Bridging the awareness gap: the need for better communications in the anti-malware space (Part 2)

This is the second half of a two-part blog post. For exposition, see “Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1).”

One person who read The New York Times’ first piece on Dr. Epstein’s battle with Google’s security warnings remarked on the Times’ follow-up piece that “The day is fast approaching (or may have already passed) when the problem surmounts any attempt to solve it…when the utility of the Net is overwhelmed by ubiquitous evil.” The despair is understandable, but I don’t believe in throwing in towels—and neither does StopBadware. Technology will continue to evolve on both sides of the malware battle, but the real hard part here isn’t technological—it’s creating a fundamental shift in social behavior. Thus, we come to the crux of the issue as I see it. To create awareness and effect behavioral change that mitigates the malware problem, better communication isn’t just desirable; it’s absolutely and undeniably essential.

So, what to do? A by-no-means-complete list of suggestions:

  • Better branding and clearer explanations on interstitial malware warnings. I take it for granted that malware warnings exist for a good reason and that highly experienced blacklist operators like Google have false positive rates so low they’re basically negligible. If I see a warning, I run the other way. I know at least three different places to look for warnings before I navigate to a site directly. I’m a product of my work environment (and, harkening back to yesterday’s whole “litigious society” bit, I’m liable for what I, as an employee of a security organization, expose my work computer to—and like many others employed by nonprofits, my work computer also happens to be my personal computer, so this liability is round-the-clock). That said, even I get confused by the various warnings. It’s inordinately difficult to figure out who’s issuing a warning, where to go for more information about the source of that company’s warnings, and perhaps most importantly, why a malware warning looks so little like anything else that particular company produces. When I explain to people who’s issuing various warnings, my explanations are frequently met with suspicion: “This doesn’t have the same colors or look like anything else (insert company) makes.” No kidding. If I were a webmaster unfamiliar with malware warnings and I encountered one of these ambiguous interstitial pages whilst navigating to my own site, I’d suspect foul play, too. Yes, claiming clear and decisive ownership of blacklists and/or malware warnings is unsavory; so was the need to maintain/issue them in the first place, but far-sighted companies like Google, Mozilla, and others did it for the good of their customers anyway. Anti-malware technology continues to evolve; malware warnings need to evolve, too.
  • Clearer differentiation between PC security and website security. When I explain to family and friends what I do, I’m perplexed when almost nobody understands the difference between protecting a website and safeguarding a computer. StopBadware employees see this lack of understanding frequently: owners of compromised sites don’t understand that their desktop anti-virus does nothing to protect (or detect malware on) their websites. Within the security community, the differentiation is often simply assumed. Clarification costs a measly extra sentence or two, if only we could program ourselves to consistently ask whether it might be beneficial.
  • Better information, in more places, more often. On a recent Partners Forum call, someone in our partner community had the inspired idea of coordinating a website security awareness day, on which participating security (or non-security) organizations would post on their blogs about the pervasiveness of site compromise and how to both prevent and deal with it. The security community can do a lot to bridge the understanding gap merely by talking about how and why site compromise occurs. That said, “teachable moment” information for webmasters might prove much more effective. For instance: highlighted “Security” sections of control panels and other site management applications; security tutorials for new customers who sign up for blogging platforms, web hosting, and other website services; clear, easy-to-understand information about malware websites on social media sites where users are frequently sharing links and creating trends.
  • Reiterate, reiterate, reiterate. Also, reiterate. We’re as guilty of this omission as anyone else. An occasional blog post or compelling mainstream media article on the unfortunate prevalence of hacked sites isn’t enough to make a real dent in the awareness problem. If those in the security space want to see a collective light bulb start to flicker, whether it hangs over the heads of webmasters or resellers or end users, then the most important strategy is repetition, pure and simple.
  • Man up, and own up. 2011 was widely hailed as the Year of the Data Breach. Smart companies caught on eventually that silence was anything but golden as PR strategies went; those who immediately acknowledged security breaches and provided quick support to customers were lauded as upstanding organizations who valued honesty and put the welfare of their customers above their own fear of losing face. Fair enough—so why should admitting to a site compromise be any different? Over the past year and a half, we’ve seen warnings issued about major university websites, the London Stock Exchange, the photography section of National Geographic, and even The New York Times website. This is definitively not a phenomenon limited to small-time websites with feckless owners who bask in their own ignorance. We encounter some brave people from time to time, and many of them are consumer webmasters; they acknowledge what happened, advise their visitors to heed the warnings until the problem is resolved, and then post their stories afterward. If every webmaster with a compromised site posted a short narrative about his or her experience—heck, if even a small fraction of them did—the amount of time spent explaining malware warnings and what they mean would probably be cut in half.

On that last point, it’s worthwhile to mention that high-traffic sites in particular have a golden opportunity to promote some real understanding after they’re compromised. Big-name sites that are warned about, however transiently, can make lemonade by turning their misfortunes into social change leadership. Can you imagine the results if high-traffic websites, like The New York Times or Comcast (whose corporate page was briefly blacklisted by Google last week), posted a short explanation and linked to information about website compromise after the fact? As StopBadware friend and BadwareBusters moderator Redleg says, “Your silence is a hacker’s best friend.” That goes for the big guys, too. Disclosure isn’t a strategy for survival in this case; it’s a strategy for transcendence.

In the security world, aphorisms to the effect of “You can’t secure the end user” (or, as it were, the consumer webmaster) are commonplace. As the sole non-techie in an office full of computer security fanatics, this frequent and largely impractical dichotomization of IT consumer vs. IT expert annoys me more than it does my colleagues. In the current climate, essentially everyone is at risk. Sites belonging to or run by the experts are as liable to be hit with a malvertising campaign or other compromise as a novice blog. At StopBadware, we consider webmasters to be an underserved constituency. Many of them are grappling in the dark when it comes to security, not because they’re inept but because website security is a space with so little consistent illumination. Expecting site owners like Dr. Epstein to know how to respond when suddenly faced with a malware warning is a bit like peering through a tiny peephole in a mile-long fence. What you can see is not all there is, but it can seem like it if you never knew there was another side of the fence to begin with.

In the wake of his ordeal, the single most courageous and far-reaching action Dr. Epstein could choose to take is to tell his visitors—or The New York Times—how he cleaned up his site and why his first instinct was to blame (and then sue) instead of to believe there was really a problem. A reasonable explanation of the factors that led him to believe he was being wronged by Google could go a long way toward illuminating which parts of the awareness problem need to be tackled first. From where I sit, his reaction wasn’t without logical foundation, even if the legal foundation was absent.


Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1)

Recently, The New York Times published a story chronicling a webmaster’s fight with Google over a security warning Google had issued about his website. The main character in this story, Dr. Robert Epstein, woke up one day to a slew of emails from Google informing him that his site had been compromised, and that Google had begun showing a warning page to users who attempted to visit the site. Dr. Epstein, like so many website owners before him, became enraged at Google, convinced that the company had blacklisted his site in error. Unlike most webmasters in his situation, Dr. Epstein “responded to Google’s e-mail, this time copying Larry Page, Google’s chief executive; David Drummond, Google’s legal counsel; Dr. Epstein’s congressman; and journalists from The New York Times, The Washington Post, Wired and Newsweek.” He maintained that his site was harmless, accused Google of incompetence, and demanded that the warning be removed. Google informed him that his site was still infected and, of course, refused to remove the warning.

At StopBadware, stories like this are familiar—particularly to me, the resident communications specialist. I spend the first hour of most mornings clearing out our contact email inbox, responding to webmasters just like Dr. Epstein—logical, irrational, and everything in between—whose sites have been compromised by badware and blacklisted by Google (or our other data providers). They get to us by clicking a “for more information” link in the warnings; this is how I end up with pages of emails threatening to sue StopBadware, threatening to sue Google, and/or desperate for help understanding what happened and how to fix it. As misguided as the threats are, I can sympathize; they are not entirely unreasonable responses, for reasons I’ll explain a bit later on.

A follow-up New York Times piece, titled “Readers and Experts Weigh In on a Site Owner vs. Google,” boiled commenters’ reactions down to two basic opinions on the issue: the first is that webmasters alone are responsible for the security of their sites; the second is that Google (and by extension other entities who own and operate blacklists) somehow “owes” its users help, or at least some two-way mechanism for dialogue, where blacklists are concerned.

For the record, we’ve always maintained that site owners are responsible for the security of their sites. And we’re squarely on the side of Google in this particular case: our executive director investigated Dr. Epstein’s site himself, as documented in the Times’ follow-up post. The site was compromised. Visitors who ignored the warning (and visitors are able to ignore warnings, whether they’re from Google, Firefox, or several other browser makers who use Google’s blacklist to warn users of potentially harmful sites) would have been automatically redirected to a malicious Indian site. Moreover, while Dr. Epstein’s site is no longer on Google’s Safe Browsing blacklist, Google diagnostics indicate that Dr. Epstein’s site functioned as an intermediary for the infection of several other sites—two of which are presumably still infected and remain on Google’s blacklist.* And one further point: Google is a private company, and the warnings they issue themselves are, I believe, native only to their products (Chrome, Google Search, etc.). Other browsers that issue warnings do so because their makers have decided independently that protective measures are desirable and necessary. This is a conclusion that has been reached time and again by disparate companies because malware became a widespread enough problem that it couldn’t be ignored.

Okay, so what’s the problem here? Dr. Epstein was wrong, Google was right, site owners are responsible for their own site security, end of story. Right? Not quite.

The problem is that Dr. Epstein, like the webmasters filling the contact inbox I empty every day, probably had no idea malware infection was something he even needed to prevent on his website. He might never have heard of a “harmful site” before a strange screen and a shower of emails informed him that he was operating one. That lack of awareness is more than just his problem; it’s a collective problem, whether you own a website or not.

In a wired, fluid, and (let us admit) highly litigious society, the assumption of responsibility is a tricky and often risky thing. Individuals and organizations can register and set up a blog or website in a matter of minutes, and rarely in those minutes does anyone or anything freeze the process and give those unsuspecting people a lecture about website security. When end users visit a compromised site, malware frequently installs instantaneously and with few (if any) visible signs; in most cases, site owners certainly don’t want their visitors put at risk, but we’re visual creatures, and it’s hard to believe in the legitimacy of something we can’t see and whose damage we can’t accurately assess. And finally, there’s a pervasive stigma around assuming responsibility for website hacks, even after infections have already been verified and addressed. Denial upon notification, silence upon resolution: this, it seems, is the norm.

Over the past year and change, I’ve populated a list of ways communications can improve in the anti-malware space and, in doing so, reduce the awareness gap that poses such a problem. Tomorrow, part two of this article will enumerate some key ways industry and the public sector (for starters) can evolve their communications approaches.

*At time of writing


State of the Net 2012: It’s SOPA, But Not Just SOPA

It was my privilege to spend Tuesday in Washington, DC for the Congressional Internet Caucus Advisory Committee’s State of the Net Conference 2012, which definitely reflected the degree to which PROTECT-IP and SOPA loom large over the American Internet policy landscape, and to which many policy-shapers from across the political spectrum have woken up to how critical sound Net policy really is. There was a lot to love: the debates were full-throated, civil, and constructive; both panelists and attendees were clearly engaged and happy to be there; and if Paul Brigner of the MPAA is to be believed, the superlaser on the SOPA Death Star, pointed squarely at the integrity of the global DNS, is going offline as soon as the bill hits the Senate floor.

There was also a surprising and very welcome amount of attention paid to section 230 of the Communications Decency Act. StopBadware has spilled some ink in the past over the degree to which the CDA at once protects Net infrastructure intermediaries in a valuable way and, as drafted, does much to discourage self-policing when dealing with malware reports. In particular, Brian Cute (late of ICANN and now head honcho of Public Interest Registry, the stewards of .org) and John Morris (late of the StopBadware board and now at NTIA, the legal stewards of the root zone) spoke eloquently of the urgent need for infrastructure stakeholders to take good netizenship seriously, notwithstanding the current statutory status quo. For StopBadware, there was a lot to love.

My one big wish coming out of the conference, though, is that policymakers display somewhat more willingness to reframe the debates around SOPA, DNSSEC, CDA 230 (and various other wonky acronyms) in terms of service abuse. The problem that undergirds “rogue sites” (a term I have never heard used more times than in the opening plenary), whether they be fake pharmaceuticals, malware distribution, or “dedication to copyright infringement” (whatever that really means) is one of accountability. I believe, unreservedly, that when domain names or hardware under US jurisdiction is used to abuse the laws of the United States, the legal personality responsible for that abuse, or part of the problem, should be held to account in an Article III court. We need the real deal, with every due process protection imaginable, and with hefty, easily collectible default penalties if they ignore the court. In my view, holding intermediaries like domain name registrars, web hosting providers, and other infrastructure operators responsible for obfuscating or evading this bedrock principle of Western law is an important element of achieving this state of affairs. SOPA’s liberal construction of U.S. jurisdiction is, in this very limited sense, the right idea. It’s also important to maintain an accurate and universal directory of domain name owners and IP address lessees, with protections for owner anonymity but the ability to pierce its veil for good cause shown. (No more paper airplanes, please! We believe in anonymity too!)

So why doesn’t SOPA, or whatever alternative DC policymakers are considering, address the issue of domain name accountability head on? Why has Congress not laid out a statutory structure to govern disputes over Internet “land” when disputes over real property are some of the best understood legal frameworks anywhere? The solution could be deceptively simple. (As I’ll explain in a subsequent post, we’ve had the tools to fix this since the heyday of Anglo-Norman law.) Not that government intervention is necessarily required – yet.

This is where my question to Dr. Crocker, the chairman of ICANN, about WHOIS comes into play (as tweeted here). ICANN has the (bureaucratic and necessarily glacially-paced) tools to fix the accountability problem, as their own WHOIS Review Team has elegantly pointed out. But WHOIS records continue to list fake addresses or junk data, many registrars can’t be bothered to do anything about it (since they’re effectively on the take), and ICANN itself seems insufficiently motivated to use the tools at its disposal to force the issue. I hope to attend ICANN’s next public meeting in Toronto in October to observe and, if so permitted, to make the case for real WHOIS reform.

All told, however, it is an unambiguously positive development that the US government has made cybersecurity a legislative and executive priority, and StopBadware very much looks forward to working with everyone at the policy table to secure a safer Internet in 2012.


StopBadware welcomes SiteLock as first new partner of 2012

2012 is well underway, and we’re kicking it off with another new partner: We extend the warmest of welcomes to SiteLock LLC, a leading provider of website security and website malware scanning services, and a company with whom we’re very excited to continue working. SiteLock will be joining the StopBadware Partner community as a Sponsoring Partner.

As many of you know, one of our core programs here at StopBadware is our independent review process, whereby website owners whose sites have been blacklisted by our data providers can request a review from us. Our team manually tests blacklisted sites, checking for false positives and other mistakes. This process promotes fairness and transparency for both blacklist operators and the webmasters whose sites are affected, and it’s extremely important to us to maintain the quality of our reviews. The website testing process for independent reviews is necessarily rigorous and time-consuming; happily, as part of the new partnership, SiteLock is providing StopBadware with highly customized malware scanning technology that will help us more quickly and accurately detect malware and streamline our independent reviews. This is great news for us, for our data providers, and for website owners.

We’ll doubtless work together in many different ways over the coming months, and we can’t wait to let you all know how we’re combining forces to make the Internet safer. Welcome, SiteLock!

SiteLock has a press release about the new partnership available at http://www.prweb.com/releases/malware/scanning/prweb9112336.htm


New blog platform

Thanks to the work of our determined developer, Matt, and our talented technologist, Isaac, our blog migrated today to a new server and new blogging platform. As a result, our RSS feed may repeat a bunch of recent items. Sorry for the inconvenience, and please let us know if you encounter any other problems!


2011 Staff Reflections: Tech Policy Wish List

2011 saw the U.S. Congress finally begin the task of explicitly addressing cybersecurity (as a general matter) through legislation, rather than foisting the responsibility on executive agencies like the FCC with few explicit statutory mandates. Regrettably, the two signature pieces of cybersecurity legislation currently before Congress, PROTECT-IP/SOPA and the Cybersecurity Information Sharing and Protection Act (CISPA), are fatally flawed. The former conflates the concerns of intellectual property rightsholders with unquestionable cybersecurity threats such as malware distribution; the latter provides virtually no guidance on the controversial question of what information should be considered cybersecurity information, and does little to promote data sharing within the broader cybersecurity community. 2011 also saw ICANN’s WHOIS policy review team produce what is sure to be a foundational document addressing the growing problem of establishing accountability for domain name holders and the registrars who serve them. My wish list for 2012:

  • Congress should revisit PROTECT-IP and CISPA with an eye towards addressing the problem of badware websites, and creating civil causes of action that allow motivated cybersecurity researchers to seek the suspension or revocation of domain names being used for malicious purposes.
  • The FCC should use its statutory authority to promote greater data sharing among firms with cybersecurity data and an interest in maintaining the integrity of their networks, and should consider imposing sanctions on ISPs and hosting providers who act with reckless disregard for the health and safety of their networks.
  • The Department of Commerce, as the legal guardian of the global DNS, should strongly encourage ICANN to adopt the recommendations of the WHOIS policy review team and act with all deliberate speed to improve the accuracy of the WHOIS system and the accountability of those who disregard it.

In cybersecurity practice, 2011 also saw a number of high-profile botnet takedowns: Rustock in March, Coreflood in April, and DNSChanger in November, among others. The FBI has successfully modeled a public-private partnership that places the government in the driver’s seat, draws on private sector expertise, and submits disputes about the legality of malware distribution to the appropriate judicial authorities. This is cause for celebration and substantial hope. In 2012, I hope that other companies well placed to assist the DoJ and FBI will go out of their way to do so, following Microsoft’s lead.


StopBadware’s 2011 Checklist

Last year, we posted a checklist of key accomplishments in our first year as a standalone organization. Our 2010 checklist included a lot of numbers—like the millions of users and webmasters who learned about badware via our educational pages or read our Tips for Cleaning & Securing Your Website—and while those numbers are still important to us, 2011 has been much more about engaging collaboratively with the security ecosystem to define new ways of thinking about the badware problem—and its solutions.

StopBadware’s 2011 Checklist

  • By the numbers: Nearly 5 million people searching for information on preventing, identifying, and getting rid of badware found that information on our website. Those millions of people came from 211 countries and territories and spoke 204 different languages. Over 900 webmasters on our community forum, BadwareBusters.org, asked for and received help getting rid of bad code that had compromised their websites. Our blog flourished, and our social media following grew by an average of 55%. And if that weren’t enough, we also processed over 16,000 independent review requests from webmasters whose sites ended up on our data providers’ blacklists.
  • We gained eight new partner companies this year, and all of them are fantastic, responsible, forward-thinking organizations dedicated to making the Web more open and secure: thanks for the great year, Verizon, Qualys, SoftLayer, Sophos, and Tucows! The other three we can’t tell you about yet (though you’re welcome to guess!), but look for announcements very soon. We also completely revamped our Partner Program so as to better engage and recognize our Partners. Have a look.
  • We published our inaugural State of Badware report, which analyzed badware trends, identified systemic weaknesses in the security ecosystem, and discussed key ways industry and policymakers could evolve to make the Internet more resilient to badware. It also leapt tall buildings in a single bound.
  • With advice from our cross-industry working groups, we developed and released two sets of industry best practices. Yep, count ’em. Two: Best Practices for Web Hosting Providers: Responding to Badware Reports, and Best Practices for Reporting Badware URLs. These best practices were a big first step for us in creating a collaborative, realistic industry standard that helps both reporters and report recipients streamline the badware reporting process, from detection to cleanup.
  • We commissioned a legal white paper on web hosting provider liability for malicious content from Harvard’s Berkman Center for Internet & Society; this helps allay hosting provider concerns about taking good faith steps to address badware on their networks.
  • We launched the We Stop Badware™ Web Host program to recognize web hosting providers who are committed to security and to drive adoption of our web hosting best practices among the responsible hosts of the world. The program now has 28 participating providers from 13 countries across five continents. It’s a big step, both for us and for the hosting industry.
  • We started a pilot reporting project, in which we reported URLs from our community feed in accordance with our Best Practices for Reporting Badware URLs. A research publication on the statistical results of this project will be forthcoming in 2012, but even preliminary results indicated that our initial foray into reporting was yielding a positive outcome.
  • We made appearances! Our executive director graced multiple panels and conferences with his badware-busting wisdom, a few of us rocked out and raised badware-awareness (badwareness?!) at HostingCon in San Diego, and we hosted our first-ever dinner in the Bay Area to get an in-depth discussion going on the badware threat and what industry players can do to combat it.
  • We got an award! Thanks to the ever-obliging Online Trust Alliance for bestowing us with the Online Trust Leadership Award for excellence in collaboration. We’re digitally blushing.

We also physically moved this year: we left our beloved shared office in Harvard Square and hustled on over to the Cambridge Innovation Center, where espresso flows freely and start-ups of all stages huddle in iPad-controlled conference rooms. Staff Technologist Isaac regularly abuses snack privileges and our raconteur Caitlin still can’t figure out how to use the office phones, but we have an office of our very own and two white boards on which we’ve already reinvented the Follow Friday Twitter hashtag. It’s from here that we’ll continue to build StopBadware and expand our badware karate chopping capabilities; with our amazing StopBadware Partners, hard working staff and intern, and lofty Board of Directors, the future is looking bright! 2011 has clearly been a big year for us (yeah yeah, we know—we said that last year, too). We’re feeling like 2012 will be even better.

We’re entering the New Year with our strongest group of StopBadware Partners yet. There’s still much to be done; if you’re interested in joining the discussion and the action in our partner community, let us know. We also welcome individual donations to help us continue and expand our existing programs.


Come work for StopBadware!

StopBadware has an opening for an experienced software developer with Ruby on Rails and MySQL expertise!

See the full job description here, and please share it with anyone you know in the Boston/Cambridge area that might be interested!


A Nightmare Before Christmas

‘Twas the night before Christmas, when all thro’ the house
Not a sound could be heard, ’cept the click of a mouse;
The browser was open to Facebook, where else?
As friends posted updates about kittens and elves;

The children were nestled all snug in their beds,
While visions of smartphones danc’d in their heads,
And my wife at her laptop, and I at my desk,
Had just settled our brains for a much needed rest—
When out of my speakers there arose such a clatter,
I suspended a chat to see what was the matter.

To a shiny new window I shifted my gaze,
But then it was gone, leaving me in a daze.
The glare of the screen and the whir of the drive,
Made me think I was safe, and my PC alive;

When, what to my wondering eyes should appear,
But a dialog box, which just filled me with fear,
With a little old message, so simple and spare,
I knew in a moment it must be malware.

“Your files are hostages, don’t start to doubt,
And you’ll pay us a ransom to get them back out.”
“My Word docs, my e-mails, my photos and Quicken,
appointments and bookmarks and music, all missin’!”

“To Facebook Security, to the search engines too,
I need a solution! Please, someone, come through!”

As soon as it happened, I asked myself why,
And I thought it all through, then I said with a sigh,
“You never did update your browser or Flash,
and you still click on links that offer free cash.
You use anti-virus that’s three years too old,
and you click through the warnings, no matter how bold.”

But now it was too late to beat up myself,
I needed the help of some friendly elf.
And then in a twinkling, I saw in a post
Just what to do if your files were toast.

As I followed directions, my fingers were crossed,
I just hoped and prayed that all was not lost.
An hour passed, and then it was three,
I rebooted again, and my files all were free!

Embarrassed, I posted my tale on my Wall,
to serve as a warning for friends one and all.
“You’re lucky,” said one, “some malware is worse.”
Lucky or not, this stuff is a curse.

So with that I learned a good lesson or two
about patching my software and thinking things through
before clicking on links that just don’t make sense
and backing up files before things get tense.

Now I leave you with this as I turn out my light—
A safe Christmas to all, and to all a good night.


Cybersecurity data sharing: you’re doing it wrong

One aspect of cybersecurity that StopBadware routinely emphasizes as essential to collective defense against malware is data sharing. As we’ve pointed out in the past, there are few incentives favoring, and many opposing, the sharing of malware attack-related data among private ecosystem participants like ISPs and web hosting providers, which makes tackling malware threats collaboratively prohibitively difficult. Apparently, data sharing problems are on Congress’s mind as well. Last week, the House Intelligence Committee considered and passed HR 3523, the Cyber Intelligence Sharing and Protection Act of 2011, one of Congress’s most visible efforts to confront computer security issues, which specifically addresses the sharing of “cyber threat intelligence”. Unfortunately, the bill’s sponsors appear to perceive all forms of cyber threat intelligence — everything from an RSA-style infiltration to a blind SQL injection — as (a) presumptively classified and in desperate need of control and (b) something from which private companies like ISPs and web hosting providers need protection.

First off, it seems the height of ridiculousness to assert that the intelligence community requires Congress’s special permission to share information with important private sector infrastructure companies (like telcos and ISPs) if it possesses information that demands action. Federal intelligence and law enforcement agencies share, and are certainly not statutorily barred from sharing, malware- and cyberattack information with private parties already; specifying a system of temporary security clearances presumes that the disclosure of much of such information will place the national security of the United States in jeopardy. So either the status quo is somehow a dangerous threat to our nation, or the bill’s solution is in search of a problem.

Moreover, the bill fails to address the actual collective action problem at the core of malware data sharing. By allowing companies to specify how malware data is shared with other private parties, the broader cybersecurity community, whose operations dwarf those of the federal government, need not be materially enriched in any way. In essence, the government seeks to establish a cybersecurity clearinghouse that need enrich only itself. The government should provide additional resources and tools to companies willing to make common cause with one another in the cybersecurity fight, not reward companies that share data — which is very loosely defined by the bill, is exempt from the Privacy and Freedom of Information Acts, and may include PII and customer-created content — with it and it alone.

Secondly, the bill takes the extraordinary step of immunizing all participating companies from any criminal or civil liability as a result of sharing information or failing to act on information they receive. Content providers like ISPs and hosting providers are already immunized for failure to take action on malware reports under section 230 of the CDA as courts have interpreted the law; further grants of immunity should be conditioned on at least a minimal standard of accountability for gross negligence in the handling of such data.

The Washington Post has reported that in response to objections from privacy advocates and concerns from the White House, the bill has been amended to include protections against coercive data sharing practices and oversight by the intelligence community Inspector General. It’s a step in the right direction, but does little to cure the bill’s other flaws, including facilitating sharing of irrelevant, private information and use of data submitted for purposes other than cybersecurity defense. While increased sharing of cybersecurity information within the Internet ecosystem is a laudable goal, Congress should seriously consider an approach that emphasizes data sharing within the private sector and better protects the general public from abuse.
