The President

White House’s All-Inclusive Cybersecurity Directive – What does it all mean?

By Sarah Austin   On Tuesday, July 26 The White House unveiled a new policy directive specifying how the federal government will react to growing and rapidly evolving cyberthreats.   The new directive implements principles from February’s Cybersecurity National Action Plan. Most importantly, it reinforces the White House’s policy that cybersecurity is a team effort.   Under the new directive, the FBI will be responsible for coordinating the response to an immediate threat, and the Department of Homeland Security will be responsible for managing the effects after an attack occurs. The directive will also require the U.S. Departments of Justice and Homeland Security to keep an updated list of contact information to assist those impacted by a cyberattack and report it to the proper authorities.  

Read More

President Obama’s Budget Proposal Seeks $19 Billion to Launch Cybersecurity National Action Plan

President Obama presented his final annual budget proposal to Congress on Tuesday, which included a $19 billion request to support the launch of his new Cybersecurity National Action Plan (CNAP). The $19 billion request reflects a $5 billion increase in current spending. The President insists that this investment will ensure that Americans will have the tools to protect themselves online, companies will be able to protect their operations and information from hackers, and the government will be able to defend itself against cyber attacks. Some highlights of the CNAP include:   • $3.1 billion to form the Information Technology Modernization Fund, which will rebuild the federal government’s aging computer systems.   • The formation of the Commission on Enhancing National Cybersecurity, comprised of top business and technical non-government employees and thinkers, who will advise the government on the newest technical solutions and the best cybersecurity practices to protect privacy and public safety.

Read More

The (cyber) State of the Union – Have we placed enough of a priority on our cyber security since 2008?

By Kristen Tierney   While security seemed to be a major focal point during President Obama’s State of the Union Address last Tuesday night, cyber security did not receive quite as much direct attention. Not surprisingly, national security took a front seat, but this time with very little focus on national surveillance policies. Perhaps it could be because it is the President’s eighth and last State of the Union Address, but the overall tone felt nostalgic, with the President frequently referencing the traditional American “spirit” and “work ethic.” Yet, it was candid and at times even “playful,” with the President evoking laughter several times throughout the night.   The President opened his address by laying out four major questions that he planned to answer, one of which was how we as a nation can “make technology work for us and not against us.” In trying to promote the need for technological developments in science and in medicine, Obama referred to the American “spirit of discovery.” calling for a similar response in dealing with issues like climate change and developing the cure for cancer as there was during the development and buildup of the American space program.   Developments in internet access received a brief but honorable mention, when the President said we have successfully “protected an open internet” and which also allowed for more students and low-income Americans to have internet access. It would have been impossible for the President to address issues of national security without at least acknowledging the looming threat of terrorism. It was at this point that the internet received a less honorable mention when the President acknowledged the use of the internet as a tool for terrorist groups like Al Qaida and ISIL in recruiting new members.

Read More

Net Neutrality – A Win for Liberty or Lawyers?

On February 26, 2015, the FCC ruled in favor of net neutrality by applying Title II (of the Communications Act of 1934 to Internet service providers and reclassifying broadband access as a telecommunications service. Championing the new regulations, FCC Chairman Tom Wheeler said, "[t]his is no more a plan to regulate the Internet than the First Amendment is a plan to regulate free speech. They both stand for the same concept." While Mr. Wheeler views the regulations as a referee, Telecom company's insist that the measures will do more harm than good, and consumers will bear the brunt of change. What is net neutrality? In short, adoption of Title II established three bright line rules… No Blocking: broadband providers may not block access to legal content, applications, services, or non-harmful devices. No Throttling: broadband providers may not impair or degrade lawful Internet traffic on the basis of content, applications, services, or non-harmful devices. No Paid Prioritization: broadband providers may not favor some lawful Internet traffic over other lawful traffic in exchange for consideration – in other words, no “fast lanes.”  This rule also bans ISPs from prioritizing content and services of their affiliates. Who is for it and who is against it? Those who support net neutrality argue that allowing “paid prioritization” unfairly raises prices on content services and that adoption of title II levels the playing field for all Americans. Opponents say the Title II designation will stifle innovation in broadband. A group of Internet service providers (ISPs), including AT&T, Comcast, Time Warner Cable, and Verizon, argue that the new classification permits the FCC to conduct "unprecedented government micromanagement of all aspects of the Internet economy." What does this law mean for the consumer? The FCC promises that broadband will continued to cost the same amount as it did before. This ruling establishes the authority to implement regulations put in place in 2010, and will grant the FCC the administrative authority to examine practices and hear complaints. This past week, at the Mobile World Conference, Mr. Wheeler seemed argued that he his plans have been mischaracterized. Wheeler dismisses the idea that adoption of Title II is heavy handed regulation but is instead, as Mr. Wheeler characterized it, a referee throwing up the card when someone acts in an unfair manner. In Europe there are proposals coming through the European commission which would allow specialized services, being provided by telecom groups, to be delivered at guaranteed speeds for customers - very different from what has been proposed int the US. Many opponents have accused the President as relaying pressure from Facebook and google to take action on their behalfs. While adoption of the regulations will begin to have an effect in early summer, the telecoms companies are saying to Mr. Wheeler - “we’ll see you in court.”

In the Clear after 14 Years? Not Quite.

Looks like mistakes are finally catching up to the group of hackers with suspected ties to the NSA, referred to as “Equation Group” by Kaspersky Researchers, as reported in Ars Technica this past week. After almost 14 years of going unnoticed, it looks like Equation Group is finally getting the recognition they deserve. The Ars Technica article exposed information regarding the astounding capabilities of Equation Group, as well several reasons why it seems it’s more likely than not affiliated with the NSA. As seen in previous posts, the NSA is a reoccurring topic when it comes to cyber security. As reported, the information from the Report  released this past week from the Kaspersky Security Analysis Summit proves why Equation Group is being called “probably the most sophisticated computer attack group in the world.” The Ars Technica article discusses Equation Group’s impressive record, with its most note-worthy achievements including a 2002/2003 hack involving Oracle databased installation CDs and a 2009 attack carried out by infecting CDs sent to specific researchers from a recent scientific conference they had attended. According to the Kaspersky website, Equation Group uses “implants” in order to infect victims and obtain information. According to the Kaspersky report, Equation Group is responsible for more than 500 attacks in 42 countries, although it is estimated by some that the real number is probably much higher considering its impressive ability to prevent themselves from being tracked. As pointed out in the article, Kaspersky researchers refrained from specifically naming the NSA in their report, although the procedural similarities between Equation Group and operations known to be the NSA are striking. Aside from this, as noted in the Ars Technica article, the time and resources, as well as Equation Group’s advanced capabilities are things “people have come to expect from a spy agency sponsored by the world’s wealthiest nation.” Despite keeping quiet since the report’s release this past week, it should be interesting to see if the NSA comes up with a response or acknowledges the allegations made in the report at all. Either way, Equation Group definitely poses a serious threat to cyber security worldwide, whether tied to the NSA or not. Or, maybe not.  Depending on how you look at it, this program may be exactly the kind of program the NSA should be running, instead of the broad domestic surveillance it’s developed in recent years – here’s why.

President Obama Rejuvenates the Cyber Troops: Is the Private Sector be on Board?

This past week, President Obama met with tech gurus at Stanford University to discuss cybersecurity and emphasized the need to focus more efforts on combating cyber security threats. The theme of his speech was the unification of efforts by the private sector and public sector. The flexibility of the private sector combined with the wealth of data collected by the government could, the President hopes make for an aggressive partnership capable of combating cyber threats. While the President’s remarks were very broad, a plenary session of corporate leaders spoke about two issues that might define a cyber security relationship. First, the need to reduce outdated legislation that hinders cyber protection efforts and Second, the definition of “data” that is to be shared.   During a plenary panel, led by Director of Homeland Security Jeh Johnson, corporate leaders talked about the the growing need to face cyber threats facing their industries and hurdles to doing so. One of the themes that each executive touched on was that outdated legislation and regulatory measures hinder the company’s ability to face modern threats. For example, Kenneth Chenault of American Express, highlighted that limits on access to customers via text messaging and email hindered Amex’s ability to rapidly respond to such threats. Additionally, Mr. Chenault called for greater transparency in the way in which the government collects and shares it’s data with private industry, claiming that less than 1% of all threats facing Amex were sourced from government entities.   Mr. Bernard Thompson, from Kaiser Permanente emphasized that private industry should not be willing to blindly hand over their data to the government. Healthcare data is sensitive information and he said that the relationship between government and private industry should be clearly defined by the type of data industry is willing to share. He emphasized that he would under no circumstances be willing to share “content” with the government, but would provide information about those attempting to gain access to that content. Mr. Thompson reiterated the point that outdated legislation continues to hinder Kaiser Permanente’s ability to face growing threats. Financial and Healthcare corporations like American Express and Kaiser Permanente respectively, have built their reputations on trust with their customers. Any talk of data sharing will need to be clearly defined. Additionally, any government led cyber security policy will inevitably usher in a series of new regulations and with them regulatory cost. Corporations, unlike our sluggish bureaucracy must make cuts were new regulatory measures are needed to be enforced. A certain degree of deregulation of outdated measures will be necessary to help corporations create a lean cyber fighting mechanisms.