Home/ Socialism and the End of the American Dream/ Group items tagged cyberthreat-reporting

Paul Merrell

Nuke option necessary in case of massive cyberwar, report concludes - Stripes - Indepen...

  • The United States should be prepared to use every military option, including nuclear retaliation, in response to a huge computer attack, an independent Department of Defense task force said. But the nation must determine whether its nuclear arsenal can withstand computer hackers, the Defense Science Board warns in a newly declassified report obtained by the Tribune-Review. In a full-scale cyber war, the board's experts say, the United States' weapons could be disabled or turned against its troops. "It would have to be extreme," Paul Kaminski, chair of the Science Board and a member of the President's Intelligence Advisory Board, said about the kind of attack that might trigger a nuclear response. "It would have to be the kind of attack that we would judge would be threatening our survival." The United States must assume that computer attacks will be part of conflicts, said the report from the task force made up of civilian experts with government advisers. Yet, the report said the country cannot be confident that its military's computer systems would still work under attack from a sophisticated adversary nation with a full range of military and intelligence options.
  • Some steps to increase computer defenses could be done "relatively inexpensively," said Brian Hughes, the Science Board's executive director. The report suggests the military segregate some weapons - such as 20 bombers out of a fleet of hundreds - from integrated computer networks. The planes would lose some capability but remain operational if a computer attack grounded the rest of the fleet. Other proposals include adding to the number of "cyber warriors," which Defense plans to do, and spending more time playing war games with launching and defending computer attacks. The military must be ready to launch potentially hundreds of simultaneous, synchronized computer attacks even as it defends against them.
  • So much for the Open Web. R.I.P.
Paul Merrell

Sloppy Cyber Threat Sharing Is Surveillance by Another Name | Just Security

  • Imagine you are the target of a phishing attack: Someone sends you an email attachment containing malware. Your email service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It’s the Department of Homeland Security (DHS), and they’re curious. The malware appears to be from Turkey. Why, DHS wants to know, might someone in Turkey be interested in attacking you? So, would your email company please share all your emails with the government? Knowing more about you, investigators might better understand the attack. Normally, your email provider wouldn’t be allowed to give this information over without your consent or a search warrant. But that could soon change. The Senate may soon make another attempt at passing the Cybersecurity Information Sharing Act, a bill that would waive privacy laws in the name of cybersecurity. In April, the US House of Representatives passed by strong majorities two similar “cyber threat” information sharing bills. These bills grant companies immunity for giving DHS information about network attacks, attackers, and online crimes.
  • Sharing information about security vulnerabilities is a good idea. Shared vulnerability data empowers other system operators to check and see if they, too, have been attacked, and also to guard against being similarly attacked in the future. I’ve spent most of my career fighting for researchers’ rights to share this kind of information against threats from companies that didn’t want their customers to know their products were flawed. But, these bills gut legal protections against government fishing expeditions exactly at a time when individuals and Internet companies need privacy laws to get stronger, not weaker. 
  • Worse, the bills aren’t needed. Private companies share threat data with each other, and even with the government, all the time. The threat data that security professionals use to protect networks from future attacks is a far more narrow category of information than those included in the bills being considered by Congress, and will only rarely contain private information. And none of the recent cyberattacks — not Sony, not Target, and not the devastating grab of sensitive background check interviews on government employees at the Office of Personnel Management — would have been mitigated by these bills.