Cyber Round Up: Reworked NYS Cyber Regs; Obama Officials on Trump’s Cyber EO; DC’s Security Cameras Hacked at Inauguration
- Reworked N.Y. Cybersecurity Regulation Takes Effect in March (Bank Info Security): New York’s controversial cybersecurity regulations will take effect March 1, 2017. A recent article discussed the revised regulation and how it is the first of its kind. NY Governor Andrew Cuomo stressed that the state is the financial capital of the world and that information security is crucial. The regulations include obligations such as requiring financial and insurance institutions to retain a Chief Information Security Officer, report cybersecurity incidents within 72 hours, and use multiple factors for authentication, the article says. The requirements posed by the bill are a scaled-back version of what was originally proposed, according to the article, after widespread pushback from an industry that said the burdens of implementation were too steep. The full article and analysis of the regulations can be found here.
- Obama officials: There’s hope for cybersecurity under Trump (CSM): While debate swirls around the multiple draft versions of President Trump’s cyber security Executive Order, some people say there is no reason to worry. In fact, according to a recent article, former Obama officials say there’s hope for cyber security under Trump and that his draft EO borrows many ideas from the Obama administration. One important component, according to the article, is the directive ordering DOJ and DHS to collaborate on the protection of critical infrastructure. Other analysts say that the coherent cyber policies across both administrations represent an effective transition on this topic, the article says. The full report can be read here.
- Cyber security expert weighs in on DC security camera hack (Fox 5 DC): Reports suggest that prior to inauguration day, the nation’s capital had its system of security cameras hacked, although officials are saying little to nothing about the “who” and “how”. According to one recent article, infiltrating a system such as DC’s security cameras is not as complex as one may think. Anup Ghosh, founder and CEO of a Virginia antivirus company, said that one email can do the trick, the article reported. The DC hack was reported to be ransomware, but officials say that no money was paid to the hackers. The full article can be read here.
Cyber Round Up: Clippinger on Blockchain; Microsoft wants ‘Digital Geneva’; House Chairman paints bleak cyber picture
- Blockchain, Burning Man, and the Future of Governance: A Conversation with John Clippinger (Forbes): An article this morning by Robert Wolcott, Co-Founder and Executive Director of the Kellogg Innovation Network at Northwestern University, discusses Wolcott’s conversation with John Clippinger, who is the founder of the Institute for Data-Driven Design and a research scientist at MIT. One topic of the conversation was blockchain and Clippinger’s view of governance in the digital age. The summary of the discussion covers the numerous sources from which Clippinger develops his views of governance, which include the belief that everyone is a stakeholder in the digital age and that the approach shouldn’t be top-down. The article cites blockchain as an area in which Clippinger was ahead of the curve, and as a way to involve all the necessary stakeholders in governance. The full summary, which includes a video of the conversation, can be found here.
- Microsoft president touts ‘Digital Geneva Convention’ during cybersecurity keynote speech (Washington Times): An article earlier this week reported that Brad Smith, Microsoft’s president, called for world leaders to establish a cyber version of the Geneva Convention to protect individuals from state-sponsored cyber attacks. The article said that Smith emphasized how the Geneva Conventions have been added to and modified to adapt with the times, and that another one is needed now in the digital age. The article quotes Smith as also stressing the need for technology companies to play a role in this new Digital Geneva, just as the Red Cross plays a role in the existing conventions. The full article can be found here.
- DHS chairman paints bleak cybersecurity picture (Threat Post): Another report coming out of the RSA Conference this week in San Francisco says that some government officials are not too confident in the nation’s cyber security. Rep. Michael McCaul (R-TX), the chair of the House Committee on Homeland Security, says that we are in the fight of our “digital lives” and we are not winning, the article says. McCaul echoed the popular calls for cooperation between the public and private sectors, and stressed that offensive cyber tools are far outnumbering those on the defensive side. Notably, McCaul also called for the creation of a stronger cyber agency within DHS. The rest of McCaul’s comments can be read here.
Cyber Round Up: IBM turns Watson into cyber weapon; Army introduces cyber fast track; Details on China’s new cyber law
- IBM Turns Watson Into A Cybersecurity Weapon Amid White House Interest (Forbes): IBM’s large investment in its cognitive software Watson has expanded into the cyber security field, a recent report says. Watson has the ability to read millions of documents and huge quantities of information and produce an analysis that humans cannot, the article said. This ability is now being applied to some organizations’ cyber needs, as 50 of IBM’s customers have been using the technology this way. IBM touts the program as being able to add a layer of defense and proactively find breaches and hacking attempts that would otherwise go unnoticed, according to the article. IBM is offering a free trial followed by what would be a premium software upgrade, and hopes that the Trump Administration could be a potential business partner moving forward. The full article can be read here.
- U.S. Army Introduces Cyber Fast Track for Civilians (AFCEA): A blog post yesterday suggests that the U.S. Army is taking steps to increase its cyber workforce. The post explained that the program could potentially allow civilians to bypass some requirements and be directly commissioned into the service with a rank as high as colonel. The Department of Defense as a whole has asked the service branches to submit ideas for the future, but the Army is expediting the process, the article said. The Army’s recent bug bounty program showed the need for better cyber security. The article also said that which skill sets will be targeted requires further discussion. The full article can be read here.
- China Reveals More Details on Its Impending Cyber Security Law (Forbes): Late last year, China passed a long-awaited cyber security bill that added requirements for “network operators”, including the implementation of internal security systems. An article yesterday went more in depth, explaining what the details of the law consist of. The Cyber Administration of China first requires a review of critical structure information systems, the report says. The new details about the law also show that China will have a Network Security Inspection Committee, and expand on security requirements for systems affecting public interest and national security. The full article summarizing the new information can be read here.
Americans don’t trust institutions to protect their personal data, but neglect cybersecurity in own lives – Pew Report
The Pew Research Center recently released an in-depth report analyzing how the average American feels about cybersecurity. The study consisted of several surveys regarding how Americans feel about certain cyber issues. The report says that 64% of Americans have personally been involved in a major data breach. As a result, about half of Americans do not trust either the government or other websites to be able to protect their personal information. Perhaps not surprisingly, the report also revealed that many Americans do not follow good cyber security practices in their own lives, particularly with mobile devices. The report also suggests that cyber security is not a top priority for many Americans. The full report is included below.
Cyber Round Up: Revised Cyber Executive Order; FBI says no change to encryption policy; FTC to test control over IoT manufacturers
- Trump cybersecurity order morphs into 2,200-plus-word extravaganza (The Register): The revised version of President Trump’s Executive Order on cyber security has broken the mold, a recent report says. Executive Orders are normally concise and set forth general policy objectives, but this one is over two thousand words and calls for 10 different reports, the article said. The author compared this draft to one from President Obama, which was very long at over 3,000 words but only called for 3 reports. The article suggests that the detail-oriented order reflects policy making by those with little experience. The full article, which explains each report ordered, can be found here. The text of the draft was posted by Lawfare and can be read here.
- FBI official: No immediate change to encryption policy under Trump (The Hill): Anyone hoping for changes to the government’s encryption policy shouldn’t hold their breath, a report earlier this week said. FBI attorney James Baker said that changes have been discussed, but no major policy adjustments are expected in the near future. In 2015, during the heat of the Apple v. FBI debate, Trump called for Apple to aid the FBI in its investigation. The article was written following an encryption event hosted by CSIS, where there was a consensus among panelists that encryption needs to be addressed in advance of another incident like the San Bernardino shooting. The full article can be read here.
- Federal Trade Commission Case Will Test Its Power in Internet of Things Space (National Law Review): Recent action in federal court in California will test the ability of the Federal Trade Commission (FTC) to regulate manufacturers of Internet of Things devices, an article today said. The FTC filed a complaint in the Northern District of California against D-Link and its US subsidiary, the article said. The complaint alleges that D-Link failed to take reasonable steps to protect its devices from “widely known and reasonably foreseeable risks of unauthorized access.” While the complaint does not allege any actual harm arising from the security lapses, if the FTC prevails, IoT device manufacturers would suffer a big loss, the article suggests, because the mere existence of security flaws could render them liable. The full commentary can be read here.
Cyber Round Up: NSA Contractor Indicted for Data Theft; NATO releases new cyber guidelines; DHS to showcase cyber products
- NSA contractor indicted over mammoth theft of classified data (Reuters): A former contractor for the National Security Agency was indicted on charges of willfully retaining national defense information, a report yesterday said. The data theft could be the biggest ever, according to the article, but it is unclear what, if anything, was done with the information. Harold Thomas Martin had been taking classified information for over 20 years, the report said, and faces 20 criminal counts, each carrying a maximum of 10 years in prison. Martin worked for Booz Allen Hamilton, the same contractor that employed Edward Snowden. The full article can be found here.
- NATO releases new guide for international cyber laws (The Hill): NATO released the first major revision to the Tallinn Manual yesterday, a report from The Hill said. The guidelines are the closest thing to a rule book for applying international law to the world of cyber, the article suggested. While the first version focused on appropriate statecraft during times of war, the new edition has added legal analysis on peacetime. The full article can be read here, and more information about the Tallinn Manual itself can be found here.
- DHS scientists to show AI-backed cybersecurity at RSA conference (CyberScoop): DHS officials will be participating at the RSA conference next week to showcase some of their new cybersecurity technology, a report earlier this week said. Much of the technology is backed by Artificial Intelligence and is said to be market ready. The technology was developed as part of DHS’s Transition to Practice program, in which the department finds technologies in private-sector labs and helps develop them to address gaps in the commercial cybersecurity market. The full article, including an explanation of some of the products, can be found here.
- Big changes in Trump’s cybersecurity executive order (CNN): Reports Tuesday that President Trump would be signing an Executive Order addressing cyber policies ultimately ended with him just discussing the content of the order with his lead advisers, according to a CNN article. The report says that major changes are coming to the way the U.S. does cyber, including consolidating responsibility within one government office. Trump said that agency officials will be held accountable for their agency’s cyber security, the report suggests. The EO also calls for better coordination with the government, military, and schools, suggesting that the cybersecurity problem today has a component that can be fixed with increased education. A draft of the Executive Order obtained by CNN is included in this post. The full text of the article can be read here.
- Politicians should stay out of cybersecurity market (R Street): Discussion of the development of an insurance market for cyber security has led to a call by some for politicians to stay out of the way, an op-ed piece yesterday suggested. The opinion laid out some instances where ransomware attacks have held institutions hostage, and the institutions ultimately ended up paying the price to regain control of their systems. Cyber insurance has value for the secondary and tertiary costs of a breach, the author said, including consumer notification, credit monitoring, fines, and even business interruption. The author argues, however, that only the wealth of knowledge and flexibility available in the private markets is enough to properly manage the cyber insurance industry, not government officials. The full text of the article can be found here.
- Mozilla confirms half of web is encrypted - but does that mean greater security? (Computer Business Review): A recent article questioned whether increased encryption is really good for security. Mozilla announced after a two-week study that about half the internet is now encrypted, the article said, meaning content was being delivered through HTTPS instead of just HTTP. The article quotes experts who argue that encryption creates tunnels that simply provide a hiding spot for those with malicious intent if businesses are not prepared enough. The article presented one compelling statistic: some experts believe as much as 70% of future attacks will occur over encrypted channels. The full article can be found here.
Several weeks ago, this blog reported on a letter advocating that now-President Trump consider using blockchain. That post included a guide to blockchain and how it works, particularly in its most common form, bitcoin.
Apparently the Chinese find merit in that idea, as a recent report says that they have begun to utilize blockchain technology. An article from Reuters says the Chinese government is pushing blockchain in order to combat fraud in its financial sector and to make things more transparent. Demand for the technology doubled last year and is expected to continue to grow. The article also says that the Chinese are playing catch-up to Western markets that are further along in blockchain investments. Chinese banks and headhunters are offering salaries of up to $175,000 for tech executives who know how to implement blockchain, according to the article. The full text of the article can be found here.
2009 v. 2017 in Cybersecurity: Comparing Recommendations for 44th and 45th Presidencies from The Center for Strategic and International Studies
The Center for Strategic and International Studies (CSIS) produced a cybersecurity report in December 2008 for the 44th Presidency (CSIS-44) and built on that to produce a report in January of 2017 for the 45th Presidency (CSIS-45). What follows is a limited comparison between the two reports.
Policy: CSIS-44 touted increased use of public-private partnerships and the various benefits that could be derived therefrom. CSIS-45 recognizes the cold hard reality that those partnerships simply failed to materialize and delivered very little (if any) value to our cybersecurity posture. CSIS-45 goes so far as to say that this type of approach, which merely “encourages” cooperation, is doomed to fail since it neither mirrors market realities nor carries any stick (ergo the private sector will only act if market forces dictate action or if action is mandated via regulations, etc.).
Another lesson learned from CSIS-44 was the attempt to focus on authentication and digital identities. CSIS-45 acknowledges that programs such as the National Strategy for Trusted Identities in Cyberspace (NSTIC) were grandiose in vision and lackluster in practice.
One other area covered here is the need for a national data breach policy. CSIS-45 postulates that a federal data breach policy will enhance security since entities will understand their requirements and the policies and procedures they must implement.
Take-away: ideas and vision are wonderful; however, if there is no mechanism for regulation or enforcement, they are unlikely to come to fruition. Thus, the current Administration needs to recognize the bounds and limits of its influence and work with (rather than against) the legislative branch to effect the best possible outcomes. With respect to national data breach legislation, I agree that it is important; however, I don’t think it is as significant a cybersecurity issue as CSIS-45 postulates. Not everything that moves from the state level to the federal level is wiser or more efficient. In some respects, states and localities may have more flexible and tailored data breach notification rules than a one-size-fits-all approach would allow. A single standard would certainly be easier, but it is not clear how data breach notification rules applied federally will in and of themselves create a higher level of cybersecurity. For instance, what if a locale currently has a very stringent data breach policy and the federal policy is less stringent? In such a case, wouldn’t the result be decreased cybersecurity?
Encryption: CSIS-45 includes several paragraphs on encryption and discusses the need to balance the national security implications of privacy, security, and innovation. One would have thought that the various issues surrounding the infamous Clipper chip, coupled with the latest FBI/iPhone “All Writs Act” court case, would have made encryption a more prominent topic in CSIS-45 and would have warranted at least a mention in CSIS-44. With respect to breaches and exfiltration of PII, one could argue that encryption is at the very heart of any discussion; interestingly, however, while some specific vulnerabilities are raised, scant attention is paid to this.
Cyber Round Up: Senate approves tech bills; Microsoft survives appeal; Russia arrests top cyber expert accused of treason
- Senate panel approves slew of tech bills (The Hill): A Senate committee approved seven technology-focused bills yesterday, according to a recent report. The Senate Commerce Committee’s first action in the 115th Congress included a stamp of approval on a bill related to the Internet of Things, the article said. The Developing Innovation and Growing the Internet of Things (DIGIT) Act is one of Congress’ first efforts to address the challenges posed by connected devices. The article says that one component of the bill is the development of a working group to help establish best practices for IoT products moving forward. The full text of the article can be found here. The bill can be read in its entirety on the right.
- Microsoft victory in overseas email seizure case is upheld (Reuters): Microsoft survived in an appeals court yesterday as a split court refused to review its decision not to force Microsoft to turn over emails in a drug investigation, Reuters reported. The 2nd Circuit’s 4-4 split was a win for privacy advocates, the article suggested. The court held last summer that Microsoft would not be required to turn over emails stored in Ireland, as they were beyond the reach of domestic warrants authorized by the Stored Communications Act. The dissenting opinions in the case said the location of the files is irrelevant because Microsoft is a U.S. company. The full article can be found here, and the opinion is included below.
- Russia arrests top cyber security expert amid allegations of treason (The Telegraph): Reports today claim that a top cyber security official at a Russia-based firm has been arrested for alleged involvement in a bribery scheme with foreign officials. The article says that Kaspersky Lab confirmed the arrest of Ruslan Stoyanov, the head of its computer incident investigations team, but distanced the firm itself from the allegations. Mr. Stoyanov previously worked for the Russian government’s cyber crime unit in the early 2000s, the article says. The scheme involves an attempt to bribe a government official who was also arrested, although the foreign nation allegedly involved is unknown, the article reports. The full details of the event can be found here.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
Christopher W. Folk
is a second year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high-tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering and, in addition to being a full-time student, is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.
Ryan D. White
Ryan is currently a second year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.
Anna Maria Castillo
is a third year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor in the Syracuse Law Review.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.