Cybersecurity and Cyberwarfare

IBM said that it has achieved a breakthrough in security technology that will allow every business, from banks to retailers to travel-booking companies, to encrypt their customer data on a massive scale — turning most, if not all, of their digital information into gibberish that is illegible to thieves with its new mainframe.

“The last generation of mainframes did encryption very well and very fast, but not in bulk,” said Ross Mauri, general manager of IBM's mainframe business. Mauri estimates that only 4 percent of data stolen since 2013 was ever encrypted. As the number of data breaches affecting US entities steadily grows — resulting in the leakage every year of millions of people's personal information — IBM argues that universal encryption could be the answer to what has become an epidemic of hacking.

The Verizon debacle joins a lengthy list of incidents where companies and government agencies have accidentally published people’s confidential information, a problem that experts say may be getting harder to fix as more companies their storage to the cloud. Chris Vickery, director of cyber-risk research at UpGuard, found the Verizon data trove sitting in a critical data repository managed by a third vendor based in Israel. The repository had been misconfigured—a human error—leaving it unprotected. Thanks to a chronic shortage of skilled tech workers, it’s hard to find employees with the necessary skills and training to consistently avoid such mistakes, Vickery says. Tech workers setting up cloud systems or in-house servers can misunderstand the settings on the software they’re setting up, or cut corners to make data more easily accessible within the organization.

Experts and government officials say 911 systems across the country are dangerously outdated and putting lives at risk, while 911 fees consumers pay on monthly phone bills to maintain and upgrade the systems are often diverted by states for other uses. In fact, Scripps found that two dozen states were named “diverters” by the Federal Communications Commission at least once from 2008-2015, and some were repeat offenders. Experts warn that the nation’s antiquated patchwork of 911 systems is an easy target for hackers who want to wreak havoc and criminals who want to hijack 911 and demand a ransom.

Congressional Democrats are calling on the Federal Communications Commission to review its cybersecurity protocols following a May cyberattack that knocked the agency’s commenting system offline, and ahead of online activism in support of net neutrality.

Ranking House Democrats on two committees —Commerce and Oversight, as well as their relevant subcommittees — first sent a letter to the three FCC commissioners on June 26, expressing their concerns about the agency’s cyber preparedness and the attack’s impact on net neutrality comments. “Recent events have raised questions about the security of the FCC’s network, and we have serious concerns that the FCC’s website failures deprive the public of opportunities to comment on net neutrality — an issue that affects everyone who uses the internet,” the six Democrats wrote. The same six Democrats followed up with a letter to the Government Accountability Office on July 7 that asked the office to examine the FCC’s “information technology and information security practices.”

Nothing connected to the internet is safe from hackers. And I mean nothing. Modern cybersecurity is a constant cycle of breaches and patches. Systems are compromised, security experts play catch up, and eventually hackers find a new way in. Each side tries to outwit the other. But at any given moment, one of them is always a step ahead. President Donald Trump doesn’t seem to understand that. “Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded,” he tweeted July 9. Yes, Russia. Yes, really. Setting aside the question of what “many other negative things” Trump and Putin plan to guard, and how; and setting aside the absurdity of the idea that the United States would partner with Russia, of all countries, on a cybersecurity initiative, there is a basic question to answer: Is “impenetrable cybersecurity” even possible? No, it is not.

Cybersecurity specialists are warning that President Donald Trump’s voter-fraud commission may unintentionally expose voter data to even more hacking and digital manipulation. Their concerns stem from a letter the commission sent to every state, asking for full voter rolls and vowing to make the information “available to the public.” The requested information includes full names, addresses, birth dates, political party and, most notably, the last four digits of Social Security numbers. The commission is also seeking data such as voter history, felony convictions and military service records.

Digital security experts say the commission’s request would centralize and lay bare a valuable cache of information that cyber criminals could use for identity theft scams — or that foreign spies could leverage for disinformation schemes. “It is beyond stupid,” said Nicholas Weaver, a computer science professor at the University of California at Berkeley.

The FBI will not investigate a cyberattack that crashed the Federal Communications Commission’s website during an influx of comments on an agency plan to reverse network neutrality.

Agency chief Ajit Pai said the FBI declined to investigate the FCC cyberattack that followed a “Last Week Tonight with John Oliver” segment in May, when Oliver called on viewers to submit comments opposing Pai’s plan to scale back net neutrality rules. “In speaking with the FBI, the conclusion was reached that, given the facts currently known, the attack did not appear to rise to the level of a major incident that would trigger further FBI involvement,” Pai wrote to a pair of Senate Democrats, who were skeptical of the attack. “The FCC and FBI agreed to have further discussions if additional events or the discovery of additional evidence warrant consultation.”

The Federal Communications Commission's network neutrality docket continues to draw a crowd of critics. The latest is House Commerce Committee Ranking Member Frank Pallone (D-NJ). Rep Pallone has called on the Department of Justice and the FBI to investigate whether any federal law has been broken in the filing of fake comments using stolen identities, as some have claimed.

Rep Pallone said he was also worried that some "unknown parties" may be trying to influence federal policy. hat came in a letter to attorney general Jeff Sessions and acting FBI director Andrew McCabe. Rep Pallone wants them to investigate net neutrality activist group Fight for the Future's assertion that at least 14 people had told the FCC that their identities had been used to file comments without their permission, as well as that some 450,000 identical comments were submitted by an "unknown party" that may have been using info gained via data breaches. "Federal law prohibits knowingly making any materially false statement or representation in any matter within the jurisdiction of the executive, legislative, or judicial branch," Rep Pallone's office said.

A new wave of powerful cyberattacks hit Europe on June 27 in a possible reprise of a widespread ransomware assault in May that affected 150 countries. Ukraine reported ransom demands targeting the government and key infrastructure, and the Danish Maersk conglomerate said many of its systems were down. The Russian oil giant Rosneft was also hit, as was the British advertising and marketing multinational WPP. Norway’s National Security Authority said an “international company” there was affected.

Ukraine first reported the cyberattacks, saying they targeted government ministries, banks, utilities and other important infrastructure and companies nationwide, airport departure tables and demanding ransoms from government employees in the cryptocurrency bitcoin. By midafternoon, breaches had been reported at computers governing the municipal energy company and airport in Ukraine’s capital, Kiev, the state telecommunications company Ukrtelecom, the Ukrainian postal service and the State Savings Bank of Ukraine. Payment systems at grocery stores were knocked offline, as well as the turnstile system in the Kyiv metro.

Federal Communications Commission Chairman Ajit Pai unveiled new details about a reported cyberattack that came after comedian John Oliver urged his viewers to flood the agency with pro-network neutrality comments. In response to a series of questions about the incident from Sens Ron Wyden (D-OR) and Brian Schatz (D-HI), Chairman Pai said he was taking the issue seriously. “I agree that this disruption to [the Electronic Comment Filing System] by outside parties was a very serious matter,” Pai wrote in a letter. “As a result, my office immediately directed our Chief Information Officer (CIO) to take appropriate measures to secure the integrity of ECFS and to keep us apprised of the situation. The Commission's CIO has informed me that the FCC's response to the events sufficiently addressed the disruption, and that ECFS is continuing to collect all filed comments."

The ECFS slowed to a crawl after Oliver’s HBO show addressed the net neutrality proceeding in May, leading many to assume that the system was bogged down by an influx of public filings. But the next day, FCC CIO David Bray said the disruption was caused by a malicious distributed denial of service (DDoS) attack, a move designed to take down a site by flooding it with fake traffic. “I appreciate the FCC’s response,” Sen Wyden said. “I’m waiting to draw any final conclusions until the FBI weighs in. However, it is clear that FCC wasn’t ready for this attack. In the future, the agency should consider other ways to submit comments if its web portal fails again.”