Cybersecurity and Cyberwar (online edition, page 35)

Authors: Peter W. Singer, Allan Friedman

The government can use its purchasing power, as well as its role as a convener, to bring both transparency and accountability to the supply chain. The overall policy idea is to set up a system, as our colleague at Brookings Darrell West suggests, of “developing agreed-upon standards, using independent evaluators, setting up systems for certification and accreditation, and having trusted delivery systems.” NIST has brought together government and industry stakeholders to develop supply-chain risk management best practices that can apply to both federal agencies and private enterprises. Specialized agencies like DARPA have begun to tackle more serious aspects of supply chain risk, such as verifying that the astoundingly complex integrated circuits that drive modern computers do not have malicious components baked in.

The government can also play an important role in better organizing around its power of research, where it is best positioned to tackle cybersecurity questions that individual firms might not be incentivized to explore on their own but all would benefit from, much like the Internet itself. Government-funded researchers, for example, have produced much of what we know today about the structure of cybercrime organizations and are active participants in industry groups such as the Anti-Phishing Working Group. The challenge again is how to better organize and disseminate this research. This is the essence of reframing the approach to reflect the model of public health, as we discussed earlier.

Given the patchwork of authorities, it is clear that more clarification and structure are needed in the government's efforts in cybersecurity, most of all to help it pick up its pace. A world where the best-case illustration of government organization is one that takes six months is clearly not ideal. But we also need to recognize that organization can only go so far without the right incentives and understanding underpinning it.

Shortly after he took office, President Obama called for “the development of a comprehensive approach to securing America's digital infrastructure.” It was a powerful vision. The problem was that this same goal had been set by every single new resident of the White House dating back to Bill Clinton in the 1990s and still remains unfulfilled. On the other hand, since the world of cybersecurity is not a unified one, why should we expect a single approach to solve all the problems that have emerged, or frankly even to be possible?

Approach It as a Public-Private Problem: How Do We Better Coordinate Defense?

For a few weeks, a single blogger was the savior of the Internet. But, as with all superheroes, he actually needed a little bit of help.

In 2008, Washington Post reporter Brian Krebs, who blogs at the Security Fix site, became curious about a single company that was poisoning the Internet and why everyone else was letting them get away with it. The company in question was McColo, a web hosting company physically based in California with a client list that, as Krebs wrote, “includes some of the most disreputable cyber-criminal gangs in business today.”

After spending four months gathering data on the company and its clients, Krebs then reached out to the large commercial ISPs that provided McColo with their bandwidth to reach the Internet. He presented them with the evidence that McColo was up to no good. Within hours he heard back from several, such as Benny Ng, director of marketing for Hurricane Electric, a major Internet provider for McColo. “We looked into it a bit, saw the size and scope of the problem you were reporting and said ‘Holy cow!’ Within the hour we had terminated all of our connections to them.” Following in Hurricane Electric's footsteps, most of the other major service providers cut off service to McColo over the next two days. McColo was an obvious case of bad action, and service providers wanted nothing to do with it. But then came something that not even Krebs had suspected. Spam levels around the entire world instantly dropped by almost 70 percent.

The McColo case is a good illustration of both how defending against the diffuse global threats of cyberspace requires a coordinated response and how incentives matter greatly. These firms acted promptly after Krebs contacted them because they worried about what hosting a known bad actor would do to their brand. But up to the point when Krebs planned to publicize McColo's actions to the world, they hadn't cared. The bad-acting firm was just another good client generating massive traffic (and thus good business).

Just as we saw with the worst threats in cyberspace, the best defenses against them rely on coordination. While Krebs had started out on his own, he depended on the network of companies that provided Internet service to act, who in turn depended on him to provide the information and intelligence they needed to act on. It's not enough for single actors or organizations to try to build higher walls or better malware detection on their own. Attackers adapt. Moreover, attackers exploit boundaries of control and responsibility, setting up a collective action problem.

By bringing together the necessary actors and information, Brian Krebs was able to spur effective action, leveraging cooperation against the right fulcrum. While cyberspace seems diffuse and decentralized—simultaneously one of the key advantages and insecurities of the Internet—there are often bottlenecks of control, choke points where the defenders can concentrate resources to gain an advantage. The dependence on large ISPs is one that helped shut down the McColo problem. In turn, payment systems offer another such natural advantage, especially when the malicious action is linked to crime.

The incentives for coordination are the key thing to pay attention to in solving almost any cybersecurity problem. In some areas, as when money changes hands, the incentives are straightforward. Major credit card networks, for instance, have a natural incentive to avoid interaction with any illegal activity, since it can introduce risks of fraud and disputed transactions that go beyond just regular concerns over brand protection. In 2002, the Visa credit card company set up a system to identify instances when its payment network was being used by questionable sites, such as those hosting child pornography. Visa began terminating its relationships with those sites while at the same time reporting illegal activities to government officials. Within twelve months, 80 percent of the websites they identified as child porn were either shut down or could no longer use Visa to process payments.

More illegal activity has thus shifted to alternate payment systems, many of which have been specifically set up to allow individuals to move money around more freely. Payment networks, like the popular PayPal or the now defunct Canada-based Alertpay, allow individuals who can't personally accept credit card payments to conduct commerce. While these firms' business model is built on offering their users ease and flexibility, they still do have an interest in avoiding bad actors that might damage their networks' reputation. For this reason, they often work with “acquiring banks” that process their customers' payments. PayPal has very strict rules and internal monitoring to detect whether its online payment system is used in nefarious schemes. Indeed, its methods of identifying and tracking down anomalous payments proved so effective that they were later adapted by the CIA and other US intelligence agencies via a firm called Palantir, which was founded by people who had first worked at PayPal. Alertpay, on the other hand, was repeatedly warned by its acquiring banks for dealing with online scams and child pornography sites before being shut down in 2011.

To evade the growing security and control of the payment networks, some bad actors turn to digital currencies. These are alternate currencies that can be traded just like other forms of money, provided that you can find someone in the online world to accept them. Examples range from Bitcoin to the Linden Dollar used in the online world Second Life. Proponents of these currencies often make the argument that they are more efficient ways to trade in a virtual world that doesn't have clear national boundaries. Especially compared to developing world currencies, they can be more stable than government-backed money, as well as offer the more than 2.5 billion people in the world who don't have access to traditional banks a way to connect and trade. The problem is that many other users rely on digital currencies to engage in criminal enterprise and launder money.

Here again, though, there are choke points. A key part of their system is the exchange, where users turn their digital bits into more widely accepted currency. Ever since Al Capone was arrested for tax fraud rather than murder and racketeering, law enforcement has used more mundane financial laws to go after criminals. When the FBI wanted to crack down on online gambling, it charged the largest website operators not with gambling offenses but with money laundering. With digital currencies, the exchange point operators that swap digital currencies for traditional currencies are where law enforcement has focused its efforts so far. While they may be dealing in online digital currencies, these operators still must engage with other financial institutions and have assets in the real world under jurisdictions with financial regulations. This exposure allowed American officials to charge the creators of the alternative currency e-gold with money laundering.

Defense doesn't just coordinate around natural choke points; it also coordinates around the natural and unnatural flows of traffic across the Internet, which matter even more for identifying malicious behavior.

Some malicious behavior is fairly simple to detect. In a distributed denial-of-service (DDoS) attack, the owner of the botnet directs each computer to launch a massive amount of traffic at the target. This traffic rarely looks like the regular patterns associated with browsing, streaming videos, and other consumer Internet uses. Because it is the pattern rather than the content that gives the attack away, the ISP can identify botnet behavior without compromising its customers' privacy. Alternatively, a botnet may use a customer computer as a web server to host anything from phishing websites to advertisements for the products that spam promotes. This creates more subtle but still detectable patterns. Once a user's machine has been identified, the ISP can take a range of actions, from blocking that particular stream of traffic to quarantining the entire machine from the Internet to prevent further malicious activity.
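The two ISP-side detections described above, worked through on flow metadata only (no payloads), as an added example that is not from the book: one heuristic flags a customer host whose outbound packets are both far above browsing volumes and concentrated on a single destination, the other flags a residential host that is answering web requests from many distinct strangers. The flow records, thresholds and the policy mapping findings to responses are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records (assumed for this example, not from the book):
# (customer_ip, remote_ip, remote_port, packets, direction)
# direction "out" = customer host sends to Internet, "in" = Internet sends to it.
SAMPLE_FLOWS = [
    # 10.0.0.5: ordinary browsing, modest traffic spread over several sites
    ("10.0.0.5", "203.0.113.10", 443, 150, "out"),
    ("10.0.0.5", "203.0.113.20", 443, 90, "out"),
    ("10.0.0.5", "203.0.113.30", 80, 40, "out"),
    # 10.0.0.7: flood, almost every packet aimed at one target
    ("10.0.0.7", "198.51.100.9", 80, 48000, "out"),
    ("10.0.0.7", "203.0.113.10", 443, 60, "out"),
    # 10.0.0.9: residential host answering web requests from many strangers
    ("10.0.0.9", "192.0.2.1", 80, 12, "in"),
    ("10.0.0.9", "192.0.2.2", 80, 9, "in"),
    ("10.0.0.9", "192.0.2.3", 80, 7, "in"),
    ("10.0.0.9", "192.0.2.4", 80, 11, "in"),
    ("10.0.0.9", "192.0.2.5", 80, 8, "in"),
]

DDOS_PKTS = 10_000      # outbound packets per window that look nothing like browsing (assumed)
DDOS_SHARE = 0.9        # fraction of those packets aimed at one destination (assumed)
HOSTING_CLIENTS = 5     # distinct remote IPs connecting inbound to a web port (assumed)


def classify(flows):
    """Return {customer_ip: finding} using only packet counts and endpoints."""
    out_total = defaultdict(int)
    out_by_dst = defaultdict(lambda: defaultdict(int))
    in_clients = defaultdict(set)
    for cust, remote, port, pkts, direction in flows:
        if direction == "out":
            out_total[cust] += pkts
            out_by_dst[cust][remote] += pkts
        elif direction == "in" and port in (80, 443):
            in_clients[cust].add(remote)
    findings = {}
    for cust, total in out_total.items():
        top = max(out_by_dst[cust].values())
        if total >= DDOS_PKTS and top / total >= DDOS_SHARE:
            findings[cust] = "ddos_source"
    for cust, clients in in_clients.items():
        if len(clients) >= HOSTING_CLIENTS:
            findings.setdefault(cust, "web_hosting")
    return findings


def recommend(finding):
    # Assumed policy spanning the book's range of responses: a flood source is
    # quarantined outright; unexpected hosting gets just that inbound stream blocked.
    return {"ddos_source": "quarantine_host", "web_hosting": "block_inbound_web"}.get(finding, "monitor")
```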

The incentives for ISPs to act in these instances are what must be cultivated. As Melissa Hathaway and John Savage note, “Precedents are emerging around the world for ISPs to shoulder more responsibility for the stewardship of the Internet.” In the United States, this has taken the form of an industry-developed Anti-Bot Code of Conduct. Announced in 2012, this code emphasizes education, detection, notification, and remediation. It is voluntary and will evolve but has the support of major American ISPs.

In this coordination, however, tension between law enforcement and threat abatement can warp these incentives. A bank may not care about criminal gangs as long as they are not targeting its customers' accounts. In this case the old joke holds true: they don't need to be able to outrun the bear, just to outrun the other guy. So their focus is mostly on avoiding or mitigating attacks. Law enforcement, on the other hand, is interested in catching the bear. This introduces intermediate goals that differ: capturing evidence and producing public records of the crime. Coordination falls apart when these goals impose a greater cost on the real or potential victim, whether it's preserving forensic evidence or generating bad publicity for its customers and shareholders.

Interestingly, this tension between the private sector and public interest neatly flips for attacks against critical infrastructure. Essential industries make the case that national defense is a public good, and therefore they should not have to bear the costs of defending against cyberattacks of a political nature, any more than they should have to provide their own antiaircraft guns to defend against an enemy's bomber planes. Meanwhile, the government has to worry that the public is dependent on infrastructure like power and water plants, where the owners see little incentive in paying real money to secure facilities against a risk that can't be stated at the bottom of a monthly business report. Several major American power companies have told Congress that they judge the certain loss of revenue from taking plants offline for just a few hours to upgrade their cyber systems to be greater than any unknown cyber risks, which they are not sure they face or would even be defeating.

These situations illustrate how problems are often bigger than any one actor can manage, or is incentivized to manage, on its own. Traditionally, we turn to governments or government-sponsored collaborations for this type of challenge. The government pushes collective action for what no one private actor can solve for itself.

The other path of coordination is via security standards, where the government plays a central role in helping the public and private sectors understand what they need to be doing to secure themselves. Specifically, it brings into the process expertise that lies outside the marketplace. Even if private firms and smaller organizations fully appreciate the need to secure themselves, there is not abundant, trusted information on how to do so. They must deal with various vendors that eagerly offer their own products as the silver bullet solutions. Instead, government can be a lynchpin in coordination by providing the basic standards.

This doesn't always have to be in the form of legal requirements, but can take shape through agenda setting. Building on its technical experience securing national defense networks, the NSA partnered with the private security training company SANS to develop critical security controls. They built a consortium of representatives from the defense and law enforcement communities, information security companies, and even representatives from the UK government's information assurance agencies. This public-private partnership developed a set of 20 critical controls, which were then vetted by the larger information security community. These collectively built controls, which lay out the need for such measures as inventories of authorized devices and software, and proper maintenance and analysis of audit logs, give any and every individual organization a set of clear security goals to follow. Government endorsement of these principles, from the statements by the NSA to the widespread implementation of these controls at other government agencies, has lent further weight to the spread of such best practices and coordination.
