Cybersecurity and Cyberwarfare

The use of computers and the Internet in conducting warfare in cyberspace.

US bans use of Kaspersky software in federal agencies amid concerns of Russian espionage

The US government banned the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyberespionage activities, according to US officials. Acting Homeland Security secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal civilian government networks, apparently giving agencies a timeline to get rid of it. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

Five privacy and security concerns about Apple’s new FaceID facial recognition

Apple on Tuesday (Sept. 12) unveiled its new FaceID facial recognition technology for the iPhone X—the successor to the iPhone TouchID fingerprint scanner. The company says FaceID is 20 times more secure than TouchID, and can be used for unlocking apps and using ApplePay. Still, this kind of technology (which you can read more about here) raises a lot of questions. Here’s what we’re wondering:
Where will the data be stored?
What are the legal implications of opening your phone with your face?
What else will Apple use the data for, even if it’s just on our phones?
Who else will have access to those sensors?
Does facial recognition this effective really make sense in real-life scenarios?

The Right Response to Equifax

How can we reduce the consequences for consumers and companies when the next breach happens? We can pass national data breach legislation. A national standard would not have prevented the Equifax breach, but it would clarify for consumers and companies the types of information subject to protection and the penalties for failing to do so.

While respecting the valuable role of the states, we clearly need a basic federal standard that ensures all Americans can expect adequate data protection, while allowing companies to better deploy security and training so that the next breach is less damaging for consumers. Sen Mark Warner (D-VA) has not only renewed the call for national data breach legislation, but also asked the important question: “is it time to rethink data protection policies dealing with these large, centralized sets of highly sensitive data on millions of Americans?” The answer to Senator Warner’s question is yes.

The three big questions Equifax hasn’t answered

As pressure builds on Equifax to explain how criminals hacked into a massive trove of data on 143 million Americans, the list of unanswered questions is long. But most boil down to three big ones:
#1: What measures did Equifax take to protect our personal information?
#2: What measures should Equifax have taken to protect our personal information?
#3: What’s the gap between the answers to questions #1 and #2?

Equifax data breach focuses Washington's attention on security of sensitive personal information

The massive data breach at credit reporting firm Equifax has put the company in the cross-hairs of congressional committees and one of the nation’s most aggressive attorneys general, while fueling a new push for stronger protections on Americans’ personal information. Even the Trump administration, which has advocated slashing government rules, has indicated new regulations might be needed. The revelation that a hack of Equifax’s computer system exposed the Social Security numbers and birth dates of as many as 143 million people also could scuttle Republican efforts to limit the liability faced by credit reporting companies and other financial firms in disputes with consumers. The scale of the latest in a series of high-profile data breaches has refocused attention on the role of the three major credit reporting companies — Equifax, Experian and TransUnion — as repositories of a trove of sensitive data. “This debacle should be a wake-up call to both consumers and policymakers about the industry's broad reach,” said Rohit Chopra, a senior fellow at the Consumer Federation of America.

Sen Warner: Congress May Need to Rethink Cybersecurity

Sen Mark Warner (D-VA), co-founder of the Senate Cybersecurity Caucus, said Congress might need to rethink cybersecurity policies in the wake of a data breach of Equifax, one of the largest data brokers in the U.S. The company revealed a "cybersecurity incident" that it said potentially impacted 143 million consumers, or about half the population. The information involved included "names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers," said the company.

Sen Warner said, "[T]he scope of this breach...raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans."

CBO Scores Cyber Vulnerability Disclosure Reporting Act

The Cyber Vulnerability Disclosure Reporting Act (HR 3202) would require the Department of Homeland Security (DHS), within 240 days of the bill’s enactment, to submit a report to the Congress describing the policies and procedures used to coordinate the sharing of information on cyber vulnerabilities with businesses and other relevant entities. The report also would describe how those policies and procedures were used to disclose such vulnerabilities over the past year and, if available, how recipients of those disclosures acted upon the information.

Based on an analysis of information from DHS, CBO estimates that implementing the bill would cost less than $500,000 over the 2018-2022 period; such spending would be subject to the availability of appropriated funds. Enacting HR 3202 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting HR 3202 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.

CBO Scores Cybersecurity and Infrastructure Security Agency Act of 2017

The Cybersecurity and Infrastructure Security Agency Act of 2017 (HR 3359) would rename the National Protection and Programs Directorate (NPPD) of the Department of Homeland Security (DHS) as the Cybersecurity and Infrastructure Security Agency. The bill also would consolidate certain missions of NPPD under two divisions: the Cybersecurity Division and the Infrastructure Security Division.

Based on information from DHS, CBO has concluded that the requirements in the bill would not impose any new operating requirements on the agency. On that basis, CBO estimates that implementing HR 3359 would have a negligible effect on the federal budget. Enacting HR 3359 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting HR 3359 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.

Lenovo Settles FTC Charges it Harmed Consumers With Preinstalled Software on its Laptops that Compromised Online Security

Lenovo Inc., one of the world’s largest computer manufacturers, has agreed to settle charges by the Federal Trade Commission and 32 State Attorneys General that the company harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers. In its complaint, the FTC charged that beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a preinstalled “man-in-the-middle” software program called VisualDiscovery that interfered with how a user’s browser interacted with websites and created serious security vulnerabilities.

As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. The company must also get consumers’ affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.

The Nation issues editor’s note on story questioning whether the DNC was hacked

After an extensive review, the Nation has issued an editor’s note concerning an Aug 9 article that raised questions regarding a consensus finding of the U.S. intelligence community that the Democratic National Committee (DNC) was hacked by Russian actors seeking to tilt the playing field in the 2016 presidential election.

“Former NSA experts say it wasn’t a hack at all, but a leak—an inside job by someone with access to the DNC’s system,” reads the subhead on the story, which was written by Patrick Lawrence, a contributing writer for the magazine. In her note to readers, which now sits atop the Lawrence piece, Nation Editor and Publisher Katrina vanden Heuvel writes, “We believe it is important to challenge questionable conventional wisdom and to foster debate—not police it. Focusing on unreported or inadequately reported issues of major importance and raising questions that are not being asked have always been a central part of our work.”