Hacker News new | past | comments | ask | show | jobs | submit login
U.S. Senate to probe whether legislation needed to combat cyber attacks (reuters.com)
37 points by ArkanExplorer 10 days ago | hide | past | favorite | 61 comments

Legislation is required to reverse the posture of the NSA from offense to defense. Nothing else will help until that is done.

NSA’s posture has been both for at least twenty years. They have separate divisions and everything.

The issue of course is that their missions are out of alignment with respect to fixing vulnerabilities, and we've seen red team capabilities prioritised such that harm came to the vulnerable. Generally, defending an intentionally security-impaired infrastructure is going to be a lot of additional, probably costly work.

The US federal government have been spending 90% of their cyber security budgets on offense and only 10% on defense[1].

Practically speaking, what more could legislation and budget increases require of the US federal government to increase spending on defensive measures? Some ideas (without judgement on the pros and cons):

* Educate: produce more hardening guides and product-specific educational material more often for more products.

* Invest: run free or heavily subsidized training courses and conferences, provide sought-after internships, fund more academic research, fund open source project security improvements.

* Develop: produce new standards, produce new open source software products (previous examples: SELinux, Ghidra, etc) and encourage their uptake.

* Detect and advise (software developers): reverse engineer, fuzz, debug and find vulnerabilities in software products and advise developers immediately of any security issues discovered.

* Detect and advise (network end users): scan all US Internet Address ranges for not so much vulnerabilities, but bad practices or misconfigured and/or weakly configured services. For example, scan for and detect domains with an e-mail service that doesn't support DMARC, then send advisory notices to the operator educating them on the benefits of implementing better security for the service. For example, scan for and detect home security cameras that are exposed to the Internet with default passwords, then send advisory notices to the owner suggesting they secure their home security cameras.

* Increase domestic surveillance: tap international and domestic exchanges and/or require "metadata" to be recorded in bulk to allow an instruction detection system to be created across the entire country, allowing better visibility and traceability of incidents back to their origin, and the ability to advise private companies of incidents at the earliest possibility.

* Increase international surveillance and offensive measures: more aggressively hunt down, monitor and disrupt international cyber crime groups.

I would argue most of the above with the exception of investment and some limited development and detection/advisory are unlikely to have much impact due to:

* Historical issues of Dual_EC_DRBG[2], NIST elliptic curve rigidity[3] and other involvements with standards organisations and groups have all but burnt any bridges that used to exist. Standards organisations and implementers are highly dismissive of contributions from the NSA and NIST as neither organisation are trusted.

* Increased centralisation of Internet infrastructure into Amazon EC2, Microsoft Azure/Office 365/Teams, Google Cloud/Google Docs/Gmail/etc, etc allows attackers to easily launch an attack within the same data centre as the target. Vendors such as Amazon, Google and Microsoft are now solely in control of the ICT operations of massive segments of the US economy and end users just have to trust these vendors with much reduced ability to control and audit security of the service provided. As a result of increasing centralisation, there is little investment occurring in "on-premises" solutions including e-mail gateways, VoIP systems, document storage system, etc.

* Increased reliance on transport over Secure HTTP results in raw network traffic revealing less and less information on possible intrusion attempts (all traffic starts to just become TLS connections from A to B and it is much harder to ascertain from an outsider perspective whether that traffic is suspicious or not).

[1] https://www.reuters.com/article/us-usa-cyber-defense-idUSKBN...

[2] https://en.wikipedia.org/wiki/Dual_EC_DRBG

[3] https://safecurves.cr.yp.to/rigid.html

What would a defensive NSA look like? I picture them openly accessing all US networks claiming they were "boosting defense" rather than secretly infiltrating them.

The NSA has a lot of resources at their disposal. If they wanted to, they could be like a better version of Project Zero: https://googleprojectzero.blogspot.com/p/about-project-zero....

I think the only issue would be maintainers too suspicious to accept patches from the NSA.

Offense is much more appealing and also much simpler, unfortunately.

An unconventional approach could be to make it a severely penalized, strictly enforced, federal crime to pay ransom.

(Of course, a year or so pre-warning of this kind of law would be required to allow for companies to lock their data down.)

I don’t think criminalizing the victims recovery attempt is the best way to solve this.

Compare this to a street crime: One might say that muggers would be deterred if it were illegal for their victims to cooperate; if you have to fight back instead of handing over your wallet. But, at what cost for the victims?

If we don’t think that companies are doing enough to protect their systems, then we should pass laws that require certain demonstrable standards at all times. We shouldn’t wait for them to become a victim before the law requires them to do anything. It’s too indirect and situationally unaware of a solution.

I think laws should be written so it’s easy to know when you’re in compliance, and easy to know when you’re not. “Don’t get hacked” is basically an impossible moving target, particularly for small organizations. “Follow these best practices” is a much more reasonable standard. And we already have government organizations that put together standards for this, all lawmakers need to do is cite them.

Companies could just use intermediaries, transfer the money to somebody that transfers it to the hackers. They could even do it fairly openly: They're not paying "ransom", they're paying a "consultancy fee" for assistance in dealing with the issue.

That's not to say it shouldn't also be made illegal or in some other way difficult to pay (they could, for example, ban crypto currency use for the purpose of paying ransoms, or whatever-- just tossing out ideas)

Banning ransoms alone isn't going to work. Companies already have liability for things like customer data breaches, and that hasn't eliminated them. We also need some sort of legal framework-- especially for large pieces of infrastructure-- for defining appropriate security procedures that must be followed. Also tie it to the ability to get government subsidies/grants etc. That's how it works in Higher Education: If colleges don't adhere to to DoE regs, they simply can't accept financial aid money given to students by the government. It's actually something that's audited with fines levied on a regular basis. Few schools if any ever lose the ability to get aid, but that's because the regs are enforced and fines are high enough to hurt.

Really though I don't think you can stop this completely. We might say "every company can afford to get security right" etc., but they won't: Some will barely even try, others will simply be unlucky and out of 3,000 employees, one will slip up. The nature of this sort of attack is that on defense, you have to be 100% successful all of the time or you're done, and always having a perfect record is not a realistic expectation for all organizations.

The problem is that for the hackers, this is a low risk, inexpensive, high reward process. As much as security has to improve, so does that equation. If there was a physical attack that shutdown the pipeline it would easily be labelled an act of terrorism, and these should be seen the same way, with the same level of resources used to go after anyone involved in these attacks.

If the colonial pipeline hadn't paid the ransom there would be pandemonium on the east coast as people were forced to ration gas. I don't see how that helps. As long as computers exist they will be hacked. Spending more on security can help but can't stop it.

Colonial Pipeline ended up restoring data using their own backups anyway. They paid $5 million dollars for a decryption tool that was so slow that their own IT team was able to restore service sooner.


The article says they used backups to help restore the system. That tells me that the backups weren't fully up to date, and that the missing info was worth 5 million.

Isn’t it already extremely difficult to know whether you’re committing a felony by paying a ransom? You’re sending millions of dollars in bitcoins to an unidentified group of known felons; if they are (or are affiliated with) a group dedicated to the violent overthrow of a government, then congratulations, you’ve just provided material support to a terrorist organization.

The US Treasury Office of Foreign Assets Control specifically warns about the legal risk you take by paying a ransom here: https://home.treasury.gov/system/files/126/ofac_ransomware_a...

“The [US government] is the world’s biggest terrorist organization.” –Noam Chomsky

Source: https://youtube.com/watch?v=vRbnPA3fd5U

The same could be achieved by banning the formal exchange of cryptocurrencies in the USA.

If you can't buy the coins, you can't pay the ransom.

All you get at that point is the right people using it to prosecute the honest people.

I think it would just give CEOs who want to do the right thing (and not pay) legal cover to tell the board of directors "Nope, not paying — the company is going to be shut down for a month. Deal with it, I'm not going to jail."

What if it was more than a month? What if it was.. permanent?

Then they totally failed at continuity planning, backups... a whole lot of things.

And it would give CEOs who want to do the wrong thing an avenue to destroy competitors under the table.

You could always hire a bunch of shadowrunners to destroy your competitor's computer system, but I don't know what that has to do with ransomware.

But hey, I guess you could use cryptocurrency to pay the runners.

This has always been true... and always been illegal.

All that guarantees is ransomware attacks morph into existential threats. You're locked out of your data with no recourse.

Translating to plain language: bureocrats are evaluating the possibility to ban encryption and cryptocurrencies under the veil of combating cyber attacks.

I mean cryptocurrency is indeed what made ransomware possible.

I'd argue they make it less risky. Ransomeware has been around since the 90s, just not nearly as prevalent as it was harder to do without getting caught. They could easily instead demand somebody mail cash/money order to an abandoned address or mail forwarding service.

Not that "easily." Moving that much cash around requires a lot of manual effort and some skill at money laundering.

By removing that need, cryptocurrency makes ransomware scalable. And as Paul Graham and other Silicon Valley types have said a thousand times, scalability is the difference between a modest mom-and-pop operation and a rapidly growing enterprise.

You are correct in that handling that volume of physical cash is likely more difficult than I implied, though I don't think removal of cryptocurrency from the equation removes the ability to scale.

In my mind, the catalyzing effect of a cryptocurrency in this context is from:

1. The ability to move something of value digitally

2. The thing of value being resistant to governmental control--crypto can't be easily seized, but a US bank account can.

There may be other properties of crytocurrency that make it useful for ransomware, but I doubt there aren't other vehicles that could be used--though alternatives are likely less lucrative due to the overhead in laundering your ransomeware payment into hard currency.

Collecting a ransom in physical cash is extremely risky for criminals! Law enforcement knows where you are at a specific time.

I have never heard of ransomware that predated cryptocurrency; could you share a link to an article?

It's a fascinating topic! Wikipedia has a pretty detailed entry on the topic and reports the earliest known ransomware attack to be as early as 1989[1][2]!

1. https://en.wikipedia.org/wiki/Ransomware#History

2. https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)

Interesting! I am a bit struck by how low the early ransoms seemed to be (looks like they were around $200 or less) even when they gained access to anonymous remote payment methods in ~2005 (e.g. eGold and Liberty Reserve).

It’s also interesting that all of those early anonymous remote payment methods have been significantly altered specifically to nerf their utility for extortion and scamming.

Or just like those offshore scammers who have a million different avenues (like gift card numbers), or just a wire transfer to an offshore account.

To be frank, it was the invention of bridges that enabled most of the crime. Bridges and round wheels. Humans lived happily in harmony with nature before that.

Correction: bureaucrats plan to let K-street write some legislation they dont even read but vote for because rider number 57 is for donor number 5, while the staffers who do the actual work will quietly grease the wheels so they can go work on K-street and make 4 times as much a few years down the road.

What Im getting at is we have a fundamentally broken legislative branch, and until that is fixed, nothing addressed via legislation will be uncorrupted by it.

Maybe they can fund improving of standards and, for example audits of widely used open source projects. Also some give some protection for people who find vulnerable systems: legal threats should not be an acceptable response to reporting security issues. I understand that the government is interested in having security holes to exploit, but you need to choose. A program to fix municipal and state IT systems security should help too.

reverse the terrible ITAR legacy

fund foundational security and mandate its use by government agencies and suppliers

Agreed. I wrote about this last week: https://news.ycombinator.com/item?id=27389993

In reality, though, the Continental attack is likely to provoke a reaction as counterproductive as the reaction to 9/11 was.

> foundational security

Can you tell us what that means?

I suspect the Bell-LaPadula model would be part of it


Much research was funded, and solutions were found long, long ago, to many of our current "problems".

It's mind boggling that the government needs to require this. What bureaucrat is refusing some IT person from requesting the funds doing this?

Literally all of them. Security is a cost center, and non bureaucrats salaries are minimized as much as possible until you are left with "warm body to fill chair". Even the NSA doesn't pay well, compared to private sector.

The gap between the security and defense seems to be becoming smaller. If some of the defense budget was put towards cyber defense, I bet we could see some drastic improvements.

I'm wholly aware the private sector pays better, but in the grand scheme of pay/average citizen, they still make decent salaries. In that regard, why is upper management ignoring IT security at a base-line level of at least rotating backups? Like even that is pretty cheap and you can revert systems back within a day or two with a few days of lost work. Nobody is saying have a top tier security team.

I was on a temporary pentesting contract at a Fortune 500 company, and the reason for ignoring security came down to cost. Our contact in their IT department said that when they were trying to get the budget to fix their longstanding security issues, they were told that it's cheaper to accept occasionally getting hacked than it is to fix things. They said that public relations people at big companies had pushed the "the bad guys attacked us, it could have happened to anyone" narrative so well that besides a few day dip in stock prices, there would be no negative financial impact on the company. The average person thinks of getting hacked like being robbed at gunpoint, where it can happen to anyone through no fault of their own.

In terms of dollars and cents that makes complete sense.

Real security is extraordinarily expensive. Very rarely is that compatible with shareholder value.

> Even the NSA doesn't pay well, compared to private sector.

On the other hand, I bet it's pretty fun working for the NSA: https://en.wikipedia.org/wiki/NOBUS

From what little I’ve heard, the NSA is not different from other public sector work.

It's very hard to get raises or promotions on all the bad things that would have happened, had your actions not entirely prevented them. Much better to devote those resources to new initiatives or "transformations" or whatever, ideally ones that can be tied directly to higher revenue, while doing just enough about security that you can't be accused of being unusually lax if something goes wrong (and since all your peers are very lax, for the same reasons, this isn't much).

Mandatory bug bounty programs with a minimum 1k payout. Open to US residents and foreigners alike.

At what level of scale? Is this for all businesses, including my weekend startup? What qualifies for a bug?

You could likely do this for any publicly traded company, but the qualifiers for what constitutes a bug would take some time to define.

Implement a national wide zero-trust hierarchy?

I am always worried non-programmers don't sufficiently understand how pathetic it is that we limp along with bloated Unix and other accidents of history that were never retired. And this lassies-fair approach to cleanliness and reducing complexity both makes us more vulnerable and less productive.

Why single out Unix and not, you know, Windows?

No good reason :) Unix is older but yes Windows has all the complexity problems to a much worse degree.

I use Unix every day but rarely Windows so I sometimes don't remember it. Our industry self-congradulates on not using Windows like those untechnical normie companies or whatever, but then forgets that other than being FOSS (most of the time), Unix has all the same problems just to a lesser degree.

Maybe this is the transition plan we need; first ban Windows in prod for things important enough that government is going to take on the costs if something goes wrong.

Then, at some later point, ban Unix too for all the same reasons, just less magnitude.

And replace them with what?

seL4? Fuchsia? Something else new?

We've known for now that proper capability-based security is both more safe and more productive (global state is just hard). We just need to put it into practice.

Exactly -- Windows is the biggest vector for malware, by orders of magnitude.

Because most IT infrastructure is based on some form of Unix?

Linux fans really like to play up the "Windows is so insecure!" rhetoric, but it isn't really true. Linux and the common systems implemented on it, for instance, have had plenty of vulnerabilities. Windows gets an especially bad rap pretty much only because it is the most common Desktop OS, but Desktop Windows and Desktop Linux have the same giant gaping security problem: the human being using them.

Everything you say is true, but that wasn't my point. The OP said

> ... how pathetic it is that we limp along with bloated Unix and other accidents of history that were never retired.

So, why single out Unix? Is Unix more bloated than Windows? I doubt it. Is it more of an accident of history than Windows? No. Is it more in need of being retired than Windows? I think it would take someone with an axe to grind to say so.

And that's what my comment was about: Trying to expose that axe being ground.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact