Cybersecurity and Cyberwarfare

The use of computers and the Internet in conducting warfare in cyberspace.

The Fate of Online Trust in the Next Decade

Many experts say lack of trust will not be a barrier to increased public reliance on the internet. Those who are hopeful that trust will grow expect technical and regulatory change will combat users’ concerns about security and privacy. Those who have doubts about progress say people are inured to risk, addicted to convenience and will not be offered alternatives to online interaction. Some expect the very nature of trust will change.

A Future Ruled by the "Botnet of Things"?

In October 2016, botnets (interconnected groups of electronic devices under the control of a botmaster, or botherder, who can then use the bot army to steal information or carry out scams on a massive scale) made headlines as the instrument behind a distributed denial-of-service (DDoS) attack against domain name system (DNS) provider Dyn that took dozens of websites, including Amazon, Netflix, Spotify, Twitter, and even the Swedish government, offline for hours. In response to a Request for Comment from the National Telecommunications and Information Administration (NTIA), OTI offered seven recommendations for addressing the threats posed by botnets:

1. Use bug bounty programs to reduce vulnerabilities in IoT products
2. Design devices such that they can be patched and updated
3. Ship items with unique, random credentials, and let users customize login information
4. Establish clear support windows and end-of-life procedures
5. Let users know which security features are available to them on a device—and which are not
6. Connect consciously
7. Support the products that implement best practices

FBI tracked Election Day social media for fake news from Russia

The FBI monitored social media accounts on Election Day 2016 to track Russian efforts to spread damaging false information about candidates. Dozens of agents scanned Twitter and Facebook, where stories promoting conspiracy theories and false claims against Democratic nominee Hillary Clinton had gained traction before the vote. Agents and security analysts apparently spent the day at the FBI headquarters in Washington watching for security threats they believed were originating from Russia. Another group of FBI analysts and investigators apparently found overseas-based social media accounts linked to the viral stories, which they suspected to be part of a Russian disinformation operation.

Information Security: OPM Has Improved Controls, but Further Efforts Are Needed

The Office of Personnel Management (OPM) collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In 2015, OPM reported significant breaches of personal information that affected 21.5 million individuals. The Senate report accompanying the Financial Services and General Government Appropriations Act, 2016 included a provision for GAO to review information security at OPM. GAO evaluated OPM's (1) actions since the 2015 reported data breaches to prevent, mitigate, and respond to data breaches involving sensitive personnel records and information; (2) information security policies and practices for implementing selected government-wide initiatives and requirements; and (3) procedures for overseeing the security of OPM information maintained by contractors providing IT services. To do so, GAO examined policies, plans, and procedures and other documents; tested controls for selected systems; and interviewed officials. This is a public version of a sensitive report being issued concurrently. GAO omitted certain specific examples due to the sensitive nature of the information.

GAO is making five recommendations to improve OPM's security. OPM concurred with four of these and partially concurred with the one on validating its corrective actions. GAO continues to believe that implementation of this recommendation is warranted. In GAO's limited distribution report, GAO made nine additional recommendations.

Sens Warner, Gardner think the government has a new cybersecurity problem: The Internet of Things

When hackers took aim at the internet’s backbone in 2016, impeding access to websites like Twitter and Spotify, they did so by weaponizing the Internet of Things — a catch-all category of web-connected devices that includes fitness trackers and smart thermostats. The resulting denial-of-service attack was limited and short-lived, in the end, but cybersecurity fears about IoT remain prevalent — and a group of lawmakers in Congress is now getting to work to ensure the US government raises its own digital defenses in response. That’s the aim of a new bill out Aug 1 by Sens Mark Warner (D-VA) and Cory Gardner (R-CO).

Their measure — called the Internet of Things Cybersecurity Improvement Act of 2017 — is an attempt to force companies that sell wearables, sensors and other web-connected tools to federal agencies to adhere to some new security standards. For example, lawmakers’ new proposal would put into law a requirement that vendors ensure the small, often screenless devices sold to the US government can be patched with security updates. It also prohibits those tech companies from hard-coding passwords into the firmware of the tools they offer the feds.

Deciphering the European Encryption Debate: France

The political landscape in France is worrisomely ripe for the enactment of new laws or policies that could undermine the security of encrypted products and services in the name of national security. France has a new president, Emmanuel Macron, who has taken an aggressive stance on encryption and allied himself with UK Prime Minister Theresa May, another hawk on the issue. Meanwhile, French law enforcement officials continue their multi-year push—including in the New York Times and at the EU level—for legislation that would ensure that they can always obtain the encrypted data they seek. Under these conditions, it seems that the encryption debate in France is just beginning—and could end abruptly in favor of backdoors in the face of another major terror attack.

FCC says its specific plan to stop DDoS attacks must remain secret

The Federal Communications Commission has told members of Congress that it won't reveal exactly how it plans to prevent future attacks on the public comment system. FCC Chairman Ajit Pai and Democratic lawmakers have been exchanging letters about a May 8 incident in which the public comments website was disrupted while many people were trying to file comments on Pai's plan to dismantle net neutrality rules. The FCC says it was hit by DDoS attacks. The commission hasn't revealed much about what it's doing to prevent future attacks, but it said in a letter in June that it was researching "additional solutions" to protect the comment system.

Democratic leaders of the House Commerce and Oversight committees then asked Pai what those additional solutions are, but they didn't get much detail in return. "Given the ongoing nature of the threats to disrupt the Commission’s electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred," the FCC chief information officer wrote. "However, we can state that the FCC’s IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs."

RNC tells staff not to delete or alter any documents related to 2016 campaign

The Republican National Committee counsel's office asked employees to preserve all documents regarding the 2016 presidential election. The memo stresses that the RNC has not been contacted in any of the investigations into possible ties between President Trump's campaign or allies and Russia. The move is instead framed as a proactive step. “Given the important role that the RNC plays in national elections and the potentially expansive scope of the inquiries and investigations, it is possible that we will be contacted with requests for information,” says a July 28 memo to staff from the RNC counsel’s office. "Therefore, we must preserve all documents potentially relevant to these matters until they are resolved or until we are informed by all necessary parties that preservation is no longer necessary."

Chairman Pai's Response to Reps. Pallone, Cummings, DeGette, Kelly, Doyle and Connolly Regarding ECFS Cyberattack

On June 26, 2017, Reps Frank Pallone (R-NJ), Elijah Cummings (D-MD), Diana DeGette (D-CO), Robin Kelly (D-IL), Mike Doyle (D-PA), and Gerald Connolly (D-VA) wrote to the Federal Communications Commission to express concerns about the FCC's cybersecurity preparedness and the multiple reported problems with the FCC's website in taking public comments in the net neutrality proceeding.

On July 21, FCC Chairman Ajit Pai responded by saying the Information Technology (IT) staff at the FCC immediately addressed the disruption to the FCC's Electronic Comment Filing System (ECFS). Chairman Pai wrote, "Although I cannot guarantee that we will not experience further attempts to disrupt our systems, our staff is constantly monitoring and reviewing the situation so that everyone seeking to comment on our proceedings will be afforded the opportunity to do so."

ISAO SP 4000: Protecting Consumer Privacy in Cybersecurity Information Sharing V1.0

The purpose of this document is to assist risk managers in making decisions with respect to privacy when sharing cybersecurity information. It builds upon the previously published basic principles by outlining actions to promote efficient and effective information sharing while minimizing the impact on privacy interests. Importantly, this document reflects the contributions of industry, civil society, and the government. This document supplements ISAO 300-1 Introduction to Information Sharing, Section 9 Information Privacy.