<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="post-copy">
<p>
<blockquote type="cite">The news of CMU’s possible assistance in
compromising Tor’s most critical feature, anonymity, presents
an opportunity for many to attack the integrity of CERT/CC and
the researchers at the Software Engineering Institute. Bruce
Schneier and others have been quick to point out that this
incident has erased (or at least greatly diminished) CERT/CC’s
hard-earned reputation as an honest broker. It is certain to
be a warning to other CSIRTs around the world that they should
transparently define their relationships with law enforcement
agencies.</blockquote>
</p>
<p>From Just Security (legal):<br>
<br>
<a class="moz-txt-link-freetext" href="https://www.justsecurity.org/28343/fbi-stop-undermining-norms-root/">https://www.justsecurity.org/28343/fbi-stop-undermining-norms-root/</a><br>
</p>
<p>Reports surfaced last month suggesting that Carnegie Mellon
University (CMU) <a
href="https://www.schneier.com/blog/archives/2015/11/did_carnegie-me.html">has
been helping</a> the FBI crack Tor, the secure browsing
application used by privacy-conscious Internet users for both
legal and illegal activities. Normally, an academic institution
assisting law enforcement in fighting crime wouldn’t raise any
eyebrows, particularly if that assistance came in the form of
responding to subpoenas. But this isn’t your average case.
Beyond the complicated (and unclear) set of facts involved, CMU
houses the Computer Emergency Response Team Coordination Center
(CERT/CC), one of the world’s most important hubs for
coordinating information about various cybersecurity
vulnerabilities and attacks.</p>
<p>More than a month after the news first broke, the details are
murky at best. Tor has <a
href="https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users">alleged</a>
that the FBI paid CMU to crack the system’s anonymity feature in
exchange for payment. CMU’s <a
href="https://www.cmu.edu/news/stories/archives/2015/november/media-statement.html">own
statement</a> about the incident says that many of the media
reports have been inaccurate, but acknowledges that the
university — and by extension CERT/CC — complies with valid
subpoenas that it receives (as it must). It also said that it
receives “no funding for compliance.” The FBI has <a
href="http://www.forbes.com/sites/thomasbrewster/2015/11/18/fbi-cmu-tor-million-dollar-payment-innacurate/">said</a>
that reports on the payment are inaccurate, but stopped short of
saying no payment was made. And Tor has <a
href="http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-breaking-research/">responded</a>
by saying that these vague responses raise a whole host of
questions on their own.</p>
<p>The public saga leading up to the recent accusations began in
July 2014, when Ed Felten, the then-director of Princeton’s
Center for Information Technology Policy, <a
href="https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/">noted</a>
that CERT/CC researchers at CMU had submitted a presentation
abstract to organizers of the Black Hat security conference
discussing a new vulnerability they had found in Tor. The timing
of CERT/CC’s pitch to Black Hat aligned with a large-scale
attack on Tor that lasted from January to July 2014, during
which CERT/CC researchers shared only “hints” about the
vulnerability they had discovered. As for the abstract, it was
abruptly withdrawn in July when CMU failed to approve the
content of the talk for public release.</p>
<p>Eyebrows were again raised in January 2015, <a
href="http://arstechnica.com/tech-policy/2015/01/did-feds-mount-a-sustained-attack-on-tor-to-decloak-crime-suspects/">after
the arrest</a> of a man who allegedly helped run Silk Road
2.0, a large online trading post on the dark web whose visitors
often use Tor to access the site. At the time, some speculated
that his arrest was tied to the attack against Tor in the first
half of 2014.</p>
<p>Most recently, in mid-November, Tor accused CMU of accepting
payment and assisting the FBI — in ways that indicate a warrant
was not involved — to “attack hidden services users in a broad
sweep, and then sift through their data to find people.” These
allegations are hugely problematic for CERT/CC. As an <a
href="http://www.cert.org/about/">entity that espouses</a> to
be “a trusted, authoritative organization dedicated to improving
the security of computer systems and networks,” finding and not
disclosing vulnerabilities is a good way to undermine that
trust. Exploiting those vulnerabilities is even worse.</p>
<p>But let’s take a step back for a moment. Why, beyond the
obvious privacy concerns raised by Tor, is this such a big deal?
</p>
<p>CERT/CC, and indeed the Computer Security Incident Response
Team (CSIRT) <a
href="https://www.newamerica.org/cybersecurity-initiative/csirt-basics-for-policy-makers/">community
as a whole</a>, is a pillar of global cybersecurity. (CSIRT is
another term often used to describe the type of organization
CERT/CC is.) Generally, CSIRTs are responsible for receiving,
reviewing, and responding to computer security incident reports
from a set of clients, which can include government agencies,
private companies, security researchers, and ordinary Internet
users.</p>
<p>Since the late 1980s, CERT/CC, as the name suggests, has been a
major coordination center for global CSIRT activities. As a
result, it has access to a wide array of incident information
and vulnerabilities, which could, hypothetically, be used to
help crack Tor’s anonymity feature. In addition, the
organization — initially funded as a DARPA project and <a
href="http://www.cert.org/faq/">still funded</a> with federal
money — is largely transnational in nature and serves as the
secretariat for national CSIRTs, more than 100 of which are
distributed across the globe.</p>
<p>CSIRTs are increasingly referenced in international discussions
as a key component in efforts to build global capacity to combat
cybersecurity threats and develop norms of behavior among
nations in the cyber realm. For example, the United Nations
Group of Governmental Experts on cybersecurity <a
href="http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174">suggested</a>
this summer that special teams authorized to respond to
cybersecurity incidents, such as CSIRTs, should not be used to
“engage in malicious international activity” and should not be
the target of attacks. If CSIRTs are to be held out as off
limits, they need to be impartial (like, say, <a
href="http://time.com/3713226/red-cross-cyberspace/">the Red
Cross</a>) and cannot be political actors, lest they become
legitimate targets.</p>
<p>CERT/CC, and many other CSIRTs around the world, collect
information that can be very useful for both identifying and
capturing criminals. They <a
href="https://www.newamerica.org/cybersecurity-initiative/csirt-basics-for-policy-makers/">rely
heavily</a> on the trust incident reporters and vulnerability
researchers have in the CSIRTs, trust that is garnered after
developing close ties with the constituencies they serve. When a
CSIRT is discovered, or even rumored, to be acting in a way that
is negligent or undermines network security of perfectly legal
services, this bond of trust is fractured. Less trust means less
information for CSIRTs.</p>
<p>To pour salt on the wound, the controversy around the latest
story undermines the effectiveness of CERT/CC both to carry out
its own duties and to assist the FBI in the future. Though it is
often not explicit in documentation, a relationship between
CSIRTs and law enforcement agencies is often assumed. Indeed,
such cooperation can be helpful for both law enforcement and
CSIRTs. Law enforcement can obtain important technical
information about incidents from CSIRTs, which in turn helps law
enforcement identify and pursue cyber-criminals. On the
flipside, some industries (particularly in the US) have close
relationships with law enforcement that result in law
enforcement becoming an important reporter of incidents to the
CSIRT. But if these two types of bodies are to have close
working relationships, they should follow explicit and
transparent guidelines in accordance with due process. If the
FBI is engaging with CSIRTs to essentially break a feature of
Internet security en masse, it is making its own life more
difficult down the line by removing the legitimacy of a key ally
in cyber criminal investigations.</p>
<p>To be clear: This is not an indictment of CSIRTs working with
law enforcement. As I explain in detail with my colleagues
Isabel Skierka, Mirko Hohmann, and Tim Maurer in <a
href="https://static.newamerica.org/attachments/11916-national-csirts-and-their-role-in-computer-security-incident-response/CSIRTs-incident-response_11-2015.d66cfc29c2d642258110859b27a649b1.pdf">our
recent report</a>, cooperation between CSIRTs and law
enforcement is not necessarily a bad thing. A comprehensive
approach to addressing cybercrime would ideally meld the
technical expertise and access CSIRTs have painstakingly
developed with traditional law enforcement expertise found in
agencies like the FBI. In fact, many national-level CSIRTs
actually sit within law enforcement, intelligence, or national
security organizations or have formal liaisons with those
agencies.</p>
<p>Indeed, most in the CSIRT community seem ready to accept that
CSIRTs have reached a point in their maturity where a formal,
transparent relationship with law enforcement is practicable.
This is because the quandary facing CSIRTs is one that has
pervaded the American intelligence community for decades: Some
activities simply do not pass the front-page test, meaning that
some actions, when they come to light, will hurt the reputation
of the organization. As New America Cybersecurity Fellow and
Georgia Tech professor Peter Swire <a
href="https://www.newamerica.org/new-america/the-declining-half-life-of-secrets/">wrote
earlier this year</a>, the half-life of secrets is
diminishing, and interactions like CERT/CC’s with the FBI are
likely to become known much sooner than they would in the past.
For the CSIRT community, which relies so heavily on trust for
effectiveness, keeping their relationships with the government
secret will be extremely difficult and may undermine their
reputations once those relationships come to light.</p>
<p>The news of CMU’s possible assistance in compromising Tor’s
most critical feature, anonymity, presents an opportunity for
many to attack the integrity of CERT/CC and the researchers at
the Software Engineering Institute. <a
href="https://www.schneier.com/blog/archives/2015/11/did_carnegie-me.html">Bruce
Schneier</a> and <a
href="http://blog.cryptographyengineering.com/2015/11/why-tor-attack-matters.html">others</a>
have been quick to point out that this incident has erased (or
at least greatly diminished) CERT/CC’s hard-earned reputation as
an honest broker. It is certain to be a warning to other CSIRTs
around the world that they should transparently define their
relationships with law enforcement agencies.</p>
<p>Regardless of how fault should be apportioned in this
particular instance, the news comes as part of a larger trend in
the CSIRT community. Once relatively apolitical, these technical
teams are undergoing a process of politicization. National level
CSIRTs, many of which once resided outside of government in
academic institutions and non-governmental organizations, are
being pulled into government structures. At the same time, their
relationships with law enforcement agencies are becoming closer
and (to those outside of the agencies) more opaque.</p>
<p>What can be done to protect the credibility and neutrality of
these important pillars in the network security ecosystem? The
recommendations we outline in our report provide a roadmap:</p>
<ul>
<li>The first step to protect trust in these teams is to reverse
the recent trend and <em>not</em> place them under the
control of law enforcement and intelligence agencies. Such
agencies are incentivized to use the tools at their disposal
to investigate crime, collect intelligence, and pursue threat
groups, and thus will often disregard the apolitical
information coordination role CSIRTs play.</li>
</ul>
<ul>
<li>Second, CSIRTs and law enforcement must more transparently
define the terms of their cooperation, including how and under
what circumstances they interact. They should also clearly
define what kinds of information and expertise are exchanged
and what direction(s) shared information flows.</li>
</ul>
<ul>
<li>Third, for CSIRTs to remain trusted brokers, they must
clarify their mandates and missions. Traditionally, a CSIRT
has placed remediating damage from incidents and returning
systems to operation as top priorities. Is this still the
case, or is CSIRT expertise being poured into combating
cybercrime and assisting law enforcement agencies in
developing tools and methods to discover criminals?</li>
</ul>
<p>Finally, though not included in our recommendations in the
report, to recover the trust it has recently lost, CERT/CC’s
mission and role needs to be clearly defined by the organization
itself, its funders, its partners, and its constituency. Is it
essentially a second US national CSIRT alongside the Department
of Homeland Security’s <a href="https://www.us-cert.gov/">US-CERT</a>,
or is it something closer to a private CSIRT that plays a role
in maintaining global cybersecurity? If it is a global,
non-government CSIRT, transparently defining its relationship
with law enforcement, intelligence, and other political actors —
both inside and outside the US — is all the more important.</p>
<p>In the end, the actions of the computer security professionals
at CERT/CC who allegedly aided the FBI are somewhat
understandable. Their overarching goal is to secure computer
systems. The traditional CSIRT approach focuses on technical
identification and remediation of incidents, in addition to
promoting technical measures to protect systems from attacks in
the first place. The goal of law enforcement bodies in
cybersecurity is to lend a helping hand in preventing attacks
from taking place by rounding up the likely and past
perpetrators. That aligns with the CSIRT community’s goal. But
the allegations of the researchers’ work (the cybersecurity
applicability of which is dubious at best) to crack Tor
demonstrate the damage that can be done when a CSIRT’s
interaction with law enforcement is not openly and strictly
governed.</p>
<p>The controversy surrounding this story represents something
much larger than the alleged incident. CSIRTs are meant to be
apolitical actors concentrating on computer and network
security. The ramifications of politicization and muddied
mandates could permeate up to states’ efforts to develop
international norms of behavior in cyberspace, like those <a
href="https://ccdcoe.org/2015-un-gge-report-major-players-recommending-norms-behaviour-highlighting-aspects-international-l-0.html">outlined</a>
by the UN Group of Governmental Experts, that rely on the
integrity and independence of global CSIRTs. By undermining
these norms before they take root, the FBI, and by extension the
US government, undermine their own efforts to promote an open
and secure cyberspace through norms for responsible state
behavior.</p>
</div>
About the Author<br>
<br>
Robert Morgus is a Policy Analyst with New America’s Cybersecurity
Initiative and International Security Program. You can follow him on
Twitter (@robmorgus). <br>
<pre class="moz-signature" cols="72">--
RR
"You might want to ask an expert about that - I just fiddled around
with mine until it worked..."</pre>
</body>
</html>