Melissa Hathaway, former White House cybersecurity adviser and senior adviser at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, said the country needs brilliant lawyers to help solve the cybersecurity problem.
She told an audience of legal professionals at a June 1 ABA Standing Committee on Law and National Security breakfast that she was in Europe on May 12 when the global WannaCry ransomware attack hit almost 300,000 computers in 50 countries. Hathaway said the attackers exploited a vulnerability in aging Windows software that had been left unpatched. WannaCry targeted Britain’s National Health Service, Spain’s Telefónica and large corporations such as FedEx. None of the stolen data has been returned or unlocked for its owners, even in cases where the ransom was paid, she said.
The threat of weaponized cyberattacks is growing, Hathaway said, and it’s no longer a question of if, but when and how pervasive. “The (legal) community needs to really start helping us think through the challenges” of how to protect ourselves from such attacks – especially in the energy, telecommunications and financial systems – the core infrastructure of our economy.
In 2008, following the emergence of Conficker – a computer worm that targeted the Microsoft Windows operating system and infected U.S. core infrastructure – the United States government established the Vulnerability Equities Process (VEP) to help determine whether to withhold or disclose information about computer software security vulnerabilities, mostly for intelligence purposes.
Hathaway said for the past 10 years, VEP was weighted in favor of intelligence gathering for national security purposes, but she would like to see that change. She said cyberattacks like WannaCry demonstrate that we can’t risk the damage to our core economies by not disclosing and repairing vulnerabilities – putting our energy, telecommunications and financial systems at risk.
“I think it’s really time now that we actually have to start to think about the Vulnerability Equities Process in reverse, flip it on its head,” Hathaway said. “We really have to start to look at, ‘to what extent is this vulnerability in the core of our economy? If it’s in the core of those (top 50 companies), we have a responsibility to disclose. We should think about if it’s pervasive in our electric, our telecommunications, our financial systems, are we going to disclose in order to ensure that the economic survivability of the country, the health of our GDP and the free flow of goods, services, data and capital across borders continues? We should be thinking about defense second, economy first.”
Hathaway said the government needs to develop a more responsible disclosure process. “I think it needs to be rigorous, and set up like CFIUS.” The Committee on Foreign Investment in the United States is chaired by the United States Secretary of the Treasury, and includes representatives from 16 U.S. departments and agencies, including the Defense, State and Commerce departments, as well as (most recently) the Department of Homeland Security. “That way, all of the important decision-makers are at the table,” Hathaway said.
Hathaway said another challenge is that for 25 years, we have accepted the practice of “field it first, fix it later” from software manufacturers, a practice known more commonly as Patch Tuesday. “All the providers have been given a bye, and they’re fielding poorly engineered products into the core of all of our businesses, and fixing it later,” she said. “Can we afford to do that anymore as we’re moving into the IoT and we have more and more things connected to the internet?” That leads us to consider product liability, and to stop giving the industry a bye.
The forces at stake are two very healthy markets – the information and communications technology market, worth $3.5 trillion in 2017, and the cybersecurity market that’s fixing all the bad product, worth about $400 billion in 2017. Those two markets will fight vigorously, because neither wants the underlying problem fixed.
“Fixing one will likely eliminate, or at least reduce significantly, their market share over the next several years,” Hathaway said, adding that it must be done – and soon. “We’re making ‘smart’ everything, but it’s really dumb actually, because it’s going to be soon that a 12-year-old can bring down Bank of America, and a 12-year-old can bring down (utility companies), because we’ve fielded the core of our infrastructure with bad products and we’re going to ‘fix it later.’”
Hathaway said lawyers can help figure out the product liability part of the equation. “I don’t have all the answers but we’ve done it in the past,” she said, citing rigorous safety regulations in such areas as the manufacture of food, drugs, electricity and cars, to name a few.
She said an accelerator might be the case of St. Jude Medical, the biggest provider of heart implants and pacemakers in the country. It is recalling 400,000 implants due to a vulnerability that makes it possible to “hack” such devices. The product recall requires surgery to remove the bad implants, and Hathaway said it is likely that some people will die from the surgery.
“We’re going to have to think through this in a responsible way,” Hathaway said. “First, from the government side – the VEP – because we’re sitting on a lot of things that really actually ought to be released for the greater good of our economy, the defense of the nation and our operational posture. Second, we have to fix the problem now, because the problem’s getting much worse and that’s going to require product liability and all the brilliance in this room to help think through that from a national security perspective – because it is a national security crisis on the horizon.”