The cyber security recommendations of Blair and Huntsman’s report on Chinese IP theft
May 22, 2013
Instead of rehashing the Commission on the Theft of American Intellectual Property’s account of the billions in IP stolen by Chinese hackers every year — something you’ve read about ad nauseum — we’ll cut straight to the chase and give you its recommendations.
(The private commission — loosely affiliated with the National Bureau of Asian Research — was led by Dennis Blair, who served as President Barack Obama’s first director of national intelligence, and former Utah Governor Jon Huntsman, who served as U.S. ambassador to China from 2009 through 2011.)
Basically, it recommends that U.S. businesses invest in cyber defenses that allow them to monitor their networks in real-time, buy technology that could freeze someone’s computer if they access stolen documents with it. The commission stops short of recommending that private businesses hack back against cyber thieves but warns such actions may be necessary in the future.
Here are those suggestions in greater detail.
First up, it recommends corporations hire what amount to full-time IT security guards who patrol their networks — assisted by automated systems that scan for software behaving strangely, a telltale sign of malware — looking for intruders. This is pretty much the only way to deal with advanced hackers, who will find their way through any firewall or cyber Maginot Line.
Despite their limited utility against skilled and persistent targeted hackers, computer security systems still need to maintain not only the most up-to-date vulnerability-mitigation measures, such as firewalls, password-protection systems, and other passive measures. They should also install active systems that monitor activity on the network, detect anomalous behavior, and trigger intrusion alarms that initiate both network and physical actions immediately. This is a full-time effort.
Organizations need network operators "standing watch" who are prepared to take actions based on the indications provided by their systems, and who keep a "man in the loop" to ensure that machine responses cannot be manipulated. Organizations need to have systems-software, hardware, and staff-to take real-time action to shut down free movement around the house, lock inside doors, and immobilize attackers once the alarms indicate that an intrusion has started.
The report also recommends that companies purchase software capable of quickly analyzing email attachments and links to malicious websites to weed out well-crafted spear-phishing emails before a human is tricked into opening them.
Next, the report encourages businesses to tag their data, allowing them to be tracked if stolen — kind of like Find My iPhone for intellectual property — or even loading data with self-destruct devices or software that locks the computer of an unauthorized user.
"Companies should consider marking their electronic files through techniques such as ‘meta-tagging,’ ‘beaconing,’ and ‘watermarking’," reads the report. "Such tools allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event that they are stolen."
It goes on to say that a "file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved."
Significantly, the report does not recommend that companies hack back against their cyber adversaries, despite calls from some in the private sector who want to be allowed to do just that (yours truly has been in the room for plenty of conversations with private IT security types who have called for this). While it may be nice to punch back at a hacker and take down his or her networks or even computers, there’s a big potential for collateral damage, especially if the hackers are using hijacked computers belonging to innocent bystanders.
"The de facto sanctioning of corporate cyber retribution is not supported by established legal precedents and norms," states the report. "Part of the basis for this bias against ‘offensive cyber’ in the law includes the potential for collateral damage on the Internet. An action against a hacker designed to recover a stolen information file or to degrade or damage the computer system of a hacker might degrade or damage the computer or network systems of an innocent third party. The challenges are compounded if the hacker is in one country and the victim in another. For these reasons and others, the Commission does not recommend specific revised laws under present circumstances."
That last sentence echoes numerous U.S. government officials, including House Intelligence Committee Chair Rep. Mike Rogers, who warn against companies hitting back at their enemies in cyberspace.
Still, the document states that while it doesn’t recommend hacking back, U.S. law may need to be changed in the future to allow such actions if Chinese theft of American IP continues unabated.
The Commission considered three additional ideas for protecting the intellectual property of American companies that it does not recommend at this time. In the future, if the loss of IP continues at current levels, these measures ought to be considered.
Recommend that Congress and the administration authorize aggressive cyber actions against cyber IP thieves.
Currently, Internet attacks against hackers for purposes of self-defense are as illegal under U.S. law as the attacks by hackers themselves. As discussed in the cyber recommendations above, if counterattacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP theft. These attacks would raise the cost to IP thieves of their actions, potentially deterring them from undertaking theses activities in the first place.
The Commission is not ready to endorse this recommendation because of the larger questions of collateral damage caused by computer attacks, the dangers of misuse of legal hacking authorities, and the potential for nondestructive countermeasures such as beaconing, tagging, and self-destructing that are currently in development to stymie hackers without the potential for destructive collateral damage.
It goes on to urge lawmakers to clarify exactly what aggressive steps businesses can take to defend their intellectual property while defending against full-on cyber vigilantism. It also calls on Congress to pass legislation, such as the Cyber Information Security Protection Act, allowing businesses to rapidly share intelligence on cyber threats with each other and the government without fear of lawsuits. It also calls on the government to ensure that the Pentagon, the Department of Homeland Security, and other law enforcement agencies have the legal authority to use very aggressive cyber deterrence systems to protect national security and critical infrastructure networks from attack.
Here’s the whole report: