Recently, Tim Maurer, Ariel Levite, and George Perkovich of the Carnegie Endowment for International Peace released a white paper with a broad new proposal regarding the offensive cyber operations conducted by nation states, in an attempt to address acknowledged interdependent risk issues within the global financial system.
Dave Aitel is an offensive security expert and the CEO of Immunity, Inc., which conducts vulnerability research, penetration testing tool development and security tests for corporate and government clients. Prior to founding Immunity in 2002, Aitel served for six years as a security scientist at the National Security Agency and was a security consultant for @stake. Aitel has been named one of “The 15 Most Influential People in Security” by eWeek Magazine and has delivered keynote addresses at BlackHat and DEFCON. He is a co-author of “The Hacker’s Handbook,” “The Shellcoder’s Handbook” and “Beginning Python,” and founder of the Infiltrate offensive security conference.
The vulnerability equities process (VEP) is broken. While it is designed to ensure the satisfaction of many equities, in reality it satisfies none—or at least, none visible to those beyond the participants of the insular process. Instead of meaningfully shaping best outcomes, the VEP provides thin public relations cover when the US government is questioned on its strategy around vulnerabilities.
“Lawful hacking” is an interesting and potentially very useful future path for law enforcement and the intelligence community. But lawyers and policymakers rushing to address potential problems are getting ahead of the technology.
This week, Senator Sheldon Whitehouse called for the creation of a cybersecurity “militia” to strengthen US defense. He suggested reexamining a “militia model that lets ordinary citizens come to their country’s aid.” Whitehouse’s remarks represent a growing focus on exploring mechanisms to incorporate civilian involvement and “active defense” into traditional government activities.
On Monday, Paul Rosenzweig suggested a number of areas in which the recently formed Commission on Enhancing National Cybersecurity should focus in charting the US government’s path forward. While I agree the government must rethink strategic policy choices, Rosenzweig is putting the cart before the horse.
The Department of Justice’s recent indictment of seven Iranian Revolutionary Guard hackers is a problem for the security community. The criminal charges—which name the seven Iranian hackers the US claims were responsible for penetrating a New York dam and disrupting US banking websites in 2013—expose inconsistencies in national cyber policy that will impact future operations.