Rep. Ted Lieu (D-California)
“The OPM hack was a very large wake-up call to the federal government that it has to do a much better job protecting cyberspace,” says Rep. Ted Lieu, the California Democrat whose own alarm clock had been set for a little earlier.
Lieu has long been visible in the effort to bring cybersecurity to prominence on the legislative agenda – first in the California state legislature and then in the U.S. House of Representatives. In recent months, he's called for the resignation of OPM Director Katherine Archuleta, petitioned Congress to remove the responsibility for security clearance data from OPM's grasp (“you wouldn't ask the Agriculture department to protect nuclear codes”), and traveled to China to discuss cybersecurity, among other issues.
In a Congress often criticized for its lack of technical prowess and inability to get things done, Lieu stands out not only for his efforts to bring cybersecurity front and center, but also for his seemingly deep understanding of tech issues.
Of course, with a degree in computer science from Stanford, Lieu has a leg up on his fellow lawmakers, some of whom brag that they don't use email and only a handful of whom have similar degrees. From his perch within the House Committee on Oversight and Government Reform's Information Technology Subcommittee, Lieu has kept alive the spark of his boyhood interest in technology. “I've always been fascinated with computers,” Lieu told SC Magazine when we caught up to him the week after his trip to China. “I had an Apple II and did some hacking as a kid.”
When he graduated from Stanford, he fully intended to put his computer science degree to work, but about four years in he “came to the conclusion that it was just too hard,” he says. “There were far too many far smarter than me in computer science.”
The unambiguity of code was a challenge. “Either the program works or it doesn't,” says Lieu, who went on to obtain a law degree. “In law you get to make another argument.”
He's found plenty of “shades of gray” to ply as a lawmaker, first in the California State Senate and now in the U.S. House where he has distinguished himself as a knowledgeable legislator dedicated to upping the country's game when it comes to both security and privacy.
Even if Congress were more technically astute than many of its members claim, locking down cybersecurity would be no easy task. Lawmakers are challenged to craft meaningful legislation around technology that moves “at a lightning pace,” Lieu notes. “We are not nimble, we are not nuanced. By the time we craft a law that by definition is going to be broad, the technology likely would have changed.”
A law that is too narrow and too prescriptive would paint the country into a very small corner from which it would be difficult to emerge. “I would generally oppose very rigid standards that would have to have an act of Congress,” says Lieu, noting that regulators have an easier time because their policies and regulations can be reversed, changed and modified more quickly. We should have a light touch when it comes to tech legislation, he says.
The success of even sound cybersecurity policy lies far outside Congress's reach and depends on reining in (largely unreliable and unpredictable) humans. “Humans make mistakes,” Lieu says. Hackers are very good at getting people to give up information, he says, noting that users aren't keen on security measures that may seem inconvenient. There needs to be a whole cultural shift, he says, that convinces employees they're “being bothered because this is important.”
The U.S.'s cybersecurity posture is also affected by outside forces, with nation-states keen on infiltrating public and private sector systems to snatch sensitive information. Lieu and the contingent of Democrats that visited China recently discussed just that, shortly after the two countries inked a pact to hamper intellectual property theft. “China is a developed country in many parts and [its companies] have secrets to protect.”
While the California congressman says the U.S. – with its recent Cyber Sprint and a new hire to head OPM – has made strides in cybersecurity, more needs to be done. In 2016, he says, government must undergo a massive cybersecurity upgrade defined across all agencies, create a new security clearance database outside the authority of the OPM, and implement a full culture shift that makes security a priority.
“There also needs to be a single person at a high level responsible for cybersecurity at agencies,” says Lieu. And, he adds, that person should be given the authority to issue mandates to agencies and review their reports to see if they follow through.
The government, too, has to tread carefully so that in its zeal to safeguard Americans from external and internal attacks, it doesn't trample the Constitution. “If there is a program, no matter how good it is, if it's not Constitutional, I won't support it,” says Lieu. – Teri Robinson
Katie Moussouris, chief policy officer, HackerOne
Beginning as far back as the mid-90s, when she managed data analysis and bioinformatics projects at MIT, and continuing through stints at Symantec and Microsoft, where she specialized in application security and enhanced risk assessments and in 2013 convinced the company to institute a “bug bounty” program that pays researchers for finding security flaws in its software, Katie Moussouris has exercised leadership with a "pit bull persistence," as one ally put it.
Formerly a hacker, Linux developer and self-professed persistent disruptor, Moussouris is currently chief policy officer at HackerOne, a San Francisco-based platform provider for coordinated vulnerability response and structured bounty programs. She oversees the company's philosophy and approach to vulnerability disclosure, advises customers and researchers, and works to "help make the internet safer for everyone." It's been reported that more than 10,000 bugs have been reported and resolved through the company's platform, including flaws in the code of Twitter, Yahoo, WordPress and Dropbox.
And her belief in the transparency on which her firm is based extends to her advocacy for the rights of security researchers in a new age where the rules are quickly changing. Nowhere is this more evident than in global treaties and best practices, including the Wassenaar Arrangement, a two-decade-old export control agreement among 41 countries, including Russia, E.U. members and the United States. The voluntary regime originally sought to share data on transfers of conventional weapons and dual-use goods. But regulators are now moving to extend its language to cover software and tools used by security researchers and penetration testers. The proposed amended controls, says Moussouris, would interfere with the export of security research and technologies. Indeed, other critics express dismay at the meddling of the U.S. Commerce Department's Bureau of Industry and Security (BIS), whose proposed implementing rule they say would cripple – if not outright kill – the cybersecurity industry. In effect, if the proposals are accepted, a U.S. security researcher who discovers a bug in a foreign company's software could be obliged to obtain an export license before notifying the firm – a big roadblock for bug bounty hunters.
In a July 16 article for Wired, "You Need to Speak Up For Internet Security. Right Now.," Moussouris warned of the disaster to come – particularly for the security community – should the proposed changes take effect: "The entire Internet ecosystem and everyone who uses technology will suffer the chilling effect on research and advances in defense." In a plea to rally support during the comment period for the proposed changes, she called for a letter-writing campaign that would "support the innovations that built the internet, not stifle them by passing laws of noble intention but profoundly flawed implementation."
"Security research and vulnerability disclosure is vital to keeping us all safe online and in our daily lives, as more devices and vehicles become connected to the internet," Moussouris tells SC Magazine. "As long as humans write code, there will always be software vulnerabilities, and we need to draw from the global community when it comes to defense."
It is key, she says, that organizations are prepared to work with researchers who discover vulnerabilities in their code or infrastructure, and that legislation provide a safe harbor for friendly hackers and encourage this vital security research. The recent exemption provisions under the Digital Millennium Copyright Act (DMCA) for security research and reverse engineering are a positive example of this type of legal change, she explains. Governments, she says, can help further by encouraging the industries they regulate to adopt ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes).
These standards, she says, will help new and existing technology deal with vulnerabilities, as critical infrastructure, vehicles and medical devices add more software and connectivity to the internet.
“The FDA was introduced earlier this year to Katie Moussouris and to her extensive accomplishments in the field of vulnerability disclosure and vulnerability process handling," says Suzanne Schwartz, director, emergency preparedness/operations and medical countermeasures in the FDA's Center for Devices and Radiological Health. "Her expertise and innate understanding of the challenges encountered within different communities and among diverse stakeholders with respect to vulnerability disclosure has been of great benefit to the FDA in further evolving our thinking and our approach to medical device cybersecurity within the healthcare and public health sector. We greatly appreciate the insights she has shared with us to date and indeed look forward to working together with her and other researchers as we continue our efforts.”
Michael Sulmeyer, director of the Belfer Center's Cyber Security Project at the John F. Kennedy School of Government at Harvard University, collaborated with Moussouris on a project he runs at the Belfer Center to reduce the national attack surface in cyberspace. "Katie has become the go-to expert for helping institutions work through the pain and promise of disclosing their vulnerabilities," he says. "She takes her work seriously – but not herself – making her a fantastic colleague. If we listen to Katie, we should all be a little bit safer at the end of the day."
As for her advocacy to block the proposed changes to the Wassenaar Arrangement, Moussouris explains to SC that the amendments add a broad class of controlled technology in order to restrict the export of software used for lawful interception and surveillance, with the stated goal of protecting human rights. "Unfortunately, it also included broad language that swept up tools and techniques that will hinder defenders, who use these tools and techniques to test the security of their systems."
In particular, the focus on "intrusion software technology" is tackling the wrong end of the issue, she says, and is too broad to be effective without fundamentally hindering internet defense and vulnerability disclosure itself. "We will end up needing so many exceptions to the export rules, that the Wassenaar language will be unenforceable as written. We must review this language with experts in vulnerability disclosure and attack tools and techniques in order to correct this."
Vulnerability coordination across multiple vendors on the internet, as in the cases of Heartbleed or Stagefright, is an area that requires more organizations to work together to share vulnerability information before attacks occur, she says. Coordinated deployment of patches and mitigations will become more important, she adds, as complex integrated software, hardware and services face the problem of not just fixing a vulnerability but testing and deploying the update.
"The Android ecosystem is an example, reminding me of the Windows ecosystem before Windows Update existed," she says. "Business models that leave out how their products will be serviced for security updates after release are like people who go out to eat, but say they can't afford the gratuity. Perhaps they should have stayed home. Security today has less of a zero-day problem and more of a patch deployment problem." – Greg Masters