When you advocate for cooperation and then act unilaterally, does that make future overtures more or less likely to resonate?
WASHINGTON — The United States said on Wednesday that it had secretly removed malware from computer networks around the world in recent weeks, a step to pre-empt Russian cyberattacks and send a message to President Vladimir V. Putin of Russia.
A big ‘win’, right?
For as long as I can remember, and I’ve been doing this a long time, the government has been preaching the importance of “public-private” partnerships and “information sharing.” Those are two things that have basically been in every national strategy or policy document dealing with cybersecurity since we started making them. But this latest action really makes one wonder what the point of establishing a supposedly mutually beneficial relationship with the government actually is, if they’re just going to do whatever they want, regardless of your considerations.
The government accessing private systems without the system owner’s knowledge to take action is not new. It is of course perfectly legal, but then so is asset forfeiture, and that doesn’t always make such actions right or just. The government has no earthly idea what your IT infrastructure looks like, how it operates, or what it supports. They have no idea whether their actions could cause problems. Problems they’re not going to have to deal with. And should the people responsible for these systems find themselves called on the carpet for the actions of a third party who just happens to work for the Department of Justice, the number of SACs or AUSAs who show up to advocate on their behalf is likely to be zero.
It is not as though there isn’t a public-private threat-response model with a track record that could have been used instead. Somehow the courts, cops, and industry all managed to work together – confidentially and leak-free – to thwart the actions of bad actors. It’s been going on for years. In fact, the government could have gotten a two-fer if it had gone down this path: The rapid elimination of a threat, and proof positive that collaboration has value.
Instead, we have industry adding “Rule 41” to their incident response playbooks, and deleting InfraGard meetings from their calendars.
Working with public information, at this early date, we don’t really know the full impact of these actions. Digital exigent circumstances used to be half a joke in the early days, but speed could very well have been of the essence and the risks justified. I think any fair critic would be happy to change tack were that proven true. And having been in government, I know the level of effort and (flaming) hoop jumping that had to take place for this action to become reality.
But no one who has spent any length of time in this business can look at these developments and not think that there are other models we need to consider beyond the martial and law-enforcement ones. Just because the modern industry’s roots can be traced there doesn’t mean that’s where its future lies. Maybe that’s civil defense, maybe that’s public health, maybe it’s something else. But if we don’t start exploring them in earnest, the only thing I know we can look forward to is more unilateral action “for the public good” at the expense of enterprises and careers.