‘Bad Guys’ Winning Cyber War, FCBA Panelists Say
HERSHEY, Pa. -- The “bad guys” are winning the war against U.S. cyber defenses, telecom lawyers were told Friday at the FCBA retreat. If lawmakers don’t step up their game, some experts said they fear the results could be as disastrous as aiming a ballistic missile at America. Some panelists said the February executive order (CD Feb 14 p1) to strengthen defenses was intended to spur cybersecurity legislation.
“The bad guys have software that can get into 90 percent of PCs,” said Phil Mellinger, chief security officer at Trusted Knight, a company that helps clients defeat newly developed malware attacks. A lot of this started from “ex-KGB guys that turned criminal,” he said. Russian organized crime syndicates have begun outsourcing a lot of the work to the Chinese, he said: Cyberattacks are incredibly difficult to prevent. “All you have to do is click on the wrong website one time and you're infected,” he said.
“The bad guys have actually gotten ahead of the entire security industry” by getting into the “fundamental brick” of PCs, said Mellinger. By using rootkit technology, hackers install software that is impossible to clean because it’s running even before the rest of the operating system boots up, he told us. The dirty code is invisible, hiding somewhere in the system. “There’s actually nothing that you can do to get rid of it,” other than reinitializing the computer from scratch, he said. The other option, he said, is just living with the infection, but blocking the nefarious software from logging key-presses or sending data.
The Cyber Intelligence Sharing and Protection Act (CISPA), an information-sharing bill passed by the House, “doesn’t really have much of a chance of getting passed by the Senate,” said John Heitmann, co-chairman of Kelley Drye’s telecom practice group. But the cybersecurity threat is very real, he said: Many people see the threat as potentially causing no less damage than if countries were launching ballistic missiles at the U.S. The executive order identifying infrastructure at the highest risk of attack seemed “designed to catalyze legislation,” said communications litigation and constitutional-law attorney Megan Brown of Wiley Rein. Heitmann agreed that the executive order was intended as a “placeholder” to spur and crystallize legislative issues. Any congressional debate will have to balance the government’s need to share information with privacy protection for corporate America, he said.
There’s a need for federal oversight, Brown said, because without it states will step in and that could make it tough for companies. The burgeoning interest of state regulators is “a consequence of the vacuum of federal direction,” she said: There is a “numerosity of regulators that are going to breathing down their neck.” Without an overarching federal policy, states will get involved, and “that’s a problem” because then companies could have to comply with 50 different sets of regulation, she said.
Stealth malware has “surpassed policy, regulatory and technological controls,” Mellinger said in a handout he passed out to attendees. It’s something he’s never seen before, he told the conference: There are no potential standards or technical solutions to solve this problem. “Let there be no doubt -- assume PCs/devices are compromised,” he said. “This means that any organization that contains PCs/devices is also likely compromised.” -- Matthew Schwartz
FCBA Retreat Notebook
FCBA had to hold a “special historic sequester seminar” during its retreat last weekend, President Laura Phillips told attendees. In practice and as expected (CD May 17 p6), that meant that officials from the FCC and NTIA were nowhere to be found. “The FCC, like all agencies, made decisions, and they cut travel budgets,” said Stan Zenor, FCBA executive director: The association had invited all of the bureau chiefs, and usually “several” attend. “One or two of them wanted to come up on their own funds, but there’s OPM regulations against that,” Zenor told us of the Office of Personnel Management. “They cannot conduct official business with personal funds,” even though they're members of the FCBA anyway, he said. The chiefs notified the association that they couldn’t come 3-4 weeks ago, and Commissioner Jessica Rosenworcel’s office just notified FCBA in the past week, Zenor said. Commissioners can travel, but because there’s no continuing resolution yet, that was an issue precluding Rosenworcel from coming, Zenor said. That canceled the planned hourlong “conversation” with her, he said. “It’s one of those things.” -- MSS
--
The No. 1 obstacle to adoption of mobile payment systems is consumer concern about security, which is “bizarre,” said CEO Jason Oxman of the Electronic Transactions Association, which represents the payments industry. “Everyone in this room knows that the phone is much more secure than the plastic card.” The plastic credit card is “cassette-tape technology,” he said Saturday at the FCBA retreat. “It would take a 14-year-old 30 seconds to counterfeit.” Consumer reluctance isn’t the only thing to blame for lackluster adoption, Oxman said. “There’s a merchant issue as well.” To accept mobile payments, merchants have to upgrade their point of service equipment, he said. That ends up being a limiting factor, as there’s a “chicken and egg question” about whether merchants should upgrade to accept mobile payments, or wait until more consumers demand it, he said. Mobile payments will be helped by a mandated move to EMV chips, panelists said. The chips, built into credit cards, are more secure than the old magnetic stripe. Cards with the chips are compatible with near field communication technology, which is used in mobile devices, said Oxman. So as merchants move to EMV by October 2015, that should help spur mobile adoption, he said. The term EMV comes from the names of the credit card companies that began the process of developing the standard: Europay, MasterCard and Visa.