U.S. cyberattacker sanctions program causes stir on social media

News roundup: President Obama's executive order allowing sanctions on cyberattackers has been met with mixed reaction. Plus: Threat intelligence perception versus reality; healthcare breach consequences; Verizon tosses supercookie.

President Barack H. Obama issued an executive order Wednesday authorizing the Secretary of the Treasury to impose sanctions on individuals and entities responsible for cyberattacks against the United States.

What was momentarily mistaken for an April Fools' Day joke was quickly both praised and criticized across social media, and the long-term consequences of the sanctions program were ultimately questioned.

Special Assistant to the President and Cybersecurity Coordinator Michael Daniel explained the who, what, where, when and how of the executive order in a blog post.

Under the executive order, Treasury Secretary Jack Lew can impose sanctions on any cyberattacker involved in or responsible for cyber-related activities, including:

  • Harming or compromising the provision of services in a critical infrastructure sector;
  • Disrupting the availability of computers/networks (for example, through a distributed denial-of-service attack);
  • Misappropriating funds, resources, trade secrets, financial data, etc., for commercial or competitive advantage or personal financial gain; and
  • Receiving or using trade secrets stolen by cyberattackers.

Sanctions include freezing the cyberattacker's assets, preventing cyberattackers from doing business with United States companies, and restricting cyberattackers from entering the country or accessing the U.S. financial system.

Many see the executive order as beneficial and necessary. CrowdStrike Inc. co-founder and CTO Dmitri Alperovitch called it a "huge leap forward" in the effort to punish cyberattackers threatening national and economic security.

Others were a bit more skeptical about the program, wondering what repercussions the U.S. may face because of it.

Some questioned what effect it would have on security researchers and ethical hackers, whose activity can often look like that of cyberattackers.

Errata Security researcher Robert Graham also noted that Obama's executive order is just a preview of things to come.

And, of course, people took time to find some humor in the situation.

In other news

  • A Ponemon Institute LLC report released Tuesday reveals that organizations recognize the importance of threat intelligence for enterprise defense but question its reliability. The Importance of Cyber Threat Intelligence to a Strong Security Posture, commissioned by Webroot Inc., surveyed 693 IT and IT security practitioners in the U.S., 61% of whom work at companies on the Fortune 1,000, Global 2,000 or Forbes Largest Private Companies lists. Sixty-seven percent of respondents said the benefits of threat intelligence outweigh the costs, and more than 50% believe it is essential to a strong security posture. Yet satisfaction with threat intelligence is low: respondents said the data is not timely, does not provide enough context to be actionable, and comes from sources whose trustworthiness they question.
  • A survey from TransUnion Healthcare released last week found that 65% of respondents would avoid a healthcare provider if it had experienced a data breach. The study, which surveyed 1,228 U.S. consumers, revealed that 73% of patients aged 18 to 24 and 36% of patients over the age of 55 would switch providers if theirs experienced a breach. The survey also found that 77% of users expect to be notified within three days of a breach. Those polled also expected to receive one year of free credit monitoring after a breach (72%), a dedicated phone hotline for breach-related questions (59%), and a dedicated website with additional details (55%).
  • Verizon Wireless is now allowing users to opt out of -- and remove -- the controversial persistent cookie the company came under fire for last fall. Verizon added the undeletable unique identifier to the Web traffic of its mobile users as part of a marketing program in October. The company updated its Relevant Mobile Advertising Program Tuesday to reflect the changes. Verizon announced in January an opt-out option for the marketing program, but customers were unable to delete the identifier. As of Tuesday, Verizon updated its systems and no longer inserts the unique identifier after a customer opts out of the program. However, Jacob Hoffman-Andrews, senior staff technologist for the Electronic Frontier Foundation, believes Verizon's actions aren't enough. "Verizon should discontinue its header injection program," Hoffman-Andrews told the New York Times, "or at a minimum make it opt-in." Customers can opt out of the program by calling 866-211-0874 or visiting the company's website.
