henryfarrell + cybersecurity_class (626 bookmarks)

Toward a Human-Centric Approach to Cybersecurity | Ethics & International Affairs | Cambridge Core
A “national security–centric” approach currently dominates cybersecurity policies and practices. Derived from a realist theory of world politics in which states compete with each other for survival and relative advantage, the principal cybersecurity threats are conceived as those affecting sovereign states, such as damage to critical infrastructure within their territorial jurisdictions. As part of a roundtable on “Competing Visions for Cyberspace,” this essay presents an alternative approach to cybersecurity that is derived from the tradition of “human security.” Rather than prioritizing territorial sovereignty, this approach prioritizes the individual, and views networks as part of the essential foundation for the modern exercise of human rights, such as access to information, freedom of thought, and freedom of association. The foundational elements of a human-centric approach to cybersecurity are outlined and contrasted with the prevailing trends around national security–centric practices. A human-centric approach strives for indivisible network security on a planetary scale for the widest possible scope of human experience, and seeks to ensure that such principles are vigorously monitored and defended by multiple and overlapping forms of independent oversight and review.
3 days ago by henryfarrell
The spread of low-credibility content by social bots | Nature Communications
The spread of low-credibility content by social bots
Chengcheng Shao, Giovanni Luca Ciampaglia, Onur Varol, Kai-Cheng Yang, Alessandro Flammini & Filippo Menczer
Nature Communications, volume 9, Article number: 4787 (2018)

The massive spread of digital misinformation has been identified as a major threat to democracies. Communication, cognitive, social, and computer scientists are studying the complex causes for the viral diffusion of misinformation, while online platforms are beginning to deploy countermeasures. Little systematic, data-based evidence has been published to guide these efforts. Here we analyze 14 million messages spreading 400 thousand articles on Twitter during ten months in 2016 and 2017. We find evidence that social bots played a disproportionate role in spreading articles from low-credibility sources. Bots amplify such content in the early spreading moments, before an article goes viral. They also target users with many followers through replies and mentions. Humans are vulnerable to this manipulation, resharing content posted by bots. Successful low-credibility sources are heavily supported by social bots. These results suggest that curbing social bots may be an effective strategy for mitigating the spread of online misinformation.
cybersecurity_class  PDKL-Ninety-five 
19 days ago by henryfarrell
Neutrollization: Industrialized trolling as a pro-Kremlin strategy of desecuritization - Xymena Kurowska, Anatoly Reshetnikov, 2018
Neutrollization: Industrialized trolling as a pro-Kremlin strategy of desecuritization
Xymena Kurowska, Anatoly Reshetnikov, First Published August 8, 2018 Research Article

This article considers the significance of trolling for security processes through a contextual analysis of industrialized pro-Kremlin trolling in the Russian blogosphere. The publicity surrounding Russia’s hacking activities in international politics conceals the significance of the domestic trolling culture in Russia and its role in the ‘trolling turn’ in Russia’s foreign policy. We contextually identify the practice of ‘neutrollization’ – a type of localized desecuritization where the regime adopts trolling to prevent being cast as a societal security threat by civil society. Neutrollization relies on counterfeit internet activism, ostensibly originating from the citizenry, that produces political disengagement by breeding radical doubt in a manner that is non-securitizing. Rather than advocating a distinct political agenda, and in contrast to conventional understandings of the operations of propaganda, neutrollization precludes the very possibility of meaning, obviating the need to block the internet in an openly authoritarian manner. It operates by preventing perlocution – that is, the social consequences of the security speech act. This prevention is achieved through the breaking or disrupting of the context in which acts of securitization could possibly materialize, and is made possible by a condition of ‘politics without telos’ that is different from the varieties of depoliticization more familiar in Western societies.
cybersecurity_class  PDKL-Ninety-five 
8 weeks ago by henryfarrell
China, EU seize control of the world’s cyber agenda - POLITICO
The United States is losing ground as the internet’s standard-bearer in the face of aggressive European privacy standards and China’s draconian vision for a tightly controlled Web.

The weakening American position comes as the European Union, filling a gap left by years of lax U.S. regulations, imposes data privacy requirements that companies like Facebook and Google must follow. At the same time, China is dictating companies’ security practices with mandates that experts say will undermine global cybersecurity — without any significant pushback from the United States.

The result: Beijing and Brussels are effectively writing the rules that may determine the future of the internet. And China’s vision is spreading across the developing world as it influences similar laws in Vietnam, Tanzania and Nigeria.

Experts in cyber policy say the trends could slow the internet’s growth, stunt innovation and erect new market barriers for American businesses. And while these trends began before Donald Trump became president, his administration has yet to devise a clear plan to rebut either of these agendas.

“The U.S. cannot afford to be on the sidelines,” said Chris Painter, America’s top cyber diplomat from 2011 to 2017, who is now with the Global Commission on the Stability of Cyberspace. “Other countries are doing things legislatively that affect the U.S. … and the U.S. is on the back foot.”


One result of this shift is the erosion of the freewheeling U.S. vision of the internet that had reigned for decades. “The U.S. model looks both paralyzed and somewhat feckless, while the Europeans and the Chinese are making progress and, in many cases, damaging the openness of the internet,” said Adam Segal, director of the Council on Foreign Relations’ cyber policy program. “And we don’t particularly have a coherent response to it.”

The lack of U.S. leadership also harms ordinary Americans by letting industry block the adoption of strong protections against cyberattacks, said Sen. Ron Wyden (D-Ore.), one of Congress’ leading voices on cybersecurity and technology issues.

“The United States is failing on cybersecurity because our Congress has been captured by corporations who have successfully killed any effort to impose meaningful cyber standards,” he told POLITICO in an email.

For years, the U.S. objected aggressively when China and other authoritarian regimes tried to co-opt international venues to push their cyber agendas. In 2015, China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan introduced a “code of conduct for information security,” which would have codified their vision of content regulation, but behind-the-scenes work by Western governments halted its momentum. The U.S. blocked similar efforts at a United Nations technology commission. And in 2010, the U.S. helped prevent a vote to hand a role in internet policymaking to the International Telecommunication Union, which would have given a stronger hand to authoritarian countries that often lose to the West in other settings.

“In all bilateral and multilateral encounters heretofore, the United States has successfully and consistently, in a bipartisan way, opposed” authoritarian visions for cyberspace, said a former State and Commerce department official who spent eight years working on cyber issues and requested anonymity to speak candidly.

But the U.S. has offered only token opposition to the cybersecurity law that China imposed last year, which among other things requires companies operating in China to provide authorities with the source code to their software.

The U.S. has taken a much more modest approach to its own cybersecurity policy: It passed a cyber information sharing law in 2015 that gave companies legal immunity for sharing threat data with the government, and the National Institute of Standards and Technology introduced a voluntary “framework” for managing digital security risks. Industry groups praised these efforts, saying they influence policies worldwide.

But beyond these piecemeal steps, the U.S. has advanced no coherent vision of cybersecurity regulation to counter the ones from China and Europe. And Russia will soon try again with its cybersecurity “code of conduct” — with vague language discouraging interference in other states’ internal affairs — at the U.N. General Assembly in September.

The U.S. is at a disadvantage, Painter said, because while China and others roll out ambitious plans, American diplomats call for only modest reforms. “If the U.S. line is, ‘Leave the status quo as it is,’ that’s always hard,” he said.

Chinese Communist Party leaders see cybersecurity “as a fundamental part of their governance model,” said Samm Sacks, a senior fellow at the Center for Strategic and International Studies. And President Xi Jinping has taken a personal interest in the topic, beyond how most world leaders engage with the issue.

Meanwhile, Beijing’s grip on domestic affairs gives it an advantage over the U.S. when it comes to laying down the law.

The result is China’s cybersecurity law, which took effect on June 1, 2017, creating vaguely defined inspection regimes for network operators and critical infrastructure owners. These businesses must let Chinese officials test their equipment and software at any time. They must also store their data in China so investigators can access it. One provision could let Beijing demand companies’ decryption keys, a requirement that end-to-end encrypted apps like Signal cannot meet, since the provider holds no keys to hand over.

But even as the fractious Chinese bureaucracy prepared to implement the law, Beijing was busy promoting its view of digital security controls abroad, focusing on developing nations that it hopes will join a coalition to counter the West’s more open internet agenda.

In a digital extension of its sweeping One Belt One Road initiative, China spent vast sums to expand internet connectivity in small and underdeveloped countries. It donated computers to governments in nearly three dozen countries, from Pakistan to Malawi to the small island state of Tonga. Huawei, the Chinese telecom giant that U.S. officials consider a cybersecurity risk, set up armies of security cameras in the Kenyan cities of Nairobi and Mombasa as part of its “Safe City” initiative.

Cyber experts suspect China’s generosity is driven by its strategic self-interest: Beijing wanted to have a foothold in these emerging countries’ computer networks. Evidence has occasionally emerged to support this view. In January, the French newspaper Le Monde reported that China had spent years spying on the African Union, whose headquarters it built and donated to the international organization in 2012. Buried in the facility’s ready-made computer network, the paper said, were backdoors letting Beijing monitor the African Union’s activities.

“China’s influence is second to none in terms of its relationships with developing countries and in terms of its expanding relationship, recently, with developed countries,” said the former State Department official. As a result, he said, “Chinese companies are essentially the lead [and] have inside access” to countries’ systems.

The U.S. government and American corporations also must deal with a newly aggressive Europe on cyber issues. In August 2016, the EU enacted its first major cyber law, the NIS Directive, which requires “operators of essential services” to “take appropriate and proportionate … measures to manage” their cyber risks. The EU is now considering another law that would task its cyber agency, ENISA, with certifying security products in EU member states.

Both of these laws will force U.S. companies with European footprints to redesign their security measures to comply, and the more they do so, experts said, the more the EU position becomes the default. The same is true for the EU’s General Data Protection Regulation, which imposes tough data privacy and disclosure requirements — including the threat of massive fines for companies that violate them — and could undermine cybersecurity.

The White House is discussing introducing a GDPR competitor, according to news reports, but it may be too late — the European rule effectively kneecapped the United States’ ability to set global privacy standards at a lower level. “If you’re a company,” said the former State Department official, “you have to abide by the stricter standard.”

The question for the U.S. is whether to abandon its insistence on a voluntary, industry-led approach and enact more regulations that reflect a clear U.S. vision. Many experts said the American tradition of letting the private sector shape the debate has undercut the nation’s standing globally.

Other countries “have looked around and said, ‘All right, this doesn’t really seem to be accomplishing very much,’” Segal said.

One option would be to follow China and the EU in passing a sweeping national cyber law. If it took a light touch but still imposed rules, and if the U.S. could demonstrate that it improved security, other countries would take note. But as recent history shows, such a law would face long odds in Congress.

James Lewis, a cyber expert at CSIS, said the U.S. is the only country where extreme distrust of government prevents meaningful cyber regulations. “That’s not how it works in the rest of the world,” he said. “And I say that for both democracies and dictatorships. This overwhelming angst we have about government is not reflected anywhere else on the planet.”

… [more]
weaponized_interdependence  china  Internet  cybersecurity_class  International_Organization_article 
july 2018 by henryfarrell
Donald J. Trump: Remarks at the Budweiser Events Center in Loveland, Colorado
I will make certain that our military is the best in the world in both cyber offense and defense. I will also ask my Secretary of Defense and Joint Chiefs to present recommendations for strengthening and augmenting our Cyber Command.

As a deterrent against attacks on our critical resources, the United States must possess the unquestioned capacity to launch crippling cyber counter-attacks. This is the warfare of the future; America's dominance in this arena must be unquestioned.

Cyber security is not only a question of developing defensive technologies but offensive technologies as well.

For non-state terror actors, the United States must develop the ability – no matter how difficult – to track down and incapacitate those responsible. We should turn cyber warfare into one of our greatest weapons against the terrorists.

To enhance the defense of the other agencies of government, including our law enforcement agencies, we will put together a team of the best military, civilian and private sector cyber security experts to comprehensively review all of our cyber security systems and technology.

The Cyber Review Team will proceed with the most sensitive systems first, but ultimately all systems will be analyzed and made as secure as modern technology permits.

I will also require that follow-up reviews take place on a regular basis determined by the sensitive nature of the security involved.

The review will include providing exact recommendations for the best combination of defensive technologies tailored to specific agencies.
cybersecurity_class  Info_with_Abe 
july 2018 by henryfarrell
The Internet Freedom Agenda: Not Dead, but Not Exactly Thriving Either | Council on Foreign Relations
They noted that the State Department never stopped its internet freedom work, though it was severely handicapped by the lack of attention from former Secretary of State Rex Tillerson and the hiring freeze he put in place (and just reversed by Secretary Pompeo). The Freedom Online Coalition, a partnership of thirty governments, continues to meet and issue statements. They pointed to continued interest in the strategy in Congress and a recent increase in funding. And they stressed the importance of other, non-governmental actors such as the Global Network Initiative. 
may 2018 by henryfarrell
Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
A secret information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.

The pilot program, codenamed “Project Indigo,” recently established a confidential information-sharing channel for a subunit of FS-ISAC known as the Financial Systemic Analysis & Resilience Center (FSARC). That subunit shares “scrubbed” cyberthreat data, including malware indicators, with the Fort Meade-based Cyber Command, according to current and former U.S. officials.

The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.

It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.

The program is currently organized in a fairly informal manner, but participants have been discussing a more formal arrangement. Eight financial institutions are involved in FSARC: Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo. Project Indigo also provides data to the Department of Homeland Security and U.S. Treasury. However, those agencies were already getting data from the banks that is narrowly leveraged for defensive measures.

In an emailed statement, a Cyber Command spokesperson acknowledged Project Indigo’s existence.

“The pilot began in 2017 with USCYBERCOM personnel receiving sector-specific exposure to risks facing critical financial payment systems, and observing exercises related to risk mitigation and recovery around realistic scenarios,” said Cyber Command spokesperson Col. Daniel King. “Later, two samples of anonymized cyber threat information were shared with USCYBERCOM to allow the government and its critical infrastructure partners the ability to jointly assess and address emerging threats.”

“No personally identifiable information (PII) was shared with USCYBERCOM as part of this effort,” King added.

The financial institutions that participate in the arrangement gave consent to FSARC to share the data with the U.S. government, a person familiar with the effort told CyberScoop. Sources spoke on the condition of anonymity due to the sensitive nature of the program.

In one recent case, FSARC gave Cyber Command a “combo of open-source derived IOCs [indicators of compromise] associated with DPRK [North Korea] and some observed,” one source said. “Open source” in this case means from outside a financial institution, while “observed” refers to internal data.

Under the agreement, financial institutions share data “considered not exclusive” to any one financial firm, a former U.S. official said. Another source familiar with the program said that it was challenged by the simple fact that the banks weren’t yet “interested in sharing at a level which would be truly useful [for Cyber Command].”
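The “scrubbed,” “anonymized” and “not exclusive” conditions described above amount to a filtering step that any indicator-sharing pipeline has to implement before data leaves a firm. What follows is an added illustration, not code from FS-ISAC, FSARC or Cyber Command, and the article says nothing about how those organizations actually scrub data; the record layout, the internal domain names, the `case:` tag convention and the sample indicators are all constructed assumptions. It keeps malware hashes and external attacker infrastructure, withholds anything that would reveal the sharing firm’s own network or staff, redacts e-mail addresses and internal hostnames from analyst notes, and preserves the article’s distinction between open-source-derived and internally observed indicators.

```python
"""Scrub a firm's indicator set before it is shared with an outside party.

Added illustration only; not code from FS-ISAC, FSARC or Cyber Command.
The record layout, INTERNAL_DOMAINS, INTERNAL_NETS, the "case:" tag
convention and SAMPLE_INDICATORS are all constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed: domains whose hosts or mailboxes would identify the sharing firm.
INTERNAL_DOMAINS = ("corp.example-bank.internal", "example-bank.com")
# RFC 1918, loopback and link-local space: an address here maps the firm's own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HEX_HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


@dataclass
class Indicator:
    ioc_type: str                 # md5 | sha1 | sha256 | ipv4 | domain | url | email
    value: str
    origin: str                   # "open_source" or "observed" (the article's two classes)
    context: str = ""             # analyst note; may carry names, e-mail, hostnames
    tags: list = field(default_factory=list)


def is_internal_name(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def redact_context(text):
    """Strip e-mail addresses and internal hostnames from free text."""
    text = EMAIL_RE.sub("[redacted-email]", text)
    for d in INTERNAL_DOMAINS:
        text = re.sub(r"\b[\w.-]*" + re.escape(d) + r"\b",
                      "[redacted-host]", text, flags=re.IGNORECASE)
    return text


def scrub_indicator(ind):
    """Return a shareable dict for `ind`, or None if it must not leave the firm."""
    v = ind.value.strip().lower()
    t = ind.ioc_type
    if t in HEX_HASH_LEN:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_HASH_LEN[t], v):
            return None              # malformed hash: do not share garbage
    elif t == "ipv4":
        try:
            addr = ipaddress.IPv4Address(v)
        except ValueError:
            return None
        if any(addr in n for n in INTERNAL_NETS):
            return None              # victim-side address reveals network layout
    elif t in ("domain", "url"):
        host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v).split("/")[0].split(":")[0]
        if is_internal_name(host):
            return None              # internal hostnames stay inside
    elif t == "email":
        if is_internal_name(v.rsplit("@", 1)[-1]):
            return None              # employee mailboxes are PII; phishing senders are not
    else:
        return None                  # unknown type: fail closed
    return {
        "type": t,
        "value": v,
        "context": redact_context(ind.context),
        # Constructed convention: tags prefixed "case:" are internal case references.
        "tags": [tag for tag in ind.tags if not tag.startswith("case:")],
    }


def scrub_bundle(indicators):
    """Scrub every indicator, drop repeat sightings, and bucket by origin."""
    out = {"open_source": [], "observed": [], "dropped": 0}
    seen = set()
    for ind in indicators:
        clean = scrub_indicator(ind)
        if clean is None:
            out["dropped"] += 1
            continue
        bucket = "open_source" if ind.origin == "open_source" else "observed"
        key = (bucket, clean["type"], clean["value"])
        if key in seen:
            continue                 # repeat sighting; not a policy drop
        seen.add(key)
        out[bucket].append(clean)
    return out


# Constructed sample input, not data from any real sharing program.
# 203.0.113.0/24 is a documentation range standing in for attacker infrastructure.
SAMPLE_INDICATORS = [
    Indicator("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "open_source", "dropper hash taken from a public report"),
    Indicator("ipv4", "10.20.30.40", "observed", "beaconing workstation"),
    Indicator("ipv4", "203.0.113.7", "observed",
              "C2 reported by alice.smith@example-bank.com on ws-0421.corp.example-bank.internal",
              ["case:IR-2018-044"]),
    Indicator("ipv4", "203.0.113.7", "observed", "second sighting, same C2"),
    Indicator("domain", "update-check.example.net", "observed", "staging domain"),
    Indicator("domain", "vpn.example-bank.com", "observed", "targeted login portal"),
    Indicator("email", "payroll@example-bank.com", "observed", "spoofed recipient"),
    Indicator("email", "hr-notice@mail.example.org", "observed", "phishing sender"),
]

if __name__ == "__main__":
    bundle = scrub_bundle(SAMPLE_INDICATORS)
    print(bundle["dropped"], "withheld;", len(bundle["observed"]), "observed indicators shared")
```

Run against the sample, three of the eight records are withheld (the RFC 1918 address, the firm’s own VPN hostname and an employee mailbox), one repeat sighting is collapsed, and the surviving analyst note no longer names the analyst or the workstation. Unknown indicator types are refused rather than passed through, which is the safer default when the downstream recipient is outside the firm.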

An October 2016 press release originally announcing FSARC explained that its mission is to “proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cyber security threats through focused operations and enhanced collaboration between participating firms, industry partners, and the U.S. government.”

That announcement specifically described “government partners” as Treasury, DHS and the Federal Bureau of Investigation, but it did not mention U.S. Cyber Command or the National Security Agency.

Wells Fargo, Bank of America and JPMorgan Chase did not respond to multiple requests for comment. The Office of the Director of National Intelligence and NSA deferred to Cyber Command for comment.

It’s widely known that large financial institutions face a bevy of sophisticated cyberattacks from both nation states and well-equipped criminal groups. Organized as a private non-profit organization, the FS-ISAC sits at the center of this activity, collecting and sharing information between companies so they can be collectively informed about active cyberthreats.

The collected data can often be extremely sensitive. Not only does it contain malware indicators, but sometimes other sensitive information tied to the targeted institutions. As a result, the intelligence is usually both highly valuable for defenders and potentially dangerous if it’s ever made public.

In an emailed statement, an FS-ISAC spokesperson said: “[Project Indigo] focuses on sharing cyberthreat intelligence related to key threats facing systemically important critical infrastructure operators, with the intention of protecting our financial institutions, their networks and their clients. No customer information has been shared with the U.S. Government under Project Indigo.”

While it’s common for businesses to voluntarily provide federal agencies with information about incidents in cyberspace, the 2013 Edward Snowden leaks chilled these types of relationships, especially between private companies and intelligence agencies. Cyber Command is not an intelligence unit, but it maintains a close relationship with the NSA, including sharing the same leader and building.

Jason Healey, a former intelligence officer and current senior research scholar at Columbia University’s School for International and Public Affairs, told CyberScoop he believed Project Indigo represented a pragmatic step forward.

“We need to be prepared for there to be a role, especially in time critical incidents, for Cyber Command to contribute so long as they are also coordinating with Treasury and [DHS],” said Healey.

Blurring government boundaries
Project Indigo raises questions about the existing hierarchy in government and whether decision-makers see a need for the military to be more integrated with the private sector on cybersecurity.

Over the last eight years, the Defense Department’s role in working with private companies on cybersecurity has fluctuated significantly.

During the Obama administration, the government took steps to make DHS the lead on public-private partnerships. This push was boosted in 2015, when Congress passed the Cybersecurity Information Sharing Act (CISA). The law gave certain liability protections to private companies whenever they shared cyberthreat data with the government through a portal managed by DHS.

The decision to embolden DHS with CISA came after there was a public outcry over privacy concerns. Just two years after the Snowden leaks, critics worried that the Defense Department would mishandle CISA.

A current U.S. official described Project Indigo as “classic mission creep,” a term used to describe when one agency oversteps its boundaries in regards to another agency’s program.

But experts contend that Cyber Command’s role will need to evolve if it’s to reach its full potential. Additionally, the military is already involved in other information sharing initiatives with the private sector.

In December, a Government Accountability Office (GAO) report called on the Defense Department, including Cyber Command, to clarify and further define how it interacts with companies and civilian agencies.

“DOD was supposed to develop [a] comprehensive plan for CYBERCOM to support civil authorities in responding to cyberattacks. DOD has rigorous requirements for what plans should look like, and this didn’t match,” Joseph Kirschbaum, director of GAO’s Defense Capabilities and Management office, previously told CyberScoop.

Congress is currently weighing what role Cyber Command should play in protecting private companies from hackers. In the past, members of the Senate Armed Services Committee have advocated for the military to be more involved.

Last summer, Lt. General Vincent Stewart, the current deputy commander of Cyber Command, said he would like the military to be able to reverse-engineer malware samples in order to create new hacking tools.

“Once we’ve isolated malware, I want to reengineer it and prep to use it against the same adversary who sought to use it against us,” Stewart described. The practice is already well known inside NSA, based on leaked classified documents.

Generally speaking, the military’s relationship with the banks is still evolving.

During the Cyber Command Strategy Conference earlier this year, a high ranking Cyber Command official remarked on stage that “if J.P. Morgan wants to meet us halfway, then that would mean us monitoring their networks [for malicious cyber activity],” according to two individuals who attended the February event.

The comment stunned some audience members, although former NSA Director Gen. Keith Alexander had said something very similar in 2013.
may 2018 by henryfarrell