A clear framework for defending cyberspace will require some attitude adjustment by both government and the private sector.
At the recent Black Hat Federal IT security conference in Arlington, Va., former White House cybersecurity adviser Paul Kurtz called for a public discussion of what he called taboo subjects. If we are to have a comprehensive cybersecurity strategy, he said, we must begin thinking about how to effectively integrate the intelligence community and military services into the program.
A new war, somewhat akin to the Cold War, is simmering online, but the nation has yet to develop a strategic plan for using military and intelligence resources in defending its information infrastructure. This is not to say that the intelligence community is not gathering large amounts of information or that the Defense Department is not developing the capacity to defend itself, and retaliate, online. But intelligence data has not been integrated into the overall picture of what is going on online, and there are no protocols for determining what constitutes an act of cyber warfare and what the appropriate response would be, Kurtz said.
“We need to have a public discussion,” he said, on sharing intelligence with law enforcement and the private sector and on the use of military weapons in cyberspace.
At the same conference, some companies demonstrated tools that enable secure information sharing, using cryptographic techniques that allow data mining across multiple databases without compromising privacy. Andrew Lindell, chief cryptographer at Aladdin Knowledge Systems, showed how to ensure privacy on both sides of the search so that data is not unnecessarily exposed to the searcher and the searcher does not have to reveal what he is looking for.
“It’s a trivial solution,” possible with commercial technology, Lindell said.
Technology is the easy part of data sharing, however. The hard part is trust and attitude. For instance, it would be easy to set up a system to allow the Transportation Security Administration to search airline passenger lists blindly. In this scenario, TSA would see only the names of passengers who also appear on the No-Fly list without revealing the list's contents to the airlines. But it is more difficult to imagine TSA agreeing to a scheme that prevents it from going through the passenger lists as it pleases.
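The blind search described above can be built from a two-party private set intersection (PSI) protocol. The following is an added example, not code from the conference, from Aladdin Knowledge Systems or from TSA: it implements the classic Diffie-Hellman-style PSI (each party raises hashed entries to its own secret exponent; equal entries produce equal double-blinded values). The searcher holding the watch list learns only the names that also appear in the passenger list; the airline never sees the watch list, and the searcher cannot test any name it did not commit to in the first message. The 128-bit safe prime, the sample names and all function names are constructed for illustration only; a deployment would use a standardised group or an elliptic curve.

```python
"""Diffie-Hellman-style private set intersection (PSI): the "blind search"
from the article, with the searcher learning only the names on both lists.
Semi-honest model: both parties follow the protocol; only set sizes leak."""
import hashlib
import random
import secrets

# ---- toy group parameters (assumption: illustration only) ----------------
# We work in the prime-order subgroup of quadratic residues mod a safe prime
# P = 2*Q + 1.  A 128-bit P is searched for at import time so the example
# runs quickly offline; a deployment would use a standardised 2048-bit MODP
# group or an elliptic curve, not a parameter generated like this.

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin (fixed seed so the
    parameter search below is deterministic from run to run)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_safe_prime(bits: int) -> int:
    """Scan upward from a fixed odd q until both q and 2q+1 are prime."""
    q = (1 << (bits - 2)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = _find_safe_prime(128)
Q = (P - 1) // 2

def canonical(name: str) -> str:
    """Normalise a name so trivial spelling differences do not break matching."""
    return " ".join(name.upper().split())

def hash_to_group(item: str) -> int:
    """Map a canonical name to a quadratic residue mod P, i.e. into the
    order-Q subgroup, so exponentiation by a secret acts as a PRF under DDH."""
    h = int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % P
    if h in (0, 1, P - 1):      # skip degenerate elements (never hit in practice)
        h = 2
    return pow(h, 2, P)

class Party:
    """One side of the exchange: a list of entries and a secret exponent."""

    def __init__(self, items):
        self.items = [canonical(x) for x in items]
        self.secret = secrets.randbelow(Q - 1) + 1      # a or b in [1, Q-1]

    def blind(self):
        """Round 1, searcher -> holder: H(x)^a for every watch-list entry.
        Without a, these values reveal nothing about x."""
        return [pow(hash_to_group(x), self.secret, P) for x in self.items]

    def respond(self, their_blinded):
        """Round 2, holder -> searcher: raise the searcher's values to b
        (same order, so the searcher can map them back to its own entries)
        and send H(y)^b for every own entry, shuffled to hide positions."""
        doubled = [pow(v, self.secret, P) for v in their_blinded]
        mine = [pow(hash_to_group(y), self.secret, P) for y in self.items]
        random.SystemRandom().shuffle(mine)
        return doubled, mine

    def intersect(self, doubled, their_blinded):
        """Searcher: H(y)^(ba) equals H(x)^(ab) exactly when y == x.  Only
        entries committed to in round 1 can ever be tested against."""
        lookup = dict(zip(doubled, self.items))
        found = set()
        for v in their_blinded:
            w = pow(v, self.secret, P)
            if w in lookup:
                found.add(lookup[w])
        return sorted(found)

def run_psi(watchlist, passengers):
    """Full exchange; returns the names on both lists, as the searcher sees them."""
    searcher, holder = Party(watchlist), Party(passengers)
    blinded = searcher.blind()
    doubled, holder_blinded = holder.respond(blinded)
    return searcher.intersect(doubled, holder_blinded)

if __name__ == "__main__":
    # Constructed sample data, not real names or lists.
    print(run_psi(["Alice Smith", "Bob Jones", "Dan Brown"],
                  ["bob   jones", "Carol White", "DAN BROWN", "Eve Adams"]))
```

Two design points worth noting. The airline cannot run a dictionary attack on the values it receives, because computing H(x)^a for a guessed x requires the searcher's secret; symmetrically, the searcher can only check passengers against the entries it blinded in round 1, which is what makes the restriction in the article enforceable rather than a matter of policy. What still leaks is the size of each list, and a party that deviates from the protocol (the semi-honest assumption) is not covered by this construction.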
That is the shoal on which so many data-mining schemes have foundered: the inability to protect privacy. To share data in a meaningful way, agencies must be willing to accept reasonable restrictions on the data they receive, granting law enforcement, the private sector and individuals the privacy they have a right to expect. Both sides must be willing to give reasonable access to their information, so that other parties can make use of it.
If both sides are willing to accept restrictions and share data, they might be able to create the kind of visibility needed to effectively respond to cyber incidents. Until then, the possibility of inappropriate military retaliation — with either cyber or physical weapons — for a perceived cyberattack will make cyberspace and the real world much more dangerous than they need to be.