Cyber Round Up: NATO Seeks $3.2 billion for cyber; U.S. cyber policy has deterrence failure;

  • NATO to Seek Bids for $3.2 Billion in Satellite, Cyber Security (Bloomberg):  Pending NATO contracts will focus on satellite communications, air and missile defense systems, software, and cyber security. An article said that the $3.2 billion commitment is representative of the organization’s adjustment to new threats, including those from Russian meddling and increased cyber attacks.  Specifically, about 290 million of the 300 billion euros will be devoted to cyber security, the article reported. The contracts will be outlined during April’s conference in Ottawa and bids will be accepted by the end of this year.  The full article can be read here.

  • US cybersecurity policy has ‘a real deterrence failure,’ Endgame CEO Nate Fick says (CNBC):  The U.S. isn’t ready to respond to cyber attacks, or at least, that’s what Endgame CEO Nate Fick thinks.  In an interview with Jim Cramer, Fick said that Russia meddled in the elections in the cyber realm because they knew the U.S. wouldn’t respond.  If Russia had physically sent agents to the polls, it would be a totally different story.  Fick explained that not all parts of U.S. government are behind in cyber, and in fact, some, like the Air Force, are leading the way.  Shifting to a discussion of the private sector, where he partially pitched his own software company, Fick said that businesses should take a value-based approach to cyber security.  The full interview and article can be seen here.

  • Apple just made a historic and risky change to all iPhones — and you probably didn’t even notice (Business Insider):  Apple’s new software update for devices like iPhones and iPads included its new Apple File System.  A report earlier today explained why replacing the antiquated system makes sense, but also noted that it includes an increased level of encryption. An older article covering Apple’s decision to adopt the new system explained that the software allows a user to choose between “no encryption, single-key encryption, or multi-key encryption with per-file keys for file data, and a separate key for sensitive metadata.” The articles discussing the new software can be read here and here.



Cyber Round Up: Good news for federal cybersecurity; Swiss pick Watson to confront cybersecurity; De-risking cities: connectivity and cybersecurity

  • A rare piece of good news for federal cybersecurity (FCW):  There is some sign of progress amidst all the negativity surrounding the government and cyber security. An article late last week discussed DHS’s Credentials and Authentication Management task order.  The program focuses on identity and access management, a problem the article suggests is behind every major breach of the U.S. government in the last five years. The article highlights the two strongest factors of CRED, the first of which is that the program is actually giving agencies the capability to create a master record for monitoring access.  Second, the grant was crafted with bonuses to incentivize agencies that go beyond the minimal requirements, allowing them to improve efficiency.  The full article can be read here.
  • SIX picks IBM Watson for cybercrime fight (Banking Technology):  This blog recently recapped a report that IBM’s Watson will be used in the fight against cybercrime.  A recent article reported that the Swiss market security infrastructure SIX will use the technology to bolster its cyber operations.  The Security Operations Center will use Watson’s ability to tap into over a million documents in order to do a comprehensive threat assessment.  SIX officials called the cognitive software a “perfect match.”  The full article can be read here.
  • De-Risking Cities: Connectivity and Cybersecurity (Planning Report):  The VX 2017 Conference was recently held for industry leaders to gather and discuss relevant issues in technology and clean energy.  A panel including representatives from the LA Department of Water and Power, Metropolitan Water District of Southern California, and the Information Systems Audit and Control Association addressed how to mitigate risk with critical infrastructure.  The article, which can be found here, includes the full transcript of the panel discussion.


Cyber Round Up: North Korea implicated in Federal Reserve cyberheist; Gorsuch Knows His Cyber; Cybersecurity Bill of Rights

  • U.S. Preparing Cases Linking North Korea in Theft at N.Y. Fed (WSJ):  Federal prosecutors are preparing a case that would charge Chinese middlemen for orchestrating a major bank robbery for North Korea.  An article this week from the Wall Street Journal said that the $81 million robbery from the Federal Reserve was conducted entirely online.   The cyber thieves used access codes from Bangladesh’s central bank to transfer the money from the Federal Reserve accounts to four different banks in the Philippines.  The article also said that these same cyber actors have connections to the 2014 Sony hacks.  The article quoted an NSA official who stressed the significance of a nation state robbing banks, if the allegations against North Korea were true.  The full article can be read here.
  • Gorsuch on Cyber-Related Issues: Part One (Lawfare):  Supreme Court nominee Neil Gorsuch is well versed in cyber related issues.  Commentary earlier this week explained how Gorsuch, when the issues are appropriately before him, is able to understand and engage with the technology at issue.  The article stressed that with a Supreme Court that is technologically challenged, Gorsuch could be a useful addition.  This post in particular is the first in a series of three examining Gorsuch’s cyber decisions, this one focusing on U.S. v. Ackerman.  The full explanation of the decision can be found here.

  • It’s time for a Cybersecurity Bill of Rights (The Hill):  An opinion piece this week stressed the need for a cyber Bill of Rights.  The post listed an example of all the devices that record or track our lives, and said our privacy is more in jeopardy than ever before.  The U.S. Constitution does not specifically address privacy, and the author believes a series of amendments to define privacy protections in the modern era is necessary.  The article explains why privacy is more than just data security, and proposes three rights that should be established.  Those rights are the right to privacy, the freedom to code, and the freedom to socially interact on the internet. The full post can be read here.



Third Circuit Sidesteps Fifth Amendment in Forced Decryption Decision

The United States Court of Appeals for the Third Circuit handed down its decision in United States v. Apple Mac Pro Computer earlier this week.  The case involves a former Philadelphia police officer, Francis Rawls, who was being investigated for child pornography.  Mr. Rawls refused to decrypt two hard drives that the government claimed contained child pornography.  Mr. Rawls argued that decrypting the hard drives was equivalent to self-incrimination, which would be a violation of the Fifth Amendment.  When Rawls chose not to comply with the orders, he was held in contempt and was jailed.

The Third Circuit made its decision without addressing the Fifth Amendment question, instead choosing to uphold the forced decryption under the All Writs Act.  While not providing subject matter jurisdiction itself, the Act was intended to aid courts in executing their existing jurisdiction. The court stated, “[T]he Magistrate Judge had subject matter jurisdiction under Federal Rule of Criminal Procedure 41 to issue a search warrant, and therefore had jurisdiction to issue an order under the All Writs Act that sought ‘to effectuate and prevent the frustration’ of that warrant.”

In upholding the Decryption Order under the All Writs Act, the Third Circuit sidestepped the Fifth Amendment issue.  Eventually, the Supreme Court will have to clarify whether forced decryption can be squared with the Fifth Amendment.  As Orin Kerr discussed, the Third Circuit provided some insight as to how the case may have been decided under the Fifth Amendment and the “foregone conclusion” doctrine. In a footnote, the Third Circuit suggests that the “foregone conclusion” analysis should not necessarily focus on whether the government knows the content of the devices.  Instead, the Court said, “a very sound argument can be made that the foregone conclusion doctrine properly focuses on whether the Government already knows the testimony that is implicit in the act of production.”  Kerr’s post explains that the footnote is dicta, but provides strong support for the government in future cases.  He further explained that this decision avoided a split between circuits.

The entire Third Circuit decision is included below.



Cyber Round Up: Challenges for Rob Joyce; Proposal gives DHS $1.5 billion for cyber; Congressman wants cyber version of National Guard

  • Challenges Ahead For New White House Cybersecurity Advisor (Forbes): Commentary earlier this week addressed some of the many challenges that will be facing recently appointed cyber security adviser Rob Joyce.  The article labeled the former NSA hacker as “the poster child for. . . distrust” that is so commonly associated with the NSA in the post-Snowden era.  Coupled with President Trump’s apparent disregard for privacy rights, the article suggests that having one of the nation’s lead hackers could pose a very scary situation.  The article also quoted those in the field who praised Joyce as a strong pick.  The full article can be found here.
  • Trump’s budget proposal gives DHS $1.5 billion for cybersecurity (The Hill):  The blueprint of President Trump’s budget includes a significant allocation to securing cyber space.  An article yesterday explained that $1.5 billion would be given to DHS to secure federal networks.  The article quoted the blueprint as stating that, “Through a suite of advanced cyber security tools and more assertive defense of government networks, DHS would share more cybersecurity incident information with other federal agencies and the private sector, leading to faster response to cybersecurity attacks directed at federal networks and critical infrastructure.”  The article also said that agencies would be scored on their cyber security practices and would be held accountable.  The full article can be read here.
  • Congressman proposes creating a National Guard for cybersecurity (Military Times):  A young Democrat from Arizona and a former U.S. Marine has suggested a type of cybersecurity reserve similar to the National Guard.   The article summarized Congressman Ruben Gallego’s talk at the South by Southwest conference, where he said that the best cyber minds won’t be drawn to the long hours and low salaries of typical government jobs.  Nor would they have any interest in physical training or boot camp.  Instead, the article says, “cybersecurity warriors” would be on call whenever the nation needed them. The full article and details of Gallego’s talk can be found here.


U.S. Charges Russian Federal Security Service Officers with Hacking Related to Yahoo

Multiple news outlets have reported that a forty-seven-count indictment was handed up in the Northern District of California for multiple Computer Fraud and Abuse Act violations stemming from breaches of Yahoo accounts.

The indictment includes four named parties and others unknown and unnamed:

(1) Dmitry Aleksandrovich Dokuchaev, a Russian FSB Officer,

(2) Igor Anatolyevich Sushchin, also an FSB Officer and Dokuchaev’s superior,

(3) Alexsey Alexseyevich Belan, a Russian national and resident as well as a hacker who has been on the FBI’s “Most Wanted” list, and is subject to an INTERPOL “Red Notice” (meaning that Russian authorities should have detained and arrested Belan once located within the Russian Federation), and

(4) Karim Baratov, a Canadian national and resident, also a criminal hacker and an associate of Dokuchaev’s.



Of course the trick now will be to see how many (if any) of these persons are ever located and brought before the jurisdiction of a U.S. Court.  However, I suppose the symbolism of the indictment is all that matters for the time being.









In an Asymmetrical World: Mutually Assured Destruction Means Developed Nations are Disadvantaged

According to an article by Niall Ferguson which appeared in the Boston Globe, we are currently in a state of Cyber War.  This article, entitled “Cyber War I Has Already Begun,” discusses the Russian hacks surrounding election time in the United States and posits that the largest issue is not whether or not Russia was able to affect the outcome of the election but rather the fact that Russian hackers were able to launch cyber incursions effectively unchecked.

The article quotes Adm. Michael S. Rogers (head of the National Security Agency and US Cyber Command), as saying that “[The Nation is] … at a tipping point.”  Cyber-centric threats are now number one on the Director of National Intelligence’s (DNI) list, and the article further states that the Pentagon reports over 10M intrusion attempts per day.  The full text of the article is here.


Thus, the concept of mutually assured destruction (MAD), which has its roots in Cold War nuclear rhetoric, is unlikely to prove reliable in maintaining any sort of status quo.  Under MAD, nuclear-capable nations all realized that, given the number of nuclear weapons within arsenals throughout the world, any nation that launched a nuclear attack would receive an in-kind response, which would trigger additional attacks and counter-attacks and ultimately result in global thermonuclear war, with mankind itself being the ultimate loser.  Because the barriers to entry into the “nuclear club” were so high, requiring extensive research and development that could only be funded and maintained in an advanced nation-state context, MAD both in theory and as applied prevented the use of nuclear devices in a post-World War II context.

However, those same barriers to entry do not exist in the realm of cyber, and thus it is both likely and possible that bad actors who are not necessarily supported by a nation-state could initiate a cyberattack against a developed nation’s cyber resources.  In such a scenario the concept of MAD is meaningless given the lack of symmetry.  For instance, while the US could arguably cripple Chinese or Russian infrastructure (and they could, in turn, do the same to the US), no similar offensive could be launched against a single person or even a group of hackers with no direct nation-state ties (obviously a kinetic operation could be launched against either type of group; however, that raises a whole other set of issues, especially if the only “offense” was cyber in nature).

In short, these are scary times and we may want to consider the relevance of smaller groups or factions that operate outside the context of a traditional nation-state and thus any virtual or kinetic offensive operations launched against such groups may be limited in both reach and effect.  This is somewhat analogous to the early American raids against the British Regular Army, with small incursions designed to hit-and-run, maximize impact and minimize exposure. Thus, a numerically inferior force may wreak havoc amongst a far larger force which does not bode well for the developed world in the realm of cyber.  If this maxim holds true then we will continue to face cyber attacks from a wide-ranging base of potential bad actors, all of whom may find solace in the fact that even if we solve the issue of attribution, retribution will be muted given the nature of the target (and the fact that a group/persons do not possess critical infrastructure or other such target-rich entities).

This should concern all of us, since a lack of a MAD-inspired détente means the world is full of potential threats, many of which have no regard for the cyber or kinetic capabilities of so-called Superpowers. Consequently, as the article quoted Robert Morris Sr., the only “safe” computing device is one that is not in use and is in fact not even powered on (of course, Morris may not have fully factored in the smartphone and IoT variants, as some of these devices may continue to be insecure even when powered off by a user).  There may therefore be no such thing as a “safe” computing device — users beware.



Cybersecurity: The Internet of Things (IoT) & You — Exercise Caution

As we continue to move to a world wherein all things are networked and even toys now have connections to the cloud, people need to be cognizant and careful.  According to the Hacker News, in 2015 the toy manufacturer VTech revealed that they had suffered a data breach which resulted in the exfiltration of personally identifiable information (PII) of nearly 5M adults as well as photos of roughly 200K children.  Not only did the breach involve the PII of adults, but also the names, gender, and birthdates of children, which raises a number of additional potential issues, according to the article.  Fast forward to 2017, and yet another toymaker has fallen victim to a massive data breach.  The Hacker News reported that CloudPets, developed by a California-based company, Spiral Toys, exposed the voice recordings of over 2M parents and children as well as e-mail addresses and passwords for over 800K accounts.  CloudPets are stuffed animals which allow parents and children to send voice messages back and forth via the internet, according to the article. The article further states that Spiral Toys was advised at least four times that their data had been exposed and they failed to take any ameliorative steps.


I have made, and will continue to make, the argument that cybersecurity requires a baseline approach, especially as the number of connected devices grows at a seemingly exponential rate.  So long as manufacturers are not required to meet minimum cybersecurity hygiene standards, the number of incidents such as those referenced herein will crop up as seemingly innocuous devices become the target of choice due to their lax security protocols and lack of safeguards.  In the instances above the cybersecurity measures in place were either non-existent or rudimentary at best.  The encryption was weak, the databases were public, and arguably these companies failed to meet the duty of care owed to consumers and what is likely valuable PII.  The databases were reportedly devoid of either social security numbers or credit card information. However, the fact remains that the available data could (and still may) be used as one piece of the puzzle from which additional information can be gleaned, e-mail addresses can be targeted, and passwords can be leveraged to attempt to access additional accounts (in many cases, users have a single password that is used across multiple sites).

This should raise a number of red flags for all of us.  Consider the world in which we live: our cars are connected, our appliances are connected, children’s toys are now connected, and in each case we are providing at least limited information in order to access and utilize all of our connected devices, and in so doing we put a large amount of trust that companies will safeguard that data.  However, as we continue to see, that is often not the case.  This is further exacerbated by the “make it work mantra,” wherein the majority of users simply want products to perform as advertised.  Thus, consumers will often forego research and understanding of how/where their data is going and will be used so they can get the product to function as quickly as possible.  In the case of these toys, consider a parent who is faced with a child that just wants the toy to do whatever it has been billed and advertised as doing.  They are not interested in using complex passwords that are difficult to remember and enter, and they are unlikely to research the toy company to determine if they are using two-way encryption or if they offer multi-factor authentication for their devices —  they just want the item to work.  This raises a whole new set of issues regarding the “human side” of cybersecurity.

This is one area where technology can be implemented which can manage the cybersecurity aspects of IoT devices and yet still provide ease-of-use.  The problem is that companies are ultimately profit-driven, and thus in the absence of any financial incentive to bake in additional technology to help safeguard data while simultaneously enhancing ease-of-use, companies choose the lowest-cost alternative, nearly universally.  This, therefore, is one area where the threat of either legal liability or, dare I say, regulations can be implemented via legislation that mandates that companies, and especially those in the realm of IoT, take certain steps with respect to cybersecurity.  One of the keys here will be to draft intelligent legislation that does not merely require that cybersecurity protocols be baked in but rather that the additional cybersecurity have enhanced ease-of-use so that opting out of additional security measures would, in fact, be purposeful and intentional rather than merely a button to click to get the product to function online versus navigating through burdensome security-driven setup.

Until then, I encourage everyone to become device-aware and consider the information you are providing in order to get something simply “to work.”  In many cases, you may find that having a connected device is neat in theory but scary in practice.  Companies perform cost-benefit analysis on a daily basis — so too, should consumers.



Cyber Round Up: New leak could be devastating; Security and cryptocurrency; Governors stress cyber needs

  • New leak exposes a trove of personal passwords and sensitive info (Mashable):  News over the weekend suggests that a recent leak could be one of the most devastating in recent memory.  The report says that Cloudflare, one of the biggest websites for internet security, was the victim of a hack.  Unfortunately, according to the article, the extent of the damage is unknown, but it recommended that people should start changing passwords on a multitude of sites immediately.   A quote in the report from a member of Google’s security team is telling of the nature of the breach: “The examples we’re finding are so bad … I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings . . . We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”   The article can be read in its entirety here.

  • The cybersecurity side of cryptocurrency (CSO):   Bitcoin isn’t the only online currency, and it isn’t all good news.  A recent article  discussed how regulators, as they often are, are lagging behind when it comes to blockchain technology and online currency and that significant vulnerabilities exist as a result.  The piece first explains that new “altcoins,” an abbreviation for bitcoin alternatives, are being developed and used every day.  The online currency market is now valued at $13 billion, the article said.  But it’s not all good, as these have created a unique opportunity for ransomware attacks.  The article also explained that they have become an easy way for criminals to launder their money.   The full article can be read here.
  • Governors put spotlight on cybersecurity (The Hill):  Cyber security remained a political hot topic over the weekend, this time being touted as crucial by numerous state governors.  While cyber security policy often gets attention at the federal level, an article  said that governors were stressing how important it is for states, too.  VA Gov. Terry McAuliffe said that his state alone was targeted by 86 million cyber attacks last year. The event Saturday was one of two focusing on cyber security during the National Governors Association winter meetings.  McAuliffe, like many others, has emphasized the need for public-private partnerships, including one he established between Virginia and Amazon to create a stronger cyber workforce.  The full piece can be found here.


Hackers need 12 hours to steal info while breach detection takes 300 days, hacker survey says

A report released last week took a different approach to cyber security.  Instead of analyzing all the breaches that occurred and looking for trends there, the report surveyed the threats themselves.  Nuix’s “Black Report” surveyed 70 different hackers at a conference to see the cyber security world through their eyes.  The report, which is included in its entirety below, may catch some by surprise.

The survey revealed that 88% of hackers could steal valuable information in under 12 hours.  The breach would not be detected, however, for as long as 300 days.   The professionals surveyed also explained that firewalls and antivirus programs provided no challenge, but endpoint security technologies did stop attacks.   The hackers said that they rarely ever repeated the same methodologies, so that any new defenses are essentially rendered useless.

The company that produced the report, Nuix, conveniently is selling a “next generation endpoint technology,” so the motivation behind the report may be questionable.   Still, it provides a unique, fresh way to evaluate the approaches we take to cyber security.



Professor William Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Christopher W. Folk

is a second year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering and in addition to being a full-time student, Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Ryan D. White

Ryan is currently a second year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as a clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Anna Maria Castillo

is a third year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. Camillo

is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington. Full biography

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography