ICD Brief 58.
We bring you some unusual updates this week. It’s clear that nations are beginning to utilize innovation to address threats. The question is how wrong can we be and still get it right? Here’s a sample.
Do you believe that corporations should be able to “hack back”? How about replacing social security numbers with Estonia’s cryptographic model? Do you care that the EU Commission confirms the EU-US Privacy Shield is OK? Did you know that India’s techies are driving the next generation cyber security architecture? And that the Chinese are monitoring the content on their own platforms more rigorously? And what does the father of Israel’s cyber and defense ecosystem think about North Korea and Iran?
Last week, I joined thousands in a variety of DC CyberWeek events. Special thanks to Parsons Vice President Marianne Meins, who hosted an amazing Meetup with the DC Chapter of Cyber Security for Control Systems at the Parsons Cyber Innovation Center Control Systems Lab.
This week, I will join more than 700 participants from 30 states and 11 countries welcomed by Governor Dayton to Cyber Security Summit 2017 in Minneapolis October 23-25 at the Minneapolis Convention Center. Proud to be a Board member.
Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) introduced a bill Friday that would allow hacking victims to “hack back” when attacked.
The Active Cyber Defense Certainty Act allows individuals and companies to hack hackers if the goal is to disrupt, monitor or attribute the attack, or destroy stolen files.
“A U.S. senator on Tuesday asked the Defense Department to explain how it manages the risks when it uses software that has been scrutinized by foreign governments, saying the practice may represent a national security threat.”
“Earlier this month White House cybersecurity czar Rob Joyce raised eyebrows when he proposed the radical idea of abandoning the venerable Social Security number (SSN) as a national identifier and replacing it with modern cryptographic identifiers. Amongst all of the buzz about what such a system might look like, whether it is even feasible and how secure it might be, it was surprising to see comparatively little discussion of Estonia’s national cryptographic identifier system which not only does everything being discussed for a future US system, but far, far more, representing a truly “digital first” society.”
“On Monday, the US Department of Homeland Security announced a new requirement for federal agencies to employ web and email encryption to boost cybersecurity protections. At a cybersecurity roundtable hosted by the Global Cyber Alliance, Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at the Department of Homeland Security, issued a Binding Operational Directive (BOD) for these federal agencies to implement these cyber policies.”
“As Vulture South reported Monday, Australia’s government hopes to have consumer Internet of Things products given security “star ratings” of some kind, so consumers know what they’re buying. The notion seems problematic: for example, what does a five-star security rating on a security camera mean, if it’s attached to a router with admin:password as its login credentials?”
“Following the first enforcement actions by local authorities in Shantou and Chongqing for violations of the new Network Security Law that came into effect this year, authorities in China have recently shown a clear initial focus with several new cases targeting provisions of the law that require monitoring of platform content. As of the start of October 2017, enforcement actions by authorities in China have targeted platform content violations in nearly 70 percent of all actions under the new provisions of the data protection rules.”
On October 18, 2017, the European Commission published its report and supporting documents regarding its first annual review of the EU-U.S. Privacy Shield (Privacy Shield), which sets forth procedures and safeguards for transferring personal data from the European Union (EU) to the United States. The report concludes that Privacy Shield “ensures an adequate level of protection for personal data” transferred from the EU to the United States.
“The European Union will boost its law enforcement agency and free up funding to help police break encryption for investigations, but the move is unlikely to satisfy Europe’s most powerful governments that want broad access to chat messages and data. The Commission said Wednesday it wants to create a “toolbox” to help national law enforcement break encryption, provide up to €500,000 to train European police and boost its police agency Europol’s ability to hack into phones, computers and private messages.”
LAS VEGAS: As enterprises the world over scout for next-generation cyber security architecture to mitigate attacks, the Indian systems integrator (SI) community is helping major companies embrace state-of-the-art security structures, Chris Young, Chief Executive Officer of McAfee, has said.
‘Yitzhak Ben-Israel thinks Kim’s cyberwarriors are third-rate, U.S. missile defense is good, and the Iran deal is a keeper. Success, it is said, has many fathers, and that is certainly the case of Israel’s astonishing achievements in the areas of missile defense and cybersecurity. But if anyone is entitled to claim paternity, it is Isaac Ben-Israel. As a major general, he commanded the IDF unit in charge of military R&D and as the Director of Defense R&D in the Israeli Ministry of Defense, he oversaw the creation of Israel’s cutting edge anti-missile systems. As a civilian, he became the architect of Israel’s unique cyberdefense ecosystem. Today, at 68, he heads the department of security studies at Tel Aviv University, chairs Israel’s Space Agency and its National Council for Research and Development and, in his spare time, writes influential books on high-tech military strategy and runs his own consultancy firm, RAY-TOP (Technology Opportunities) Ltd. He’s a busy man.’
‘It turns out that North Korea isn’t just a nuclear threat. It’s also a cyberthreat, and in some ways, this may be more frightening. Launched largely anonymously, cyberattacks can cripple essential infrastructure — power grids, financial networks, transportation systems — and inflict social disorder and political anarchy. Immediate retaliation is difficult. All this now seems plausible.’
By: Drew Neisser
Finding myself among the 145 million Americans whose personal information was compromised by the gargantuan Equifax data breach, I welcomed the chance to talk with cybersecurity expert Norman Guadagno, senior VP of data security company Carbonite. Our conversation was both scary and enlightening as Guadagno pointed out how poorly Equifax handled the crisis, the inevitability of having your personal and company data hacked and, most important, the little-known fact that ever-growing marketing tech stacks are creating even greater security threats.
By: Leonardo Cooper
“Cyber security training firms continue to stress the importance of educating employees in order to minimise the risk of cyber threats. ‘Staff’, they argue, ‘are both your company’s greatest asset and your biggest potential security risk’. And as employees are the weakest link in the security chain, they must be well trained and educated. It is true that employees are a huge security weakness: 46% of IT security incidents are caused by employees each year globally and 55% of companies surveyed by Experian Data Breach Resolution said they ‘experienced one or more security incidents where the catalyzing event was a negligent or malicious employee.’”