It will come as no surprise to anyone who has followed related issues for any length of time that the infamous Unit 61398 is back in business. The name-and-shame approach orchestrated by the government and elements in the security industry had the desired effect…for about five minutes. The significance of the aforementioned effort was not the naming of a discrete element of a state organ, but the public release of heretofore confidential technical data, or “indicators of compromise.” IOCs have value, which is why, despite efforts to make them easy to share and disseminate, people hold on to them like money (which, if you discovered them and have a sufficient customer base, they are). They do so up until they are not worth money, at which point making them public is a nice way to help increase the customer base. This is called “business” and there is nothing wrong with that.
What IS wrong with how we have been trying to combat this problem?
Nobody Cares if They’re Outed. The excuse that worked the last time will work every time, right up until we re-engineer the Internet. Everyone who wants to hold their breath waiting for that to happen, go stand over there.
We Do Not Wield a Big Enough Club. Sanctions? In a globalized economy? See “excuse” above. Anywhere you go to get international consensus on such things is populated with the very people you want to punish (or those who are aligned with them). That leaves unilateral action, and as has been documented in the past, actual victims don’t care enough to rock the boat, and those who pay the price (minuscule as it is) have no advocacy.
No One Will Adhere to an Agreement. Digital weapons are not nuclear weapons. There is no meaningful analog between the two no matter how many cold warriors try to recycle their ideas. Governments only talk about agreements because it’s “how things are done.” Never mind the total and complete inability to make them actually work in the real world.
What might actually make a difference?
IOCs Want to be Free. There is an argument to be made that the closer you hold an IOC, the better your chance of learning more about who it is tied to, what their goals are, and so on. That is fine, except that the vast majority of victims don’t want to fund your private intelligence analysis project; they want the pain to go away. The more IOCs are made public in a timely fashion, the faster other victims can identify problems and potential victims can tune their defenses. That is contributing to security, not growing your security business.
Remove or Reduce Risk Deferment. As long as businesses can insure their way out of liability or pass the cost along to consumers, there is no incentive to take security seriously. When breaches negatively impact the bottom line, the glaring shortcomings of security solutions-as-usual will shine through. Security has not kept pace with the technology it purports to protect:
(Courtesy of my friend Gunnar at 1raindrop.typepad.com)
…and that won’t change without some kind of external stimulus.
Work at Scale. There will never be enough cyber cops; legal action is only a deterrent if you’re within reach of a federal agent; investigating a breach in accordance with generally accepted practices only means you’ll solve 2013’s crime in 2018; working solo is great for profits, bad for security. The effect of things like botnet takedowns may not be long-lasting when compared to the work that goes into them, but that won’t always be the case. Aggressive defensive actions may only ever reach near-peer status with offensive ones, but at this point it isn’t even a contest, which is a shame given how long people have been pointing out the problems.