This image provided by the Twitter page of @fendifille shows a computer at Greater Preston CCG as Britain’s National Health Service is investigating “an issue with IT” Friday May 12, 2017. (@fendifille via AP)
In May, North Korea’s WannaCry virus encrypted hundreds of thousands of devices across the world, halting production at companies, slamming hospital infrastructure, and causing serious problems.
In a press conference Tuesday, Tom Bossert, the White House’s Homeland Security Advisor, and Assistant Secretary for Cybersecurity and Communications Jeanette Manfra officially attributed the attack to North Korea and called for increasing “collective defenses.”
It was a call for cooperation and action against a global antagonist. As Manfra put it, “a company can’t single-handedly defend itself against a nation-state attacker.” But the announcement also brought up a suite of issues for companies as they step into an increasingly murky cybersecurity landscape.
A U.S. company is not the U.S.
The White House officials made one thing clear: an attack on a U.S. company was not tantamount to an attack on the U.S. as a country. (In reverse, this does not apply, as many countries direct private citizens to carry out attacks at their behest.) But at the same time, Manfra said, “our adversaries are not distinguishing between public and private, so neither should we.”
This may sound like doublespeak, but it’s a good illustration of how complicated cyber-issues are today. “Cyber norms” are not in place yet. Cyber norms, according to Alex McGeorge, head of threat intelligence at cybersecurity firm Immunity Inc., are essentially a framework for what is acceptable and unacceptable behavior. (Akin to a regular norm like how corporate espionage is frowned upon generally, but state-run espionage is generally accepted as common practice.)
“Cyber norms are really interesting because how each country views them is very different,” said McGeorge. For example, the U.S. can’t make a private citizen hack on its behalf, but in China, he says, it’s common practice. “The establishment of cyber norms is the next great challenge of the next few decades.”
Figuring out what’s normal is just the first hurdle, however. Deciding how to respond is the next problem. According to Larry Johnson, CEO of CyberSponse and a former lead cyber investigator with the U.S. Secret Service and Treasury, criminal acts by states usually flow out of law enforcement and into State Department diplomacy.
For example, in the past, when North Korea was counterfeiting U.S. currency (“they were buying the same ink and paper because they could go to the suppliers as a nation-state,” said Johnson) — the case was closed and the State Department resolved the matter diplomatically, with North Korea making concessions.
Another option is to not interfere and collect intelligence. “You let the criminal activity go so you can gather intelligence,” said Johnson.
Are companies on their own? Sort of.
The U.S. government exploits gaps in companies’ security for intelligence collection. According to Bossert, only 10% of the vulnerabilities it finds are kept for intelligence gathering; the rest are given to companies so they can patch them and keep their customers’ data safe. (WannaCry was made from a leaked NSA tool, which itself came from the 10% of vulnerabilities the government uses.)
This 90/10 framework for ethical disclosure of bugs is another example of a contentious cyber norm, and it has been in debate since the ‘90s. “We have a lot of smart people and little headway,” said McGeorge. “It’s going to continue to be a murky issue but now with more people with less tech expertise [start getting involved].”
Besides continuing to turn over most of the vulnerabilities the government finds and notifying companies when they’ve been hacked, it’s not clear what the public-private cooperation will look like, even though Bossert and the DHS have promised to help.
Some companies might want help in terms of more aggressive action against North Korean hackers, but it’s also possible that it might be done with a heavy — and unwelcome — hand, though Bossert stressed the voluntary nature and robust privacy and liability protection.
What the help will look like and whether companies want the help may turn into a thorny issue. According to McGeorge, companies are asking themselves: “Is this going to entail DHS dispatching a team of nerds to my network?” If you’re Apple or Google, you might not want this. “Someone else might have a different opinion, though,” he said.
One reason you might not want to call the feds if you don’t have to, Johnson, the former Secret Service lead cyber investigator, told Yahoo Finance, is that a cyber incident might turn into a PR disaster.
“Once you call the government, all bets are off that you won’t be front page of [the Wall Street] Journal or the [Washington] Post saying you were hacked or breached because of lousy security,” said Johnson. “I think that’s a big part of it.”
For now, nothing is getting simpler.
“DHS isn’t telling companies that they’re on their own,” said McGeorge. “But how they will help hasn’t been fleshed out. And what are the laws to protect you from the government when the feds are helping?”
If there’s one silver lining, however, it’s that McGeorge views Bossert and Manfra as being very competent with a good understanding of the complexity of these issues.