Welcome to eWhite House Watch
Where Technology, Privacy, and Politics Collide
eWhite House Watch features concise updates on cyber policy issued by the Office of the President of the United States (POTUS). Monitored and written primarily by law students, each eWHW cyber policy update is presented in an easy-to-scan format that includes links to POTUS announcements, federal and state proposed legislation, breaking news, updates, cyber policy committee reports, and more.
Striking the proper balance of benefits between technological advances and privacy protection has always posed challenges. Today, the challenges are even greater as technology significantly outpaces privacy protections; and the need for greater recognition of this reality and honest public discourse is more pressing than ever. eWhite House Watch monitors the cyber agenda so you can be informed and partake in the debate.
Visit our special feature, Origins: The White House Cyber Agenda for details on the current administration's Comprehensive National Cybersecurity Initiative. Learn More
The creator of eWhite House Watch also created eLessons Learned with a similar vision in mind: To provide readers with useful and timely information about how technology impacts our legal system and our lives in a way that is easy to understand. Learn More
House Faces Both Support and Criticism over Cybersecurity Bills Discussed this Past Week As reported by The Hill this past week, the House was set to discuss two important Cybersecurity Bills, both expected to pass. According to the proposed bill, the Protecting Cyber Networks Act is intended “to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” Separately, the National Cybersecurity Protection Advancement Act is an amendment to the Homeland Security Act of 2002 and according to that proposed bill it is expected “to enhance multi-directional sharing of information related to cyber-security risks and strengthen privacy and civil liberties, protections, and for other purposes.. On the surface, neither of the proposed bills seems problematic. There is some significant support for the bill, as noted in The Hill’s piece Tech will be watching cyber vote – in that the Information Technology Industry Council (ITI) has already sent a letter to the House expressing its support for the bills. In the letter ITI said that it “firmly believe[s] that passing legislation to help to increase voluntary cybersecurity threat information and sharing between the private sector, is an important step Congress can take to enable all stakeholders to address threats, stem losses, and shield their systems, partners and customers.” Although ITI is highly supportive of these measures, there are other groups that are not as on board and that have too voiced their own opinions, including major concerns regarding privacy. Also acknowledged in The Hill coverage, groups such as the American Civil Liberties Union, FreedomWorks, and the New America Foundation’s Open Technology Institute, among others also submitted a letter of their own to the House, specifically about the Protecting Cyber Networks Act, urging Congress to oppose it. Their concern is that the actual effect of the law would result in abuse by the National Security Agency. They close their letter by saying, “PCNA’s overbroad monitoring, information sharing, and use authorizations effectively increase cyber-surveillance, while the authorization for the use of defensive measures actually undermines cybersecurity.” According to The Hill’s report, it seems as though the House is expected to pass both bills. However, the groups opposed to the bills raise some compelling concerns that may cause some pause. While most acknowledge that Congress needs to do something to address the issue of cybersecurity, the question is whether these two bills are the answer.
Author: Sarah Austin On March 31, 2015 the DHS reported two new malware campaigns spotted in the Middle East. The first malware campaign is a brand-new information gathering tool called Trojan Laziok. The operators of Trojan Laziok have been targeting oil, gas and helium companies in the Middle East since January 2015. This malware infects the companies’ computer systems via a phishing email that contains an infected Microsoft Excel file. Once the email is opened and the malware has infiltrated the system, it collects vital data and information regarding the companies’ anti-virus protection. Access to information about the companies’ anti-virus protection allows the malware’s operators to remain undetected while continuing to infect the companies system with more advanced malware, such as Cyberats and Zbots, which can record audio and video from the infected computers and monitor keystrokes. Experts are unsure of the Trojan Laziok operators’ motives, but it is clear that the operators of Trojan Laziok have detected and exploited one of the energy industries major weaknesses: lack of investment in updating their Microsoft software and cybersecurity systems. This exposed weakness makes the energy industry a prime market for both cybercriminals who want to turn a quick profit for themselves, and sophisticated attackers who want to cause severe economic harm to their targets. The second newly detected malware campaign, called Volatile Cedar, has been attacking Israeli and Lebanese political groups via publicly-facing web servers since 2012. This malware was able to remain undetected for two years because its operators carefully and continuously adapted it to navigate around sophisticated anti-virus protection systems. Volatile Cedar is a tool that gathers information, such as passwords, from the Microsoft servers it infects. After one computer is compromised, the malware spreads rapidly to other computers in the targeted parties’ network. It is also a self-monitoring program equipped with a self-destruct system to protect itself from detection. The operators of Volatile Cedar are sophisticated attackers. The attackers’ suspected motive is intrastate espionage and a large number of victims are from Lebanon. However, many victims in other countries have yet to be detected. Even since reports of detection a few days ago, the attackers’ have activated a self-destruct command from their control center to prevent investigators from acquiring more information regarding the customized malware system. Experts have suggested that an increase in threat intelligence sharing could be a significant part of the solution to the cyberwar in the Middle East. OFFICIAL SOURCE:http://www.dhs.gov/sites/default/files/publications/nppd/ip/daily-report/dhs-daily-report-2015-04-01.pdf SECONDARY SOURCES:http://www.networkworld.com/article/2904293/lebanese-cyberespionage-campaign-hits-defense-telecom-media-firms-worldwide.html#tk.rss_all http://news.softpedia.com/news/Trojan-Laziok-Used-for-Reconnaissance-in-the-Energy-Sector-477175.shtml http://www.csoonline.com/article/2905719/advanced-persistent-threats/cyberwar-heats-up-in-the-middle-east.html?phint=newt%3Dcso_newswatch&phint=idg_eid%3D0bef32add6184e914bc1cf0418888edc#tk.CSONLE_nlt_newswatch_2015-04-03
The grounds for which Wikimedia is basing its lawsuit involve the mass surveillance program that the NSA has been implementing. One of the most troublesome facets of this program, according to Wikimedia’s pleading, is the NSA’s search and seizure of internet communications, which is called “Upstream” surveillance. Wikimedia argues that these actions violate its users most basic of rights, citing the U.S. Constitution’s First Amendment protection of freedom of speech, and Fourth Amendment protection against unreasonable search and seizure because defendants’ conduct involved suspicionless seizure and searching of Internet traffic by NSA on U.S. soil. The founder of Wikipedia, Jimmy Wales, continues to emphasize that user privacy is of utmost importance. When such privacy is put in question, and people fear that their information will be leaked, the Wiki experience is seriously undermined. This issue, with the NSA specifically, was made much more serious and real with the Edward Snowden 2013 public disclosures, which revealed information about Wikimedia’s programs. According to its blog postings, Wikimedia has been looking for a way to file a lawsuit ever since this incident. Zeroing in on the “upstream” surveillance aspect allows the suit to serve as a vehicle to address Wikimedia’s views on how….. For the full article please follow this link: http://scarincihollenbeck.com/how-many-nsa-does-it-take-to-anger-wikimedia/ To download the complaint please click here: http://ewhwblog.com/wp-content/uploads/2015/03/Wikimedia_v._NSA_Complaint21.pdf Wikimedia_v._NSA_Complaint2 **This article was authored by Cyber Security attorney Fernando M. Pinguelo, Partner at Scarinci Hollenbeck attorneys at Law and Jenna Methven, Chief Blog Correspondent and Blogger for eWhiteHouse Watch and a Monmouth University student.
Washington, D.C. – March 9, 2015 On March 4-6, 2015, the International Association of Privacy Professionals ("IAPP") held its annual Global Privacy Summit at the Mariott Marquis in Downtown Washington D.C., and as per the usual, it was a who's who of privacy pros in attendance. eWhite House Watch had the pleasure of attending the conference as part of IAPP’s Press Corps, and is pleased to report that it was a smashing success. This year, the three-day privacy extravaganza featured topics ranging from keynote speaker Glen Greenwald's Snowden coverage, privacy issues surrounding the Internet of Things (IoT), privacy issues for startups, cyber insurance, and the U.S. Consumer Privacy Bill of Rights proposed by Obama just a few weeks prior to the event. Regular conference attendee (and past IAPP conference speaker) Fernando M. Pinguelo (partner and Chair of Scarinci Hollenbeck’s Cyber Security & Data Protection group) observed, “IAPP’s tradition of offering high caliber presenters with real-world experience and insight continues, and is matched only by the notable keynote speakers who add a level of urgency to the data privacy and security dialogue and the conference attendees whose active participation contributes greatly to the panel discussions and learning experience.” eWhite House Watch also had the opportunity to sit in on a private roundtable discussion between IAPP President and CEO J. Trevor Hughes and Vice President of Research and Education Omar Tene. Referring to the year-over-year increase in consumer awareness regarding data privacy concerns, Hughes drew analogies between the digital and industrial economies. Both Hughes and Tene agreed that the media, consumer awareness, and the influence of the president were critical to getting uniform data privacy legislation on the books here in the U.S., and that unfortunately, such a massive shift in the regulation of data privacy might only be sparked by an Exxon-Valdez-caliber breach incident. “Aside from the informative programs available to lawyers in private practice, I find the conference also offers me the unique opportunity to meet with clients and colleagues in one location, many of whom also make it a point to attend this one in particular,” added Angelo A. Stio, III, partner in the Litigation & Dispute Resolution Department of Pepper Hamilton LLP, and a member of its Privacy, Security and Data Protection group. This year's conference was littered with networking events, and was packed full of consulting service providers on the exhibitor floor. And for the first time, a new session type called "From the Game Changers" was introduced as shorter, more informal professional-to-professional chats on practical experiences these 'Game Changers' withstood during their careers. In all, the 2015 Global Privacy Summit was a wealth of knowledge for both seasoned and aspiring privacy professionals, and lived up to the high standards of event coordination and substantive content that IAPP members have come to know and expect from the organization. "We really like how this event brings together the entire industry, including the regulators, and allows us to share our often differing views on the latest developments in the field," reflected Michael Morgan, Of Counsel in Cybersecurity and Data Privacy group at Jones Day. eWhiteHouse Watch’s Executive Editor stated “we are already looking forward to next year's event.”
On February 26, 2015, the FCC ruled in favor of net neutrality by applying Title II (of the Communications Act of 1934 to Internet service providers and reclassifying broadband access as a telecommunications service. Championing the new regulations, FCC Chairman Tom Wheeler said, "[t]his is no more a plan to regulate the Internet than the First Amendment is a plan to regulate free speech. They both stand for the same concept." While Mr. Wheeler views the regulations as a referee, Telecom company's insist that the measures will do more harm than good, and consumers will bear the brunt of change. What is net neutrality? In short, adoption of Title II established three bright line rules… No Blocking: broadband providers may not block access to legal content, applications, services, or non-harmful devices. No Throttling: broadband providers may not impair or degrade lawful Internet traffic on the basis of content, applications, services, or non-harmful devices. No Paid Prioritization: broadband providers may not favor some lawful Internet traffic over other lawful traffic in exchange for consideration – in other words, no “fast lanes.” This rule also bans ISPs from prioritizing content and services of their affiliates. Who is for it and who is against it? Those who support net neutrality argue that allowing “paid prioritization” unfairly raises prices on content services and that adoption of title II levels the playing field for all Americans. Opponents say the Title II designation will stifle innovation in broadband. A group of Internet service providers (ISPs), including AT&T, Comcast, Time Warner Cable, and Verizon, argue that the new classification permits the FCC to conduct "unprecedented government micromanagement of all aspects of the Internet economy." What does this law mean for the consumer? The FCC promises that broadband will continued to cost the same amount as it did before. This ruling establishes the authority to implement regulations put in place in 2010, and will grant the FCC the administrative authority to examine practices and hear complaints. This past week, at the Mobile World Conference, Mr. Wheeler seemed argued that he his plans have been mischaracterized. Wheeler dismisses the idea that adoption of Title II is heavy handed regulation but is instead, as Mr. Wheeler characterized it, a referee throwing up the card when someone acts in an unfair manner. In Europe there are proposals coming through the European commission which would allow specialized services, being provided by telecom groups, to be delivered at guaranteed speeds for customers - very different from what has been proposed int the US. Many opponents have accused the President as relaying pressure from Facebook and google to take action on their behalfs. While adoption of the regulations will begin to have an effect in early summer, the telecoms companies are saying to Mr. Wheeler - “we’ll see you in court.” http://www.mediaite.com/tv/john-oliver-explains-fccs-net-neutrality-ruling-to-confused-republicans/
Looks like mistakes are finally catching up to the group of hackers with suspected ties to the NSA, referred to as “Equation Group” by Kaspersky Researchers, as reported in Ars Technica this past week. After almost 14 years of going unnoticed, it looks like Equation Group is finally getting the recognition they deserve. The Ars Technica article exposed information regarding the astounding capabilities of Equation Group, as well several reasons why it seems it’s more likely than not affiliated with the NSA. As seen in previous posts, the NSA is a reoccurring topic when it comes to cyber security. As reported, the information from the Report released this past week from the Kaspersky Security Analysis Summit proves why Equation Group is being called “probably the most sophisticated computer attack group in the world.” The Ars Technica article discusses Equation Group’s impressive record, with its most note-worthy achievements including a 2002/2003 hack involving Oracle databased installation CDs and a 2009 attack carried out by infecting CDs sent to specific researchers from a recent scientific conference they had attended. According to the Kaspersky website, Equation Group uses “implants” in order to infect victims and obtain information. According to the Kaspersky report, Equation Group is responsible for more than 500 attacks in 42 countries, although it is estimated by some that the real number is probably much higher considering its impressive ability to prevent themselves from being tracked. As pointed out in the article, Kaspersky researchers refrained from specifically naming the NSA in their report, although the procedural similarities between Equation Group and operations known to be the NSA are striking. Aside from this, as noted in the Ars Technica article, the time and resources, as well as Equation Group’s advanced capabilities are things “people have come to expect from a spy agency sponsored by the world’s wealthiest nation.” Despite keeping quiet since the report’s release this past week, it should be interesting to see if the NSA comes up with a response or acknowledges the allegations made in the report at all. Either way, Equation Group definitely poses a serious threat to cyber security worldwide, whether tied to the NSA or not. Or, maybe not. Depending on how you look at it, this program may be exactly the kind of program the NSA should be running, instead of the broad domestic surveillance it’s developed in recent years – here’s why.