It was another exciting week in cybersecurity. Last Friday, February the 13th, the White House and Silicon Valley leaders met at Stanford University for a discussion on cybersecurity and consumer protection. The meeting focused on measures that could be taken to improve information sharing between government and the private sector on cyber-threats. The meeting highlighted the ever-changing nature of the cybersecurity challenge and the ease with which criminals have leveraged the Internet for illicit profits.
As if to put an exclamation mark on the summit, Kaspersky released a report on the group it dubbed Carbanak. Kaspersky alleges that the cyberheist yielded over a billion dollars from more than a hundred banks in several dozen countries. Using social engineering techniques, the criminals were able to insert malware onto the networks of multiple banks. The malware allowed for remote monitoring of employees’ actions and computer activity. After monitoring the practices used by the banks, the criminals were able to inject fraudulent transactions and orders that mimicked the banks’ routine practices. The fraudulent transactions sent money to offshore accounts and front companies. The criminals limited their thefts from any particular bank to about a hundred million dollars to lessen the risk of detection and then moved on to other victims.
Circling back to the White House summit, President Obama signed a second executive order on cybersecurity issues. This order builds upon some of the lessons learned from the 2013 executive order on critical infrastructure protection. The new order calls upon the Secretary of the Department of Homeland Security to work with industry to establish Information Sharing and Analysis Organizations (ISAOs) to exchange cybersecurity threat and mitigation information between private sector organizations and the government. These voluntary organizations could be established along sectorial or geographic lines, as deemed most desirable by the participants. This model has previously been used by DHS in the homeland security arena with the critical infrastructure Information Sharing and Advisory Centers (ISACs), which were established along sectorial interests and date back to the Clinton Administration.
The need for an executive order once again highlights the lack of legislative action in this critical area. Critical liability and anti-trust concerns are not alleviated by the executive order. The ISAOs are only voluntary efforts. It will be important to watch the developments over the next few months as standards are being established. The challenge of protecting privacy was also highlighted in the policy section of the order:
“Such information sharing must be conducted in a manner that protects the privacy and civil liberties of individuals, that preserves business confidentiality, that safeguards the information being shared, and that protects the ability of the Government to detect, investigate, prevent, and respond to cyber threats to the public health and safety, national security, and economic security of the United States.”
Fundamentally, this is another important step. Let’s hope it is successful.