,” Telafici said. It will take consideration of the privacy costs of network monitoring and a fundamental change in how convenient the Internet is to use, he said. “We're going to have to learn to live with this at some level,” like armed robbery. -- Louis Trager
RSA Notebook…
Homeland Security’s top cybersecurity official said the U.S. had made “tremendous strides” since he took office in fall 2006, “which is not to say we don’t have much more to do.” Greg Garcia, assistant secretary for cyber security and communications, cited progress in “people, process and technology” in a brief presentation Wednesday at the RSA Conference in San Francisco. “We are going to momentum accelerate” toward cybersafety, he said. The Centers of Academic Excellence that the department and the National Security Agency sponsor added 12 colleges this school year, making 86 total in 34 states and the District of Columbia, he said. And 12 graduates involved in scholarship-for-service programs are joining Garcia’s National Cyber Security Division and US-CERT, he said. A Cross-Sector Cyber Security Working Group is following up on 17 government-business plans issued in May 2007 identifying vulnerabilities by industry, with commitments to minimize the risks, Garcia said. And his organization offers businesses and universities technological and educational tools and is working to reduce the number of points of entry into government networks and improve early-warning systems, as described Tuesday at the conference by Homeland Security Secretary Michael Chertoff (WID April 9 p1). Last month’s Cyber Storm II attack exercise proved “how critical vendors are” in crises, due to their knowledge of their products, Garcia said. He said it also showed the need to develop relationships between people in related entities and weave them into the work of security coordinating bodies like industry information sharing and analysis centers. An “after-action report” coming in late summer or early fall will detail lessons from the exercise and suggested improvements, Garcia said. Cyber Storm showed that despite better communication, “there were still some shortfalls” in speed and breadth, said Randy Vickers, deputy director of US-CERT.
It also raised questions about how to integrate cyberbulletins into national emergency alerts without “causing havoc,” he said. Cyber Storm showed that “public-private partnerships” are easy to talk about but “really hard to do in reality,” said Paul Nicholas, a senior security specialist at Microsoft. Cyber Storm demonstrated a need to add Internet security drills, he said. -- LT
----
This year may see Congress pass a few cybersecurity bills despite a short session and electoral distractions, the staff director of the House panel on the topic said Wednesday. And a commission is trying to pave the way for fast action by the next administration, said Jacob Olcott. He is cybersecurity subcommittee director of the House Homeland Security Committee. Cybercrime and breach notification bills don’t have a “very good chance of making it out of committee” this Congress, Olcott said at the RSA Conference in San Francisco. Other bills could make it through, he said, citing a Federal Information Security Management Act update and a measure coming this month from subcommittee Chairman James Langevin, D-R.I., on Department of Homeland Security information handling. The Commission on Cyber Security for the 44th Presidency is writing recommendations intended to let the next president “hit the ground running” in the cyber space, Olcott said. Langevin is one of the chairs of the group, which the Center for Strategic & International Studies set up. The others are Rep. Michael McCaul, R-Texas, a Microsoft executive and a retired Air Force general. April 2007 Homeland Security Committee hearings on vulnerabilities to “the digital insider” have had results, Olcott said. DHS officials are being held accountable and contract practices reformed so “the foxes are not guarding the hen houses.” Olcott predicted more controls on handling of information by electrical utilities, chemical makers and other “critical-infrastructure” industries. In the House, “everybody and nobody” is in charge of cybersecurity, Olcott told his audience of information security professionals.
His committee shares responsibility with those on government reform, intelligence, the armed services, commerce, the judiciary and others, he said, calling the mixed oversight “a good thing and a bad thing.” The subject is too big for one committee, but work lags if a panel lacks expertise, doesn’t deliver legislation or falls short on oversight, he said, not naming names. Industry people shouldn’t assume that members of Congress, even those directly involved in cybersecurity legislation, have any expertise, Olcott said. “Some of our members don’t even use computers,” he said, declining to identify any.