WASHINGTON — Representatives from Microsoft, Symantec, Congress and the FBI came together in Washington this week to discuss a shared vision for the future of private sector cybersecurity in the U.S., and to disagree over what that vision means for consumer encryption.
The panel went over present and future ways the government and private sector can come together to tackle cyberattacks like those recently launched against Anthem, Sony, JPMorgan Chase, Home Depot and Target — several of which resulted in millions of dollars in damages, and the compromise of tens of millions of consumers’ personal and financial data.
According to FireEye, such attacks go undiscovered for a median of 229 days, and McKinsey & Company has found attacks cost the average company $3.5 million. The Ponemon Institute reported in 2014 that cybercrime costs the U.S. economy $3 trillion annually.
“The threat is increasing substantially,” acting assistant director of the FBI’s Cyber Division James Trainor told the crowd gathered at the Microsoft Innovation and Policy Center on Thursday. “We would get a major data breach every two to three weeks that we would work — and now, it’s closer to every two to three days.”
“This is increasingly becoming the threat of our lifetime,” Texas Republican representative and Chairman of the House Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee John Ratcliffe said.
Before coming to Congress, Ratcliffe served as a federal attorney in the George W. Bush administration, and sat on the Attorney General’s Advisory Subcommittee on Terrorism and National Security.
“We are entering an age when some of our biggest threats will take place from folks sitting at a computer terminal half a world away,” Ratcliffe said.
In addition to touting Microsoft’s Digital Crimes Unit and Cybercrime Center — which the company opened in Redmond, Washington in 2013 to work collaboratively with the government to investigate, share and build tools to defend against cyber threats — panelists agreed that sharing threat data across the private and public sector was one of the most promising new ways to defend against future attacks.
One of the ways the government is trying to facilitate such sharing is through legislation like Ratcliffe and House Homeland Security Committee Chairman Michael McCaul’s National Cybersecurity Protection Advancement Act, which authorizes the government to enter into cyber-threat data sharing relationships with private companies.
The bill passed the House earlier this year with a broad bipartisan 355-63 vote.
“Up until now, one of the main problems in dealing with cyber threats and specifically with cyber crime, has been the inability of companies… Frankly either were unwilling or unable to share cyber threat information because of concerns of liability. Concerns of violating people’s privacy, and violating federal privacy laws, or losing their own sensitive proprietary business information,” Ratcliffe said.
Ratcliffe pointed out that one of the core arguments for information sharing is that attackers commonly reuse the same or similar malicious code across a broad range of attacks against multiple targets, so an indicator seen by one victim can protect the next.
“In some cases, it’s simply as easy as clicking copy and paste,” Ratcliffe said.
Though all the panelists agreed that sharing information is a valuable tactic, they differed widely on how much sharing is healthy, and, in the case of private companies, on where it begins to harm the security and privacy of consumers.
“It really is about partnerships, whether it’s law enforcement and international partners as well as the private sector,” Trainor said. “Most of the infrastructure that we pursue adversaries on, or are the victims of crime, are private industry and private property, so it really requires a lot of cooperation and understanding of the equities for the victims, as well as the companies that can help assist us.”
“It takes a village, almost, when you look at what is happening,” senior director of global accounts and strategic partnerships for Microsoft’s Digital Crimes Unit Patti Chrzan said.
Chrzan added that with four billion people in the world not yet connected to the Internet, cybercrime will remain a growing focus for criminals for the foreseeable future.
“It’s a very delicate balance that requires strategic partnership across many actors, and yet you have to hold it close enough to make sure that you’re not tipping your hand as well.”
“It’s a tool in the toolkit, first and foremost, and it is important — but it’s not the silver bullet,” vice president of global government affairs and cybersecurity policy for Symantec Cheri McGuire said.
McGuire added that though she supports the National Cybersecurity Protection Advancement Act, it is important that such legislation take care to minimize the data that is shared in order to safeguard the privacy of customers and the intellectual property of companies.
On the question of default encryption on users’ devices, which the FBI has criticized Google and Apple for adopting over concerns that it will help criminals conceal their online and mobile activity from law enforcement, the panelists divided further.
“We do not build back doors into our products,” McGuire said. “The debate that’s ongoing right now around building back doors into encryption is frankly something we are not willing to entertain. I don’t think there’s a finer point that I can put on it than that.”
“We think that there needs to be some function for law enforcement, some ability for law enforcement, to go through the judicial branch to seek court authorization to acquire this information,” Trainor said. “It is a problem for law enforcement, for sure. The more prevalent that it becomes used by bad actors, the more challenging it is for us.”
“Quite frankly, our mission is to keep the country safe from national security actors, from criminal actors — that is substantially inhibited by the use of some of these products.”
In regard to the now well-known reach of National Security Agency surveillance over friend and foe alike, and its chilling effect on international partnerships, Trainor said that the U.S. stands apart because NSA’s activities focus on national security — not industrial and economic espionage — a major surveillance focus for countries like China.
“What is not appropriate is the targeting of U.S. industry for commercial gain,” Trainor said. “The line in the sand is economic gain versus national security protection.”
A final question from the audience pointed out that major companies are often themselves the original culprits in the loss of consumer data, through brokering and reselling it, which can happen multiple times for the same dataset.
“To be fair, there is also an element of this that relates back to how individuals transact as well in terms of online, and all of us have to be much more savvy than many people are today,” Chrzan said while claiming Microsoft does not monetize data, despite reports to the contrary. “I think there’s a balance between what we’re all doing in the private sector, and also individuals as consumers and the need to change practices in terms of systems being up to date, how to transact on the network, how we’re protecting ourselves when we’re at home or in a public place.”
“It’s kind of a bit of a cliche about ‘cybersecurity is our shared responsibility,’ but it truly is,” McGuire said. “We all have a role to play in how much of our personal information we willingly put out, and that’s something both commercial entities and individuals need to be looking at.”