Welcome to eWhite House Watch
Where Technology, Privacy, and Politics Collide

Cyber Policy Updates Written By La...

Cyber Policy Updates Written By Law Students

eWhite House Watch features concise updates on cyber policy issued by the Office of the President of the United States (POTUS). Monitored and written primarily by law students, each eWHW cyber policy update is presented in an easy-to-scan format that includes links to POTUS announcements, federal and state proposed legislation, breaking news, updates, cyber policy committee reports, and more.

Technology + Privacy + Politics

Technology + Privacy + Politics

Striking the proper balance of benefits between technological advances and privacy protection has always posed challenges. Today, the challenges are even greater as technology significantly outpaces privacy protections; and the need for greater recognition of this reality and honest public discourse is more pressing than ever. eWhite House Watch monitors the cyber agenda so you can be informed and partake in the debate.

New to the Cyber World?

New to the Cyber World?

Visit our special feature, Origins: The White House Cyber Agenda for details on the current administration's Comprehensive National Cybersecurity Initiative. Learn More

Companion Blog: eLessons Learned

Companion Blog: eLessons Learned

The creator of eWhite House Watch also created eLessons Learned with a similar vision in mind: To provide readers with useful and timely information about how technology impacts our legal system and our lives in a way that is easy to understand. Learn More



In the Clear after 14 Years? Not Quite.

Looks like mistakes are finally catching up to the group of hackers with suspected ties to the NSA, referred to as “Equation Group” by Kaspersky Researchers, as reported in Ars Technica this past week. After almost 14 years of going unnoticed, it looks like Equation Group is finally getting the recognition they deserve. The Ars Technica article exposed information regarding the astounding capabilities of Equation Group, as well several reasons why it seems it’s more likely than not affiliated with the NSA. As seen in previous posts, the NSA is a reoccurring topic when it comes to cyber security. As reported, the information from the Report  released this past week from the Kaspersky Security Analysis Summit proves why Equation Group is being called “probably the most sophisticated computer attack group in the world.” The Ars Technica article discusses Equation Group’s impressive record, with its most note-worthy achievements including a 2002/2003 hack involving Oracle databased installation CDs and a 2009 attack carried out by infecting CDs sent to specific researchers from a recent scientific conference they had attended. According to the Kaspersky website, Equation Group uses “implants” in order to infect victims and obtain information. According to the Kaspersky report, Equation Group is responsible for more than 500 attacks in 42 countries, although it is estimated by some that the real number is probably much higher considering its impressive ability to prevent themselves from being tracked. As pointed out in the article, Kaspersky researchers refrained from specifically naming the NSA in their report, although the procedural similarities between Equation Group and operations known to be the NSA are striking. Aside from this, as noted in the Ars Technica article, the time and resources, as well as Equation Group’s advanced capabilities are things “people have come to expect from a spy agency sponsored by the world’s wealthiest nation.” Despite keeping quiet since the report’s release this past week, it should be interesting to see if the NSA comes up with a response or acknowledges the allegations made in the report at all. Either way, Equation Group definitely poses a serious threat to cyber security worldwide, whether tied to the NSA or not. Or, maybe not.  Depending on how you look at it, this program may be exactly the kind of program the NSA should be running, instead of the broad domestic surveillance it’s developed in recent years – here’s why.

President Obama Rejuvenates the Cyber Troops: Is the Private Sector be on Board?

This past week, President Obama met with tech gurus at Stanford University to discuss cybersecurity and emphasized the need to focus more efforts on combating cyber security threats. The theme of his speech was the unification of efforts by the private sector and public sector. The flexibility of the private sector combined with the wealth of data collected by the government could, the President hopes make for an aggressive partnership capable of combating cyber threats. While the President’s remarks were very broad, a plenary session of corporate leaders spoke about two issues that might define a cyber security relationship. First, the need to reduce outdated legislation that hinders cyber protection efforts and Second, the definition of “data” that is to be shared.   During a plenary panel, led by Director of Homeland Security Jeh Johnson, corporate leaders talked about the the growing need to face cyber threats facing their industries and hurdles to doing so. One of the themes that each executive touched on was that outdated legislation and regulatory measures hinder the company’s ability to face modern threats. For example, Kenneth Chenault of American Express, highlighted that limits on access to customers via text messaging and email hindered Amex’s ability to rapidly respond to such threats. Additionally, Mr. Chenault called for greater transparency in the way in which the government collects and shares it’s data with private industry, claiming that less than 1% of all threats facing Amex were sourced from government entities.   Mr. Bernard Thompson, from Kaiser Permanente emphasized that private industry should not be willing to blindly hand over their data to the government. Healthcare data is sensitive information and he said that the relationship between government and private industry should be clearly defined by the type of data industry is willing to share. He emphasized that he would under no circumstances be willing to share “content” with the government, but would provide information about those attempting to gain access to that content. Mr. Thompson reiterated the point that outdated legislation continues to hinder Kaiser Permanente’s ability to face growing threats. Financial and Healthcare corporations like American Express and Kaiser Permanente respectively, have built their reputations on trust with their customers. Any talk of data sharing will need to be clearly defined. Additionally, any government led cyber security policy will inevitably usher in a series of new regulations and with them regulatory cost. Corporations, unlike our sluggish bureaucracy must make cuts were new regulatory measures are needed to be enforced. A certain degree of deregulation of outdated measures will be necessary to help corporations create a lean cyber fighting mechanisms. http://www.c-span.org/video/?324360-2/publicprivate-collaboration-cybersecurity  

Obama’s Cybersecurity Initiative: Substance? Or Hot Air?

Success of the President's proposed cyber legislation hinges on the willingness of corporations to share their data with the government.  But why would a company want to share data with the government? While the Sony hack was shocking to most, it’s unlikely that corporations will be willing to trust the government with their customers most sensitive data. For one, businesses owe a duty to their customers to maintain their data in accordance with their agreements with and expectations of their customers.  Also, despite billions of dollars in funding, the federal bureaucracy has failed to meet its own federal cybersecurity standards. Using data from General Accounting Office, George Mason University researchers found that in 2006, there were more than 5,503 cyber-breaches on federal IT systems, in 2013 - 61,213 cyber-breaches. Since 2002, the federal government has had its own legislation similar to the one proposed by the President last week, and despite $78.8 billion in funding, the number of IT security breaches has increased more than 10 times since 2006. Critics argue criminalizing cybercrime will not prevent what Americans fear - industrial espionage and oversea hackers. Summary of President’s proposal: 1.      Cyber information sharing between private sector and government, with liability protection for companies 2.      Expanding RICO to include cyber-crime 3.      Criminalizing the sale of botnets and the sale of banking information overseas 4.      Greater restrictions on selling spyware 5.      Gives Courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity 6.      Making rogue insiders punishable by the CFAA (Computer Fraud and Abuse Act) 7.      Uniform national data breach notification - 30 days within attack 8.      Establish a consumer policy bill of rights Additionally, critics argue that the law could hinder U.S. internet users who have no intention of committing cybercrimes but who may be out of compliance with a U.S. judgment in an effort to debilitate cybercrime. What is lacking from this bill is a mechanism that actively seeks out global cyber threats; and while the new legislation may reign in domestic cybercriminals - it does nothing to relieve our increasing threat - rapidly emerging economies with no form of legal redress for victims of cybercrimes. Despite bills that promise to reign in cybercriminals, it remains incumbent on companies to strengthen their own defenses.

Obama’s Cybersecurity Initiative: Substance? Or Hot Air?

Success of the President's proposed cyber legislation hinges on the willingness of corporations to share their data with the government.  But why would a company want to share data with the government? While the Sony hack was shocking to most, it’s unlikely that corporations will be willing to trust the government with their customers most sensitive data. For one, businesses owe a duty to their customers to maintain their data in accordance with their agreements with and expectations of their customers.  Also, despite billions of dollars in funding, the federal bureaucracy has failed to meet its own federal cybersecurity standards. Using data from General Accounting Office, George Mason University researchers found that in 2006, there were more than 5,503 cyber-breaches on federal IT systems, in 2013 - 61,213 cyber-breaches. Since 2002, the federal government has had its own legislation similar to the one proposed by the President last week, and despite $78.8 billion in funding, the number of IT security breaches has increased more than 10 times since 2006. Critics argue criminalizing cybercrime will not prevent what Americans fear - industrial espionage and oversea hackers. Summary of President’s proposal: 1.      Cyber information sharing between private sector and government, with liability protection for companies 2.      Expanding RICO to include cyber-crime 3.      Criminalizing the sale of botnets and the sale of banking information overseas 4.      Greater restrictions on selling spyware 5.      Gives Courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity 6.      Making rogue insiders punishable by the CFAA (Computer Fraud and Abuse Act) 7.      Uniform national data breach notification - 30 days within attack 8.      Establish a consumer policy bill of rights Additionally, critics argue that the law could hinder U.S. internet users who have no intention of committing cybercrimes but who may be out of compliance with a U.S. judgment in an effort to debilitate cybercrime. What is lacking from this bill is a mechanism that actively seeks out global cyber threats; and while the new legislation may reign in domestic cybercriminals - it does nothing to relieve our increasing threat - rapidly emerging economies with no form of legal redress for victims of cybercrimes. Despite bills that promise to reign in cybercriminals, it remains incumbent on companies to strengthen their own defenses.

SOTU Watch: Obama Cybersecurity Boost

SOTU Watch: Obama Cybersecurity Boost   With great expectation that Cyber Policy will be a significant focus of the upcoming State of the Union address (SOTU) – more than any other of this administration’s past SOTUs – we feature our SOTU Watch series leading up to, during, and after January 20th’s main event.   Earlier this week, President Barack Obama vowed to introduce three new pieces of legislation aimed at providing online protections for consumers and students. Obama labeled the new legislation the “consumer privacy bill of rights” and promised that his proposals aim to protect consumer privacy and “ensure that private industry can keep innovating.”   President Obama is launching this program at a time when consumers and industry leaders are still coming to terms with the devastating hack of Sony Entertainment this past December, among other high-profile breaches. Ironically, on Monday the Administration witnessed another embarrassing example of the potential power of hackers when people claiming to be supporters of ISIS took control of the Pentagon’s social media accounts scoring a propaganda move for the group.   President Obama outlined three new pieces of legislation:   A consumer privacy bill of rights, a set of rules about how technology companies can use and store sensitive information about their consumers.   A set of standards as for when a company must reveal that it has been breached and when a credit card or bank is breached - at present states have their own rules.   A bill that would place limits on data that is collected on students using technology in the classroom.   In theory these are uncontroversial ideas, but the politics of cybersecurity in the United States is not so clear cut. Especially since the Edward Snowden incident pitted privacy activist against the government security establishment. Additionally, it unclear whether Republicans share the same definition of “cybersecurity” as the President. While google and yahoo lobby budgets continue to grow, it will be interesting to see just what shape a “cybersecurity” definition will take. Nevertheless, President Obama says that he hopes that Congress will join him in making his proposed laws the law of the land.

Sony Hacking – A Matter of U.S. National Security? You Betcha.

What may have first appeared to most to be of the type of data breach we’ve grown accustomed to hearing about, this one’s different – or is it? While much of the early media attention to the Sony hacking story morphed into salacious coverage of the details of embarrassing emails and the inner workings of Hollywood, the coverage is shifting back to the undeniable national security implications that this incident exposed.  As we’ve covered in previous posts and feature articles, there is an underlying theme of national security that each private industry data breach touches on U.S. economic survival.   As has been reported, the United States is now seeking China's help "to cripple" North Korean cyber offensive capabilities. The New York Times reported this morning that U.S. preparedness for an incident such as this may not be as one may think.  A must-read, the NYT story describes the Sony hack as “the first major, state-sponsored destructive computer-network attacks on American soil.” The story continues by identifying the many difficulties facing a U.S. “proportional response.” Included is the “concern over the risk of escalation with North Korea, since the United States has far more vulnerable targets, from its power grid to its financial markets, than North Korea.”   While the Obama Administration and the Department of Defense have taken steps to build a stable cyber defense mechanism (see Naval Academy Cyber Security CenterUS Cyber Command, etc.), these defense mechanisms have yet to be integrated in any meaningful way with private industry. The Administration blames the attack on North Korea, but North Korea denies any wrongdoing, even going as far as proclaiming its interest in helping the United States get to the bottom of what happened and help find the perpetrators.