As Homeland Security Steps Up Cybercrime Fight, Tech Industry Wary
The Department of Homeland Security has become the unlikely hero of the new White House campaign to stop cybercrime-- this, despite a history of mismanagement and the looming cutoff of its funding. To succeed, the big bureaucracy will have to inspire trust and compete against similar efforts by the tech industry.
Cybercrime is just too easy. Often, hackers don't have to be innovative. They can take an attack — copy and paste it.
"If they work fast enough, they can get these pieces of malware into an operation fairly quickly," says John South, chief security officer at Heartland Payment Systems.
His company fell prey to one of the biggest credit cards hacks in history. "It was well north of — probably north of a hundred million."
The attackers used a piece of malicious software that had already hit others. That was in 2008.
Since then, financial companies have gotten better at alerting each other. But, for other industries and across these industries, the alert system is pretty bad, South says.
Homeland Security's Vision Statement
This big problem could be a big opportunity.
Imagine a place — a super-smart digital collection bin — where every company, every local and state government agency could submit a warning: We got hit by this line of code; don't let it happen to you.
The Department of Homeland Security is working to build just that.
"We have to do the one thing the adversary can't. And that is connect all the dots — from what the private sector sees, what we in government see, and put it together and make it available to every computer on the planet that needs to be protected," says Phyllis Schneck, deputy undersecretary for cybersecurity.
Just a handful of federal rules require sectors like banking and health care to report hacks, and most breaches go unreported.
Homeland Security is working on a new, automated system for public and private entities to use — a shared language to share threat information, like specific lines of malware, and the unique IP addresses of attacking computers.
"You picture two tin cans and a string. We just want everyone to have the same string and the same type of can," Schneck says.
It's a technical fix, from an agency not known for technical prowess.
A recent Senate report says that DHS "struggles with its own information security"; that it doesn't warn others about known threats "nearly as quickly" as private companies, like Google, do; and that it failed to patch Transportation Security Administration servers, leaving biometric data on 2 million Americans exposed.
Schneck says DHS is improving. "I think that DHS is still a very young organization, and every year I think we add new capabilities," she says.
A Political Solution
"The alternative to having DHS do the cybersecurity work is that a lot of user data is going to end up in the hands of a military intelligence agency," says Greg Nojeim, a privacy advocate with the Center for Democracy and Technology.
While the National Security Agency is more competent, Nojeim says, it also has a conflict of interest. When its teams discover holes in software, they don't always tell the software maker. Nojeim says they leave customers at risk of a criminal hacker, just so they can stockpile those holes and exploit them for espionage.
"DHS doesn't have that internal conflict of interest," he says.
A Counteroffer , From Facebook
The department also doesn't have buy-in from Silicon Valley — at least not yet.
And alternative data banks are popping up in unexpected places. For example, Facebook is starting a social network for corporate hacking victims.
At a recent tech insider conference in San Francisco, Facebook Chief Security Officer Joe Sullivan was on stage, recruiting several hundred people. He asked the question on many people's minds: "How do I do this sharing in a way that doesn't undermine the trust I'm building with the people who use my service?"
Facebook says it does not provide cyberattack data to Homeland Security and is not participating in the evolving federal initiative.
It has become a divisive development for tech companies implicated in aiding the NSA surveillance program PRISM. Google and Yahoo say they too are not collaborating with Homeland Security on new initiatives to pool data.
Meanwhile Microsoft, which says it currently shares information on security threats with the federal agency, declined to comment on whether it plans to participate participate in the new initiative. Apple did not provide details on its involvement with Homeland Security, though its CEO, Tim Cook, headlined a White House event to unveil the effort.
Sullivan describes the private sector effort that Facebook is leading as "something, hopefully without controversy, that just is 100 percent positive contribution."
The platform, called ThreatExchange, has its own Facebook page — which, so far, has several dozen likes and shares.
Homeland Security officials are traveling the country, talking to companies, trying to beat that.
Copyright 2020 NPR. To see more, visit https://www.npr.org.