Cybersecurity and Cyberwarfare

The use of computers and the Internet in conducting warfare in cyberspace.

Senate Panel Reviews FTC Data Security Enforcement Powers

The recent Equifax Inc. data breach prompted senators at a Sept. 26 hearing to question whether the Federal Trade Commission has the proper authority to effectively enforce data security standards. How to better define the Federal Trade Commission’s authority to oversee corporate data security is a long-standing issue, and U.S. credit bureau Equifax’s breach compromising the personal data of 143 million consumers has, at least for the moment, further raised interest in the subject.

The Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security heard testimony on proposals to improve the FTC’s handling of consumer protection issues, including its role in overseeing data security efforts. Subcommittee Chairman Jerry Moran (R-KS) said that there will be a full committee hearing on the Equifax data breach in “mid-October.” Subcommittee Ranking Member Richard Blumenthal (D-CT) said that he will soon introduce legislation to allow the FTC to investigate any data breaches, exercise oversight, and issue penalties.

Russian Interference in 2016 US Election, Bots, & Misinformation

Earlier this summer we outlined some of our work to combat bots and networks of manipulation on Twitter. Since then, we have received a number of questions about how malicious bots and misinformation networks on Twitter may have been used in the context of the 2016 U.S. Presidential elections. On Sept. 28, Twitter Vice President for Public Policy Colin Crowell met with staff from the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence to discuss these issues.

Of the roughly 450 accounts that Facebook recently shared as a part of their review, we concluded that 22 had corresponding accounts on Twitter. All of those identified accounts had already been or immediately were suspended from Twitter for breaking our rules, most for violating our prohibitions against spam. In addition, from those accounts we found an additional 179 related or linked accounts, and took action on the ones we found in violation of our rules. Neither the original accounts shared by Facebook, nor the additional related accounts we identified, were registered as advertisers on Twitter. However, we continue to investigate these issues, and will take action on anything that violates our Terms of Service.

Enough is enough: How to stop Russia’s cyber-interference

[Commentary] Actual policy actions to protect our vote from outside interference have been next to nil. That needs to change now.

First, and most obviously, our cybersecurity must be strengthened. We need greater education on how to prevent cyberattacks; more coordination between layers for cybersecurity at the individual, group and government levels; and new government regulation mandating upgrades in cybersecurity for everyone and everything involved in the electoral process. Second, information about Russian state propaganda — not censorship of these content providers — must be provided to the American people. Third, foreign purchase of advertisements aimed at influencing elections must be prohibited. Fourth, Americans who colluded with Russian (or any foreign) actors to influence the outcome of our elections must be punished.

[Michael McFaul is director of the Freeman Spogli Institute for International Studies and a Hoover fellow at Stanford University. He was previously special assistant to President Obama at the National Security Council from 2009-2012 and former U.S. ambassador to Russia from 2012-2014]

Phish For the Future

This report describes “Phish For The Future,” an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future. Between July 7th and August 8th of 2017 we observed almost 70 spearphishing attempts against employees of internet freedom NGOs Fight for the Future and Free Press, all coming from the same attackers.

US asks China not to enforce cyber security law

The United States has asked China not to implement its new cyber security law over concerns it could damage global trade in services. China ushered in a tough new cyber security law in June, following years of fierce debate around the move that many foreign business groups fear will hit their ability to operate in the country. The law requires local and overseas firms to submit to security checks and store user data within the country. The United States, in a document submitted for debate at the World Trade Organization Services Council, said if China’s new rules enter into full force in their current form, as expected by the end of 2018, they could impact cross-border services supplied through a commercial presence abroad.

“China’s measures would disrupt, deter, and in many cases, prohibit cross-border transfers of information that are routine in the ordinary course of business,” it said. “The United States has been communicating these concerns directly to high level officials and relevant authorities in China,” the US document said, adding it wanted to raise awareness among WTO members about the potential impact on trade. “We request that China refrain from issuing or implementing final measures until such concerns are addressed.”

President Obama tried to give Zuckerberg a wake-up call over fake news on Facebook

Nine days after Facebook chief executive Mark Zuckerberg dismissed as “crazy” the idea that fake news on his company’s social network played a key role in the US election, President Barack Obama pulled the youthful tech billionaire aside and delivered what he hoped would be a wake-up call.

For months leading up to the vote, President Obama and his top aides quietly agonized over how to respond to Russia’s brazen intervention on behalf of the Donald Trump campaign without making matters worse. Weeks after Trump’s surprise victory, some of Obama’s aides looked back with regret and wished they had done more. Now huddled in a private room on the sidelines of a meeting of world leaders in Lima, Peru, two months before Trump’s inauguration, President Obama made a personal appeal to Zuckerberg to take the threat of fake news and political disinformation seriously. Unless Facebook and the government did more to address the threat, President Obama warned, it would only get worse in the next presidential race. Zuckerberg acknowledged the problem posed by fake news. But he told President Obama that those messages weren’t widespread on Facebook and that there was no easy remedy.

Department of Homeland Security tells 21 states about Russian hacking during 2016 election

The Department of Homeland Security contacted election officials in 21 states to notify them that they had been targeted by Russian government hackers during the 2016 election campaign.

In June 2017, DHS officials said that people connected to the Russian government tried to hack voter registration files or public election sites in 21 states, but this was the first time that government officials contacted individual state election officials to let them know their systems had been targeted. Officials said DHS told officials in all 50 states whether their systems had been attacked or not. In only a handful of states, including Illinois, did hackers actually penetrate computer systems, according to US officials, and there is no evidence that hackers tampered with any voting machines. State elections officials in Alabama, Colorado, Connecticut, Iowa, Maryland, Minnesota, Ohio, Oklahoma, Pennsylvania, Virginia, Wisconsin and Washington were told they were targeted.

NTIA Releases Cybersecurity Report

The National Telecommunications & Information Administration has released a report on botnets, DDoS attacks and other cyber threats. The report was based on over 40 responses to NTIA's request for comments on those attacks, which was issued last June. A final report that incorporates the NTIA report is due to the President by May 11, 2018.

NTIA got 47 responses, including from NCTA-The Internet & Television Association, with what the agency said were several broad themes: addressing risks is a shared responsibility; distributed, automated attacks are linked to other threats; they are global and require international cooperation. NTIA said the commenters "resoundingly" endorsed voluntary, consensus-based and community-led processes, including the National Institute of Standards & Technology and NTIA's privacy multi-stakeholder processes. There were also strong voices against too large a regulatory role by government, but others said that the lack of existing security protection and the lack of market incentives to adopt them meant there was greater need for "policy interventions."

RT, Sputnik and Russia’s New Theory of War

How the Kremlin built one of the most powerful information weapons of the 21st century — and why it may be impossible to stop.

President Trump Blocks China-Backed Fund from Buying US Chip Maker Lattice

President Donald Trump blocked a Beijing-backed fund’s attempt to buy an American chip maker, signaling his administration will closely scrutinize Chinese investment in semiconductor technology. President Trump took the rare step of personally intervening in the transaction after the would-be deal makers asked him to overrule an earlier negative determination from the Committee on Foreign Investment in the US, a multiagency panel that reviews deals for national-security concerns.

According to a statement from the White House, President Trump believes the transaction could risk U.S. national security due to “the potential transfer of intellectual property to the foreign acquirer, the Chinese government’s role in supporting this transaction, the importance of semiconductor supply chain integrity to the United States Government, and the use of Lattice products by the United States Government.”