As Homeland Security Steps Up Cybercrime Fight, Tech Industry Wary : All Tech Considered

The Department of Homeland Security, an agency repeatedly criticized for internal mismanagement and bloat, is the cornerstone of the new White House initiative to fight cybercrime.

STEVE INSKEEP, HOST:

The Department of Homeland Security runs out of money at midnight on Friday. We've been tracking Republican efforts to use agency funding to get President Obama to change his immigration policies. The huge agency is, at the same time, expanding its portfolio to include cybersecurity. NPR's Aarti Shahani reports on the challenge.

AARTI SHAHANI, BYLINE: Cybercrime is just too easy. Often, hackers don't have to be innovative. They can take an attack, copy and paste it.

JOHN SOUTH: If they work fast enough, they can get these pieces of malware into an operation fairly quickly.

SHAHANI: John South is chief security officer at Heartland Payment Systems, which fell prey to one of the biggest credit card hacks in history.

SOUTH: It was well north of - probably north of 100 million.

SHAHANI: And it was an attack that had already hit others, meaning it was known - not new or novel. That was 2008. Since then, financial companies have gotten better at alerting each other, but other industries and across industries - the alert system is pretty bad.

SOUTH: I would say that's probably - sums it up fairly accurately.

SHAHANI: This big problem could be a big opportunity. Imagine a place - a super-smart digital collection bin, where every company, every local and state government agency, could submit a warning. We got hit by this line of code. Don't let it happen to you. The Department of Homeland Security is working to build just that.

PHYLLIS SCHNECK: That's what this is. This is the rock star center.

SHAHANI: Phyllis Schneck is a deputy undersecretary for cybersecurity.

SCHNECK: And we have to do the one thing the adversary can't. And that is connect all the dots, from what the private sector sees, what we in government see and put it together and make it available to every computer on the planet that needs to be protected.

SHAHANI: This is a vision statement - an aspiration. Just a handful of federal rules require sectors like banking and healthcare to report hacks. And most breaches go unreported. Homeland Security is working on a new automated system for public and private entities to use - a shared language to share threat information like specific lines of malware and the unique IP addresses of attacking computers.

SCHNECK: You picture two tin cans and a string - we just want everyone to have the same string and the same type of can.

SHAHANI: It's a technical fix from an agency not known for technical prowess. A recent Senate report says Homeland Security struggles with its own information security. It doesn't warn others about known threats nearly as quickly as private companies like Google do. It failed to patch TSA servers, leaving biometric data on 2 million Americans exposed. Schneck says they're improving.

SCHNECK: I think that DHS is still a very young organization, and every year, I think we add new capabilities.

SHAHANI: Greg Nojeim is a privacy advocate with the Center for Democracy and Technology.

NOJEIM: The alternative to having DHS do the cybersecurity work is that a lot of user data is going to end up in the hands of a military intelligence agency.

SHAHANI: While the National Security Agency is more competent, Nojeim says, it's also got a conflict of interest. When its teams discover holes in software, they don't always tell the software maker. Nojeim says they leave customers at risk of a criminal hacker just so they can stockpile those holes and exploit them for espionage.

NOJEIM: DHS doesn't have that internal conflict of interest.

SHAHANI: Homeland Security also doesn't have buy-in from Silicon Valley, at least not yet.

(SOUNDBITE OF ARCHIVED RECORDING)

JOE SULLIVAN: And so we decided to build what we now call Threat Exchange.

SHAHANI: Joe Sullivan is the chief security officer at Facebook.

(SOUNDBITE OF ARCHIVED RECORDING)

SULLIVAN: And we got it going pretty quickly.

SHAHANI: The company we turn to to friend and like and post is starting a social network for corporate hacking victims - yes, Facebook. Sullivan's onstage at a tech insider conference in San Francisco, recruiting a couple hundred people.

(SOUNDBITE OF ARCHIVED RECORDING)

SULLIVAN: How do I do the sharing in a way that doesn't undermine the trust I'm building with the people who use my service?

SHAHANI: Facebook says it does not provide cyberattack data to Homeland Security and is not participating in the evolving federal initiative. Instead, as Sullivan tells the audience...

(SOUNDBITE OF ARCHIVED RECORDING)

SULLIVAN: Means that we could launch something, hopefully without controversy, that just is a 100 percent positive contribution.

SHAHANI: The platform, called Threat Exchange, has its own Facebook page, which so far has several dozen likes and shares. Homeland Security officials are traveling the country, talking to companies, trying to beat that. Aarti Shahani, NPR News, Silicon Valley.

Copyright © 2015 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.