Cyber Round Up: White House Breach Linked to Russian Government; New Law Against Cyber Squatting in Nigeria; DHS Probes Cybersecurity Dangers in Medical Devices; New Report Links Cyber Espionage Group to Chinese Intelligence; Justice Official Speaks on Government-Business Cooperation to Improve Cybersecurity
- The Washington Post reports that hackers thought to be working for the Russian government breached the unclassified White House computer networks in recent weeks resulting in temporary disruptions to some services while cybersecurity teams worked to contain the intrusion. However, the article also states that the intruders did not damage any of the systems and that, to date, there is no evidence the classified network was hacked. Nevertheless, sources state that the nature of the target is consistent with a state-sponsored campaign, according to the article. These findings are consistent with recent reports by private security firms which have identified cyber-espionage campaigns by Russian hackers thought to be working for the government. The New York Times reported on some of these recent reports by online experts linking breaches to the Russian government, click here for that full article.
- The Nigerian Senate has passed into law, a seven-year jail term for all kinds of computer-related fraud, computer-related forgery, offences relating to pornography, cyber-stalking and cyber-squatting on October 24, reports 360nobs.com. Read the full article here.
- The U.S. Department of Homeland Security is now looking into at least two dozen cases of possible cybersecurity flaws in medical devices ranging from artificial heart implants to hospital infusion pumps, reports IEEE Spectrum. According to the article, the agency wants to help manufacturers fix software bugs and other vulnerabilities that could be exploited by hackers.
- A highly sophisticated cyber espionage group has been linked to Chinese intelligence according to a report that was issued as a result of a joint effort among private cyber-security companies to identify and counter “a sophisticated advanced threat actor group.” The Diplomat wrote an in-depth article on the findings of the report, stating that the cyber threat, named “Axiom” in the report, is said to have targeted everything from government offices to NGOs and media outlets in a global campaign over the past six years. For the full report click here. For analysis by The Diplomat click here.
- The Justice Department speaks out on the importance of government and private businesses becoming allies in the fight to improve the nation’s cybersecurity, reports the Washington Times. The article quotes John Carlin, assistant attorney general for national security: “The attackers we face range in sophistication, and when it comes to nation states and terrorists, it is not fair to let the private sector face these threats alone.” To read more about the perspective of the Justice Department on this issue, read the full article here. For a look at the same topic from a different viewpoint, former Congressman Tom Davis from Virginia discussed the obstacles standing in the way of Congress creating these connections in an article by ThreatPost; to view that article click here.
The term “offensive cyberspace operations (OCO)” has been added to the official Department of Defense lexicon, and the term is discussed in depth in a newly discovered Department of Defense doctrinal publication by the Joint Chiefs as Staff. How is this term defined and when should the military resort to offensive cyberspace operations? Click here for the full report. See below for excerpts from the report related to offensive cyberspace operations.
According to the report, “offensive cyberspace operations (OCO) are cyberspace operations (CO) intended to project power by the application of force in and through cyberspace.” Like offensive operations in the physical domains, the report states that OCO will be authorized “. . . via an executive order” and “.. . require deconfliction in accordance with (IAW) current policies.”
However, these offensive attacks are not boundless in scope. The report specifically limits such directed military attacks to “military targets” which “. . . by their nature, location, purpose, or use . . . are those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage.”
Cyberspace attacks are defined as those attacks, according to the report, “. . . that create various direct denial effects in cyberspace (i.e., degradation, disruption, or destruction) and manipulation that leads to denial that is hidden or that manifests in the physical domains.” The report then highlights actions used to create denial and manipulation effects, dividing denial effects into three categories: those that degrade, disrupt, or destroy.
The scope and methodology behind “targeting” is explained in detail throughout the report. According to the report, “. . . cyberspace targets should be nominated, vetted, and validated within the established targeting process, [a process which requires] close coordination within DOD, with interagency and multinational partners, and with key allies.” It is especially important that targeting protocol is followed when it comes to cyberspace operations, as the report warns that “. . . uncoordinated actions could expose or interfere with the actions” of the entities.
In addition to discussing offensive cyberspace operations, the report notes some of the continuing threats in cyberspace as well as the challenges the military faces when it comes to cyberspace operations. Listed below are some of the threats and challenges cited in the report: Continue reading
The UK has a plan to crack down on cyber abuse: quadruple the current sentence. According to a BBC News report, a new amendment to the Criminal Justice and Courts Bill going through Parliament would allow magistrates to pass serious cases on to crown courts, where the maximum sentence would be extended. Under the act, it is an offense to send another person a letter or electronic communication that contains an indecent or grossly offensive message, a threat or information which is false and known or believed by the sender to be false.
BBC News quoted Justice Secretary Chris Grayling describing the purpose behind the new law: “[t]his is a law to combat cruelty – and marks our determination to take a stand against a baying cyber-mob . . . we must send out a clear message – if you troll you risk being behind bars for two years.” This raises the ultimate question: should social media be regulated? If so, to what extent? Additionally, what is the proper balance between regulation and the freedom of speech?
While the United States Constitution creates additional barriers to the passage of similar laws in the States, BBC News noted how supporters of this new law handled the balance between regulation and freedom of speech in the UK. BBC News quoted TV presenter Chloe Madeley on the matter: “. . . threats of any kind must not be interpreted as freedom of speech. Threatening to harm others is extreme and crosses the line of personal opinion into criminal behavior.”
Does it matter that social networking has become the most influential and powerful voice of the people? Ms. Madeley believes it does, and in the article she cites the strength of this new medium as one of the reasons why social networking must now be regulated.
Are there other ways to attack online abuse without resorting to additional laws or increases in sentencing? In the article, Labour MP Stella Creasy states that police and prosecutors need to improve their training on stalking and harassment to deal with online abuse. However, the article also notes the problems investigators face with determining the intent behind online text, an element required in most criminal laws that stand against online abuse.
One thing is clear: cyber abuse, cyber mobs, cyber bullying, cyber harassment, and all the other labels that have come to represent the rise in victimization through online text, is a global problem. Each country will ultimately have to determine whether to prosecute these harms by extending current laws or creating independent laws that create a new category of crimes. If this new amendment passes in the UK, a lot of eyes and ears will be tuned into the results.
Cyber Round Up: US Government Investigates Cyber Vulnerabilities in Medical Devices; DOJ Creates New Roles for Cybersecurity; Israeli Start-up Provides New Method for Early Detection of Cyber Attacks; China’s Cybersecurity Stance at Upcoming Summit; Obama’s Order to Cut Identity Theft Signals Further Need for Cybersecurity Legislation
- While there are no known instances of hackers attacking patients through medical devices, the Department of Homeland Security is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment, according to a report by Reuters. According to the report, the concern is that malicious actors may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity.
- Federal Times reports that the Department of Justice (DOJ) has restructured its National Security Division (NSD) and made new appointments to refocus efforts on cybersecurity, specifically as related to state-sponsored cyber terrorism and espionage. For the full report, click here, and for our own coverage, here.
- “Walls can’t protect you anymore. In this new world a new security paradigm is needed,” Chief Executive Mark Gazit said about the new Israeli Start-up company ThetaRay, in a Reuters report. Reuters reports that after spending nearly a decade of research to develop algorithms that analyze massive amounts of data and can detect an anomaly immediately, two professors created the ThetaRay program which uses algorithms to take any type of data, analyze it in real time and detect where a cyber threat is present.
- The Hill reports that China is taking a tough public line on cybersecurity ahead of a summit next month to be attended by President Obama and Chinese President Xi Jinping. For an in-depth report on recent hostilities over cybersecurity between the United States and China, as well as summit predictions, read the full article here.
- Time reports that President Obama signed an executive order Friday to improve security measures for government credit and debit cards, equipping them with microchips in place of the standard magnetic strips and PINs. According to the report, the White House also called on Congress to pass data breach and cybersecurity legislation, writing in a statement that “The current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.”
“The US Justice Department is shifting the focus of its national security prosecution team to deal with cyber instead of spies,” writes Lawfare. “U.S. national security prosecutors shift focus from spies to cyber,” proclaims Reuters. “DOJ heightens focus on state-backed cyber crime” is The Hill’s headline. All are reacting to a press release from the U.S. Department of Justice dated Tuesday, October 21, 2014.
The release states that my former colleague and friend Luke Dombosky has been named Deputy Assistant Attorney General of Justice’s National Security Division (NSD) to “manage NSD’s newly created portfolio covering protection of national assets, including efforts to combat economic espionage, proliferation, and cyber-based national security threats;” the “Anti-Terrorism and Advisory Council (ATAC) Coordinator program will be re-designated as the National Security Coordinator/ATAC program, to better reflect its ongoing work on the full range of national security threats, including combating economic espionage and counterproliferation;” and other “strategic changes within the … (NSD) designed to put additional focus on the protection of national assets from the threat of state-sponsored economic espionage and proliferation, including through cyberspace.”
[Full disclosure: this author was a federal prosecutor assigned to an ATAC and a JTTF. The ATAC's are groups of federal, state and local law enforcement agencies headed by the local U.S. Attorneys around the country. They were created by Attorney General Ashcroft shortly after 9/11/01 in order to address issues of terrorism.]
From Reuters: “The revamp… also marks a recognition that national security threats have broadened and become more technologically savvy since the 9/11 attacks against the United States.” This reflects my long advocacy of combining computer engineers with lawyers and policy makers, something I try to do in interdisciplinary classes every day.
John P. Carlin, the Assistant Attorney General for National Security who announced these changes, used a cyber term to explain them: “We need to develop the capability and bandwidth to deal with what we can see as an evolving threat,” reports Reuters. The same article also quotes a former Justice prosecutor stating: “This is not just a reshuffling of the deck.”
“This is such a new field and frontier that there aren’t sanctions, there aren’t penalties in place for doing this,” he said. “I think that’s the piece that’s missing.”
McCaul has seen private companies fill the vacuum, waging their own cyber offensive against these state cyber thieves.
“I would obviously prefer that that be done through our capabilities at the federal level,” he said. “I think we have capabilities that the private sector doesn’t always have to help with attribution.”
Here is the entire news release from the Department of Justice:
October is Cyber Awareness Month, which means that cyber news is in abundance. However, the cyber issue that continues to gain the most attention is the evolving debate over the nature of the relationship between the federal government and private industry when it comes to cybersecurity. Should the government be more involved in how private companies handle cybersecurity? Or should they back away, and allow private companies to make their own decisions when it comes to cybersecurity? This is the question lurking behind the scenes of many cyber reports hitting the newsstands today.
Take the recent story on the possibility of biometrics replacing passwords as a primary security measure. The story hit the news after White House cybersecurity coordinator, Michael Daniel, made the statement that biometric scanning devices will become the norm for identity confirmation online. The story was covered by the WashingtonTimes, USAToday, SC Magazine, and Yahoo News. So what do these recent reports have to do with the current tensions between government and private industry? The answer lies behind Mr. Daniel’s reasons for making the announcement in the first place. SC Magazine reported Mr. Daniel stating that passwords are a “terrible” security mechanism, and that organizations should improve on their use of encryption. This is a perfect example of what appears the be the current administration’s trend for handling the cybersecurity tension with private companies: leave the private industry alone, but make suggestions. Is this the best way to balance the interests of these two sectors of society? Or should the government be more involved in regulating the industry’s cybersecurity measures?
According to a Bloomberg report, some feel that the number one thing the government can do is get out of the way. The report quotes Ajay Banga, the Chief Executive Officer of MasterCard, who is pushing for the government to eliminate legal barriers to sharing information and move away from a posture that blames companies for cyber attacks. On the other hand, according to a WashingtonTimes report, there are concerns inside the White House that almost all private companies when left to their own devices have a habit of not paying enough attention to cybersecurity threats. Nevertheless, the report also notes that as of yet, the Obama administration has been reluctant to push legislation that would require private companies to take any specific cybersecurity measures. In fact, according to a USAToday report, the Obama administration has given up trying to pass one big cybersecurity bill, and is opting to break up the legislation into bite-size chunks that lawmakers are more likely to approve.
There are also pragmatic reasons for looking outside legislation for potential solutions. The WashingtonTimes report goes on to quote Mr. Daniel: “the speed of regulation does not move at the speed of technology” and thus the government has to be “mindful” that any regulations will probably be outdated by the time they are issued. In the meantime, the administration has launched a “Cybersecurity Framework,” which the report describes as the “result of a yearlong private-sector led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity.” This “Framework” fits the trend of “suggesting” rather than “requiring” cybersecurity measures to the private industry.
The United States is not alone when it comes to dealing with the cybersecurity tensions between the government and private industry. SC Magazine recently reported on the “mutual suspicion” between police and the private sector in the UK when it comes to issues of cybersecurity. For the full report, click here.
President Barack Obama believes cyber terrorism is one of the biggest threats to national security and says the White House is bracing for a possible doomsday scenario if hackers can successfully penetrate government and business computer systems, the FOX Business Network reported. Will the current balance of control between the government and private industry over cybersecurity provide Americans will adequate protection from a cyber attack? Only time will tell.
Cyber Round Up: President Obama Puts Focus Back on Cybersecurity; Cyber Sabotage by Digital Cat Burglars; Israel Aims to Become a Cybersecurity Superpower; South Korea Switches to Offensive Cyber Capabilities; Problems with Russia’s New Internet Policy; China Claims US Fabricating Cyber Accusations; Ninth Circuit Considers Overturning National Security Letters Ruling
- According to FoxBusinessNews, when President Obama spoke at fundraising events in New York City and Connecticut last week, he tried to turn America’s focus away from Ebola and back towards what he described as one of the biggest threats to National Security: cyber terrorism. FoxBusinessNews reported that after downplaying the Ebola scare, the president laid out a potential “doomsday” scenario if hackers can successfully gain entry into government systems or breach security walls at major banks. Read the full article here.
- International digital cat burglars? According to an article in Fortune, an American biomedical company was hacked, and the schematics of their fully-tested product stolen by a Chinese competitor and rushed to market in a mere 18 months, beating the original innovators to market. The Fortune article describes this cyber sabotage as “[j]ust the tip of a mammoth iceberg of cyber warfare over the last decade that has left companies and organizations that are standing on the sidelines shellacked.” While the article distinguishes between independent hackers, hackers financially backed by states, and purely state-employed hackers, the article discusses how all three groups are involved in some form of cyber sabotage in the form of international trade theft, and suggests that the NSA’s cyber reputation may be to blame for prompting Russian and China to follow suit.
- The Washington Post reports that Israel, the world’s second largest exporter of cyber products and services, aims to become a cybersecurity superpower, and to do that, the Israeli military is launching an ambitious program to groom the next generation of cyberwarriors while they are still in high school. The article goes on to discuss the various other initiatives by Prime Minister Benjamin Netanyahu, who claims in the article that the cyber-fight reached a peak during the 50-day Gaza war this summer.
- South Korea is developing offensive cyber capabilities to counter the growing number of cyber attacks it faces from North Korea, according to a report by The Diplomat. According to The Korean Herald, this marks a move from their prior defensive focus.
- The US State Department’s first coordinator for cyber issues, Christopher Painter, discussed his issues with Russia’s new internet policy in a recent article by DW.com. According to the article, Russia recently announced new rules to restrict so-called extremist content online and requiring social networks to store their data in Russia. The article takes a close look at how the United States is trying to repair lost trust with other countries that resulted from the NSA surveillance scandal.
- According to WorldBulletin, China is pointing the finger back at the United States, claiming they have cried wolf in the their recent cyber security accusations. At a news brief last Thursday, Chinese Foreign Ministry Spokesperson Hong LeiChina urged the U.S. to stop “fabricating stories” and “mudslinging” when it comes to cyber security accusations, reports WorldBulletin. GlobalResearch also posted an article announcing this message.
- The Wall Street Journal reports the Federal Bureau of Investigation would lose a powerful tool against terrorism if a federal ruling against the agency’s use of secret requests for information about individuals’ phone usage and electronic transactions isn’t overturned, a U.S. lawyer warned an appeals court hearing the matter. According to the report, the letters allow the FBI to obtain records from telephone, banking and Internet companies without court approval as long as the bureau certifies that the records would be relevant to a counterterrorism investigation.
When sound was added to film between World War I and World War II, newsreels playing in movie theaters vividly portrayed the sights and sounds of American foreign battlefields, combat-footage, and invasions. We’ve become accustomed to relying on these images and videos in our television and print news media, to stay informed on war-related current affairs. However, today we are faced with a different kind of war. A war that takes place behind-the-scenes. A war that can’t be seen. That’s because today the United States is at war in cyberspace.
The San Antonia Business Journal reports that thousands of attacks are being launched everyday against US businesses by nation-states like China, Russia and Iran. According to the article, if these attacks are successful, they have the potential of creating chaos in our economy.
While the article notes that the United States has caught or deflected most of these attacks before they could cause any harm, when individual companies are attacked, will they be able to protect against organized attacks by nation-states? Not according to the article.
So what should we do? The article quoted solutions suggested by US Representative Mike Rogers, the chairman of the House Intelligence Committee, who is pushing for more sharing of information between government and private industry. As for Congressional plans, the article mentioned that the House has passed bi-partisan legislation that according to Representative Rogers, would establish rules for private industry and governments to share information on cyber threats.
There seems to be one message that is popping up again and again concerning the hidden war in cyberspace: the need for a stronger relationship between government and private industry. To read more, here is the full article.
Cyber Round Up: Researchers Aimed at Plugging Cybersecurity Holes in UK’s Power Stations; France’s New Cybersecurity Law; China’s Cyberwar on Hong Kong Protestors; Rising Cyber Threats in Software Used in Nuclear Power Plants; Japan Launches Cybersecurity Talks
- ZDNET reports that a team of experts will be looking at how to plug security holes in the vital systems that run the UK’s power stations, rail networks and manufacturing plants. According to the report, the researchers aim to improve operational decision making and lay the groundwork for a new, cyber-threat-resilient control architecture for the grid.
- Bloomberg reports on France’s new cybersecurity law, which will require that the 200 entities most vital to the country’s economy boost security using home-grown technology and experts, or risk being fined. Read more about the new law and other initiatives by France to promote cybersecurity in the Bloomberg article here.
- According to VoiceofAmerica News, China has turned to cyber attacks on Hong Kong protestors. According to the report, days after demonstrators in Hong Kong began filling the streets, a Chinese-authored spyware bug specifically designed and targeted to infect protestor’s iPhones and iPads was discovered by a mobile digital security firm. Read the full story here. Additionally, VoiceofAmerica News also reported China as the leader in cyber warfare against American industry, read the full report here.
- Indicators depict that the use of Software Intensive Systems in nuclear power plants is rapidly increasing, and with that, potential threats to centrifuges, personal data and controls, according to a report by PowerEngineering. The article discusses emerging issues with software growth and cyber attacks in the nuclear industry, and offers possible solutions.
- GlobalPost reports that in preparation for the 2020 Tokyo Olympics, Japan plans to launch bilateral cybersecurity talks with France, Australia, Israel and Estonia. The article also notes that bolstering cooperation with the countries is also seen as a signal to China that Japan will expand cooperation with countries that “respect basic human rights and the rule of law in view of ensuring free distribution of information.”
Is network neutrality a public-safety issue? The answer is yes, according to Catherine Sandoval, a commissioner with the California Public Utilities Commission, who spoke out at a recent network neutrality public forum in Sacramento, California. The forum was hosted by Representative Doris Matsui, and featured FCC commissioners Jessica Rosenworcel and Mignon Clyburn. Multichannel News, Fox40 News, and The National Journal all reported recaps of the event. At the forum, Rosenworcel stated that the public safety aspect of network neutrality was not talked enough about in Washington, reports Multichannel News.
The recent network neutrality debate has spurred widespread discussion since January 2014, when the U.S. Court of Appeals for the District of Columbia stripped the FCC of its power to enforce network neutrality protections under the regulatory framework it was using (holding that the classification of broadband carriers as “information services” as defined in the 1996 Telecommunications Act contradicted a previous FCC decision that put broadband companies beyond its regulatory reach). Read the full case here. Read a Washington Post report on the case here.
If the FCC reclassifies Internet carriage as a “telecommunications service,” online communications would automatically be subject to common carrier protections. Instead, the FCC has proposed a rule allowing companies to pay for access to a fast lane to deliver content to their customers. So how does this proposed rule effect public safety?
According to Catherine Sandoval, allowing paid prioritization of Internet traffic could hurt critical systems such as 911 call centers and water pumps, reports The National Journal. Not only that, according to the Multichannel report, Ms. Sandoval went on to warn that other critical systems could be negatively impacted, citing nuclear power plants and critical care smart beds for stroke patients.
How does net neutrality effect these systems which have broad public safety implications? According to the Fox40 News Report, Ms. Sandoval explained at the forum that the free and open use of the internet has allowed utilities to develop programs and apps to monitor and control energy use, and that “subjecting internet access to negotiations and slowdowns to minimum speeds can make pumps fail to open so they don’t provide water for cooling a power plant or water to fight a fire.” The Multichannel report then goes on to explain that the minimum broadband speeds available for the non-paying ISP clients would not provide the quality of broadband service required by these critical systems. However, the National Journal reports that many skeptics of net-neutrality rules point to public safety as a reason that Internet providers should be given flexibility to prioritize some services.
For a fuller recap of the net neutrality public forum, here are links to the articles by Multichannel News, Fox40 News, and the National Journal. Click here to access a Washington Post article discussing the broader implications of the proposed FCC rule, including whether it this type of internet regulation should be controlled by the FTC or the FCC.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
- Cyber Round Up: White House Breach Linked to Russian Government; New Law Against Cyber Squatting in Nigeria; DHS Probes Cybersecurity Dangers in Medical Devices; New Report Links Cyber Espionage Group to Chinese Intelligence; Justice Official Speaks on Government-Business Cooperation to Improve Cybersecurity
- Offensive Cyber Operations in US Military Doctrine
- New UK Law Quadruples Sentence for Cyber Abuse
- Cyber Round Up: US Government Investigates Cyber Vulnerabilities in Medical Devices; DOJ Creates New Roles for Cybersecurity; Israeli Start-up Provides New Method for Early Detection of Cyber Attacks; China’s Cybersecurity Stance at Upcoming Summit; Obama’s Order to Cut Identity Theft Signals Further Need for Cybersecurity Legislation
- Justice Shifts to Cyber From Terrorists With Reorganization Announced Today
- Justice Shifts to Cyber From Terrorists With Reorganization Announced Today on
- NATO’s Cyber Declaration: More Bark than Bite? on
- Cyber Provisions in NATO Wales Summit Declaration on
- The Heartbleed Bug and the Political Implications of Vulnerability Management on
- Fourth Amendment does not (yet) apply to NSA’s telephone call database (metadata) on
- October 2014
- September 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010