Opinion: Judith Germano recently wrote an article in Forbes entitled “Proposed NY Cybersecurity Regulation: A Giant Leap Backward?” We covered these Proposed Department of Financial Services Regulations (“DFS”) in a couple of previous posts; “N.Y. Regulators Consider Cybersecurity Requirements for Banks and Insurers” and “New York: Proposed Regulations for Cybersecurity come up Short” and some of the insights in Germano’s article are similar to positions that we posited. However, our analysis differed in a few key areas. Germano’s article states that mandates imposed at the state level make things too difficult for businesses, resulting in a patchwork of rules and regulations that vary across jurisdictions. Germano also argues that this makes it difficult to do business and that trying to keep track of these myriad regulations is fractured and ineffective.
President Obama’s Commission on Enhancing National Cybersecurity that was created earlier this year released its final report yesterday. One article discussing the report said it consists of 16 recommendations, including further cooperation between the government and private sector, a cyber security ambassador to the international community, and more “top-down” solutions to cyber that remove the burden from the general public. The full 100-page report, as well as a statement from President Obama, can be seen or downloaded below.
Cyber Round Up: Obama Cyber Security Commission to Release Final Report; Amazon Unveils Cyber Security Service; US and Israel Aim to Cooperate on Cyber Research
- Obama cybersecurity commission to present final report Friday (The Hill): Today will be the final piece of work from President Obama’s Cybersecurity Commission, an earlier report stated. The commission, which was created earlier this year by an Executive Order, has held six meetings on cybersecurity. It consists of 12 experts from the public and private sectors as well as academia. The report, which addresses six different threats and potential solutions, will be posted on this site once it is released to the public after it is presented to the President. The full text of the article can be found here.
- Amazon Cloud Computing Division Unveils New Cyber Security Service (WSJ): Amazon has launched a service to help counter attacks like the one last month that crippled websites across the U.S., a recent report says. AWS Shield will now protect customers from DDoS attacks. Amazon has two different products, the report says, and the standard version will be included for free. The more advanced version will cost a minimum of $3,000 per month, according to the article. The program will monitor incoming web traffic and utilize anomaly algorithms to detect attacks in real time. The full text of the article can be here.
- House Passes US-Israeli Cybersecurity Legislation (HPN): The House has passed two bills to further research collaboration between the United States and Israel. A report says that the two bills, United States-Israel Advanced Research Partnership Act (H.R. 5877) and the United States-Israel Cybersecurity Cooperation Enhancement Act (H.R. 5843), have both made it through the House and now await a vote in the Senate. An advisory board consisting of members from both the U.S. and Israel will provide guidance to DHS as to research topics and requirements. The legislation can be seen below; the full text of the article can be found here.
Over the past several weeks, this site has commented on the extensive debate over proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure. A summary of the changes and commentary can be found here.
The amendments are set to take effect later this week on December 1. A proposal in Congress is seeking to delay that effective date until January 1, 2017 in order for further review. The DOJ responded to the criticisms earlier today in a blog post. The response stressed two major points, which mirrored the thoughts of this author’s original post above. The amendments only alter the procedure of the rule regarding venue, and they do not lower the standard for obtaining warrants. The full DOJ response is attached below.
Cyber Round Up: New Cyber Incident Notification Guidelines; NIST Addresses IoT Connectivity (Full Reports Included)
- US-CERT Updates Cybersecurity Incident Notification Guidelines (Health IT Security): The US Computer Emergency Readiness Team has announced new guidelines that will go into effect on April 1, 2017. The guidelines apply to all government entities at the federal, state and local levels, the article said. The court defined an incident as something that “actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system,” or one that “constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” The guidelines set a 7 day reporting requirement, and provided 7 steps for agencies to follow. The full guidelines are attached. The text of the article can be found here.
- NIST Focuses on Cybersecurity of Connected Devices (EDM Digest): The National Institute of Standards and Technology (NIST) recently addressed the security of connected devices. An article discussing the report said that engineering solutions to the problem are “essential.” The report stressed the increasing frequency and severity of attacks on connected devices, and the article suggested that 2017 will be even worse. The article set forth the NIST report’s four main categories, including the following: Agreement process; Organizational project-enabling process; Technical management process; and Technical Process. DHS also recently released an IoT strategy. Both reports are attached. The full article can be found here.
Cyber Round Up: Trump’s National Security Pick a Cybersecurity Hawk; McCain calls for Cyber Committee; Three Mobile Hack exposes six million
- Trump’s national security pick is a cybersecurity hawk (PC World): An article late last week analyzed President-elect Trump’s choice for national security adviser, Lt. Gen. Michael Flynn, and his views on cybersecurity. The article labeled Flynn as a cybersecurity hawk and discussed his strong views on the matter. The report says that Flynn has called U.S. cyber capabilities “underwhelming.” It also discussed Flynn’s view that a cornerstone of a strong cyber policy is offensive capability. Flynn also believes, according to the article, that in order to be successful one must have an unfair advantage, and for the U.S this means gaining a technological advances over other nations that have been passing the U.S. The full text of the article can be found here.
- McCain dismisses Russian impact on election, stresses need for cyber committee (The Hill): Senator John McCain commented on the role of Russian hacks throughout this past election cycle, but also went a step further. A report yesterday laid out McCain’s plans for a cybersecurity committee. According to the report, McCain said that cybersecurity has crossed jurisdictional lines and is too important not to have its own home. The existing committees cannot, on their own, adequately address the issue, the report suggested. The article also stressed the Senator from Arizona’s view that it was “disturbing” that Admiral Rogers has testified to Congress before stating, “I don’t know what I don’t know.” The full text of the article can be found here.
- Three Mobile cyber hack: six million customers’ private information at risk after employee login used to access database (The Telegraph): One of the largest cellular provides in the UK announced the potential damage from a recent cyber hack. An article late last week said that Three Mobile admitted that hackers were able to access a massive customer database through an employee’s login. Six million people’s names, addresses, DOBs, but no financial information was compromised, the report said. The article cited company officials who said the hackers were upgrading customer’s devices and then intercepting the phones, presumably to sell. This hack follows the release of the UK’s most recent cyber initiative, and comments from the Chancellor that companies have a duty to protect private information. The full text of the article can be found here.
In addition to the Rule 41 Amendments recently discussed by this blog, the DoD has clarified cybersecurity guidelines for government contractors. The rule requires “adequate security”, which is normally equated with the NIST standards, and also establishes a reporting requirement for any time a contractor’s networks are penetrated. A detailed analysis of the rule, including its implications for export control, can be found here. The full text of the regulation is below.
Justice Department’s Role in Cyber Incident Response (CRS Insight): in this article, Kristin Finklea discusses the role of the justice department in the context of cyber incident response. The article indicates that criminals and malefeasors are continuing to turn to and leverage the internet in the context of criminal activities. This raises a number of issues given their ability to conceal their identities and obfuscate their locations, according to the article. The article goes on to state that the Presidential Policy Directive (PPD) on U.S. Cyber Incident Coordination (PPD 41) outlines the government’s response to significant cyber incidents. According to the article, PPD-41 includes the following criteria to be used to determine whether an incident is significant or not:
- likely to cause demonstrable harm to:
- national security interests,
- foreign relations,
- economy of the US,
- public confidence in the US,
- civil liberties,
- public health,
- safety of the American people
The article also states that PPD-41 directs the Department of Justice to perform the role of the lead agency directing the threat response by acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force (NCIJTF). According to the article, PPD-41 also describes threat response as being comprised of:
- appropriate law enforcement and national security investigative activity at an affected entity’s site to include:
- collecting evidence,
- gathering intelligence,
- providing attribution,
- linking related incidents,
- identitfying additional affected entities,
- identifying threat pursuit,
- disruption opportunities,
- developing and executing courses of action for mitigation of immediate threats,
- facilitating information sharing and operational coordination with asset response
One key challenge facing the FBI Cyber Investigations is in moving from a reactionary position to a more proactive role aimed at prevention cyber events, according to the article. The article indicates that the FBI has established an initiative identified as the Next Generation Cyber (NGC) cyber initiative. The primary focus areas for the NGC are:
- strengthening the NCIJTF,
- building the FBI’s cyber workforce,
- developing cyber task forces (CTFs) throughout the FBI’s 56 field offices and adding expertise in computer/network intrusion investigations,
- increasing information sharing and enhanced coordination with private sector entities.
The complete article can be found here.
In The Lame Duck, How Congress Makes Cybersecurity A Non-Partisan Priority (Forbes): Cybersecurity could be a major legislative focus of the lame duck Congress, a recent report suggests. The article says that the long series of recent events has Congress scrambling, mostly in the form of proposed amendments to the National Defense Authorization Act. The report says that one change would be raising the priority level of Cybersecurity to Combatant Command level. The report says that may still not be enough, however, as critical vulnerabilities will still exist. The full text of the article can be found here.
- OMB tries again to define a major cyber incident (Federal News Radio): A recent article discusses a government attempt to create clearer guidelines in the cyber realm, including what a “major incident” is. The definition comes from FISMA guidance to agencies for 2017. The report defines a major cyber incident as “any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” The author of the report believes this is a fairly high standard. The full text of the article can be found here.
- What Trump’s Win Means for Cybersecurity (Wired): Recent commentary on this website discussed the cyber policies of each Presidential candidate. Now that the votes are in, a weekly collection of articles from Wired focused on post-election cyber. The post discussed some of the implications of what cyber will mean under President-Elect Trump, including the potential for increased surveillance. The article makes clear that the potential for increased surveillance was made possible by President Obama. The report also suggests the potential for more attacks from foreign nations. The full article can be found here.
Cyber Round Up: Testimony Before US House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks”
This round up includes links to testimony provided by technology professionals in advance of the Congressional Hearing on the security of the Internet of Things (“IoT”) scheduled for November 16, 2016.
Common Background: In October, there was a widespread distributed denial-of-service attack (“DDoS”) that impacted multiple websites such as Pinterest, Reddit, PayPal, and Twitter. The attack leveraged a known exploit and general lack of cybersecurity hygiene in use within the devices commonly referred to as IoT devices to cause the domain name service provider Dyn to go offline which resulted in dozens of websites becoming unreachable as hosts were not able to properly resolve IP address to domain names.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
Anna Maria Castillo
is a third year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor in the Syracuse Law Review.
Christopher W. Folk
is a second year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering and in addition to being a full-time student, Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
- Opinion: Proposed NY Cybersecurity Regulations — Not Great but better than nothing?
- Report: Commission on Enhancing National Cybersecurity
- Cyber Round Up: Obama Cyber Security Commission to Release Final Report; Amazon Unveils Cyber Security Service; US and Israel Aim to Cooperate on Cyber Research
- DOJ Responds to Rule 41 Criticisms
- Cyber Round Up: New Cyber Incident Notification Guidelines; NIST Addresses IoT Connectivity (Full Reports Included)
- NY: Governor Cuomo Announces new Cybersecurity Regulations on
- Cyber Round Up: Obama Cyber Security Commission to Release Final Report; Amazon Unveils Cyber Security Service; US and Israel Aim to Cooperate on Cyber Research on
- Rule 41 Amendments– Why There’s No Reason to Panic on
- Opinion: Bruce Schneier “Understanding the Role of Connected Devices in Recent Cyber Attacks” on
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010