NATO to Seek Bids for $3.2 Billion in Satellite, Cyber Security (Bloomberg): Pending NATO contracts will focus on satellite communications, air and missile defense systems, software, and cyber security. An article said that the $3.2 billion commitment is representative of the organization’s adjustment to new threats, including those from Russian meddling and increased cyber attacks. Specifically, about 290 million of the 300 billion euros will be devoted to cyber security, the article reported. The contracts will be outlined during April’s conference in Ottawa and bids will be accepted by the end of this year. The full article can be read here.
US cybersecurity policy has ‘a real deterrence failure,’ Endgame CEO Nate Fick says (CNBC): The U.S. isn’t ready to respond to cyber attacks, or at least, that’s what Endgame CEO Nate Fick thinks. In an interview with Jim Cramer, Fick said that Russia meddled in the elections in the cyber realm because they knew the U.S. wouldn’t respond. If Russia had physically sent agents to the polls, it would be a totally different story. Fick explained that not all parts of the U.S. government are behind in cyber, and in fact, some, like the Air Force, are leading the way. Shifting to a discussion of the private sector, where he partially pitched his own software company, Fick said that businesses should take a value-based approach to cyber security. The full interview and article can be seen here.
- Apple just made a historic and risky change to all iPhones — and you probably didn’t even notice (Business Insider): Apple’s new software update for devices like iPhones and iPads included its new Apple File System. A report earlier today explained why replacing the antiquated system makes sense, but also noted that it includes an increased level of encryption. An older article covering Apple’s decision to adopt the new system explained that the software allows a user to choose between “no encryption, single-key encryption, or multi-key encryption with per-file keys for file data, and a separate key for sensitive metadata.” The articles discussing the new software can be read here and here.
Cyber Round Up: Good news for federal cybersecurity; Swiss pick Watson to confront cybersecurity; De-risking cities: connectivity and cybersecurity
- A rare piece of good news for federal cybersecurity (FCW): There is some sign of progress amidst all the negativity surrounding the government and cyber security. An article late last week discussed DHS’s Credentials and Authentication Management task order. The program focuses on identity and access management, a problem the article suggests is behind every major breach of the U.S. government in the last five years. The article highlights the two strongest factors of CRED, the first of which is that the program is actually giving agencies the capability to create a master record for monitoring access. Second, the grant was crafted with bonuses to incentivize agencies that go beyond the minimal requirements, allowing them to improve efficiency. The full article can be read here.
- SIX picks IBM Watson for cybercrime fight (Banking Technology): This blog recently recapped a report that IBM’s Watson will be used in the fight against cybercrime. A recent article reported that the Swiss market security infrastructure SIX will use the technology to bolster its cyber operations. The Security Operations Center will use Watson’s ability to tap into over a million documents in order to do a comprehensive threat assessment. SIX officials called the cognitive software a “perfect match.” The full article can be read here.
- De-Risking Cities: Connectivity and Cybersecurity (Planning Report): The VX 2017 Conference was recently held for industry leaders to gather and discuss relevant issues in technology and clean energy. A panel including representatives from the LA Department of Water and Power, Metropolitan Water District of Southern California, and the Information Systems Audit and Control Association addressed how to mitigate risk with critical infrastructure. The article, which can be found here, includes the full transcript of the panel discussion.
Cyber Round Up: North Korea implicated in Federal Reserve cyberheist; Gorsuch Knows His Cyber; Cybersecurity Bill of Rights
- U.S. Preparing Cases Linking North Korea in Theft at N.Y. Fed (WSJ): Federal prosecutors are preparing a case that would charge Chinese middlemen for orchestrating a major bank robbery for North Korea. An article this week from the Wall Street Journal said that the $81 million robbery from the Federal Reserve was conducted entirely online. The cyber thieves used access codes from Bangladesh’s central bank to transfer the money from the Federal Reserve accounts to four different banks in the Philippines. The article also said that these same cyber actors have connections to the 2014 Sony hacks. The article quoted an NSA official who stressed the significance of a nation state robbing banks, if the allegations against North Korea were true. The full article can be read here.
Gorsuch on Cyber-Related Issues: Part One (Lawfare): Supreme Court nominee Neil Gorsuch is well versed in cyber related issues. Commentary earlier this week explained how Gorsuch, when the issues are appropriately before him, is able to understand and engage with the technology at issue. The article stressed that with a Supreme Court that is technologically challenged, Gorsuch could be a useful addition. This post in particular is the first in a series of three examining Gorsuch’s cyber decisions, this one focusing on U.S. v. Ackerman. The full explanation of the decision can be found here.
It’s time for a Cybersecurity Bill of Rights (The Hill): An opinion piece this week stressed the need for a cyber Bill of Rights. The post listed an example of all the devices that record or track our lives, and said our privacy is more in jeopardy than ever before. The U.S. Constitution does not specifically address privacy, and the author believes a series of amendments to define privacy protections in the modern era is necessary. The article explains why privacy is more than just data security, and proposes three rights that should be established. Those rights are the right to privacy, the freedom to code, and the freedom to socially interact on the internet. The full post can be read here.
The United States Court of Appeals for the Third Circuit handed down its decision in United States v. Apple Mac Pro Computer earlier this week. The case involves a former Philadelphia police officer, Francis Rawls, who was being investigated for child pornography. Mr. Rawls refused to decrypt two hard drives that the government claimed contained child pornography. Mr. Rawls argued that decrypting the hard drives was equivalent to self-incrimination, which would be a violation of the Fifth Amendment. When Rawls chose not to comply with the orders, he was held in contempt and was jailed.
The Third Circuit made its decision without addressing the Fifth Amendment question, instead choosing to uphold the forced decryption under the All Writs Act. While not providing subject matter jurisdiction itself, the Act was intended to aid courts in executing their existing jurisdiction. The court stated, “[T]he Magistrate Judge had subject matter jurisdiction under Federal Rule of Criminal Procedure 41 to issue a search warrant, and therefore had jurisdiction to issue an order under the All Writs Act that sought ‘to effectuate and prevent the frustration’ of that warrant.”
In upholding the Decryption Order under the All Writs Act, the Third Circuit sidestepped the Fifth Amendment issue. Eventually, the Supreme Court will have to clarify whether forced decryption can be squared with the Fifth Amendment. As Orin Kerr discussed, the Third Circuit provided some insight as to how the case may have been decided under the Fifth Amendment and the “foregone conclusion” doctrine. In a footnote, the Third Circuit suggests that the “foregone conclusion” analysis should not necessarily focus on whether the government knows the content of the devices. Instead, the Court said, “a very sound argument can be made that the foregone conclusion doctrine properly focuses on whether the Government already knows the testimony that is implicit in the act of production.” Kerr’s post explains that the footnote is dicta, but provides strong support for the government in future cases. He further explained that this decision avoided a split between circuits.
The entire Third Circuit decision is included below.
Cyber Round Up: Challenges for Rob Joyce; Proposal gives DHS $1.5 billion for cyber; Congressman wants cyber version of National Guard
- Challenges Ahead For New White House Cybersecurity Advisor (Forbes): Commentary earlier this week addressed some of the many challenges that will be facing recently appointed cyber security adviser Rob Joyce. The article labeled the former NSA hacker as “the poster child for. . . distrust” that is so commonly associated with the NSA in the post-Snowden era. Coupled with President Trump’s apparent disregard for privacy rights, the article suggests that having one of the nation’s lead hackers could pose a very scary situation. The article also quoted those in the field who praised Joyce as a strong pick. The full article can be found here.
- Trump’s budget proposal gives DHS $1.5 billion for cybersecurity (The Hill): The blueprint of President Trump’s budget includes a significant allocation to securing cyber space. An article yesterday explained that $1.5 billion would be given to DHS to secure federal networks. The article quoted the blueprint as stating that, “Through a suite of advanced cyber security tools and more assertive defense of government networks, DHS would share more cybersecurity incident information with other federal agencies and the private sector, leading to faster response to cybersecurity attacks directed at federal networks and critical infrastructure.” The article also said that agencies would be scored on their cyber security practices and would be held accountable. The full article can be read here.
- Congressman proposes creating a National Guard for cybersecurity (Military Times): A young Democrat from Arizona and a former U.S. Marine has suggested a type of cybersecurity reserve similar to the National Guard. The article summarized Congressman Ruben Gallego’s talk at the South by Southwest conference, where he said that the best cyber minds won’t be drawn to the long hours and low salaries of typical government jobs. Nor would they have any interest in physical training or boot camp. Instead, the article says, “cybersecurity warriors” would be on call whenever the nation needed them. The full article and details of Gallego’s talk can be found here.
Multiple news outlets have reported that a forty-seven-count indictment was handed up in the Northern District of California for multiple computer fraud and abuse act violations stemming from breaches of Yahoo accounts.
The indictment includes four named parties and other unknown and unnamed:
(2) Igor Anatolyevich Sushchin, also an FSB Officer and Dokuchaev’s superior,
(3) Alexsey Alexseyevich Belan, a Russian national and resident as well as a hacker who has been on the FBI’s “Most Wanted” list, and is subject to an INTERPOL “Red Notice” (meaning that Russian authorities should have detained and arrested Belan once located within the Russian Federation), and
(4) Karim Baratov, a Canadian national and resident, also a criminal hacker and an associate of Dokuchaev’s.
Of course the trick now will be to see how many (if any) of these persons are ever located and brought before the jurisdiction of a U.S. Court. However, I suppose the symbolism of the indictment is all that matters for the time being.
According to an article by Niall Ferguson which appeared in the Boston Globe, we are currently in a state of Cyber War. This article, entitled “Cyber War I Has Already Begun,” discusses the Russian hacks surrounding election time in the United States and posits that the largest issue is not whether or not Russia was able to affect the outcome of the election but rather the fact that Russian hackers were able to launch cyber incursions effectively unchecked.
The article quotes Adm. Michael S. Rogers (head of the National Security Agency and US Cyber Command) as saying that “[The Nation is] … at a tipping point.” Cyber-centric threats are now number one on the Director of National Intelligence’s (DNI) list; the article further states that the Pentagon reports over 10M intrusion attempts per day. The full text of the article is here.
Thus, the concept of mutually assured destruction (MAD) which has its roots in cold-war nuclear rhetoric is unlikely to prove reliable to maintain any sort of status quo. Under MAD, nuclear-capable Nations all realized that given the number of nuclear weapons within arsenals throughout the world that any nation that launched a nuclear attack would receive an in-kind response which would trigger additional attacks and counter-attacks which would ultimately result in global thermonuclear war with mankind itself being the ultimate loser. Due to the fact that the barriers to entry into the “nuclear-club” were so high and required extensive research and development which could only be funded and maintained in an advanced nation-state context MAD both in theory and as applied prevented the use of nuclear devices in a post World-War II context.
However, those same barriers to entry do not exist in the realm of cyber and thus it is both likely and possible that bad actors who are not necessarily supported by a nation-state could initiate a cyberattack against a developed nation’s cyber resources and in such a scenario the concept of MAD is meaningless given the lack of symmetry. For instance, while the US could arguably cripple Chinese or Russian infrastructure (and they could, in turn, do the same to the US), no similar offensive could be launched against a single person or even a group of hackers with no direct nation-state ties (obviously a kinetic operation could be launched against either type of group, however that raises a whole other set of issues especially if the only “offense” was cyber in nature).
In short, these are scary times and we may want to consider the relevance of smaller groups or factions that operate outside the context of a traditional nation-state and thus any virtual or kinetic offensive operations launched against such groups may be limited in both reach and effect. This is somewhat analogous to the early American raids against the British Regular Army, with small incursions designed to hit-and-run, maximize impact and minimize exposure. Thus, a numerically inferior force may wreak havoc amongst a far larger force which does not bode well for the developed world in the realm of cyber. If this maxim holds true then we will continue to face cyber attacks from a wide-ranging base of potential bad actors, all of whom may find solace in the fact that even if we solve the issue of attribution, retribution will be muted given the nature of the target (and the fact that a group/persons do not possess critical infrastructure or other such target-rich entities).
This should concern all of us, since a lack of a MAD-inspired détente means the world is full of potential threats, many of which have no regard for the cyber or kinetic capabilities of so-called Superpowers. Consequently, as the article quoted Robert Morris Sr., the only “safe” computing device is one that is not in use and is in fact not even powered on (of course, Morris may not have fully factored in the smartphone and IoT variants, as some of these devices may continue to be insecure even when powered off by a user). There may therefore be no such thing as a “safe” computing device — users beware.
As we continue to move to a world wherein all things are networked and even toys now have connections to the cloud, people need to be cognizant and careful. According to the Hacker News, in 2015 the toy manufacturer VTech revealed that they had suffered a data breach which resulted in the exfiltration of personally identifiable information (PII) of nearly 5M adults as well as photos of roughly 200K children. Not only did the breach involve the PII of adults, but also the names, gender, and birthdates of children, which raises a number of additional potential issues, according to the article. Fast forward to 2017, and yet another toymaker has fallen victim to a massive data breach. The Hacker News reported that CloudPets, developed by a California-based company, Spiral Toys, exposed the voice recordings of over 2M parents and children as well as e-mail addresses and passwords for over 800K accounts. CloudPets are stuffed animals which allow parents and children to send voice messages back and forth via the internet, according to the article. The article further states that Spiral Toys was advised at least four times that their data had been exposed and they failed to take any ameliorative steps.
I have made, and will continue to make, the argument that cybersecurity requires a baseline approach, especially as the number of connected devices grows at a seemingly exponential rate. So long as manufacturers are not required to meet minimum cybersecurity hygiene standards, the number of incidents such as those referenced herein will crop up as seemingly innocuous devices become the target of choice due to their lax security protocols and lack of safeguards. In the instances above the cybersecurity measures in place were either non-existent or rudimentary at best. The encryption was weak, the databases were public, and arguably these companies failed to meet the duty of care owed to consumers and what is likely valuable PII. The databases were reportedly devoid of either social security numbers or credit card information. However, the fact remains that the available data could (and still may) be used as one piece of the puzzle from which additional information can be gleaned, e-mail addresses can be targeted, and passwords can be leveraged to attempt to access additional accounts (in many cases, users have a single password that is used across multiple sites).
This should raise a number of red flags for all of us. Consider the world in which we live: our cars are connected, our appliances are connected, children’s toys are now connected. In each case we are providing at least limited information in order to access and utilize all of our connected devices, and in so doing we put a large amount of trust that companies will safeguard that data. However, as we continue to see, that is often not the case. This is further exacerbated by the “make it work mantra,” wherein the majority of users simply want products to perform as advertised. Thus, consumers will often forego research and understanding of how/where their data is going and will be used so they can get the product to function as quickly as possible. In the case of these toys, consider a parent who is faced with a child that just wants the toy to do whatever it has been billed and advertised as doing. They are not interested in using complex passwords that are difficult to remember and enter, they are unlikely to research the toy company to determine if they are using two-way encryption or if they offer multi-factor authentication for their devices — they just want the item to work. This raises a whole new set of issues regarding the “human side” of cybersecurity.
This is one area where technology can be implemented which can manage the cybersecurity aspects of IoT devices and yet still provide ease-of-use. The problem is that companies are ultimately profit-driven, and thus in the absence of any financial incentive to bake in additional technology to help safeguard data while simultaneously enhancing ease-of-use, companies choose the lowest-cost alternative, nearly universally. This, therefore, is one area where the threat of either legal liability or, dare I say, regulations can be implemented via legislation that mandates that companies, and especially those in the realm of IoT, take certain steps with respect to cybersecurity. One of the keys here will be to draft intelligent legislation that does not merely require that cybersecurity protocols be baked in but rather that the additional cybersecurity have enhanced ease-of-use so that opting out of additional security measures would, in fact, be purposeful and intentional rather than merely a button to click to get the product to function online versus navigating through burdensome security-driven setup.
Until then, I encourage everyone to become device-aware and consider the information you are providing in order to get something simply “to work.” In many cases, you may find that having a connected device is neat in theory but scary in practice. Companies perform cost-benefit-analysis on a daily basis — so too, should consumers.
Cyber Round Up: New leak could be devastating; Security and cryptocurrency; Governors stress cyber needs
New leak exposes a trove of personal passwords and sensitive info (Mashable): News over the weekend suggests that a recent leak could be one of the most devastating in recent memory. The report says that Cloudflare, one of the biggest websites for internet security, was the victim of a hack. Unfortunately, according to the article, the extent of the damage is unknown, but it recommended that people should start changing passwords on a multitude of sites immediately. A quote in the report from a member of Google’s security team is telling of the nature of the breach: “The examples we’re finding are so bad … I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings . . . We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” The article can be read in its entirety here.
- The cybersecurity side of cryptocurrency (CSO): Bitcoin isn’t the only online currency, and it isn’t all good news. A recent article discussed how regulators, as they often are, are lagging behind when it comes to blockchain technology and online currency and that significant vulnerabilities exist as a result. The piece first explains that new “altcoins,” an abbreviation for bitcoin alternatives, are being developed and used every day. The online currency market is now valued at $13 billion, the article said. But it’s not all good, as these have created a unique opportunity for ransomware attacks. The article also explained that they have become an easy way for criminals to launder their money. The full article can be read here.
- Governors put spotlight on cybersecurity (The Hill): Cyber security remained a political hot topic over the weekend, this time being touted as crucial by numerous state governors. While cyber security policy often gets attention at the federal level, an article said that governors were stressing how important it is for states, too. VA Gov. Terry McAuliffe said that his state alone was targeted by 86 million cyber attacks last year. The event Saturday was one of two focusing on cyber security during the National Governors Association winter meetings. McAuliffe, like many others, has emphasized the need for public-private partnerships, including one he established between Virginia and Amazon to create a stronger cyber workforce. The full piece can be found here.
A report released last week took a different approach to cyber security. Instead of analyzing all the breaches that occurred and looking for trends there, the report surveyed the threats themselves. Nuix’s “Black Report” surveyed 70 different hackers at a conference to see the cyber security world through their eyes. The report, which is included in its entirety below, may catch some by surprise.
The survey revealed that 88% of hackers could steal valuable information in under 12 hours. The breach would not be detected, however, for as long as 300 days. The professionals surveyed also explained that firewalls and antivirus programs provided no challenge, but endpoint security technologies did stop attacks. The hackers said that they rarely ever repeated the same methodologies, so that any new defenses are essentially rendered useless.
The company that produced the report, Nuix, conveniently is selling a “next generation endpoint technology,” so the motivation behind the report may be questionable. Still, it provides a unique, fresh way to evaluate the approaches we take to cyber security.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
Christopher W. Folk
is a second year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering and in addition to being a full-time student, Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.
Ryan D. White
Ryan is currently a second year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.
Anna Maria Castillo
is a third year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor in the Syracuse Law Review.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.