henryfarrell + cybersecurity_class   581

China, EU seize control of the world’s cyber agenda - POLITICO
The United States is losing ground as the internet’s standard-bearer in the face of aggressive European privacy standards and China’s draconian vision for a tightly controlled Web.

The weakening American position comes as the European Union, filling a gap left by years of lax U.S. regulations, imposes data privacy requirements that companies like Facebook and Google must follow. At the same time, China is dictating companies’ security practices with mandates that experts say will undermine global cybersecurity — without any significant pushback from the United States.

The result: Beijing and Brussels are effectively writing the rules that may determine the future of the internet. And China’s vision is spreading across the developing world as it influences similar laws in Vietnam, Tanzania and Nigeria.

Experts in cyber policy say the trends could slow the internet’s growth, stunt innovation and erect new market barriers for American businesses. And while these trends began before Donald Trump became president, his administration has yet to devise a clear plan to rebut either of these agendas.

“The U.S. cannot afford to be on the sidelines,” said Chris Painter, America’s top cyber diplomat from 2011 to 2017, who is now with the Global Commission on the Stability of Cyberspace. “Other countries are doing things legislatively that affect the U.S. … and the U.S. is on the back foot.”


One result of this shift is the erosion of the freewheeling U.S. vision of the internet that had reigned for decades. “The U.S. model looks both paralyzed and somewhat feckless, while the Europeans and the Chinese are making progress and, in many cases, damaging the openness of the internet,” said Adam Segal, director of the Council on Foreign Relations’ cyber policy program. “And we don’t particularly have a coherent response to it.”

The lack of U.S. leadership also harms ordinary Americans by letting industry block the adoption of strong protections against cyberattacks, said Sen. Ron Wyden (D-Ore.), one of Congress’ leading voices on cybersecurity and technology issues.

“The United States is failing on cybersecurity because our Congress has been captured by corporations who have successfully killed any effort to impose meaningful cyber standards,” he told POLITICO in an email.

For years, the U.S. objected aggressively when China and other authoritarian regimes tried to co-opt international venues to push their cyber agendas. In 2015, China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan introduced a “code of conduct for information security,” which would have codified their vision of content regulation, but behind-the-scenes work by Western governments halted its momentum. The U.S. blocked similar efforts at a United Nations technology commission. And in 2010, the U.S. helped prevent a vote to hand a role in internet policymaking to the International Telecommunications Union, which would have given a stronger hand to authoritarian countries that often lose to the West in other settings.

“In all bilateral and multilateral encounters heretofore, the United States has successfully and consistently, in a bipartisan way, opposed” authoritarian visions for cyberspace, said a former State and Commerce department official who spent eight years working on cyber issues and requested anonymity to speak candidly.

But the U.S. has offered only token opposition to the cybersecurity law that China imposed last year, which among other things requires companies operating in China to provide authorities with the source code to their software.

The U.S. has taken a much more modest approach to its own cybersecurity policy: It passed a cyber information sharing law in 2015 that gave companies legal immunity for sharing threat data with the government, and the National Institute of Standards and Technology introduced a voluntary “framework” for managing digital security risks. Industry groups praised these efforts, saying they influence policies worldwide.

But beyond these piecemeal steps, the U.S. has advanced no coherent vision of cybersecurity regulation to counter the ones from China and Europe. And Russia will soon try again with its cybersecurity “code of conduct” — with vague language discouraging interference in other states’ internal affairs — at the U.N. General Assembly in September.

The U.S. is at a disadvantage, Painter said, because while China and others roll out ambitious plans, American diplomats call for only modest reforms. “If the U.S. line is, ‘Leave the status quo as it is,’ that’s always hard,” he said.

Chinese Communist Party leaders see cybersecurity “as a fundamental part of their governance model,” said Samm Sacks, a senior fellow at the Center for Strategic and International Studies. And President Xi Jinping has taken a personal interest in the topic, beyond how most world leaders engage with the issue.

Meanwhile, Beijing’s grip on domestic affairs gives it an advantage over the U.S. when it comes to laying down the law.

The result is China’s cybersecurity law, which took effect on June 1, 2017, creating vaguely defined inspection regimes for network operators and critical infrastructure owners. These businesses must let Chinese officials test their equipment and software at any time. They must also store their data in China so investigators can access it. One provision could let Beijing demand companies’ decryption keys, which would effectively ban the unbreakable encryption found in apps like Signal.

But even as the fractious Chinese bureaucracy prepared to implement the law, Beijing was busy promoting its view of digital security controls abroad, focusing on developing nations that it hopes will join a coalition to counter the West’s more open internet agenda.

In a digital extension of its sweeping One Belt One Road initiative, China spent vast sums to expand internet connectivity in small and underdeveloped countries. It donated computers to governments in nearly three dozen countries, from Pakistan to Malawi to the small island state of Tonga. Huawei, the Chinese telecom giant that U.S. officials consider a cybersecurity risk, set up armies of security cameras in the Kenyan cities of Nairobi and Mombasa as part of its “Safe City” initiative.

Cyber experts suspect China’s generosity is driven by its strategic self-interest: Beijing wanted to have a foothold in these emerging countries’ computer networks. Evidence has occasionally emerged to support this view. In January, the French newspaper Le Monde reported that China had spent years spying on the African Union, whose headquarters it built and donated to the international organization in 2012. Buried in the facility’s ready-made computer network, the paper said, were backdoors letting Beijing monitor the African Union’s activities.

“China’s influence is second to none in terms of its relationships with developing countries and in terms of its expanding relationship, recently, with developed countries,” said the former State Department official. As a result, he said, “Chinese companies are essentially the lead [and] have inside access” to countries’ systems.

The U.S. government and American corporations also must deal with a newly aggressive Europe on cyber issues. In August 2016, the EU enacted its first major cyber law, which requires “operators of essential services” to “take appropriate and proportionate … measures to manage” their cyber risks. The EU is now considering another law that would task its cyber agency, ENISA, with certifying security products in EU member states.

Both of these laws will force U.S. companies with European footprints to redesign their security measures to comply, and the more they do so, experts said, the more the EU position becomes the default. The same is true for the EU’s General Data Protection Regulation, which imposes tough data privacy and disclosure requirements — including the threat of massive fines for companies that violate them — and could undermine cybersecurity.

The White House is discussing introducing a GDPR competitor, according to news reports, but it may be too late — the European rule effectively kneecapped the United States’ ability to set global privacy standards at a lower level. “If you’re a company,” said the former State Department official, “you have to abide by the stricter standard.”

The question for the U.S. is whether to abandon its insistence on a voluntary, industry-led approach and enact more regulations that reflect a clear U.S. vision. Many experts said the American tradition of letting the private sector shape the debate has undercut the nation’s standing globally.

Other countries “have looked around and said, ‘All right, this doesn’t really seem to be accomplishing very much,’” Segal said.

One option would be to follow China and the EU in passing a sweeping national cyber law. If it took a light touch but still imposed rules, and if the U.S. could demonstrate that it improved security, other countries would take note. But as recent history shows, such a law would have a difficult chance of passing Congress.

James Lewis, a cyber expert at CSIS, said the U.S. is the only country where extreme distrust of government prevents meaningful cyber regulations. “That’s not how it works in the rest of the world,” he said. “And I say that for both democracies and dictatorships. This overwhelming angst we have about government is not reflected anywhere else on the planet.”

… [more]
weaponized_interdependence  china  Internet  cybersecurity_class  International_Organization_article 
27 days ago by henryfarrell
Donald J. Trump: Remarks at the Budweiser Events Center in Loveland, Colorado
I will make certain that our military is the best in the world in both cyber offense and defense. I will also ask my Secretary of Defense and Joint Chiefs to present recommendations for strengthening and augmenting our Cyber Command.

As a deterrent against attacks on our critical resources, the United States must possess the unquestioned capacity to launch crippling cyber counter-attacks. This is the warfare of the future; America's dominance in this arena must be unquestioned.

Cyber security is not only a question of developing defensive technologies but offensive technologies as well.

For non-state terror actors, the United States must develop the ability – no matter how difficult – to track down and incapacitate those responsible. We should turn cyber warfare into one of our greatest weapons against the terrorists.

To enhance the defense of the other agencies of government, including our law enforcement agencies, we will put together a team of the best military, civilian and private sector cyber security experts to comprehensively review all of our cyber security systems and technology.

The Cyber Review Team will proceed with the most sensitive systems first, but ultimately all systems will be analyzed and made as secure as modern technology permits.

I will also require that follow-up reviews take place on a regular basis determined by the sensitive nature of the security involved.

The review will include providing exact recommendations for the best combination of defensive technologies tailored to specific agencies.
cybersecurity_class  Info_with_Abe 
6 weeks ago by henryfarrell
The Internet Freedom Agenda: Not Dead, but Not Exactly Thriving Either | Council on Foreign Relations
They noted that the State Department never stopped its internet freedom work, though it was severely handicapped by the lack of attention from former Secretary of State Rex Tillerson and the hiring freeze he put in place (and just reversed by Secretary Pompeo). The Freedom Online Coalition, a partnership of thirty governments, continues to meet and issue statements. They pointed to continued interest in the strategy in Congress and a recent increase in funding. And they stressed the importance of other, non-governmental actors such as the Global Network Initiative. 
cybersecurity_class 
may 2018 by henryfarrell
Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
A secret information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.

The pilot program, codenamed “Project Indigo,” recently established a confidential information-sharing channel for a subunit of FS-ISAC known as the Financial Systemic Analysis & Resilience Center (FSARC). That subunit shares “scrubbed” cyberthreat data, including malware indicators, with the Fort Meade-based Cyber Command, according to current and former U.S. officials.

The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.

It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.

The program is currently organized in a fairly informal manner, but participants have been discussing a more formal arrangement. Eight financial institutions are involved in FSARC: Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo. Project Indigo also provides data to the Department of Homeland Security and U.S. Treasury. However, those agencies were already getting data from the banks that is narrowly leveraged for defensive measures.

In an emailed statement, a Cyber Command spokesperson acknowledged Project Indigo’s existence.

“The pilot began in 2017 with USCYBERCOM personnel receiving sector-specific exposure to risks facing critical financial payment systems, and observing exercises related to risk mitigation and recovery around realistic scenarios,” said Cyber Command spokesperson Col. Daniel King. “Later, two samples of anonymized cyber threat information were shared with USCYBERCOM to allow the government and its critical infrastructure partners the ability to jointly assess and address emerging threats.”

“No Personally identifiable Information (PII) was shared with USCYBERCOM as part of this effort,” King added.

The financial institutions that participate in the arrangement gave consent to FSARC to share the data with the U.S. government, a person familiar with the effort told CyberScoop. Sources spoke on the condition of anonymity due to the sensitive nature of the program.

In one recent case, FSARC gave Cyber Command a “combo of open-source derived IOCs [indicators of compromise] associated with DPRK [North Korea] and some observed,” one source said. “Open source” in this case means from outside a financial institution, while “observed” refers to internal data.

Under the agreement, financial institutions share data “considered not exclusive” to any one financial firm, a former U.S. official said. Another source familiar with the program said that it was challenged by the simple fact that the banks weren’t yet “interested in sharing at a level which would be truly useful [for Cyber Command].”

An October 2016 press release originally announcing FSARC explained that its mission is to “proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cyber security threats through focused operations and enhanced collaboration between participating firms, industry partners, and the U.S. government.”

That announcement specifically described “government partners” as Treasury, DHS and the Federal Bureau of Investigation, but it did not mention U.S. Cyber Command or the National Security Agency.

Wells Fargo, Bank of America and JPMorgan Chase did not respond to multiple requests for comment. The Office of the Director of National Intelligence and NSA deferred to Cyber Command for comment.

It’s widely known that large financial institutions face a bevy of sophisticated cyberattacks from both nation states and well-equipped criminal groups. Organized as a private non-profit organization, the FS-ISAC sits at the center of this activity, collecting and sharing information between companies so they can be collectively informed about active cyberthreats.

The collected data can often be extremely sensitive. Not only does it contain malware indicators, but sometimes other sensitive information tied to the targeted institutions. As a result, the intelligence is usually both highly valuable for defenders and potentially dangerous if it’s ever made public.

In an emailed statement, an FS-ISAC spokesperson said: “[Project Indigo] focuses on sharing cyberthreat intelligence related to key threats facing systemically important critical infrastructure operators, with the intention of protecting our financial institutions, their networks and their clients. No customer information has been shared with the U.S. Government under Project Indigo.”

While it’s common for businesses to voluntarily provide federal agencies with information about incidents in cyberspace, the 2013 Edward Snowden leaks chilled these types of relationships, especially between private companies and intelligence agencies. Cyber Command is not an intelligence unit, but it maintains a close relationship with the NSA, including sharing the same leader and building.

Jason Healey, a former intelligence officer and current senior research scholar at Columbia University’s School for International and Public Affairs, told CyberScoop he believed Project Indigo represented a pragmatic step forward.

“We need to be prepared for there to be a role, especially in time critical incidents, for Cyber Command to contribute so long as they are also coordinating with Treasury and [DHS],” said Healey.

Blurring government boundaries
Project Indigo raises questions about the existing hierarchy in government and whether decision-makers see a need for the military to be more integrated with the private sector on cybersecurity.

Over the last eight years, the Defense Department’s role in working with private companies on cybersecurity has fluctuated significantly.

During the Obama administration, the government took steps to make DHS the lead on public-private partnerships. This push was boosted in 2015, when Congress passed the Cybersecurity Information Sharing Act (CISA). The law gave certain liability protections to private companies whenever they shared cyberthreat data with the government through a portal managed by DHS.

The decision to embolden DHS with CISA came after there was a public outcry over privacy concerns. Just two years after the Snowden leaks, critics worried that the Defense Department would mishandle CISA.

A current U.S. official described Project Indigo as “classic mission creep,” a term for one agency overstepping its boundaries with regard to another agency’s program.

But experts contend that Cyber Command’s role will need to evolve if it’s to reach its full potential. Additionally, the military is already involved in other information sharing initiatives with the private sector.

In December, a Government Accountability Office (GAO) report called on the Defense Department, including Cyber Command, to clarify and further define how it interacts with companies and civilian agencies.

“DOD was supposed to develop [a] comprehensive plan for CYBERCOM to support civil authorities in responding to cyberattacks. DOD has rigorous requirements for what plans should look like, and this didn’t match,” Joseph Kirschbaum, director of GAO’s Defense Capabilities and Management office, previously told CyberScoop.

Congress is currently weighing what role Cyber Command should play in protecting private companies from hackers. In the past, members of the Senate Armed Service Committee have advocated for the military to be more involved.

Last summer, Lt. General Vincent Stewart, the current deputy commander of Cyber Command, said he would like the military to be able to reverse-engineer malware samples in order to create new hacking tools.

“Once we’ve isolated malware, I want to reengineer it and prep to use it against the same adversary who sought to use it against us,” Stewart described. The practice is already well known inside NSA, based on leaked classified documents.

Generally speaking, the military’s relationship with the banks is still evolving.

During the Cyber Command Strategy Conference earlier this year, a high ranking Cyber Command official remarked on stage that “if J.P. Morgan wants to meet us halfway, then that would mean us monitoring their networks [for malicious cyber activity],” according to two individuals who attended the February event.

The comment stunned some audience members, although former NSA Director Gen. Keith Alexander had said something very similar in 2013.
cybersecurity_class 
may 2018 by henryfarrell
Is Facebook’s Anti-Abuse System Broken? — Krebs on Security
Last week, Facebook deleted almost 120 groups totaling more than 300,000 members. The groups were mostly closed — requiring approval from group administrators before outsiders could view the day-to-day postings of group members.

However, the titles, images and postings available on each group’s front page left little doubt about their true purpose: Selling everything from stolen credit cards, identities and hacked accounts to services that help automate things like spamming, phishing and denial-of-service attacks for hire.
cybersecurity_class 
april 2018 by henryfarrell
Margaret Roberts Dissertation
Fear, Friction, and Flooding: Methods of Online Information Control
Abstract
Many scholars have speculated that censorship efforts will be ineffective in the information age, where the possibility of accessing incriminating information about almost any political entity will benefit the masses at the expense of the powerful. Others have speculated that while information can now move instantly across borders, autocrats can still use fear and intimidation to encourage citizens to keep quiet. This manuscript demonstrates that the deluge of information in fact still benefits those in power by observing that the degree of accessibility of information is still determined by organized groups and governments. Even though most information is possible to access, as normal citizens get lost in the cacophony of information available to them, their consumption of information is highly influenced by the costs of obtaining it. Much information is either disaggregated online or somewhat inaccessible, and organized groups, with resources and incentives to control this information, use information flooding and information friction as methods of controlling the cost of information for consumers. I demonstrate in China that fear is not the primary deterrent for the spread of information; instead, there are massively different political implications of having certain information completely free and easy to obtain as compared to being available, but slightly more difficult to access.
cybersecurity_class  PDKL-Ninety-five 
february 2018 by henryfarrell
Anatomy of an online misinformation network
Massive amounts of fake news and conspiratorial content have spread over social media before and after the 2016 US Presidential Elections despite intense fact-checking efforts. How do the spread of misinformation and fact-checking compete? What are the structural and dynamic characteristics of the core of the misinformation diffusion network, and who are its main purveyors? How to reduce the overall amount of misinformation? To explore these questions we built Hoaxy, an open platform that enables large-scale, systematic studies of how misinformation and fact-checking spread and compete on Twitter. Hoaxy filters public tweets that include links to unverified claims or fact-checking articles. We perform k-core decomposition on a diffusion network obtained from two million retweets produced by several hundred thousand accounts over the six months before the election. As we move from the periphery to the core of the network, fact-checking nearly disappears, while social bots proliferate. The number of users in the main core reaches equilibrium around the time of the election, with limited churn and increasingly dense connections. We conclude by quantifying how effectively the network can be disrupted by penalizing the most central nodes. These findings provide a first look at the anatomy of a massive online misinformation diffusion network.
PDKL-Ninety-five  cybersecurity_class 
january 2018 by henryfarrell
Examining Trolls and Polarization with a Retweet Network
This research examines the relationship between political homophily and organized trolling efforts. This is accomplished by analyzing how Russian troll accounts were retweeted on Twitter in the context of the #BlackLivesMatter movement. This analysis shows that these conversations were divided along political lines, and that the examined trolling accounts systematically took advantage of these divisions. The findings of this research can help us better understand how to combat systematic trolling.
cybersecurity_class 
january 2018 by henryfarrell
Skyrocketing Bitcoin Fees Hit Carders in Wallet — Krebs on Security
“We have to take additionally a ‘Deposit fee’ from all users who deposit in Bitcoins. This is the amount we spent on transferring your funds to our suppliers. To compensate your costs, we are going to reduce our prices, including credit cards for all users and offer you the better bitcoin exchange rate.”

“The amount of the Deposit Fee depends on the load on the Bitcoin network. However, it stays the same regardless of the amount deposited. Deposits of 10$ and 1000$ attract the same deposit fee.”

“If the Bitcoin price continues increasing, this business is not going to be profitable for us anymore because all our revenue is going to be spent on the Bitcoin fees. We are no longer in possession of additional funds to improve the store.”
silkroad  cybersecurity_class 
december 2017 by henryfarrell