As Homeland Security Steps Up Cybercrime Fight, Tech Industry Wary | KERA News

Feb 24, 2015
Originally published on February 24, 2015 10:40 am

The Department of Homeland Security has become the unlikely hero of the new White House campaign to stop cybercrime -- this, despite a history of mismanagement and the looming cutoff of its funding. To succeed, the big bureaucracy will have to inspire trust and compete against similar efforts by the tech industry.

Cybercrime is just too easy. Often, hackers don't have to be innovative. They can take an attack — copy and paste it.

"If they work fast enough, they can get these pieces of malware into an operation fairly quickly," says John South, chief security officer at Heartland Payment Systems.

His company fell prey to one of the biggest credit card hacks in history. "It was well north of — probably north of a hundred million."

The attackers used a piece of malicious software that had already hit others. That was in 2008.

Since then, financial companies have gotten better at alerting each other. But, for other industries and across these industries, the alert system is pretty bad, South says.

Homeland Security's Vision Statement

This big problem could be a big opportunity.

Imagine a place — a super-smart digital collection bin — where every company, every local and state government agency could submit a warning: We got hit by this line of code; don't let it happen to you.

The Department of Homeland Security is working to build just that.

"We have to do the one thing the adversary can't. And that is connect all the dots — from what the private sector sees, what we in government see, and put it together and make it available to every computer on the planet that needs to be protected," says Phyllis Schneck, deputy undersecretary for cybersecurity.

Just a handful of federal rules require sectors like banking and health care to report hacks, and most breaches go unreported.

Homeland Security is working on a new, automated system for public and private entities to use — a shared language to share threat information, like specific lines of malware, and the unique IP addresses of attacking computers.

"You picture two tin cans and a string. We just want everyone to have the same string and the same type of can," Schneck says.

It's a technical fix, from an agency not known for technical prowess.

A recent Senate report says that DHS "struggles with its own information security"; that it doesn't warn others about known threats "nearly as quickly" as private companies, like Google, do; and that it failed to patch Transportation Security Administration servers, leaving biometric data on 2 million Americans exposed.

Schneck says DHS is improving. "I think that DHS is still a very young organization, and every year I think we add new capabilities," she says.

A Political Solution

"The alternative to having DHS do the cybersecurity work is that a lot of user data is going to end up in the hands of a military intelligence agency," says Greg Nojeim, a privacy advocate with the Center for Democracy and Technology.

While the National Security Agency is more competent, Nojeim says, it also has a conflict of interest. When its teams discover holes in software, they don't always tell the software maker. Nojeim says they leave customers at risk of a criminal hacker, just so they can stockpile those holes and exploit them for espionage.

"DHS doesn't have that internal conflict of interest," he says.

A Counteroffer, From Facebook

The department also doesn't have buy-in from Silicon Valley — at least not yet.

And alternative data banks are popping up in unexpected places. For example, Facebook is starting a social network for corporate hacking victims.

At a recent tech insider conference in San Francisco, Facebook Chief Security Officer Joe Sullivan was on stage, recruiting several hundred people. He asked the question on many people's minds: "How do I do this sharing in a way that doesn't undermine the trust I'm building with the people who use my service?"

Facebook says it does not provide cyberattack data to Homeland Security and is not participating in the evolving federal initiative.

It has become a divisive development for tech companies implicated in aiding the NSA surveillance program PRISM. Google and Yahoo say they too are not collaborating with Homeland Security on new initiatives to pool data.

Meanwhile Microsoft, which says it currently shares information on security threats with the federal agency, declined to comment on whether it plans to participate in the new initiative. Apple did not provide details on its involvement with Homeland Security, though its CEO, Tim Cook, headlined a White House event to unveil the effort.

Sullivan describes the private sector effort that Facebook is leading as "something, hopefully without controversy, that just is 100 percent positive contribution."

The platform, called ThreatExchange, has its own Facebook page — which, so far, has several dozen likes and shares.

Homeland Security officials are traveling the country, talking to companies, trying to beat that.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

STEVE INSKEEP, HOST:

The Department of Homeland Security runs out of money at midnight on Friday. We've been tracking Republican efforts to use agency funding to get President Obama to change his immigration policies. The huge agency is, at the same time, expanding its portfolio to include cybersecurity. NPR's Aarti Shahani reports on the challenge.

AARTI SHAHANI, BYLINE: Cybercrime is just too easy. Often, hackers don't have to be innovative. They can take an attack, copy and paste it.

JOHN SOUTH: If they work fast enough, they can get these pieces of malware into an operation fairly quickly.

SHAHANI: John South is chief security officer at Heartland Payment Systems, which fell prey to one of the biggest credit card hacks in history.

SOUTH: It was well north of - probably north of 100 million.

SHAHANI: And it was an attack that had already hit others, meaning it was known - not new or novel. That was 2008. Since then, financial companies have gotten better at alerting each other, but other industries and across industries - the alert system is pretty bad.

SOUTH: I would say that's probably - sums it up fairly accurately.

SHAHANI: This big problem could be a big opportunity. Imagine a place - a super-smart digital collection bin, where every company, every local and state government agency, could submit a warning. We got hit by this line of code. Don't let it happen to you. The Department of Homeland Security is working to build just that.

PHYLLIS SCHNECK: That's what this is. This is the rock star center.

SHAHANI: Phyllis Schneck is a deputy undersecretary for cybersecurity.

SCHNECK: And we have to do the one thing the adversary can't. And that is connect all the dots, from what the private sector sees, what we in government see and put it together and make it available to every computer on the planet that needs to be protected.

SHAHANI: This is a vision statement - an aspiration. Just a handful of federal rules require sectors like banking and healthcare to report hacks. And most breaches go unreported. Homeland Security is working on a new automated system for public and private entities to use - a shared language to share threat information like specific lines of malware and the unique IP addresses of attacking computers.

SCHNECK: You picture two tin cans and a string - we just want everyone to have the same string and the same type of can.

SHAHANI: It's a technical fix from an agency not known for technical prowess. A recent Senate report says Homeland Security struggles with its own information security. It doesn't warn others about known threats nearly as quickly as private companies like Google do. It failed to patch TSA servers, leaving biometric data on 2 million Americans exposed. Schneck says they're improving.

SCHNECK: I think that DHS is still a very young organization, and every year, I think we add new capabilities.

SHAHANI: Greg Nojeim is a privacy advocate with the Center for Democracy and Technology.

NOJEIM: The alternative to having DHS do the cybersecurity work is that a lot of user data is going to end up in the hands of a military intelligence agency.

SHAHANI: While the National Security Agency is more competent, Nojeim says, it's also got a conflict of interest. When its teams discover holes in software, they don't always tell the software maker. Nojeim says they leave customers at risk of a criminal hacker just so they can stockpile those holes and exploit them for espionage.

NOJEIM: DHS doesn't have that internal conflict of interest.

SHAHANI: Homeland Security also doesn't have buy-in from Silicon Valley, at least not yet.

(SOUNDBITE OF ARCHIVED RECORDING)

JOE SULLIVAN: And so we decided to build what we now call Threat Exchange.

SHAHANI: Joe Sullivan is the chief security officer at Facebook.

(SOUNDBITE OF ARCHIVED RECORDING)

SULLIVAN: And we got it going pretty quickly.

SHAHANI: The company we turn to to friend and like and post is starting a social network for corporate hacking victims - yes, Facebook. Sullivan's onstage at a tech insider conference in San Francisco, recruiting a couple hundred people.

(SOUNDBITE OF ARCHIVED RECORDING)

SULLIVAN: How do I do the sharing in a way that doesn't undermine the trust I'm building with the people who use my service?

SHAHANI: Facebook says it does not provide cyberattack data to Homeland Security and is not participating in the evolving federal initiative. Instead, as Sullivan tells the audience...

(SOUNDBITE OF ARCHIVED RECORDING)

SULLIVAN: Means that we could launch something, hopefully without controversy, that just is a 100 percent positive contribution.

SHAHANI: The platform, called Threat Exchange, has its own Facebook page, which so far has several dozen likes and shares. Homeland Security officials are traveling the country, talking to companies, trying to beat that. Aarti Shahani, NPR News, Silicon Valley. Transcript provided by NPR, Copyright NPR.