Testifying on cybersecurity before the Senate Judiciary Committee

I’ll be testifying this morning before the Senate Judiciary Committee’s subcommittee on crime and terrorism. My testimony will touch on the Attribution Revolution in cybersecurity, the need to move from attribution to creative forms of retribution, and the need to give victims more leeway to investigate the hackers who attack them. Here are some excerpts:

That is why I will focus my remarks today on what is shaping up to be an “attribution revolution.” The theory is simple. The same human flaws that have left our networks ever more exposed to attack are undermining our attackers’ anonymity. This is what I like to call Baker’s Law: “Our security may be toast. But so is theirs.”

As numerous recent reports show, attackers are only human. They make mistakes when they’re in a hurry or overconfident. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords and email addresses and computers. Their remote access tools are full of vulnerabilities. These are openings that private researchers – from Mandiant and Trend Micro to SecDev and the Citizen Lab – have exploited; they’ve traced cyberattacks to the command and control computers used to carry them out, then to homes and offices of the hackers that perpetrate them. These reports have identified individuals and institutions closely associated with hacking US companies and agencies. They’ve found the universities where the hackers trained. They’ve found the hackers’ names and instant message addresses. Using these clues, researchers have even tracked the hackers down and called them up for comment. They’ve found the companies that employ the hackers today. In at least one case, hacking victims in the Republic of Georgia have turned the tables and used their attackers’ malware to take an attacker’s picture with his own desktop camera.

The attribution revolution has truly begun.

But attribution is only half of the formula if we want to deter cyberespionage. The other half is retribution. Once we identify our attackers, we need to persuade them to choose another line of work.

That does not necessarily mean that we should rely exclusively or even primarily on the Department of Justice or the Federal Bureau of Investigation. We must look beyond traditional criminal prosecutions to deter cyberespionage.

This brings me, finally, to the role that private companies should play. I’ll be blunt. We can’t rely exclusively on the Federal Bureau of Investigation. … We need better ways to draw on the resources of the private sector and their investigators.

Right now, however, the Justice Department is doing more to hurt than to help companies that want to respond aggressively to the theft of their secrets and their intellectual property.

Let me give you one example. Suppose that a private investigator finds that data is being exfiltrated from his client to a particular command and control server. If the server is in the United States, the investigator may be able to persuade the owner, who is probably himself a hacking victim, to grant access to the server. This happens a lot, and it has great value, especially for attribution. The investigator may be able to identify the attackers and even recapture some of the stolen data.

But what if the hackers get wise and move the server to another location that they actually own? Can the investigator follow them to that other server and use what he knows about the gang’s passwords to get access to the evidence and the stolen data stored there?

Not according to the United States Department of Justice, which has begun actively and publicly discouraging any investigations that do not rely on the consent of the network owner, even when the network owner is the hacker himself. Recently, an anonymous Justice Department spokesman told Bloomberg BNA that intruding on an attacker’s network would be both bad policy and “likely a violation” of the Computer Fraud and Abuse Act.

This is unfortunate in so many ways that I can understand why the spokesman insisted on anonymity.

Here’s a link to the whole thing: Download S Baker- Crime and Terrorism SubCommittee Testimony 5-7-13 – Attribution Revolution. (And, yes, I bowdlerized Baker’s Law for the august halls of Congress.)