Cybersecurity and Cyberwarfare

The use of computers and the Internet in conducting warfare in cyberspace.

President Obama tried to give Zuckerberg a wake-up call over fake news on Facebook

Nine days after Facebook chief executive Mark Zuckerberg dismissed as “crazy” the idea that fake news on his company’s social network played a key role in the US election, President Barack Obama pulled the youthful tech billionaire aside and delivered what he hoped would be a wake-up call.

For months leading up to the vote, President Obama and his top aides quietly agonized over how to respond to Russia’s brazen intervention on behalf of the Donald Trump campaign without making matters worse. Weeks after Trump’s surprise victory, some of Obama’s aides looked back with regret and wished they had done more. Now huddled in a private room on the sidelines of a meeting of world leaders in Lima, Peru, two months before Trump’s inauguration, President Obama made a personal appeal to Zuckerberg to take the threat of fake news and political disinformation seriously. Unless Facebook and the government did more to address the threat, President Obama warned, it would only get worse in the next presidential race. Zuckerberg acknowledged the problem posed by fake news. But he told President Obama that those messages weren’t widespread on Facebook and that there was no easy remedy.

Department of Homeland Security tells 21 states about Russian hacking during 2016 election

The Department of Homeland Security contacted election officials in 21 states to notify them that they had been targeted by Russian government hackers during the 2016 election campaign.

In June 2017, DHS officials said that people connected to the Russian government tried to hack voter registration files or public election sites in 21 states, but this was the first time that government officials contacted individual state election officials to let them know their systems had been targeted. Officials said DHS told officials in all 50 states whether their systems had been attacked or not. In only a handful of states, including Illinois, did hackers actually penetrate computer systems, according to US officials, and there is no evidence that hackers tampered with any voting machines. State elections officials in Alabama, Colorado, Connecticut, Iowa, Maryland, Minnesota, Ohio, Oklahoma, Pennsylvania, Virginia, Wisconsin and Washington were told they were targeted.

NTIA Releases Cybersecurity Report

The National Telecommunications & Information Administration has released a report on botnets, DDoS attacks and other cyber threats. The report was based on over 40 responses to NTIA's request for comments on those attacks, which was issued last June. A final report that incorporates the NTIA report is due to the President by May 11, 2018.

NTIA got 47 responses, including from NCTA-The Internet & Television Association, with what the agency said were several broad themes: addressing risks is a shared responsibility; distributed, automated attacks are linked to other threats; they are global and require international cooperation. NTIA said the commenters "resoundingly" endorsed voluntary, consensus-based and community-led processes, including the National Institute of Standards & Technology and NTIA's privacy multi-stakeholder processes. There were also strong voices against too large a regulatory role by government, but others said that the lack of existing security protection and the lack of market incentives to adopt them meant there was greater need for "policy interventions."

RT, Sputnik and Russia’s New Theory of War

How the Kremlin built one of the most powerful information weapons of the 21st century — and why it may be impossible to stop.

President Trump Blocks China-Backed Fund from Buying US Chip Maker Lattice

President Donald Trump blocked a Beijing-backed fund’s attempt to buy an American chip maker, signaling his administration will closely scrutinize Chinese investment in semiconductor technology. President Trump took the rare step of personally intervening in the transaction after the would-be deal makers asked him to overrule an earlier negative determination from the Committee on Foreign Investment in the US, a multiagency panel that reviews deals for national-security concerns.

According to a statement from the White House, President Trump believes the transaction could risk U.S. national security due to “the potential transfer of intellectual property to the foreign acquirer, the Chinese government’s role in supporting this transaction, the importance of semiconductor supply chain integrity to the United States Government, and the use of Lattice products by the United States Government.”

US bans use of Kaspersky software in federal agencies amid concerns of Russian espionage

The US government banned the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyberespionage activities, according to US officials. Acting Homeland Security secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal civilian government networks, giving agencies a timeline to get rid of it, apparently. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

Five privacy and security concerns about Apple’s new FaceID facial recognition

Apple on Tuesday (Sept. 12) unveiled its new FaceID facial recognition technology for the iPhone X—the successor to the iPhone TouchID fingerprint scanner. The company says FaceID is 20 times more secure than TouchID, and can be used for unlocking apps and using ApplePay. Still, this kind of technology raises a lot of questions. Here’s what we’re wondering:
Where will the data be stored?
What are the legal implications of opening your phone with your face?
What else will Apple use the data for, even if it’s just on our phones?
Who else will have access to those sensors?
Does facial recognition this effective really make sense in real-life scenarios?

The Right Response to Equifax

How can we reduce the consequences for consumers and companies when the next breach happens? We can pass national data breach legislation. A national standard would not have prevented the Equifax breach, but it would clarify for consumers and companies the types of information subject to protection and the penalties for failing to do so.

While respecting the valuable role of the states, we clearly need a basic federal standard to ensure that all Americans can expect adequate data protection, allowing companies to better deploy security and training so that the next breach is less damaging for consumers. Sen. Mark Warner (D-VA) has not only renewed the call for national data breach legislation, but also asked the important question “is it time to rethink data protection policies dealing with these large, centralized sets of highly sensitive data on millions of Americans?” The answer to Senator Warner’s question is yes.

The three big questions Equifax hasn’t answered

As pressure builds on Equifax to explain how criminals hacked into a massive trove of data on 143 million Americans, the list of unanswered questions is long. But most boil down to three big ones:
#1: What measures did Equifax take to protect our personal information?
#2: What measures should Equifax have taken to protect our personal information?
#3: What’s the gap between the answers to questions #1 and #2?

Equifax data breach focuses Washington's attention on security of sensitive personal information

The massive data breach at credit reporting firm Equifax has put the company in the cross-hairs of congressional committees and one of the nation’s most aggressive attorneys general, while fueling a new push for stronger protections on Americans’ personal information. Even the Trump administration, which has advocated slashing government rules, has indicated new regulations might be needed. The revelation that a hack of Equifax’s computer system exposed the Social Security numbers and birth dates of as many as 143 million people also could scuttle Republican efforts to limit the liability faced by credit reporting companies and other financial firms in disputes with consumers. The scale of the latest in a series of high-profile data breaches has refocused attention on the role of the three major credit reporting companies — Equifax, Experian and TransUnion — as repositories of a trove of sensitive data. “This debacle should be a wake-up call to both consumers and policymakers about the industry's broad reach,” said Rohit Chopra, a senior fellow at the Consumer Federation of America.