The US Government appears to have recently introduced new surveillance and wiretapping legislation, known as US Section 702, which aims to track down and prosecute cybercrime researchers. This group includes OSINT analysts as well as threat intelligence analysts who obtain access to national security and classified cyber attack information and may use it for research or for their own purposes.
What is US Section 702?
According to the recently released DNI Infographic:
“Section 702 is a key provision of the FISA Amendments Act of 2008 that permits the government to conduct targeted surveillance of foreign persons located outside the United States, with the compelled assistance of electronic communication service providers, to acquire foreign intelligence information. The government uses the information collected under Section 702 to protect the United States and its allies from hostile foreign adversaries, including terrorists, proliferators, and spies, and to inform cybersecurity efforts.”
OPSEC is the way forward
It appears that, with or without the US imposing sanctions against security researchers (a group that also includes vendors capable of obtaining access to sensitive or classified national security cyber threat information), researchers should become more OPSEC (operational security) aware as they bring their expertise to the market.
Basic precautions against what the US intelligence community describes as "4th party collection" include awareness of nation-state attack vectors, the use of VPN service providers, proper zero-knowledge online backups, and basic OPSEC procedures. Such procedures include the proper use of network-based and hardware-based firewalls, so that researchers' networks and endpoints do not fall victim to nation-state CNE (computer network exploitation) attacks.
Instead of the US government imposing sanctions against legitimate and high-profile cybercrime researchers and threat intelligence gathering vendors, a central clearing house type of information repository should be taken into consideration, to which researchers and vendors could feed back sensitive and classified national security cyber attack information.
The ultimate goal here would be to make the sharing of information more efficient and improve the situational awareness of the US government in terms of preventing and responding to current and emerging cyber attack threats.
What exactly is the US Government trying to protect?
Based on the published infographic, the US government seeks to launch surveillance campaigns against vendors and security researchers capable of obtaining access to classified national security cyber attack information. It is also possible that it might launch CNE (computer network exploitation) attack campaigns against the networks and endpoints those researchers use, citing possession of classified information as a national security issue.
With more vendors and novice security researchers joining the cybercrime research field, including the emerging threat intelligence market segment, it shouldn't be surprising that such information is increasingly becoming publicly obtainable. Researchers then aim to make it properly accessible and available for fellow vendors, including the US Government, to take advantage of.
In yet another manual, courtesy of the US DoJ, titled "Legal considerations when gathering online cyber threat intelligence and purchasing data from illicit sources for cyber security purposes," the agency offers practical advice for cyber security practitioners on gathering and processing cybercrime and threat intelligence-related information.
What is the best solution?
Chasing down legitimate researchers who are themselves tracking down and stopping the bad guys, instead of building a central clearing house for threat intelligence information, might not be the best way to protect US national security against cyber attacks.
Instead, an industry and academic sector outreach program should be established, including a central clearing house for threat intelligence information, offering incentives for researchers and vendors to join the initiative with their own know-how and methodologies for tracking down and monitoring threat actors.