Cyber Round Up: Germany Calls Russian Cyber Attack ‘warfare’; Cyber Command Not a ‘Bully’; New SEC Guidance Comes Up Short

  • Russia cyber attack on Germany a ‘form of warfare’ (The Telegraph): A story last week discussed a recent and then still ongoing cyber attack against Germany. The report said that while government officials weren’t saying much, many expect there to be a lot more damage than those officials were initially letting on. The story suggested that the attacks were the work of Fancy Bear, a group allegedly associated with Putin’s intelligence agencies. The main concern, according to the article, is that the network attacked is supposed to be one of the most secure in Germany’s government. The full article can be read here.

  • US Cyber Command: An Assiduous Actor, Not a Warmongering Bully (Cipher Brief): Last week, an article was posted on the Cipher Brief titled “US Cyber Command: ‘When faced with a bully…hit him harder.’” A response to that story came on Sunday on the same site, which refuted the idea that Cyber Command is a bully. The latter article explains that “[a] more positive account of the U.S. Cyber Command is that the organization is continuing to explore new approaches to ‘maneuver’ in this new ‘domain of warfare.’” That assertion is just one of many made by the author, who focused mostly on the developing nature of cyber space as the defining factor in Cyber Command’s current strategies. The full article can be read here.

  • SEC’s new cybersecurity guidance falls short (CSO Online): Last week, this blog highlighted the new cyber guidance released by the SEC in a post that can be found here. A piece by CSO Online reaches the conclusion that the SEC could have done much more in its newest guidance, particularly in the wake of the Equifax breach. The article says that the guidance is an improvement, but that it still doesn’t have the teeth to make it truly effective. At the end of the day, the article explains, these are still just recommendations. The article contrasts this with data breach notification laws that have been passed in 48 states. The full article can be found here.


Blockchain: Background and Policy Issues

Below is a Congressional Research Service report released last week that provides some basic background regarding blockchain technology and related policy issues.



Cisco Systems 2018 Annual Cybersecurity Report

Below is Cisco’s annual cyber report. An article with commentary on the report from Forbes can be found here.



The Supply Chain Problem and Cyber Security

The Supply Chain Problem

A few weeks ago, an article from Nextgov, a website dedicated to “how technology and innovation are transforming the way government agencies serve citizens and perform vital functions,” described recent efforts by DHS to address cyber security risks as they relate to supply chains.  The article quotes Jeanette Manfra, the head of DHS’s Office of Cybersecurity and Communications, who explained that “[t]he program’s major goals are to identify the greatest supply chain cyber threats, figure out if there are technical ways to mitigate those threats and, if not, figure out other solutions.” But other than barring companies with weak supply chain security from government contracts, no other solutions were mentioned. Below I look at what a cyber security supply chain policy might encompass.

One of the more prominent supply chain incidents in recent memory involved Hewlett Packard Enterprise, which, in an effort to expand its business, offered a Russian defense agency an inside look at a program called ArcSight.[i] The problem, however, was that ArcSight is a program that is heavily relied on by the Pentagon.[ii] The program is a “cybersecurity nerve center” that sends alerts when it detects a potential attack on a network.[iii] The program is also used frequently by private sector companies.[iv] By providing the program code to Russia, HP not only created a vulnerability for the United States but exposed that vulnerability to the most notorious cyber threat to the U.S. in recent years.

Another example of the cyber supply chain problem occurred several years ago with the United States Air Force. The Air Force had contracted with a vendor in an Asian country to produce hardware for one of the Air Force’s systems.[v] When the hardware arrived in the U.S. and was reviewed by the Air Force, however, they found that the chips contained an extra transistor. While the chip performed its intended function, the Air Force could not decipher what else the piece would do with the extra transistor. As a result, that batch of hardware was disposed of and never installed.

These two examples highlight the breadth and depth of the challenges regarding supply chains and cyber security. Supply chain security implicates hardware and software, public sector and private, and in these two instances, Asia and Russia. The Air Force was fortunate enough to find the altered specifications in its hardware, and reports so far suggest no harm has come from Russia’s ArcSight review.

Every point in every supply chain presents a weakness for that product’s cybersecurity. Every individual human that comes into contact with every component piece of hardware or software is a potential threat.  The threats to the supply chain include:[vi]

  • Installation of hardware or software containing malicious logic
  • Installation of counterfeit hardware or software
  • Failure or disruption in the production or distribution of critical products
  • Reliance on a malicious or unqualified service provider for the performance of technical services
  • Installation of hardware or software that contains unintentional vulnerabilities

All of these create potential weaknesses that can be exploited at a later point in time. Vulnerabilities could be exploited to steal sensitive information. Anything the program does could send a copy of that data to a third party. A vulnerability created by a nefarious actor somewhere in the supply chain could be a switch that lies dormant until activated, at which point it would disable the system. Depending on what system that might be, there could be devastating consequences.

Two major concepts underlie the cyber supply chain security issues in the United States: (1) the United States technology sector is dependent on hardware components manufactured all over the world; and (2) the United States government is heavily dependent on commercial off-the-shelf cyber programs.


Council of Economic Advisers: The Cost of Malicious Cyber Activity to the U.S. Economy

Below is a report released earlier this month from the Council of Economic Advisers, “The Cost of Malicious Cyber Activity to the U.S. Economy.”



Cyber Round Up: Overlooking North Korea; DoD and Operation Gladiator Shield; Cyber and Electronic Warfare Teams

  • APT37 (Reaper): The Overlooked North Korean Actor (FireEye): While everyone’s attention is on North Korea’s development of nuclear capabilities, a recent report says there is an overlooked cyber threat there, too. The report from FireEye calls the group APT37 (Reaper) and says its capabilities have grown in both scope and sophistication. Moreover, the report says with “high confidence” that the group is acting on behalf of the North Korean state. The full article can be read here.
  • Operation Gladiator Shield targeting DoD’s cyber terrain (Federal News Radio):   An article earlier this week recaps the early results from a DoD program known as Operation Gladiator Shield.  The mission is intended to help better organize and secure cyber networks, including JFHQ-DoDIN, which the article explains “is the secure, operate and defend arm of the U.S. Cyber Command.” One quote in the article says that DoD has identified 42 areas of operations, as the first step in securing all networks is to understand what those are. The article does a nice job of showing how complex the networks and programs related to them are. The full article can be read here.

  • The Army is putting cyber, electronic warfare teams in its BCTs (Army Times): The Army is continuing to implement a plan so that units in the field will have operational cyber and electronic warfare teams at their disposal, a recent article says. “The teams include soldiers to handle network operations, electronic warfare and both offensive and defensive cyber operations,” the article explains.  Some of the biggest hurdles are logistical issues and determining what the needs in the field actually are, according to the article. The full explanation of the program can be found here.


SEC Updates Guidance on Cyber Disclosures

The SEC updated its guidance for how public companies should handle not only actual cyber incidents, but also the risk of such events. Two quotes below summarize the basics of the new guidance, while the full statement from the SEC is attached at the bottom of this post.  Also attached is the 2011 guidance, which this new update builds upon.

  • “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
  • “While the Commission continues to consider other means of promoting appropriate disclosure of cyber incidents, we are reinforcing and expanding upon the staff’s 2011 guidance. In addition, we address two topics not developed in the staff’s 2011 guidance, namely the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.”

2018 Guidance

Commission Statement and Guidance on Public Company Cybersecurity Disclosures 33-10459

2011 Guidance

CF Disclosure Guidance_ Topic No. 2 - Cybersecurity


Cyber Round Up: Evaluating ‘Active Cyber Defence’; UK Blames Russia for NotPetya; Intel Makes Quantum Breakthrough

  • Evaluating the U.K.’s ‘Active Cyber Defence’ Program (Lawfare): A post last week on Lawfare recaps the U.K.’s cyber defense program a year after its implementation. The article summarizes the U.K.’s National Cyber Security Centre’s own report while explaining aspects that could be useful for the U.S.  The three main themes of the program, according to the post, are government-centered action, intervention, and transparency. While the first year generally shows some success and some themes should be adopted by the U.S., it is not a silver bullet, the article says. The full post can be read here.
  • The US and UK say Russia was behind the huge NotPetya ransomware attack (MIT Tech Review): A post on “The Download” says that the British government attributed a major cyber attack in 2017 directly to Russia, a move that the post labeled “rare.” NotPetya was a ransomware attack based on a Windows flaw that affected computers worldwide. The post says that the White House later agreed with the British government that Russia was responsible. The full post is here.

  • Intel Touts New Quantum Computing Breakthrough, This Time With Silicon (Extreme Tech): A recent article explains how the often relied-upon silicon has finally been adapted to quantum computing. The article explains how Intel entered the silicon qubit game with what it calls the “spin qubit.” This is one of two parallel tracks that Intel is pursuing in the development of quantum computing, the article says. The article has a video to show exactly what Intel is doing and also explains how it differs from what other companies such as IBM are doing. The full article can be read here.


The Difference Between Cyber and Information Warfare

“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
― Sun Tzu, The Art of War

On Friday, February 16, 2018, Deputy Attorney General Rod Rosenstein announced the indictment of 13 Russian officials related to Russian meddling in the 2016 Presidential election. The first charge, conspiracy to defraud the United States, is against all thirteen defendants. Specifically, “[t]he defendants allegedly conspired to defraud the United States by impairing the lawful functions of the Federal Election Commission, the U.S. Department of Justice, and the U.S. Department of State . . .” Other charges include conspiracy to commit wire fraud and bank fraud and aggravated identity theft. The full press release and the indictment are attached at the bottom of this post.

In his statement, Rosenstein explained that the Russians defined their operation as “information warfare.” The use of that phrase reminded me of an important distinction that was first brought to my attention this past fall – the distinction between cyber warfare and information warfare.

General Michael Hayden, former director of both the CIA and NSA, spoke at Syracuse University on Russia-U.S. relations in October.[i] In particular, Hayden focused on Russia’s interference in the 2016 Presidential elections and how those acts fit within Russia’s broader scheme of information warfare.

To provide context for Russia’s policies, Hayden explained the policy making process in the U.S., which he was a part of, when the U.S. was trying to define its own role in cyber space. At that time, the decision makers weighed two options. Option One was to focus on just cyber and try to “dominate” that sphere. Option Two was to enter the world of information warfare – a much more expansive and daunting task. Information warfare includes psychological warfare, disinformation, deception, and public diplomacy. The U.S. chose Option One while Russia chose Option Two.

In light of recent events, one must question whether that position is still the correct one today. Should the U.S. expand its capabilities in the cyber domain to include those related to information warfare? If the answer is yes, then who should be responsible for conducting those operations?



Worldwide Threat Assessment of the U.S. Intelligence Community

Below is a Statement for the Record given by Director of National Intelligence Daniel R. Coats to Congress on February 13, 2018 regarding the U.S. intelligence community’s worldwide threat assessment, including a section dedicated to cyber security.



Professor William Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Shelby E. Mann

Shelby is a second year law student at the Syracuse University College of Law. She is the 2018-9 Editor in Chief of the Syracuse Law Review, as well as a member of the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. Full biography

Christopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Anna Maria Castillo

Anna Maria Castillo is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

