Supply chains and off the shelf security

A report released yesterday details how Hewlett Packard Enterprise allowed a Russian agency to review a cyber defense system that is widely used not just in the private sector in the United States but also the military.  The HPE program called ArcSight is a “nerve center” that alerts analysts when computer systems may be under attack.

The Reuters report provides a quality summary of the story and the complicated issues it presents.  The article points out the lack of reporting requirements for off the shelf cyber programs and highlights the widespread problems with supply chain security.  The technology market is simply too vast to know who has a hand in designing the endless pieces of software and hardware.

While private businesses may have to manage their own risk, government agencies, especially those with a national security focus, cannot roll the dice.  The U.S. government needs to heighten its standards for both the software and hardware it uses. It’s a complex problem and will require a comprehensive solution.  But doing nothing cannot be an option.


Cyber Round Up: Recommendations for EU Cyber Proposal; Setback for Bitcoin in U.S.; Government’s Cyber Competition Problem

  • Cybersecurity in Europe: key recommendations for the new cyber review (Politico EU):  Earlier this month, the European Union announced a proposal for a strengthened ENISA, the EU’s cybersecurity agency.  An article on Politico highlighted some of the concerns and questions that the proposal left unanswered.  The post, which was written by a consulting firm, calls for more harmonization, not lowering encryption standards, and more information sharing.  The rest of the recommendations and the full post can be read here.
  • Backers withdraw two proposals to list U.S. bitcoin funds (Reuters):  The bitcoin movement suffered a setback, a recent article said, as efforts to register two funds with the SEC were withdrawn.  According to the article, the SEC told the investment firms that they would not review bitcoin applications until futures related to bitcoin were trading.  The article notes that the SEC and NYSE have been hesitant to regulate the bitcoin market, adding to uncertainties about the currency’s future.  The full article can be read here.

UPDATE:  An additional story can be found here that describes South Korea and other nations’ crackdown on cryptocurrency.

  • The Government Needs More Cyber Talent—But So Does Everyone Else (WSJ):  The government cannot afford to hire to the best talent in the cyber security industry, a recent article says.  This problem is not unique to cyber, as the private sector offers higher paying jobs across the board.  According to the article, SEC Chairman John Clayton said he plans to request a bigger budget to address this problem next year. The article discusses some specifics of the compensation discrepancies.  It also notes that the geographic requirements of working for the federal government are another barrier to recruiting top talent. The full article can be read here.


The Flip Side of a Breach: Data Integrity

The media tends to focus on the high-profile data breaches: OPM, Target, TJX, Home Depot, Equifax, the SEC (EDGAR), with the narrative typically centered on identity theft and/or credit card fraud.  However, as we delve further into these, we cannot, and should not ignore the other side of the data breach coin — namely, data integrity.

We have numerous vendors, from A to Z, offering information security services: intrusion detection, network anomaly detection, data exfiltration detection, user training, etc.  While these services are arguably important (and, as the recent breaches show us, are rarely if ever fully implemented), we should be equally interested in the integrity of our data as we are in the overall security of information.  If we focus on a breach only in the context of data exfiltration and identity theft, then we are looking at a small piece of the pie.  While criminal organizations are typically motivated by revenue, that revenue comes in many forms.

Consider the SEC hack, for instance: if it had been focused on data manipulation, the effects could have been far-reaching and significant.  The prospect of modifying filings within the SEC could make stock price manipulation possible and tremendously profitable.  While there are controls in place, and tracing the related transactions is more likely to succeed in an investigation than in a typical identity theft/card fraud hack, the fact remains that trying to implement data security while foregoing data integrity is exceedingly unwise.

When I was in software engineering we used source code control systems to ensure the integrity of our trunk and branches and to be able to “see” modifications to the code.  This was a critical component of the software development process and it would be unimaginable for a large software project to forego such a system.  The data that entities collect and retain is often expensive to procure, to store, to retrieve, and to analyze. Thus, if the integrity cannot be guaranteed then all of those expenses may be for naught.  Suffice it to say that data is the foundation of the world we live in.  Data that is missing or stolen causes a certain set of issues; however, data that is tampered with is even more vexing, since our current information security implementations may not even detect these.

Imagine a consumer that attempts to purchase a home only to find that they have multiple accounts that were flagged 90-days late.  The herculean efforts that would have to be undertaken to rectify erroneous items on a credit report would be extremely onerous for an individual consumer.  Now multiply that, and consider a scenario where a larger segment of the population is impacted.  What would the economic effect be if those persons most likely to enter into new credit agreements were unable to do so for 60-90-120 days?  What would the ramifications be if data from the credit agencies was deemed to be unreliable?
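The source-control analogy and the altered credit-report scenario above, as an added example that is not part of the original post: a keyed integrity tag (HMAC-SHA256) per record plus a chain head over the whole set, so that an edited “days late” field or a deleted record is reported on verification. The record layout, the demo key and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives in an HSM/KMS held
# by the integrity service, not in the database the records sit in, so a
# database-level attacker cannot simply re-tag the records they altered.
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the tag does not depend on field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed integrity tag (HMAC-SHA256) for one record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(records: list, key: bytes = INTEGRITY_KEY):
    """Return per-record tags plus a chain head binding their order and count."""
    tags = [tag_record(r, key) for r in records]
    head = hmac.new(key, "|".join(tags).encode(), hashlib.sha256).hexdigest()
    return tags, head


def verify(records: list, tags: list, head: str, key: bytes = INTEGRITY_KEY) -> dict:
    """Report which records were altered and whether the set is still complete
    and in order. Without the key an attacker cannot forge a matching tag,
    so a silent edit becomes visible here instead of going unnoticed."""
    modified = [
        i for i, (r, t) in enumerate(zip(records, tags))
        if not hmac.compare_digest(tag_record(r, key), t)
    ]
    expected = hmac.new(key, "|".join(tags).encode(), hashlib.sha256).hexdigest()
    chain_ok = len(records) == len(tags) and hmac.compare_digest(expected, head)
    return {"modified": modified, "chain_ok": chain_ok}


def sample_records() -> list:
    """Constructed credit-account records for the demonstration."""
    return [
        {"account": "ACCT-0001", "consumer": "C-100", "days_late": 0},
        {"account": "ACCT-0002", "consumer": "C-100", "days_late": 0},
        {"account": "ACCT-0003", "consumer": "C-200", "days_late": 30},
    ]


if __name__ == "__main__":
    records = sample_records()
    tags, head = seal(records)
    print("clean:", verify(records, tags, head))

    # Tamper: flag one account 90 days late without touching the stored tags.
    tampered = [dict(r) for r in records]
    tampered[1]["days_late"] = 90
    print("edited:", verify(tampered, tags, head))

    # Tamper: drop the last record and its tag; the chain head still catches it.
    print("deleted:", verify(records[:-1], tags[:-1], head))
```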

If we continue to take a point approach and look at each hack/breach as a discrete and distinct operation, we may fail to correlate joint activities, miss the bigger picture and altogether overlook the data integrity issues that we may already have been beset with.


Data Breach Notifications: Too Little, Too Late

Equifax, the SEC, Deloitte. They aren’t the first, and they won’t be the last.  As the number of major data breaches continues to grow, so does the debate around whether the federal government needs to step up and regulate data breach notifications.

An article earlier this week in the Wall Street Journal summarizes the arguments for federal action.  There’s a patchwork of data breach notification laws from the states right now, but they clearly don’t get the job done. Equifax sat on the information for months before revealing it to the public.

The title of that article was, “After Equifax, Should the Government Force Companies to Report Hacks?”  The answer is easy.  Of course they should.  And I hope Congress finally drafts legislation that would implement a clear, comprehensive policy for the whole nation.

But while that debate will continue while we wait (and wait, and wait) for Congress to do something, we can’t take our eye off the ball. Data breach notification requirements do not solve the problem. People have a right to know that their data was compromised and they should receive that information in a timely manner.  But adding this law won’t increase cyber security in any way.  All it does is stop the bleeding after the fact. Wouldn’t it be better to not get cut in the first place?

Companies need to practice better cyber security across the board.  We should be focusing on how to prevent data breaches in the first place rather than what to do after they occur.  Some breaches may be inevitable.  But I don’t think we need 2 or 3 major ones being revealed every week.

Lawmakers need to evaluate the tools at their disposal and listen to those who know the field best.  The only way for everyone to benefit is by promoting better cyber hygiene to prevent attacks and breaches.  Letting us know after the fact doesn’t help anyone.


Cyber Round Up: Congress isn’t prepared for cyber attack; Chertoff likens cyber to immune system; Deloitte says very few affected

  • We’re under constant threat of cyberattack, and Congress isn’t prepared to do anything about it (Washington Post):  Brianna Wu, a software engineer by trade and now a Democratic candidate for Congress in Massachusetts, wrote a piece for the Washington Post about Congress’s lack of preparation for a cyber attack. The article points out that Congress has failed to act in the wake of several different attacks and that members of the pertinent Congressional committees are not qualified to address these issues. While clearly politically motivated, Wu criticizes both political parties and is correct that most Congressmen and women do not have the technical background that she does.  She makes a strong push for civil liability that will force companies to engage in good cyber security practices. The full article can be read here.
  • Ex-Homeland Security Chief: Good cyber security is like an immune system (Yahoo):  The former Secretary of Homeland Security Michael Chertoff recently spoke on cyber issues in an interview with Yahoo.  In his comments, Chertoff compared cyber security to the human body, saying that “The human body doesn’t keep all bacteria and viruses out, but it also has an immune system and that’s what companies should have.” He also urged layered defenses and managed expectations.  Chertoff also advised that companies should not pay ransoms for data, as it only encourages hackers to repeat their behavior.  The full video can be seen here.

  • Investor group seeks probe into SEC hack, urges data rules delay (Reuters): Deloitte was the latest company to disclose a data breach.  A report from Reuters earlier today, however, includes comments from the company that claim ‘very few’ clients were affected.  The attack was discovered in March and could have started as early as October 2016, the article said.  The full report can be read here.



Cross-Border Data Access Primer from Harvard’s Berkman Klein Center

One of the biggest challenges with the rapid development of technology has been figuring out how to share that data across jurisdictions, particularly internationally.  Many feel that the existing U.S. system of Mutual Legal Assistance Treaties (MLATs) is outdated and needs to be revamped.  The Berkman Klein Center for Internet & Society at Harvard University recently published a primer on this topic.  The full report is included in this post and can be found here.

SSRN-id3035563


SEC Statement on Cybersecurity

A few days late, but in case you missed it, the full statement from SEC Chairman Jay Clayton on the agency’s approach to cybersecurity is included below.  The statement can also be read here.

SEC statement


Distrustful U.S. allies force spy agency to back down in encryption fight

A report today from Reuters tells the story of how the NSA’s efforts to lead the way on international encryption standards were shut down by several other members of the international community.  The story explains how several other nations were distrustful of the standards the U.S. proposed to the International Organization for Standardization (ISO), because of information Edward Snowden provided indicating that the U.S. was hoping to establish standards with back doors for its own use.  The report highlights how the U.S. has shown suspect behavior in this realm before.  The full report can be read here.

My kneejerk reaction was that this was just another story highlighting how the Snowden leaks are still hurting the U.S. several years later. But after considering the narrative a little more, I realized that Snowden doesn’t matter for this scenario. Nation-states are always going to be skeptical of each other when this type of technology is on the line.  The U.S. certainly isn’t the only nation who would want to provide itself with an advantage when it comes to access to protected information.  If, for example, China proposed encryption techniques, the U.S. would be just as skeptical, even without a Snowden type leak to use as support for their thinking.

A tiger can’t change its stripes. International actors will never change their behavior and decide to put blind faith in other nations.  Even if there was a new, strong standard that was developed and agreed upon, any one actor that found a vulnerability would keep that information to itself.   As the article points out, the result of this is lower encryption standards.  These lower standards don’t really help anyone, but don’t expect it to change anytime soon.


Cyber Round Up: A Manhattan Project for Cybersecurity, EU Scales Up Cyber-Attack Responses, Senate Defense Bill Calls for Blockchain Cybersecurity Study

  • Time for the US to Develop a Manhattan Project in Cybersecurity (The Hill): Opinion contributor Greg Clark poses the question, “If cybersecurity is one of the greatest challenges facing our nation today (and few would question that it is), why are we helping our adversary defeat billions of dollars in cyber defenses?” Clark discusses how the Freedom of Information Act allows anyone to ask the government what it’s purchasing, and proposes tactics for keeping cyber-defenses unknown to adversaries. Among the suggestions Clark voices are developing next-generation security tools and ceasing the purchase of “commercial-off-the-shelf” security tools. Read the full article here.
  • Cybersecurity: Commission Scales Up EU’s Response to Cyber-Attacks (European Commission): European Union President Jean-Claude Juncker’s State of the Union Address on Sept. 13, 2017, called for better equipping Europe for cyber-attacks. This included proposing an EU Cybersecurity Agency to assist EU Member States in combating cyber-attacks. This press release from the European Commission explains how the EU is building resilience, stepping up its cybersecurity capacity, and creating a criminal law response focused on detecting, tracing, and prosecuting cyber criminals.
  • $700 Billion Senate Defense Bill Calls for Blockchain Cybersecurity Study (CoinDesk): The Senate recently passed a bill that massively increases military spending. Included in the bill is a mandate for the Department of Defense to conduct a blockchain study. While the House of Representatives still needs to approve the bill, Ohio Senator Rob Portman included the amendment requiring the blockchain study. If the bill is passed into law, the study would follow six months later. Read the full article here.


Cyber Round Up: A Better Way to Teach Cybersecurity; Take Cybersecurity Away from Spies; EU-US Privacy Shield Review

  • A Better Way to Teach Cybersecurity to Workers (WSJ): Companies have found out that punishing employees for poor cyber hygiene is not effective, according to a recent report in the Wall Street Journal.  The general consensus is that most people dread cyber security training.  Instead, companies are making progress when they switch out the stick for the carrot, the article says.  Research has shown that companies using games, competitions, and the like have had better results when it comes to employees’ cyber habits.  The full article can be read here.
  • Take cybersecurity away from spies…for everyone’s sake (Wired): Commentary in an article last week addressed the inherent flaws and conflicts of interest that arise when intelligence agencies are the ones who find cyber vulnerabilities.  The post highlights statistics about the British signals intelligence agency, but also mentions the NSA.  For example, according to the post, the core exploit in the WannaCry attack was engineered by the NSA. Instead of informing Microsoft of the vulnerability, the intelligence agency chose to hold on to the information for its own use.  The article discusses how these competing interests hinder cyber security.  The full post can be read here.
  • EU-U.S. data pact faces first major test of credibility (Reuters): The EU-U.S. Privacy Shield data pact is set to be reviewed this week after its first year in place, a report over the weekend said.  The deal was meant to provide greater privacy protections for Europeans whose data ends up on U.S. servers.  The big question, according to the article, is whether the U.S. is holding up its end of the deal.  While the deal was viewed as an improvement for privacy in some respects, it has also been challenged as not going far enough, the author reports.  The full post can be read here.


Authors

Professor William C. Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as a clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Shelby E. Mann

Shelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project.

Christopher W. Folk

Christopher is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

Anna Maria Castillo is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review.

Jennifer A. Camillo

Jennifer is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

Benjamin is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)