Targeting Third-Party Collaboration--Geoff A. Cohen
Pages 313-326



From page 313...
... servers will resolve domain names by querying independent registrars for the current IP address. Packets will be processed by operating system and application software written by independent software vendors, configured by and installed by system integrators on hardware built by yet different companies.1 At the same time, it is difficult -- perhaps prohibitively so -- to reliably attribute attacks to a specific actor.
From page 314...
... Other examples include software vendors that introduced vulnerabilities; ISPs that failed to perform adequate ingress filtering; hosting services that turned a blind eye to illicit activity or invalid addresses; sovereign nations that neglect to enforce cybercrime laws or refuse to offer cooperation with foreign investigative services, and so on. Further, we consider the problem of such attacks as they happen in peacetime; we don't consider the appropriate reaction to attacks during declared armed conflict, or in the escalatory stage immediately before major conflict erupts.
From page 315...
... Classic examples include "dram shop" laws that attempt to reduce drunk driving by threatening sanctions against proprietors of bars. More recent examples include the Unlawful Internet Gambling Enforcement Act (UIGEA)
From page 316...
... CALEA
The Communications Assistance for Law Enforcement Act (CALEA) of 1994 requires telecommunications carriers -- which later court decisions and executive branch guidance make clear include broadband Internet service providers and Tier 1 carriers -- to cooperate in enabling law enforcement access to their networks for monitoring communication, that is, "wiretapping." This statute is only questionably wide enough to allow investigation into security breaches such as botnet activity or hacking, but provides an important precedent and template for future statutory language requiring networking infrastructure companies to cooperate with law enforcement.
From page 317...
... This legal regime could be changed by legislation, creating an enormous economic pressure on software vendors to improve the security of their software. The argument for exposing vendors is that the software marketplace has failed to provide adequate security, due to many factors including the illiquidity of the software market (especially the market for operating systems)
From page 318...
... A more extreme version of this claim is a legal principle that the government has an affirmative responsibility for assuring the security of private infrastructure.
Shared Affirmative Responsibility for Security
A broader principle is that all actors in the software marketplace, including vendors, network infrastructure operators, resellers, and corporate and individual users, have an affirmative responsibility to take reasonable and timely measures to assure the secure and legal operation of their systems and services.
From page 319...
... INSTRUMENTS OF POLICY
Here, we discuss potential actions against third parties -- the "retaliation" for allowing cyberattacks to take place. Of course, the presumption is that these entities are not actually malicious actors, or they would be facing criminal investigation instead.
From page 320...
... Another example is the Knujon project to examine the complete DNS records. Previous projects to try to inspect the Domain Name System ran against the sheer scope of the task: nearly 120 million registered domain names in the top five generic top-level domains.
From page 321...
... For example, Romania was traditionally a haven for cybercrime, but under pressure from the EU and threatened with the withdrawal of technological assistance from richer countries, it became a signatory to the Convention on Cybercrime and is reportedly cooperating more with foreign investigations.15
Network Operators
Network operators play a special and challenging role, as they are both in the best position to monitor for security failures and to intervene rapidly and effectively when they occur, but at the same time do not want to be in the business of individually inspecting and approving customers or traffic. To require network operators to monitor the content of traffic would be a significant burden, although it may be that they are doing much of this already for law enforcement purposes.
From page 322...
... If a network attack occurs which uses spoofed IP addresses, then any network that transmitted such traffic and failed to apply ingress or egress filtering is potentially a target of a retaliatory action by the government. Such security requirements are, for example, required by the Payment Card Industry Data Security Standard.17 (More broadly, this is a useful example/model for how private industry could develop stronger security practice requirements, and create a supporting audit/certification regime)
From page 323...
... Unflattering parallels will undoubtedly be drawn with China's mandate for computer manufacturers to install Green Dam, its Internet filter that would prevent access to sites containing content on, for example, pornography and democracy. (The parallels may be deeper: some security researchers hypothesized that due to security flaws in Green Dam, it would become compromised by malicious actors, and the population of all connected PCs in China could become an enormous botnet.)
From page 324...
... And yet knowledge of bad actors isn't encoded into the system in any way; there is, for example, no easy way for end-users to know that they have visited a site which is known to host malware, that is registered through a registrar that is known to work with spammers, that is using a certificate generated by a certifying authority in a country known for protecting hackers, and so on. A legal/technical framework that consistently applied standards of liability for negligence and safe harbors for responsible actions could conceivably raise the level of secure behavior across the system, rather than simply playing whack-a-mole against particularly extreme bad actors such as McColo or Waledac.
From page 325...
... Improved security will also have spill-over benefits to other nations. If large operating system vendors, for example, improve the security of their product for U.S.

