The cyber attack against the USA, launched while the American presidential election campaign was in full swing, took some of the world's leading websites offline for many hours, including Twitter, PayPal, Reddit, Netflix and CNN. While the attack was concentrated on the East Coast of the USA, disruptions were experienced by users worldwide. An investigative analysis of the attack determined that it was a DDoS (Distributed Denial of Service) attack aimed at the servers of Dyn, one of the leading managed DNS (Domain Name System) providers in the USA. A DNS server is a primary node in Internet communication: simply put, it matches a domain name to the IP address through which the desired destination is reached. If that matching service is unavailable, the destination is effectively unreachable even though its own servers are up, because the browser never learns which address to connect to; every website whose domain configuration pointed at Dyn's name servers was therefore cut off. In this attack, the hackers flooded Dyn's servers with a huge volume of requests; the resulting overload denied service to legitimate requests, and with it the ability to reach the desired websites.
Army of Robots
Whereas today's security products can identify the use of spoofed IP addresses, hackers overcome this obstacle by generating a multitude of requests that appear 'legitimate', sent from a multitude of IoT (Internet of Things) devices such as web cameras, smart home devices and so forth, which they regard as easy to hack into. According to cyber investigators, the hackers logged into these devices using the default passwords that manufacturers ship with the product. Once inside a device, they installed a bot (in this case the malware known as Mirai) whose function was to send a continuous stream of requests to the DNS servers so as to overload them. Estimates published at the time put the number of infected devices at more than 10 million, a whole 'army' of robots dispersed worldwide. A single organization will find it extremely difficult to cope with an attack on this scale, and it has often been argued that current security systems are not effective enough against attacks of this kind. This attack was one of the most substantial and extensive the world has experienced thus far, both in the number of devices and the novelty of the technology involved and in the extent of its effect on countries on different continents.
This example demonstrates that cyber attacks are a routine phenomenon and that they are becoming ever more global and complex. Today's cyber attacks combine technologies, different attack methods and many 'small' attacks through devices, systems and organizations that for the most part are not associated with one another, which jointly form one major attack. In the Dyn attack, the hackers took advantage of the fact that vendors, as well as many organizations, were keen to connect as many home appliances to the Internet as possible, without planning and without in-depth security review. This was compounded by the careless behavior of users who had not changed the default passwords of their devices, which allowed the hackers to log in, plant bots and eventually launch the attack against Dyn. The use of many small devices that their owners regarded as 'harmless', each generating traffic that on its own looks unremarkable, enabled the hackers to evade detection in advance and to combine the individual devices into one massive attack.
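The point that many individually unremarkable sources add up to one attack is exactly what defeats the per-client rate limits most DNS servers apply. The following Python script is an added illustration and is not code from the original article or from Dyn; the query log it analyzes is constructed inline (a handful of legitimate clients at one query per second, plus forty 'bot' addresses that each send only four queries in the same second), and the thresholds are assumed values chosen for the demonstration. It runs a classic per-source limit beside an aggregate check that looks at total volume and the number of distinct sources in each second.

```python
"""Per-source rate limiting versus aggregate anomaly detection on DNS query logs.

Added example with constructed data (not Dyn's logs). It shows why a crowd of
low-rate sources slips past a per-client threshold but not past a check on
total volume combined with the number of distinct sources.
"""
from collections import Counter, defaultdict
from statistics import median


def build_sample_log():
    """Constructed sample log as (second, source_ip, qname) tuples.

    Five legitimate clients query once per second for ten seconds; forty
    'bot' addresses each send four queries during second 7. No single bot
    exceeds a modest per-client limit, yet second 7 carries 165 queries.
    """
    records = []
    for sec in range(10):
        for i in range(5):
            records.append((sec, f"203.0.113.{i + 1}", "example.com"))
    for j in range(40):
        for _ in range(4):
            records.append((7, f"198.51.100.{j + 1}", "target.example"))
    return records


def per_second_counts(records):
    """Bucket the log into {second: Counter(source_ip -> queries)}."""
    buckets = defaultdict(Counter)
    for sec, ip, _qname in records:
        buckets[sec][ip] += 1
    return buckets


def per_source_offenders(records, max_qps):
    """Classic per-client rate limit: sources that exceed max_qps in any second."""
    offenders = set()
    for counter in per_second_counts(records).values():
        for ip, n in counter.items():
            if n > max_qps:
                offenders.add(ip)
    return offenders


def baseline_qps(records):
    """Median total queries per second; the median is not dragged up by a short burst."""
    return median(sum(c.values()) for c in per_second_counts(records).values())


def aggregate_spikes(records, baseline, factor, min_sources):
    """Seconds whose total exceeds factor * baseline and involves >= min_sources IPs.

    Returns {second: (total_queries, distinct_sources)}. Requiring many distinct
    sources separates a distributed flood from one misbehaving client, which
    the per-source limit already handles.
    """
    flagged = {}
    for sec, counter in sorted(per_second_counts(records).items()):
        total = sum(counter.values())
        distinct = len(counter)
        if total > factor * baseline and distinct >= min_sources:
            flagged[sec] = (total, distinct)
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    # Per-source limit of 5 qps flags nobody: every bot stays at 4 qps.
    print("per-source offenders:", per_source_offenders(log, max_qps=5))
    base = baseline_qps(log)
    # Aggregate check flags second 7: 165 queries from 45 distinct sources.
    print("baseline qps:", base)
    print("aggregate spikes:", aggregate_spikes(log, base, factor=10, min_sources=20))
```

The per-source check returns an empty set, while the aggregate check flags second 7 with 165 queries from 45 sources against a baseline of 5 queries per second. In practice the same logic runs over a sliding window rather than whole seconds, and the distinct-source floor is what distinguishes a botnet from a single noisy resolver.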
On the Alert
It is reasonable to assume that if every one of the parties involved (the end users, the Internet service providers, the DNS provider and the device manufacturers) had issued alerts regarding every cyber attack, even the smallest one, that had taken place or was in progress, or had reported weaknesses they knew of, it would have been possible to draw a comprehensive map of suspicious behavior patterns. Such a map might have hinted at the type of attack to expect, or at least would have allowed the parties involved to take preventive steps such as securing the devices and changing the default passwords. A timely alert to the relevant organizations could therefore have reduced the scope of the attack and possibly prevented it altogether.
However, reports regarding cyber attacks and/or weaknesses are not very frequent these days, and many organizations avoid reporting, among other things because they are concerned about implications such as damage to their reputation, disclosure of trade secrets, violation of their privacy and the possibility that the government might use the reported information against them. Because cyber attacks take place within an organization's internal systems, third parties normally cannot identify them; spotting them depends on voluntary reporting by the organization being attacked. For this reason, legislators have tried to address the question of how companies and/or individuals may be compelled to share information and report cyber attacks.
The NIS Directive (Directive (EU) 2016/1148 on Security of Network and Information Systems) was adopted in July 2016. Under the directive, operators of essential services in critical sectors of European Union member states, such as energy (electricity utilities), transport, banking, financial market infrastructure (stock exchanges), health (hospitals) and so forth, as well as digital service providers of three kinds, namely online search engines (Google), cloud computing services (Amazon) and online marketplaces (eBay), are required to report any cyber incident having a significant impact on the continuity of the service they provide. Each member state designates one or more CSIRTs (Computer Security Incident Response Teams) and competent authorities to receive such notifications. The report should include, among other things, the number of users affected, the duration of the incident, its geographic spread, the severity of the disruption to the essential service, its impact on economic and societal activities, and other data. Unlike operators of essential services, who are bound by a mandatory duty to report, a digital service provider is required to report only where it has access to the information needed to assess the incident's impact.
This directive expands the duty to report cyber attacks, which in the past was confined to cases where legally-protected personal data had been compromised, to cases where the organization's service as a whole has been disrupted. It applies the duty to report and share information to an extensive range of private organizations, whereas in the past that duty applied mainly to telecommunication and Internet service providers. At the same time, the directive does not impose a general duty to report cyber attacks as such, it offers no incentive mechanism to encourage voluntary reporting, and it does not address the reporting of 'minor' cyber incidents which may eventually combine into one major attack.
In 2003, the USA issued Homeland Security Presidential Directive 7 (HSPD-7), which directs the private and public sectors dealing with critical infrastructure to share information regarding threats, vulnerabilities and cyber incidents. The directive extended the term "critical infrastructure" to cover "key resources" as well, namely resources essential to the minimum operation of the economy and the government and controlled by public and private organizations, such as banks. It made the US Department of Homeland Security the agency in charge of implementation. Under this framework, dedicated sector-specific bodies operate, such as FS-ISAC, the Financial Services Information Sharing and Analysis Center.
However, this framework provided no solution for attacks not aimed at the critical infrastructure sector, which nonetheless have a dramatic effect on companies, as the example above shows. So, in February 2015, President Barack Obama issued Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, which aimed to establish a mechanism enabling anyone, private companies, NGOs, law enforcement agencies and others, to share information regarding any cyber threat and incident and to cooperate on ways to cope with them. For this purpose, the order provided for the establishment of non-government Information Sharing and Analysis Organizations (ISAOs), which may be organized by sector (for example, R-CISC, the Retail Cyber Intelligence Sharing Center). These organizations coordinate directly with the US Department of Homeland Security, which was tasked with developing common standards for them. Information is to be shared while protecting the parties' privacy and keeping trade secrets confidential.
However, the executive order did not alleviate companies' concerns that the authorities might use the information they reported against them, or their concerns about damage to their reputation. So, later that year, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted, which institutionalized the mechanism described above. On the matter of monitoring, it authorized private organizations to monitor information systems they own, and even systems owned by other organizations subject to that organization's written authorization and consent, for the purpose of preventing, detecting and analyzing cybersecurity threats. To encourage organizations to do so, the statute grants them protection against legal action in any tribunal arising from such monitoring, from sharing information or from defensive measures taken to prevent attacks; a court should dismiss such an action provided the defendant was not negligent, did not abuse the mechanism and complied with the provisions of the law. Additionally, the statute restricts the purposes for which the government may use the information it receives: cybersecurity purposes, and the investigation and prosecution of a limited list of offenses, namely fraud and identity theft, espionage, censorship, theft of trade secrets, specific threats of death or serious bodily harm, serious economic harm, and anything connected with terrorism or the use of weapons of mass destruction.
It should be noted that this statute augments and complements other statutes imposing a duty to report cyber incidents in which legally-protected personal information has been compromised, as is the norm in 47 US states. In Israel, on the other hand, there are no statutes that compel or regulate the reporting of cybersecurity incidents or the sharing of information. In order to promote information sharing, the government established a voluntary mechanism in the context of the national CERT (Cyber Emergency Response Team). Any organization wishing to share information can contact the national CERT, and agreements between that organization and the national CERT regulate the confidentiality of the information, what may be done with it and so forth. Additionally, an infrastructure for secure information sharing is currently being established. To boost the confidence of parties wishing to share information, the national CERT declares that the information will be used exclusively for the accomplishment of the CERT's objectives, and that the national CERT is not an enforcement agency (for example, against the attacker or against the sharing party). Moreover, unlike the USA and Europe, Israel has no duty to report cyber incidents that involve damage to legally-protected information, and a bill proposing to make such a duty mandatory was rejected. At the same time, certain sectors have evidently come to understand the importance of sharing information and, within the regulator's authority, support information sharing and the reporting of cyber incidents. For example, Directive 361 of the Bank of Israel requires commercial banks to report all internal and external cyber incidents to the Banking Supervision Department, based on Directive 848, which is confidential; it is not currently clear how this directive is being implemented and what its implications are.
The US arrangement appears to be the most comprehensive, as it is not restricted to certain organizations, a certain sector or a certain type of attack, and as it offers the most effective incentive for information sharing. In effect, it balances the need to share information in order to enhance nationwide cybersecurity against the potential damage to organizations from the disclosure of their vulnerabilities.
Admit Ivgi, Attorney-at-Law, owner of the AI-LAW firm, specializes in law, technology, cyber and information. She is a researcher of cyber law at the universities of Tel-Aviv and Haifa, lectures on the subject, and previously worked for RSA as an analyst and investigator of Internet fraud.