A cybersecurity guru who works for the U.S. Central Intelligence Agency's venture capital arm has suggested a wholesale solution to the problem of malicious hacking: Treat vulnerabilities as if they are disease outbreaks and make cures publicly available at government expense. This is a brute force approach that would change the rules of what is currently a game of cops and robbers.
Dan Geer, chief information security officer at In-Q-Tel, a CIA-funded nonprofit that looks for new tech to satisfy the agency's needs, outlined his idea in a keynote speech to the Black Hat USA cybersecurity conference in Las Vegas. Geer's timing is spot on: as he spoke, anxiety was spreading about an alleged Russian hack affecting more than 1 billion website accounts, with the company that discovered it only willing to share information with paying customers.
On Tuesday, the New York Times reported the claim by Milwaukee-based Hold Security that a Russian hacker group had accumulated "the biggest cache of stolen data" -- 1.2 billion unique username and password combinations and more than 500 million e-mail addresses, and Hold had a cache mirroring the bits and bytes.
To me, the story was suspect. It claimed that an unidentified security expert, asked to inspect Hold's database, pronounced it genuine, but it's hard to believe anyone would have been able to check through hundreds of millions of user records to reach that conclusion, and a random check wouldn't suffice to back up Hold's alarming numbers. Next, the story said the hackers were using their data "to send spam on social networks like Twitter," and charging fees for that -- a low-rent activity ("The Dark Web equivalent of boiling the bones for stock," as Russell Brandom put it on The Verge) suggesting the data is no good for more serious stuff such as credit-card theft.
Finally, the article said that "the hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia," a bit of geographic ignorance that did not help the whole story's credibility (the only Russian region bordering on both Kazakhstan and Mongolia is the South Siberian republic of Altai, which is decidedly not part of Central Russia).
More seriously, Hold Security wouldn't name any of the affected sites (although Twitter would obviously be one) and said it planned to charge $120 per month for checking whether a website was affected by this and other similar hacks. That's as clear a conflict of interest as there could be. The hacker collective itself, if it exists somewhere on the Mongolian border, wouldn't mind charging a few hundred thousand people a subscription fee for regular checks against stolen credential databases: That would deliver much higher revenue than spammers' orders ever could.
Under rules suggested by Geer, such behavior would not be possible because the finders of major vulnerabilities or hacks would be under an obligation to make their data public. "The Verizon Data Breach Investigations Report says that between 70 percent and 80 percent of breaches were discovered by unrelated third parties, not by the victim," Geer said. "The victim might never know if those who do the discovering were to keep quiet."
That begs the question of who, except malicious hackers, would bother to look for security bugs once opportunities to make money from the work became constrained. Geer's answer is that the U.S. government should try to corner the market in vulnerability information, paying significantly more than the next bidder. "In effect, zero the inventory of cyberweapons," Geer said.
Governments, including the U.S., are already major buyers on that market, but they often keep the data to themselves, sometimes in hopes of using it in their own cyberattacks. There's a chance they would still do that even if they were legally required to release the information to the public, but, conspiracy theories aside, governments do have obligations to taxpayers. Comprehensive programs to purchase and publish hackers' work would do more to plug security holes than corporate bug-bounty programs. Microsoft, for all its wealth, won't pay more than $100,000 for Windows vulnerabilities, and criminals stand to make much more from exploiting them.
Geer's idea is somewhat utopian, but his influence in the intelligence community means it may eventually gain a degree of acceptance. That would be a good thing: The scale of recent breaches, from the Target affair, which cost the company $110 million, to Chinese industrial espionage, suggests that cybersecurity threats are a national security matter deserving of a systemic response rather than ad-hoc patches.
To contact the writer of this article: Leonid Bershidsky at firstname.lastname@example.org.
To contact the editor responsible for this article: Mark Gilbert at email@example.com.