Bringing boards up to cyber speed (CSO Online): A recent report from the National Association of Corporate Directors is intended to help the many board members who do not fully understand the breadth and depth of risks associated with cyber attacks, a recent article said. The organization surveyed board members and found that only 11% had a high understanding of cyber risks, according to the article. The article also quotes former DHS Secretary Tom Ridge, who said that directors are focused on financial risk and do not grasp how cyber attacks can affect their bottom line or reputation. The report is intended to help business leaders learn how to best allocate resources to mitigate risk, the article suggests. The full article can be read here. The full report is included in this post.
Cyber Round Up: Obama Underestimated Cyber Threat, Electrical Grid Attack ‘Imminent’; The Bigger Issue with the Election Hacks
- Obama Says He Underestimated Threat Posed by Cyberattacks (WSJ): President Obama admitted to underestimating the affect cyber hacks could have on our society in an interview yesterday, a Wall Street Journal report said. The outgoing President said he did not underestimate Putin himself, but did not fully understand the drastic impact that hacks and misinformation could have on “open societies, our open systems, . . . democratic practices.” While President Obama recommended that the event not be politicized, one Republican representative said the Obama administration has been warned for years about these threats but has not listened. The full text of the article can be found here.
U.S. Grid in ‘Imminent Danger’ From Cyber-Attack, Study Says (Bloomberg): A recent report from the Energy Department says what many already knew, the electrical grid is in danger. An article recapping the report says it emphasized that cyber defenses were being deployed much slower than the constantly evolving, sophisticated threats. An attack on the electrical grid could disable defense systems as well as jeopardize the health and safety of millions of citizens, the article said. The report also discussed cyber for natural gas lines, and estimated that modernization of the grid could cost up to $500 billion. The article can be read in its entirety here.
The Real Russian Hacking Story: A Nation Underdefended From Cyberattack (Forbes): Commentary today addressed the Russian election hacks beyond the politicized headlines of recent weeks. The post suggests that people need to look beyond the election specifically and instead consider the big picture regarding increased need for cyber defenses across the U.S. The article points out that while news reports suggested the U.S. was capable of executing large scale cyber attacks in response to Russia’s interference, President Obama chose not to because of the United States’ vast number of vulnerabilities. In short, cyber war would be worse for us than it would be for them. The article suggests that U.S. changes have not been as broad or sweeping as they need to be to confront cyber-first nations like Russia. The full post can be found here.
The swirl around Russia’s meddling in recent U.S. elections has continued the last few days. Yesterday, top intelligence officials testified before the Senate Armed Services Committee regarding foreign cyber threats to the U.S. Today, ODNI released its declassified report on Russia’s role in the 2016 election cycle. Throughout all of this, President-elect Trump has cast doubt on whether the hacks could really be attributed to Russia. Today, the President-elect acknowledged that Russia, as well as many other nations, certainly do try to infiltrate U.S. systems. He would not recognize that any foreign involvement affected the outcome. Trump isn’t alone, as some experts have explained that there is some reason to be skeptical.
Included below is the text of the Joint Statement and video of testimony given in yesterday’s hearings by Director of National Intelligence James Clapper, Undersecretary of Defense for Intelligence Marcel Lettre, and Director of U.S. Cyber Command and NSA Admiral Michael Rogers. The declassified report from ODNI is also included.
The Center for Strategic & International Studies’ Cyber Policy Task Force assembled a series of recommendations for President-elect Trump regarding cybersecurity. The agenda suggests that the new administration should be guided by two principles in shaping cyber policy: making sure there are consequences for international actors and incentivizing domestic actors to provide better cybersecurity.
Those two principles can be followed in addressing what the task force identifies as the five biggest cyber challenges: (1) Deciding on a new international strategy to help handle a dangerous global security environment; (2) Making a greater effort to reduce and control cyber crime (3) Improving efforts to secure critical infrastructures and cyber
hygiene, including a new approach to securing government agencies; (4) Identifying the appropriate balance between federal government and the private sector in moving the field forward; (5) Determining how to organize the United States to defend cyberspace, including either strengthening the role of DHS or creating a new cyber agency.
The report includes a thorough introduction, several policy based recommendations, some organizational recommendations, as well as some suggestions for how to better utilize resources. The full agenda is included below.
The Russians are coming, the Russians are coming. The latest narrative from the White House and the media reads like a Hollywood drama with the threat of our entire infrastructure being overtaken by Vladimir Putin and his evil operatives. Does anyone else find it suspicious that when 20+ million personnel records were exfiltrated from the Office of Personnel Management the rhetoric and nation-blaming was somewhat calm. However, when e-mails from high-level political campaigns are exposed suddenly we are expelling “diplomats” and preparing to do whatever is necessary to rein in the nefarious cyber-bullies — aka Mother Russia.
I had the chance to peruse the report that was issued claiming the Russian civilian and military intelligence services (“RIS”) were behind the cyber attacks which were focused on the government and specifically the U.S. Presidential Election.
The report has some really interesting graphics and a lot of advice about preventing attacks along with a tiny little Yara signature that purports to demonstrate that the attack(s) originated from Russia (or RIS). Furthermore, a joint statement from the Department of Homeland Security (“DHS”) and the Office of the Director of National Intelligence (“ODNI”) from October 7, claims that the motives and methods used to hack the e-mails of political organizations are consistent with Russian-directed cyber events. After reading the report I was left wondering if anyone that writes these ever worked in the technology sector or has had any experience in counterintelligence.
Having some experience myself, I would just note that if I need to perform something programmatically and someone else has already written the code I need and it is modular enough to allow ease-of-use with minor tweaking, I am absolutely going to use that (assuming of course that it is open-source or if in-house part of my code repository). The logic of the analysis seems to be that RIS writes code and it always has comments in Russian (I mean that makes perfect sense, if I am going to write code to infiltrate a foreign government step 1 is to use my native language …) and it comes from IP address ranges known to be from, or used by RIS thus the hacking must have been performed by RIS — seriously? How about Tor and VPN, if the theory is that only a nation-state has the expertise to perform something as complex as getting John Podesta to click on an phishing e-mail then wouldn’t that same super-smart nation-state have the ability to obfuscate both the code used as well as the geolocation from which the attack was initiated? Apparently not, the RIS re-uses their old code with comments written in Russian and has a limited number of IP addresses from which attacks can be launched and voila — we have our culprits.
The following is a joint report from the FBI and DHS regarding Russia’s malicious cyber activity, which the U.S. government is referring to as Grizzly Steppe.
Cyber Round Up: Prepping for Cyber with ISIL; Trump says Computers Can’t Be Secured; Law Firms and Cyber Security
Military weighs expanded use of cyber, space weapons against ISIL (USA Today): The battle against ISIS could potentially turn to cyber, a recent article says. The report says that military leaders have been preparing options for President-elect Trump in both cyber and space that could change the nature of the battle against the terrorist group. One major concern, according to the article, is how far down the chain of command the authority to utilize cyber weapons will be. While the extent of the U.S. military’s cyber capabilities are generally unknown, the article explains that operating in cyberspace can have unintended consequences that hurt more than just the original target. The rest of the article, which can be found here. describes current and future strategies for fighting ISIL in more traditional ways.
Trump questions quest for cybersecurity: ‘No computer is safe’ (Washington Post): President-elect Trump has addressed cybersecurity matters repeatedly the last several days. In addition to questioning Russian involvement in the election hacks and President Obama’s response, Trump also spoke on the extensive, and perhaps infinite, vulnerabilities with computers, according to one article. The report includes quotes from Trump stating that no computer is ever safe, and the only secure way to deliver messages is the old fashioned way. The article goes on to discuss the Trump team’s criticism of how Obama handled the alleged Russian meddling. The full text of the article can be found here.
Law Firms and the Front Lines of Cyber Security (Tech.co): An article yesterday analyzed why law firms are prime targets for hackers and what their vulnerabilities and solutions are. Why firms are targets is fairly obvious, as they have large amounts of confidential information on file. The vulnerabilities are not quite as obvious, the article suggests, as law firms have placed a low priority on cybersecurity while many struggle financially. The report claims that firms are targeted by state sponsored actors because of the high number of devices used, as well as the quality of the information regarding business deals such as mergers and acquisitions. The answer, according to the article, is part legislative and part technological. The full text can be found here.
Dear Mr. Trump: To ‘Cyber’ Better, Try the Blockchain (Wired): Among the many pieces predicting what cyber may look like in the next administration, one particular piece keyed in on one technology that President-elect Trump should focus on. The article recommends that Trump utilize blockchain to shore up cyber instead of the traditional perimeter model for security. The comment from Wired explains just how different each model works, with the key difference being that current models attempt to exclude unwanted individuals, while blockchain, as explained below, is a completely open network. The author reports that the most popular blockchain network, bitcoin, has never been hacked. The report also investigates banks’ use of blockchain, and some other popular networks. The full text of the suggestion for the Trump administration can be found here.
Blockchain for Dummies
In reading the above piece, those of us who are not tech experts might be wondering what blockchain is. The following is an attempt to sum it up in a While certainly not a consensus opinion, there are those who believe the technology could be revolutionary. It’s not super exciting, but many of the biggest transformations in businesses were not. Supporters of liberalism and free market ideology love the decentralized trust system. Not only can it change how businesses and customers interact, but one commentator claims it is as innovative as limited liability, property rights, and even the internet itself. Is blockchain going to be that much of a game changer? Probably not. But it shows enough promise to spark a discussion of that nature.
In order to properly understand the benefits of blockchain, it is important to understand the problem that it was attempting to solve. Without getting into too many details, the core problem was double-spending. Through a couple of different methods, it was possible for a user on the internet to spend the same coin twice. One analogy that has been used to explain the problem is a simple bank transaction. When you move money in a bank transaction, it is usually done all electronically. There is no physical exchange of paper between individuals. This system only works is because the banks can be trusted. There was a need for a way to secure transactions on the internet. Blockchains eventually provided the answer.
A 21st Century Cyber-Physical Systems Education examines the intellectual content of the emerging field of Cyber-physical systems (CPS) and its implications for engineering and computer science education. This report is intended to inform those who might support efforts to develop curricula and materials; faculty and university administrators; industries with needs for CPS workers; and current and potential students about intellectual foundations, workforce requirements, employment opportunities, and curricular needs. CPS are “engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components.” CPS can be small and closed, such as an artificial pancreas, or very large, complex, and interconnected, such as a regional energy grid. CPS engineering focuses on managing inter- dependencies and impact of physical aspects on cyber aspects, and vice versa.
Several news outlets today reported on the announcement that President-elect Trump has chosen Tom Bossert to be homeland security adviser. The President-elect particularly praised Bossert’s expertise in the cyber realm. One report said that Bossert will have an elevated status in the administration and will be “independent.” Bossert previously served in the Bush administration, where he helped author one of the nation’s first cyber strategies. He has been President of the risk management firm Civil Defense Solutions, and a Zurich Cyber Risk Fellow at the Atlantic Council’s Cyber Statecraft Initiative.
Another article quoted Bossert as stating that the U.S. “must work toward [a] cyber doctrine that reflects the wisdom of free markets, private competition and the important but limited role of government in establishing and enforcing the rule of law, honoring the rights of personal property, the benefits of free and fair trade, and the fundamental principles of liberty.”
Much of the focus on cybersecurity since the November elections has shifted from alleged Russian meddling in the election to what the new year and new administration will mean for cybersecurity. The vast majority of that has been speculation and a wide variety of recommendations for President Trump. The announcement today provides the first solid insight as to what Trump’s cyber policies may consist of.
I feel it is worth noting that Trump feels confident enough in Bossert to give him independent status. The WSJ article referenced above claimed that Bossert will have the same level of authority as Lt. Gen. Michael Flynn. With such great deference given to Bossert, it is possible that he be one of, if not the lead player in shaping cyber policy for the next four years.
Included below is the Bush administration cyber strategy that Bossert is reported to have helped author. The strategy was mainly a laissez-faire approach. The goals of the National Strategy to Secure Cyberspace were (1) prevent cyber attacks against America’s critical infrastructure; (2) reduce national vulnerability to cyber attacks; and (3) minimize damage and recovery time from cyber attacks that do occur. These are all fairly obvious objectives. The administration also placed most of the burden on the private sector, claiming that it was “best equipped” to handle it. The government did have a role in limited situations, but it wasn’t much. The strategy really focused on the development of public-private partnerships, an idea we still see frequently today in the cyber realm.
Bossert’s recent quote about his views of the government’s role in cyber seem to parallel the key components of the 2003 National Strategy. While the President-elect’s campaign and actions have yet to yield any clear cyber positions, it is possible that today’s announcement has provided some insight into what may be a limited role for the government in coming years.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
Anna Maria Castillo
is a third year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor in the Syracuse Law Review.
Christopher W. Folk
is a second year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering and in addition to being a full-time student, Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
- NACD Cyber-Risk Oversight 2017 Report
- Cyber Round Up: Obama Underestimated Cyber Threat, Electrical Grid Attack ‘Imminent’; The Bigger Issue with the Election Hacks
- Russian Election Hacks Update with Reports, Testimony, Videos
- CSIS Task Force: A Cyber Agenda for the 45th President
- The Man Who Cried [Grizzly] Bear (previously known as the Boy Who Cried Wolf)
- Opinion: Proposed NY Cybersecurity Regulations — Not Great but better than nothing? on
- Report: Commission on Enhancing National Cybersecurity on
- NY: Governor Cuomo Announces new Cybersecurity Regulations on
- Cyber Round Up: Obama Cyber Security Commission to Release Final Report; Amazon Unveils Cyber Security Service; US and Israel Aim to Cooperate on Cyber Research on
- Cyber Round Up: Obama Cyber Security Commission to Release Final Report; Amazon Unveils Cyber Security Service; US and Israel Aim to Cooperate on Cyber Research on
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010