The document discusses options for addressing increasing cyber attacks, particularly against the US Federal government. It notes several existing information sharing programs between government and private sectors. While a new program called CISA is proposed, the document questions if another program is needed given existing overlap. Instead, it suggests prioritizing security over surveillance, responsibly disclosing vulnerabilities, enforcing two-factor authentication, limiting contractors, and allowing security research to strengthen defenses long-term through a strategic, systematic approach rather than an urgent "sprint".
What Should We Do about Cyber Attacks?
1. What should we do about cyber-attacks?
Eli Dourado
Research Fellow
Director, Technology Policy Program
2. The infosec landscape
• Era of mega-hacks
• Increasingly state-based attacks
• Espionage, not cyber-war
• U.S. Federal government particularly vulnerable
3. The OPM hack
• Began on May 7, 2014
• Exfiltration in July/August and December 2014
• 22 million current and former federal employees’ data compromised
• Discovered on April 15, 2015
• Massive, but not isolated
6. What should we do?
• Spend more?
• A cybersecurity sprint?
• An information sharing program?
• Something else?
9. Information sharing
• CISPA introduced in 2011
• Concern from civil libertarians
• CISA introduced last year
• Civil libertarians still concerned
• Would information sharing work?
10. Information sharing programs already exist
• DHS/IP National Infrastructure Coordinating Center (NICC)
• “Dedicated 24/7 coordination and information sharing operations center that maintains situational awareness of the nation’s critical infrastructure for the federal government.”
• http://www.dhs.gov/national-infrastructure-coordinating-center
11. Information sharing programs already exist
• DHS/CS&C National Cyber Security and Communications Integration Center (NCCIC)
• “Shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions.”
• http://www.dhs.gov/about-national-cybersecurity-communications-integration-center
12. Information sharing programs already exist
• DNI Cyber Threat Intelligence Integration Center (CTIIC)
• “Oversees the development and implementation of intelligence sharing capabilities…to enhance shared situational awareness of intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. national interests.”
• https://www.whitehouse.gov/the-press-office/2015/02/25/presidential-memorandum-establishment-cyber-threat-intelligence-integrat
14. Would CISA work?
• Do we need 21 information sharing programs instead of 20?
• Is CISA really about national information security?
15. What should we do instead?
• Prioritize security over SIGINT
• Responsibly disclose vulnerabilities
• Two-factor auth at all agencies with penalties for noncompliance
• Limit the use of private contractors
• Reform the CFAA to allow security research
• Reform the CFAA to allow active defense
• Support strong encryption
• Eliminate duplication
• Security audits of open source software
16. The bottom line
• We need federal humility
• A marathon, not a sprint
• A priority, not an afterthought
• There is no silver bullet