Cybersecurity and Cyberwarfare

The use of computers and the Internet in conducting warfare in cyberspace.

New Cyber Shield Act Would Create IoT Cybersecurity Seal of Approval

Sen Ed Markey (D-MA) and Rep Ted Lieu (D-CA) have teamed up to introduce a bill to boost IoT cybersecurity by creating a voluntary self-certification program under the Department of Commerce. The Cyber Shield Act would establish a voluntary cybersecurity program for the Internet of Things, with input from an advisory committee comprising "academia, industry, consumer advocates, and the public" on security benchmarks for consumer devices, from baby monitors, cameras and cell phones to laptops and tablets. The goal is to have manufacturers hold themselves to "industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes" for the reward of branding their products as such. Manufacturers would self-certify that their products met the benchmarks, and then could display a "Cyber Shield" label, like a "Good CyberHouseprotecting" seal of approval.

The committee will advise the Secretary of Commerce, who could elect not to treat a product as certified unless it was tested and accredited by an independent laboratory. The secretary would have two years from the enactment of the legislation to establish the cybersecurity benchmarks. The program would get a going over by the Commerce inspector general every two years, starting not more than four years after enactment.

Consumer Protection in the 21st Century

[Commentary] It is this committee’s mission to protect consumers, and in the coming months, we will be taking a more expansive look at the online experience to ensure safety, security, and an unfiltered flow of information. Recently, the Equifax data breach compromised the personal information of 145 million Americans, including social security numbers, addresses, credit card numbers, and more. This committee held a hearing on the breach and will continue to deeply scrutinize the staggering amount of personal information changing hands online and the business practices surrounding those transactions.

My colleagues and I will hold a separate hearing to assess identity verification practices, and determine whether they can be improved to protect personal data on the web even after a consumer’s information has been breached. These hearings are just the start of a long-term, thoughtful, and research-focused approach to better illuminate how Americans’ data is being used online, how to ensure that data is safe, and how information is being filtered to consumers over the web. While technology is responsible for a lot of positive change in our world, malignant behavior online can have consequences that are not fully disclosed to the American people.

Trump Administration Plans a New Cybersecurity Strategy

The Trump Administration is planning to write a new cybersecurity strategy, White House Homeland Security Adviser Tom Bossert said, suggesting that the slew of Obama-era cyber plans and strategies are fast outliving their usefulness.

There’s no timeframe for when the strategy will launch, Bossert told reporters, but it will follow the broad outlines of a cybersecurity executive order President Donald Trump released in May. “As soon as we’re prepared to put forward a strategy that will be beneficial to the government and the nation, we’ll do so,” Bossert said on the sidelines of a Washington cybersecurity conference hosted by Palo Alto Networks.

Congress opens probe into FBI’s handling of Clinton e-mail investigation

Two House committees announced that they would conduct a joint probe into the FBI's handling of the Hillary Clinton e-mail investigation. The Clinton investigation concluded with no charges being levied against the former secretary of state who was running for president under the Democratic ticket.

House Oversight and Government Reform Committee Chairman Trey Gowdy (R-SC) and House Judiciary Committee Chairman Bob Goodlatte (R-VA) said in a joint statement that they are unsatisfied with how the probe into Clinton's private e-mail server concluded. Among other things, the chairmen want to know why the bureau publicly said it was investigating Clinton while keeping silent that it was looking into President Donald Trump's campaign associates and their connections to Russia. "Our justice system is represented by a blind-folded woman holding a set of scales. Those scales do not tip to the right or the left; they do not recognize wealth, power, or social status," Chairmen Goodlatte and Gowdy said in a joint statement. "The impartiality of our justice system is the bedrock of our republic, and our fellow citizens must have confidence in its objectivity, independence, and evenhandedness. The law is the most equalizing force in this country. No entity or individual is exempt from oversight."

FBI Couldn't Access Nearly 7,000 Devices Because of Encryption

The FBI hasn’t been able to retrieve data from more than half of the mobile devices it tried to access in less than a year, said FBI Director Christopher Wray, turning up the heat on a debate between technology companies and law enforcement officials trying to recover encrypted communications.

In the first 11 months of the fiscal year, federal agents were unable to access the content of more than 6,900 mobile devices, Wray said. “To put it mildly, this is a huge, huge problem,” Wray said. “It impacts investigations across the board — narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation.” The FBI and other law enforcement officials have long complained about being unable to unlock and recover evidence from cellphones and other devices seized from suspects even if they have a warrant, while technology companies have insisted they must protect customers’ digital privacy.

Report: 1 in 4 Emails That Appear to be Dot-Gov Addresses Are Phishing Attempts

About one-fourth of e-mails that purport to be from federal agencies are malicious phishing e-mails spoofing federal addresses, according to a report from the cybersecurity company Agari. The study was based on Agari clients that use an e-mail security feature called Domain-based Message Authentication, Reporting and Conformance, or DMARC. On Oct 16, the Homeland Security Department gave federal agencies three months to deploy DMARC on their e-mail systems as part of a larger e-mail and web security drive.
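To show what DMARC actually does when a message claims to come from a federal address, here is an added example (not from Agari, DHS or the report above) of the receiver-side policy check: the published `_dmarc` TXT record is parsed, and SPF and DKIM results are tested for alignment with the visible From domain. The DNS record, the domain `agency.example` and the sender domains are all constructed placeholders, and the organizational-domain helper is simplified to the last two labels (real receivers use the Public Suffix List).

```python
# Constructed stand-in for DNS: the _dmarc TXT record a receiver would look up.
# "agency.example" is a placeholder domain, not any real agency.
DNS_TXT = {
    "_dmarc.agency.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                             "rua=mailto:dmarc-reports@agency.example",
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict, applying the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (a constructed
    shortcut; production code consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed needs the
    same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain, dns):
    """Find the DMARC record for the From domain, falling back to its org domain."""
    for name in ("_dmarc." + from_domain.lower(), "_dmarc." + org_domain(from_domain)):
        if name in dns:
            return parse_dmarc(dns[name])
    return None


def evaluate_dmarc(from_domain, spf, dkim_sigs, dns=DNS_TXT):
    """spf is (result, mail_from_domain); dkim_sigs is a list of (result, d_domain).
    Returns (dmarc_result, disposition) where disposition is none/quarantine/reject."""
    policy = lookup_policy(from_domain, dns)
    if policy is None:
        return ("none", "none")  # nothing published: no DMARC verdict
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(from_domain, d, policy["adkim"])
                  for r, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return ("fail", policy["sp"] if is_subdomain else policy["p"])


if __name__ == "__main__":
    # A spoof: SPF passes, but only for the attacker's own sending domain, and
    # nothing is DKIM-signed by the From domain, so the p=reject policy applies.
    print(evaluate_dmarc("agency.example", ("pass", "bulk-sender.example"), []))
```

The spoof case is the one the report is about: an SPF "pass" on its own proves nothing, because the attacker controls the bounce domain; DMARC only counts authentication that is aligned with the domain the user sees. The `sp` tag matters for agencies too, since a published `p=reject` on the parent domain leaves subdomains at the default unless `sp` is set.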

CIA director distorts intelligence community’s findings on Russian interference

CIA Director Mike Pompeo declared that US intelligence agencies determined that Russia’s interference in the 2016 American presidential election did not alter the outcome, a statement that distorted spy agency findings. “The intelligence community’s assessment is that the Russian meddling that took place did not affect the outcome of the election,” Pompeo said. His comment suggested — falsely — that a report released by US intelligence agencies in January had ruled out any impact that could be attributed to a covert Russian interference campaign that involved leaks of tens of thousands of stolen e-mails, the flooding of social media sites with false claims and the purchase of ads on Facebook.

A report compiled by the CIA and other agencies described that Russian operation as unprecedented in its scale and concluded that Moscow’s goals were to undermine public faith in the US democratic process and help elect Donald Trump. But the report reached no conclusions about whether that interference had altered the outcome — an issue that U.S. intelligence officials made clear was considered beyond the scope of their inquiry.

Sec of State Tillerson: Our strategies 'are resilient enough' for President Trump's tweets

Secretary of State Rex Tillerson says US foreign policy is "resilient enough to accommodate unknowns," including President Donald Trump's tweets. In an interview with The New York Times Magazine, Sec Tillerson said the president's tweets often catch him off guard, but that he tries to incorporate the messages "into my strategies and my tactics." "In a dynamic situation, like we deal with here all the time — and you can go walk around the world, they’re all dynamic — things happen," he said. "You wake up the next morning, something’s happened. I wake up the next morning, the president’s got a tweet out there. So I think about, O.K., that’s a new condition. How do I want to use that?”

Google introduces Advanced Protection for those at high risk of targeted online attacks

Google is creating an even more secure login process for users at high risk of online attacks. The new Advanced Protection feature focuses on defending against phishing, accidental sharing, and fraudulent access to accounts. The feature has been introduced for users such as journalists who need to protect their sources, or campaign staffers during an election.

The program will use Security Keys, which are small USB or wireless devices required to sign into accounts. Google says they’re the most secure version of two-step verification; they use public key cryptography and digital signatures to confirm a person’s identity. Security keys can be fiddly, so Google says they’re for users who don’t mind carrying them around, using the Chrome browser on desktop, and using Google apps, as the key won’t work with the iPhone’s mail, calendar, and contact apps.
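The sentence above compresses the whole reason security keys resist phishing: the key signs a challenge together with the origin the browser reports, and the real service rejects a signature made for any other origin. The following is an added illustration of that exchange, not Google's code or any FIDO library; it uses a deliberately tiny textbook-RSA key so it runs on the Python standard library alone, and the origins and user name are constructed.

```python
import hashlib
import secrets

# Constructed textbook-RSA key so the example needs no third-party library.
# It is far too small for real use; an actual security key holds a proper key pair.
_P = (1 << 61) - 1
_Q = (1 << 31) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def _digest(origin, challenge):
    """Hash of what the key signs: the origin the browser saw plus the server challenge."""
    h = hashlib.sha256(origin.encode() + b"|" + challenge).digest()
    return int.from_bytes(h, "big") % _N


class SecurityKey:
    """The token: keeps the private key, never exports it, only signs challenges."""

    def __init__(self):
        self._d = _D
        self.public_key = (_N, _E)

    def sign(self, origin, challenge):
        # The key signs whatever origin the browser reports; it does not need to
        # recognise a phishing page, because the signature will name that page.
        return pow(_digest(origin, challenge), self._d, _N)


class RelyingParty:
    """The real service: stores public keys at registration, checks signatures at login."""

    def __init__(self, origin):
        self.origin = origin
        self.keys = {}
        self.pending = {}

    def register(self, user, public_key):
        self.keys[user] = public_key

    def start_login(self, user):
        challenge = secrets.token_bytes(32)   # fresh per attempt, so it cannot be replayed
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, signed_origin, challenge, signature):
        n, e = self.keys[user]
        expected = self.pending.pop(user, None)
        if expected is None or challenge != expected:
            return False   # unknown, expired or replayed challenge
        if signed_origin != self.origin:
            return False   # signed for some other site, e.g. a look-alike page
        return pow(signature, e, n) == _digest(signed_origin, challenge)


def demo():
    """Run the four cases and return their outcomes (True = login accepted)."""
    key = SecurityKey()
    rp = RelyingParty("https://accounts.example")       # constructed origin
    rp.register("alice", key.public_key)

    # 1. Legitimate login on the real origin.
    c1 = rp.start_login("alice")
    s1 = key.sign(rp.origin, c1)
    legit = rp.finish_login("alice", rp.origin, c1, s1)

    # 2. Look-alike site relays the real challenge; the key signs the look-alike origin.
    phish_origin = "https://accounts-example.test"       # constructed look-alike
    c2 = rp.start_login("alice")
    s2 = key.sign(phish_origin, c2)
    relayed = rp.finish_login("alice", phish_origin, c2, s2)

    # 3. Same relayed signature, but the attacker claims it was made for the real origin.
    c3 = rp.start_login("alice")
    s3 = key.sign(phish_origin, c3)
    forged_origin = rp.finish_login("alice", rp.origin, c3, s3)

    # 4. Replay of the earlier legitimate signature against an already-used challenge.
    replay = rp.finish_login("alice", rp.origin, c1, s1)

    return {"legit": legit, "relayed": relayed, "forged_origin": forged_origin, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Case 3 is the important one: the attacker cannot simply lie about the origin, because the origin is inside the signed data, so a signature produced on the look-alike page verifies only against that page's origin. This is the property the passage is pointing at, and it is what a one-time code typed into a phishing form cannot provide.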

Microsoft responded quietly after detecting secret database hack in 2013

Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database. The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to reporters. Microsoft declined to discuss the incident.

The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins.