Sergey Nivens - Fotolia

IT regulators and practitioners need common language

There needs to be greater understanding between lawmakers and technologists to ensure regulations do not have unintended consequences, says a US computer security researcher and bug bounty pioneer

When technical concepts are abstracted into workable language for regulation and laws, typically a lot is lost in translation, according to Katie Moussouris, founder and CEO of Luta Security.

“This is what happened with the [multi-national] Wassenaar Arrangement [on export controls for conventional arms and dual-use goods and technologies],” she told Computer Weekly.

Moussouris was among the official advisors to the US delegation to ask for changes to the Wassenaar Arrangement that resulted in the publication of new export control rules for computer network intrusion software in December 2017.

“It was only when I could go and show them side-by-side the language that they were using to describe what they wanted to export control was the same language I used in the Microsoft mitigation bypass bounty. I explained to them, that certain export controls effectively cut off the potential of Microsoft finding out about these things until they are exploited in the wild.

“These are things that take a very long time to fix. They are architectural-level changes so regulators and law makers need to know who to reach out to for expertise. And it can’t be someone who is ‘familiar' with the technology it can’t even be someone who worked in only one element of the industry.

“It has to be someone who is able to balance how something will affect the ecosystem for large-scale operations, including what kind of burden it will place on the technical practitioners, with how it will affect smaller-scale operations and individual threat models.”

Moussouris, who helped create Microsoft’s first bug bounty programme and the HackerOne’s Hack the Pentagon programme, believes it is important to have a common language between law makers, regulators, technologists and the cyber security community.

Educating policy makers

Like other members of the cyber security community, she is on a mission to educate policy makers and regulators as well as people in local government.  

“The election system in the US, for example, is run by volunteers, so rather than romanticising voting machine hacking type of stuff, we should be focusing on the security of the overall ecosystem of the machines.

“This includes the tallying centres and the machines and devices used by the poll workers who may be using their own devices, which are not very secure and could be affecting the overall results of elections,” said Moussouris.

Another area of concern, she said is governments that are trying to make sure there are backdoors in encryption.

“On the one hand, that harms the big picture ecosystem. We saw this in the crypto wars 20 years ago when the effect of restricting strong encryption was that it forced all the browsers to be able to downgrade their encryption and set the stage for the early commercialisation of the internet to be very insecure, which was an unintended consequence.

“Today, there is not only still that danger that weakening encryption will degrade the overall security of the internet , but on the other hand we are also not taking into account the different kinds of threat models such as domestic violence.”

Secure devices a threat

Secure devices and secure phones especially are threats when it comes to domestic violence victims, said Moussouris. “Having the ability to have strong encryption and software that is used to protect your communications if you are in a domestic violence situation is vital, especially when your physical device could be in the hands of your abuser.

“So there is the broad ecosystem threat model and there is the individual threat model of privacy and safety. And if we overlook both ends of the spectrum when we are creating regulation we are essentially regulating insecurity,” she said.

When Moussouris joined HackerOne in 2014, she identified the importance of doing policy work. “I was seeing a tsunami of policy and regulation, including the Wassenaar Arrangement, so I knew we were about to regulate out the possibility of doing vulnerability coordination and incident response worldwide.

“And that’s in fact what [the Wassenaar Arrangement] was until we got the exemptions put in, but it took us two years to undo because of the rhythm of how these meetings work and getting all stakeholders on board and it has to be 100% agreement,” said Moussouris.

According to Moussouris, the US delegation’s first meeting with the Wassenaar Plenary was about why the language needed to change and why the US could not simply put the exemptions is was asking for in the domestic implementation of the export control.

“This [meeting] was basically painting a picture of global incident response and vulnerability coordination to show that it was not something any one of our countries could handle domestically, which is why it had to be set at the Wassenaar level,” she said.

Read more about incident response

  • Making the most of incident detection and response.
  • Ensure incident response in the face of inevitable messaging leaks.
  • Crafting a cyber security incident response plan, step by step.
  • High performing UK companies with a high level of cyber security maturity are leading in cyber resiliency, but most have to work on operationalising incident response plans.

The US delegation used the example of WannaCry. “We said a lot of the analysis was unfolding in real-time on Twitter. Command and control samples were being exchanged by researchers from all over the world who didn’t know each other.

“This is typical of incident response. This is just how we as a community have grown up and how we work, and so while they thought they had regulated something very specific and that it wasn’t going to interfere with defence and was only going to catch the software and technology they meant to catch, that was a mistake because they did not have people who were working at scale and they did not have people advising them who knew what incident response looked like in the real world,” said Moussouris.

According to Moussouris, an important element to heading off regulations that actually end up making the internet less safe is to have more technology practitioners willing to learn the lingua franca of the regulators.

“We can’t come in guns blazing saying ‘you are all wrong’ and ‘please stop and wipe that off the books’. That is not how it works. Once it has got to that level, you know that you have to work within their constructs. So going in with an attitude that they did this out of pure ignorance or malice is not productive.”

Instead, she said technologists have to go in with the attitude that everyone wants the internet to be safer and that we as they still have a lot to learn about how national security and regulations work in the real world.

“And these are the types of things that I feel like the law makers and the regulators absolutely need more of our help, but at the same time we need ambassadors coming to us as well to teach us about the rhythm of regulation and where we should have influence.”

Interaction with military and government

For this reason, Moussouris said she is spending less time at traditional security conferences in favour of events where she can interact with people in military and government circles who are in a position to read a technical summary and make laws, policies, alliances and strategic decisions.

“I am making sure that I am focusing my efforts on educating this audience about the nuances of the practical world. I need to ensure these audiences get more than a hand wave in understanding this stuff,” she said.

The EU Bug Bounty programme is another example of the fact that more work needs to be done along these lines, said Moussouris.

“The EU heard loud and clear that they should try the bug bounty idea and they decided they were going to focus it on Open Source that is used in governments and they decided to target it through surveying the governments and asking them what open source software they depend on for the purposes of the bug bounty programme,” said Moussouris.

“But they never put it in the budget to add more maintainers [of the open source code] and the maintainers were not really aware that they were being targeted by the bug bounty programme as potential contributors.

“So EU leaders are hearing only half of the message. I want to make sure that more technologists who have experience in working at scale and marginalised groups are involved so that they interact with both  ends of the spectrum to understand the true threat models and the ways that technologists and incident responders really work.”

Read more on IT legislation and regulation