Cybersecurity and Cyberwarfare

As pressure builds on Equifax to explain how criminals hacked into a massive trove of data on 143 million Americans, the list of unanswered questions is long. But most boil down to three big ones:
#1: What measures did Equifax take to protect our personal information?
#2: What measures should Equifax have taken to protect our personal information?
#3: What’s the gap between the answers to questions #1 and #2?

The massive data breach at credit reporting firm Equifax has put the company in the cross-hairs of congressional committees and one of the nation’s most aggressive attorneys general, while fueling a new push for stronger protections on Americans’ personal information. Even the Trump administration, which has advocated slashing government rules, has indicated new regulations might be needed. The revelation that a hack of Equifax’s computer system exposed the Social Security numbers and birth dates of as many as 143 million people also could scuttle Republican efforts to limit the liability faced by credit reporting companies and other financial firms in disputes with consumers. The scale of the latest in a series of high-profile data breaches has refocused attention on the role of the three major credit reporting companies — Equifax, Experian and TransUnion — as repositories of a trove of sensitive data. “This debacle should be a wake-up call to both consumers and policymakers about the industry's broad reach,” said Rohit Chopra, a senior fellow at the Consumer Federation of America.

Sen Mark Warner (D-VA), co-founder of the Senate Cybersecurity Caucus, said Congress might need to rethink cybersecurity policies in the wake of a data breach of Equifax, one of the largest data brokers in the U.S. The company revealed a "cybersecurity incident" that it said potentially impacted 143 million consumers, or about half the population. The information involved included "names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers," said the company.

Sen Warner said, "[T]he scope of this breach...raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans."

The Cyber Vulnerability Disclosure Reporting Act (HR 3202) would require the Department of Homeland Security (DHS), within 240 days of the bill’s enactment, to submit a report to the Congress describing the policies and procedures used to coordinate the sharing of information on cyber vulnerabilities with businesses and other relevant entities. The report also would describe how those policies and procedures were used to disclose such vulnerabilities over the past year and, if available, how recipients of those disclosures acted upon the information.

Based on an analysis of information from DHS, CBO estimates that implementing the bill would cost less than $500,000 over the 2018-2022 period; such spending would be subject to the availability of appropriated funds. Enacting H.R. 3202 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting H.R. 3202 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.

The Cybersecurity and Infrastructure Security Agency Act of 2017 (HR 3359) would rename the National Protection and Programs Directorate (NPPD) of the Department of Homeland Security (DHS) as the Cybersecurity and Infrastructure Security Agency. The bill also would consolidate certain missions of NPPD under two divisions: the Cybersecurity Division and the Infrastructure Security Division.

Based on information from DHS, CBO has concluded that the requirements in the bill would not impose any new operating requirements on the agency. On that basis, CBO estimates that implementing H.R. 3359 would have a negligible effect on the federal budget. Enacting HR 3359 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting H.R. 3359 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.

Lenovo Inc., one of the world’s largest computer manufacturers, has agreed to settle charges by the Federal Trade Commission and 32 State Attorneys General that the company harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers. In its complaint, the FTC charged that beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a preinstalled “man-in-the-middle” software program called VisualDiscovery that interfered with how a user’s browser interacted with websites and created serious security vulnerabilities.

As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. The company must also get consumers’ affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.

After an extensive review, the Nation has issued an editor’s note concerning an Aug 9 article that raised questions regarding a consensus finding of the U.S. intelligence community that the Democratic National Committee (DNC) was hacked by Russian actors seeking to tilt the playing field in the 2016 presidential election.

“Former NSA experts say it wasn’t a hack at all, but a leak—an inside job by someone with access to the DNC’s system,” reads the subhead on the story, which was written by Patrick Lawrence, a contributing writer for the magazine. In her note to readers, which now sits atop the Lawrence piece, Nation Editor and Publisher Katrina vanden Heuvel writes, “We believe it is important to challenge questionable conventional wisdom and to foster debate—not police it. Focusing on unreported or inadequately reported issues of major importance and raising questions that are not being asked have always been a central part of our work.”

After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists.

The assaults on the vast back-end election apparatus — voter-registration operations, state and local election databases, e-poll books and other equipment — have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic e-mails and spreading of false or damaging information about Hillary Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed. Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies.

After a data breach exposes sensitive information, agencies usually offer victims credit monitoring as a catch-all solution to prevent fraud. But a group of lawmakers isn't convinced that strategy always gets the job done. “We are concerned that the popular response may reflect factors unrelated to the actual protection of breach victims,” House Energy and Finance Committee Reps Frank Pallone, Jr., (D-NJ), Diana DeGette (D-CO), and Jan Schakowsky (D-IL) wrote in a letter to the Government Accountability Office. “Reliance on these products after the breach may result in consumers being lulled into a false sense of security.” They requested GAO examine how effective current strategies work for various types of breaches, the extent of the protection each one offers, and the factors agencies weigh in choosing a response to a breach. Lawmakers also would like GAO to see if there are better solutions not currently being offered.

President Donald Trump promised big changes on cybersecurity after his election. During the Obama administration, the nation’s cybersecurity was “run by people that don’t know what they’re doing,” the president said during a post-election press conference. The Trump administration, he promised, would gather “some of the greatest computer minds anywhere in the world” and “put those minds together … to form a defense.” Seven months into the president’s administration, however, analysts are wondering what’s so different.

On most major cybersecurity issues, such as securing federal networks and critical infrastructure, Trump officials are in near lockstep with their Obama-era predecessors. Where they differ, there’s no clear Trump cybersecurity doctrine to explain the divergence. “It’s schizophrenic,” said Peter Singer, a cyber theorist and senior fellow at the New America Foundation. “That may be because of the absence of a strategy or it may be because the chaotic execution of that strategy undermines it.”