Underwriters Labs (“UL”) refuses to share new IoT Cybersecurity Standard (ArsTechnica): According to this article, UL’s refusal to allow researchers to examine the full text of this new UL standard for cybersecurity is raising a lot of eyebrows and in many respects is the very antithesis of the typical process by which internet standards are developed. Ars was told that it could view a copy of the new UL 2900 certification, but in order to do so would have to pay the full retail price and essentially become a UL customer, according to the article. The article cites several sources that indicate a high level of concern with this model and with the lack of transparency and outside validation for this internally developed standard. Ken Modeste, the head of UL’s cybersecurity technical services, responded that UL has been around since 1894 and exists to help the public and industry choose safe products, according to ArsTechnica. The article also quotes another critic, Peiter “Mudge” Zatko (formerly head of cybersecurity research at DARPA), who indicated that UL’s for-profit incentives create a “perverse incentive structure. Empowering the consumer is not where they derive their value/profit…”
The concept of standards with respect to the Internet has largely been that of a collaborative effort between various stakeholders. The UL model turns this on its head and is more of a unitary, dictatorial approach which may in many ways fail to bring in the diversity of opinions and backgrounds that is typical of internet standards developed with a more open and feedback-driven approach. Mudge also hits on a key point: if the standard is being developed and marketed by an entity with an explicit profit motive, then is its goal really to empower the consumer or to extract profits? The lack of transparency and the circumvention of industry buy-in is troubling and diminishes rather than enhances the credibility of this new UL standard. Of course, it is difficult to say for sure, since I did not pay the requisite $600 in order to actually view the UL 2900 documentation. The question then becomes: is this a model for enhanced cybersecurity or merely a model for enhanced revenue for UL?
Retro Analog Tech a Danger to U.S. Power Grid (TheHill): According to a recent article by Cris Thomas, writing for TheHill, recently introduced legislation in the Senate calls for a return to analog devices in order to improve the security of our grid infrastructure. The article indicates that the goal of the legislation is to replace automated controls with older analog controls which are not susceptible to cyberattacks. To effectuate this, a pilot program would be undertaken that would cost $10M and take two years to identify analog devices that could be installed to isolate portions of the grid and prevent a crippling cyberattack, according to the article. The article points out some of the shortcomings of this approach, including the fact that merely being afraid of the future is a poor reason to retreat into the past. Thomas asserts that it would be wiser to invest this $10M and two years into increasing cybersecurity rather than finding ways to return to an inefficient and error-prone analog world.
In some ways, this is positive in that we at least have legislators beginning to contemplate the potential ramifications of a cyberattack on our power grid. However, the idea that we should roll our critical infrastructure back to a point in time twenty years earlier in order to sidestep cybersecurity issues is alarming in many respects. This would be analogous to saying that, because e-mail is widely used for the propagation of malware and phishing scams, the best way to combat this is to return to standard postal mail for all communications, with the facsimile machine allowed only under exigent circumstances. While in the short term this might reduce e-mail based attacks and exploits, attempting to stem the tide of technological progress seems an impossible task. I for one would prefer that we take steps to understand the vulnerabilities of our critical infrastructure, make the necessary investment to address the most probable vulnerabilities, move from reactive to proactive, and leverage technology instead of attempting to revert to a pre-technological era.
WASHINGTON – House Armed Services Committee Chairman Mac Thornberry (R-TX) released the following schedule featuring one (1) hearing the week of June 20-24, 2016.
Wednesday, June 22, 2016
“Military Cyber Operations“
(10:00 AM – 2118 Rayburn – OPEN)
Mr. Thomas Atkin
Acting Assistant Secretary of Defense for Homeland Defense and Global Security
Office of the Secretary of Defense
Lt Gen Kevin McLaughlin, USAF
Deputy Commander, US Cyber Command
Brig Gen Charles Moore, USAF
Joint Staff J-39
It is expected that the hearing will be webcast live, in which case we will have it here on this blog.
U.S. Charges Chinese Man With Economic Espionage For Stealing Source Code With Intent To Benefit The Chinese Government
Announced June 14, 2016:
Manhattan U.S. Attorney Announces Economic Espionage Charges Against Chinese Man For Stealing Valuable Source Code From Former Employer With Intent To Benefit The Chinese Government
Preet Bharara, the United States Attorney for the Southern District of New York, and John P. Carlin, Assistant Attorney General for National Security, announced a six-count superseding indictment (the “Superseding Indictment”) charging XU JIAQIANG with economic espionage and theft of trade secrets, in connection with XU’s theft of proprietary source code from XU’s former employer, with the intent to benefit the National Health and Family Planning Commission of the People’s Republic of China. XU was initially arrested by the Federal Bureau of Investigation (“FBI”) in White Plains on December 7, 2015, and had previously been charged with one count of theft of trade secrets. XU is scheduled to be arraigned on the Superseding Indictment at 12:00 p.m. on Thursday, June 16, 2016, in White Plains federal court before the Honorable Kenneth M. Karas.
U.S. Attorney Preet Bharara stated: “As alleged, Xu Jiaqiang is charged with stealing valuable, proprietary software from his former employer, an American company, that he intended to share with an agency within the Chinese government. Economic espionage not only harms victim companies that have years or even decades of work stolen, but it also crushes the spirit of innovation and fair play in the global economy. Economic espionage is a serious federal crime, for which my office, the Department of Justice’s National Security Division, and the FBI will show no tolerance.”
Assistant Attorney General John P. Carlin stated: “Xu allegedly stole proprietary information from his former employer for his own profit and the benefit of the Chinese government. Those who steal America’s trade secrets for the benefit of foreign nations pose a threat to our economic and national security interests. The National Security Division will continue to work tirelessly to identify, pursue and prosecute any individual who attempts to harm American businesses by robbing them of their valuable intellectual property.”
According to the allegations contained in the criminal Complaint on which Xu was initially arrested, the original Indictment, and the Superseding Indictment filed today in Manhattan federal court:
“In April 2015, President Obama issued Executive Order 13694 declaring a national emergency to deal with the threat of hostile cyber activity against the United States. But six months later, the emergency powers that he invoked to punish offenders had still not been used because no qualifying targets were identified, according to a newly released Treasury Department report.” That is the bottom line of a blog post by Steven Aftergood over at the Federation of American Scientists. You can read his whole post by following this link.
Cyber Round Up: Israel’s Cyber-City Development, Future Generations Need to Think Like Hackers, NIST offers up to $1M in Cybersecurity Education Grants
- Israel’s Desert Blooms with Cyber-City Development (Breitbart): According to this article, in the middle of the Negev desert Israel is building a cyber-city which has placed Israel second only to the US in terms of cyber-expertise. $500 million in private investments pour into Israeli cybersecurity firms annually, and Israel seems to have fully embraced the idea that the next war will be in cyberspace, according to the article. Furthermore, the Israelis view cybersecurity not merely as threat mitigation but also as an economic driver, and the cyber-city in the Negev is living proof of that, according to the article. The article states that the cyber-city includes elements of the Israeli Defense Forces (“IDF”), as well as private industry, multinational corporations, and also Ben-Gurion University, Israel’s top cybersecurity university. The full text of the article can be found here.
- Future Generations of Cybersecurity Experts Need to Think Like A Hacker (TheMerkle.com): This article theorizes that developing a new mindset where cyber-sleuths think like hackers is enabling a new generation of digital detectives. The article states that New York University’s (“NYU”) Brooklyn campus hosted a Cybersecurity Awareness Week with competitions open to high school and university students, where prizes ranged from $450,000 (scholarships) for high schoolers to $11,000 in cash for university students. Sponsors of the event included the Department of Homeland Security, Facebook, and IBM, according to the article. The full text of the article can be found here.
- NIST ‘RAMPS’ Up Cybersecurity Education and Workforce Development with New Grants (NIST): In a recent press release, the National Institute of Standards and Technology indicates that it is offering up to $1 million in grants to establish up to eight Regional Alliance Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. The release cites a Global Information Security Workforce Study that estimates an international shortfall of 1.5 million trained professionals over the next five years, a need the National Initiative for Cybersecurity Education (“NICE”) is designed to address. According to the release, RAMPS will help encourage greater employer engagement in local communities, which in turn will help influence education and training providers to develop job-driven training that provides cybersecurity skills. The release states that NIST plans to fund five to eight awards of up to $200,000, and the deadline to apply is July 12, 2016. The press release can be found here.
- Illinois State Meets Growing Need for Cybersecurity Professionals (ISU News): According to this news release, Illinois State University (“ISU”) is trying to prepare students to fill the projected 18 percent growth in Information Security jobs over the next ten years. ISU’s School of Information Technology’s Information Assurance and Security program has 125 students, and its new cybersecurity program slated to launch in the fall of 2017 has room for even more, according to this release. To help drive interest and maintain relevance in a dynamic industry, ISU has supported an annual cyberdefense competition which is open to Illinois high school students and is currently in its fifth year, according to the release. Given the anticipated rate of job growth within this sector, one can expect to see more and more educators exploring training options in this burgeoning field. The full text of the article is here.
- University of Oregon: Cybersecurity Looks for Students to Counter the Dark Art of Hacking (The Register-Guard): According to Diane Dietz’s article, the University of Oregon (“UO”) is holding its sixth annual Oregon cybersecurity day to bring in top cybersecurity experts for key sessions on the current state of cybersecurity. Associate Professor Jun Li created the UO Center for Cybersecurity and Privacy last year and began to draft plans for an advanced UO degree in the field of cybersecurity, according to the article. The article states that thus far Li has received a $507,000 grant from the National Science Foundation to examine fraud and attacks on social networks, and UO at the same time received $1.5M from the US Department of Energy to examine cyberattacks in the context of the nation’s grid infrastructure. This demonstrates that cybersecurity is being taken seriously, and early adopters in higher education seem to be gaining a foothold. The full text of the article is here.
- UC Recognized as Cybersecurity Leader in Education (UC News): According to a University of Cincinnati (“UC”) press release, UC has been designated by the National Security Agency and the Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Education through 2021. UC launched a Cybersecurity track within the undergraduate Information Technology program, followed by a Master’s level program launched a year later, according to the release. The release indicates that UC is now the ninth institution in the US to hold NSA Centers of Academic Excellence designations in both Cyber Operations and Cyber Defense, and this solidifies UC’s position as a national leader in cybersecurity education. The full release is here.
While it was interesting to observe the session, I would have liked to see more technologists involved. The legal portion was quite interesting, but was constrained by a limited understanding of the technology. So here are some observations from a non-lawyer technologist:
1. Where is the issue of government responsibility? While there was much discussion that the phone belonged to the San Bernardino government, there was no discussion of their role in the information on the phone being unavailable. There were four technical restrictions that I found in a cursory Google search that would have allowed them to maintain control of the phone (http://www.enterpriseios.com/forum/topic/prevent_adding_passcode). There are possibly more, but the existence of four leads me to believe that it is technically possible. The government could have also chosen a different device if they were concerned with accessing their employees’ information.
2. CALEA specifically applies to telecommunications companies and their backbones. An individually owned and operated device is not the same as a fiber cable carrying thousands of data streams. While as an individual you need a device to use the data provided by the backbone, the device is not an extension of the backbone itself. The New York Telephone case applied to tapping the backbone line, not the physical phone (device-equivalent). In this particular case, the phone is no longer being used for data to be captured in motion.
3. The issue has been raised before that All Writs should not apply when there is adequate law that addresses the issue. In this case, the government has explicitly decided not to legislate personal encryption. (http://www.computerworld.com/article/2991273/encryption/us-wont-seek-law-to-ban-encryption.html) While that does not have the same strength as the government explicitly supporting personal encryption, it should definitely be taken into consideration that they have not written legislation to legally compel manufacturers to create backdoors or assist in investigations.
4. While the national security/terrorism arguments were in full force, that was not where the case began. It began with a drug dealer, who was not accused of killing anyone. The court rejected the FBI’s argument to open his phone (https://www.theguardian.com/technology/2016/feb/29/apple-fbi-case-drug-dealer-iphone-jun-feng-san-Bernardino). So, as one “judge” today kept asking, what is the dividing line for being able to bypass encryption for a phone?
5. From a policy standpoint, there will be a chilling effect on companies developing encryption. Must everyone design software with a backdoor in mind? Will it lead to unsecure hardware and software?
6. While the discussion today centered on the government reimbursing Apple for its engineers’ time in developing the software requested, there was no mention of reimbursing Apple for a decrease in sales due to their platform no longer being secure.
7. iCloud and physical device security are different because a user has the ability to opt out of storing their data in iCloud. They are under no obligation to upload their information to iCloud and can choose to keep it all locally stored.
8. I am not a legal scholar by any stretch of the imagination, but I would like to see someone make a compelled commercial speech argument. If I get some time this week, I may make a feeble attempt, but I think there is something there, even if only as a supplemental argument. (Zauderer and Central Hudson)
Here is the text of the White House news release:
President Obama Announces More Key Administration Posts
WASHINGTON, DC – Today, President Barack Obama announced his intent to appoint the following individuals to key Administration posts:
- General Keith Alexander, USA (Ret) – Member, Commission on Enhancing National Cybersecurity
- Annie I. Antón – Member, Commission on Enhancing National Cybersecurity
- Ajay Banga – Member, Commission on Enhancing National Cybersecurity
- Steven Chabinsky – Member, Commission on Enhancing National Cybersecurity
- Patrick Gallagher – Member, Commission on Enhancing National Cybersecurity
- Peter Lee – Member, Commission on Enhancing National Cybersecurity
- Herbert Lin – Member, Commission on Enhancing National Cybersecurity
- Heather Murren – Member, Commission on Enhancing National Cybersecurity
- Joe Sullivan – Member, Commission on Enhancing National Cybersecurity
- Maggie Wilderotter – Member, Commission on Enhancing National Cybersecurity
President Obama said, “I have charged the Commission on Enhancing National Cybersecurity with the critically-important task of identifying the steps that our nation must take to ensure our cybersecurity in an increasingly digital world. These dedicated individuals bring a wealth of experience and talent to this important role, and I look forward to receiving the Commission’s recommendations.”
Cyber Round Up: FBI, DHS Run Nationwide Cyber Campaign, Iranians Indicted on Cyber Crimes, Chinese Cyber Spying Decreased Since Agreement with U.S.
- FBI, DHS Run Nationwide Cyber Campaign (Washington Free Beacon): The FBI and DHS began a nationwide campaign warning companies running electrical infrastructure in the country of the dangers posed by cyber threats, according to the Washington Free Beacon. The program began on March 31, and includes webinars in eight U.S. states of an “unclassified briefing” called “Ukraine Cyber Attack: Implications for U.S. Stakeholders,” the article explained. Specifically, according to the article, those who watch the webinar briefings will learn details of past cyber attacks, including the techniques and strategies used by hackers who target infrastructure. The full article can be found here.
- Iranians Indicted on Cyber Crimes: The U.S. Department of Justice has indicted seven Iranians for cyber crimes under 18 U.S.C. 1030. The seven defendants are: Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan (“Nitr0jen26”), Omid Ghaffarinia (“PLuS”), Sina Keissar, and Nader Saedi (“Turk Server”). According to the court document, Fathi, Firoozi, and Shokohi were, at times relevant to the indictment, employees of ITSec Team. The remaining defendants, Nitr0jen26, PLuS, Keissar, and Turk Server, were employees of Mersad Co. (“Mersad”). ITSec Team and Mersad were private computer security companies based in Iran that actually performed work on behalf of the Islamic Revolutionary Guard Corps (“IRGC”), according to the indictment. The defendants are alleged to have violated 18 U.S.C. 1030(a)(5)(A), the “Computer Damage statute,” as well as 18 U.S.C. 1030(a)(2), the “Anti-hacking statute.” The unsealed indictment can be found here.
- Chinese Cyber Spying Decreased Since Agreement with U.S. (Financial Times): According to the Financial Times, government and private sector experts are claiming that Chinese cyber espionage activities have decreased since September 2015, when China agreed with the U.S. to refrain from conducting such activities to boost domestic businesses. The Director of the National Security Agency, Admiral Michael Rogers, appeared earlier this month in front of the Senate Armed Services Committee and testified that Chinese hacking continues, albeit at a lower level, the article continued. The question remains, though, whether the hacking currently being perpetrated is for government use or for commercial purposes, Admiral Rogers reportedly testified to the committee. The full article can be found here.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
Anna Maria Castillo
is a third year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor in the Syracuse Law Review.
Christopher W. Folk
is a second year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering and, in addition to being a full-time student, is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.