April 09, 2015 IT SECURITY

The Protecting Cyber Networks Act

By Chad F. Walter

After reading a recent USA Today article related to the House Intelligence Committee’s new bill – The Protecting Cyber Network’s Act – my initial thought is, “What is the real motivation?”.  Is it protecting consumers, the companies or shifting power to more favorable political arms?

First of all, I actually don’t have any problems with intelligence agencies targeting individuals suspected of launching illegal cyber attacks.  If the surveillance is based on credible, legal suspicion, observe away!  I also don’t have an issue with taking immediate action against an malicious hacker. We all know that just “preventing” the hack isn’t sufficient.  In today’s world of automated, multi-faceted cyber attacks, you have to attack and take out the criminal source to stop the criminal activity.  Incidentally, targeting a criminal before they commit another crime is not a violation of their civil liberties.

Let’s not discount the value of forensics, learning the hack capabilities and execution vectors, and then blocking the hack.  These are vital towards protecting citizens from the impact of any hack.  It’s also important to share this information with other agencies and the cyber security community so the hack itself may be identified and controlled in the wild.  Timing is critical in sharing threat information, and the speed of knowledge transfer definitely needs to be addressed.

Now, onto the issue I personally have with this article and the proposed bill.  It appears that we’re trying to target unpopular agencies instead of addressing the real problem namely which agency is best equipped to assist me in breach resolution and protection?  This isn’t a power play.  It isn’t a political issue.

This is simply, “Who’s best suited to protect me, my company and my interests legally and criminally?”

If someone robs you of personal property, you dial 911 and local police are dispatched because (a) the crime falls under their jurisdiction; and (b) they’re better suited to handle the situation.  Similarly, we need a singular law enforcement agency to call for cyber breach, attack or suspect activities.  This agency needs to be solely focused on cyber crime and be capable of taking immediate action.  The designated agency will then have the authority to work with any other federal or international agencies to strategize, execute and co-ordinate follow through activities.

The Protecting Cyber Networks Act

Examples of these processes exist in today’s “traditional” criminal activity.

There is a chain of command within the investigative and apprehension process.  I highly suggest we follow that model in creating law enforcement processes related to cyber crime.  It’s also important to note that many local/state police departments and FBI offices have cyber crime units which, with better funding and training, could be connected to the existing 911 system.  Consequently, they’d be far better equipped to respond immediately than, say, the Treasury Department.

Unfortunately, politics, power and the egoistical need for control keep getting in the way of logic.  I’m deeply concerned that this new bill will just increase the current cloud of confusion, and do more to protect the cyber criminal than solve its intended goals.