Cyber Security

Cyber Security

Mathematical Mesh alpha release promises better end-to-end encryption

Articles, Blog, Cyber Security, cybersecurity, Encryption
featured image

Web pioneer proposes a new cryptographic system that relies on threshold key infrastructure to improve end-to-end encryption.

One of the main challenges posed by the internet has been the need to secure communications across a massive tangle of public and private networks. Security experts agree that end-to-end communication encryption is the best means of defending users against third-party interception or breaches that could expose the potentially sensitive content.

End-to-end encryption, however, has been more of a dream than a reality, particularly given the rise of “walled gardens” led by internet giants such as Google, Facebook and Amazon. Each always maintains some form of access to their users’ communications.

A new approach to end-to-end encryption called Mathematical Mesh was quietly introduced at this year’s HOPE (Hackers of Planet Earth) conference by esteemed cryptographer Phillip Hallam-Baker, who is currently a principal scientist at Comodo and was formerly a member of the CERN team that designed the World Wide Web, among many other accomplishments.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Many Cyberspace Solarium Commission recommendations expected to become federal law

Articles, Blog, Congress, Cyber Security, cybersecurity, Cyberspace Solarium Commission
featured image

Dozens of cybersecurity measures designed to protect US businesses and infrastructure are part of the National Defense Authorization Act. Budget, political concerns might eliminate some.

Several cybersecurity proposals are advancing in both the US House and Senate that flow from the prolific work of the public-private brainstorming initiative called the Cyberspace Solarium Commission. The Commission was formed in 2019 to break through the seemingly intractable barriers blocking the path to devising and implementing practical solutions to the most challenging cybersecurity problems.

The vehicle through which the commission hopes to enact several dozen of its legislative recommendations (out of 75 recommendations included in its inaugural report this past spring) is the National Defense Authorization Act (NDAA), an annual “must-pass” federal law that sets the budget and expenditures for the US military. The commission’s executive director Mark Montgomery estimated earlier this month that each chamber’s bills would feature eight to 20 of the commission’s recommendations.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Twitter hack raises alarm among government officials, security experts

Articles, Blog, Cyber Security, cybersecurity, hacking, Twitter
featured image

The recent account takeover attack underscores how Twitter and other social platforms have become a critical component of political systems worldwide.

A hack of Twitter last week shook the foundations of the internet, cybersecurity, and political worlds. A gang of young people purportedly obsessed with OGusers, early Twitter adopters with one or two characters in their handles, ostensibly targeted 130 high-profile accounts and reset passwords and sent messages from the accounts of 45 “celebrities.” The hacks appear financially motivated, with the attackers fleeing with $121,000 worth of bitcoin generated through the scam messages they sent from the accounts of Joe Biden, Barack Obama, Bill Gates, Elon Musk and other personages.

Coming as they did during a period of high paranoia just a few months from the 2020 presidential election, the hacks seem somehow intermixed with the ongoing fear of the kinds of nation-state digital attacks that took place during the 2016 elections. The take-over of what has become a vital political platform attracted the attention of lawmakers, including James Comer (R-KY), the ranking member of the House Committee on Oversight and Reform, who sent a letter to Twitter CEO Jack Dorsey demanding a briefing no later than July 24.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Time running out to protect US November elections

Articles, Blog, Cyber Security, cybersecurity, elections
featured image

Experts say it’s too late for significant legislative action to better protect voting this fall, but meaningful changes are still possible.

Four years have passed since the 2016 presidential election when revelations of Russian hacking of the DNC threw political contests into turmoil. In the aftermath, the Mueller investigation, Justice Department indictments and other efforts made clear that the US election and voting systems themselves were the targets of cyberattacks. The subsequent Mueller probe and DOJ indictments also revealed massive Russian digital disinformation campaigns that permeated the election.

Now, as the country heads into the next presidential campaign weakened by a pandemic and laboring under a collapsed economy, little has happened over the past four years to substantially shore up voting, campaign or election security, with only marginal improvements made around the edges. There is time, though, to implement last-minute security measures that could substantially improve election integrity, experts say.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

New DOE document names China, Russia as threats to US bulk power system

Articles, Blog, Critical Infrastructure, Cyber Security, cybersecurity, DOE
featured image

A US Department of Energy RFI seeks information on energy industry’s supply chain security practices following executive order to develop industry regulations.

On May 1, the Trump Administration issued an Executive Order on Securing the United States Bulk Power System that seeks to remove from the power grid crucial electric equipment supplied by vendors from foreign adversarial nations. Yesterday, the Department of Energy (DOE), Office of Electricity issued a request for information (RFI) “seeking information to understand the energy industry’s current practices to identify and mitigate vulnerabilities in the supply chain for components of the bulk-power system (BPS).”

The RFI is a follow-on to the executive order (EO), which directs the Energy Department, in consultation with other agencies, to develop regulations implementing its goals through a rulemaking process. The EO defines electric equipment as items used in substations, control rooms and power generating stations, including reactors, capacitors, substation transformers, large generators, voltage regulators, along with several other defined pieces of electrical equipment.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Domestic 5G development at core of US communications security plan

5G, Articles, Blog, Cyber Security, cybersecurity, White House
featured image

New NTIA document outlines White House 5G security goals, which promote home-grown R&D and call for continuous risk assessment and management.

In late March, during the first phase of the coronavirus lockdown, the White House issued a little-noticed document entitled The National Strategy to Secure 5G of the United States, which articulates a “vision for America to lead the development, deployment, and management of secure and reliable 5G communications infrastructure worldwide, arm-in-arm with our closest partners and allies.” The document was the White House’s effort to comply with the Secure 5G and Beyond Act, which required the president to” develop a strategy to ensure the security of next generation mobile telecommunications systems and infrastructure in the United States.”

The Act also required the president to submit within 180 days an implementation plan developed in consultation with a host of government departments and agencies. In May, the Commerce Department’s National Telecommunications and Information Administration (NTIA) began a proceeding to receive comments on how it might implement the vision of the White House Strategy, with the comment period ending on June 25. Early this week, NTIA posted the comments it received from 80 organizations, corporations and interested individuals.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Bipartisan bill could bring back the White House national cyber director role

Articles, Blog, Congress, Cyber Security, cybersecurity, White House
featured image

Cyberspace Solarium Commission leaders introduce the National Cyber Director Act to reintroduce cybersecurity expertise into the White House.

Last week a bipartisan group of US House of Representatives legislators introduced the National Cyber Director Act to create the position of a national cyber director within the White House. The creation of this role is one of the chief recommendations of an increasingly influential intergovernmental group known as the Cyberspace Solarium Commission.

The commission issued its report — the product of months-long deliberations by four members from congress, four senior executive agency leaders and six experts from outside of government – just as the coronavirus pandemic quarantine kicked in during March. Nevertheless, the commission’s 80 recommendations, such as creating a national cyber director, are quickly being translated into actionable legislation on Capitol Hill.

Two of the commission’s leaders, Cyberspace Solarium Chair Congressman Jim Langevin (D-RI) and Solarium Co-Chair Congressman Mike Gallagher (R-WI), introduced the bill. Other legislators backing the bill include House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-NY), Ranking Member of the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure and Innovation John Katko (R-NY), former Ranking Member of the House Intelligence Committee C. A. Dutch Ruppersberger (D-MD), and Ranking Member of the House Intelligence Committee’s Subcommittee on Intelligence Modernization and Readiness Will Hurd (R-TX).

[This article appeared in CSO Online. To read the rest of the article please visit here.]

New Republican bill latest in long line to force encryption backdoors

Articles, Blog, Congress, Cyber Security, cybersecurity, Encryption
featured image

Here we go again. Senate Republicans push a new bill to mandate “lawful access” to encrypted devices and data. It won’t end until law enforcement has better cyber forensics capabilities.

In what seems like Groundhog Day when it comes to encrypted communications, a group of Republican senators last week introduced the Lawful Access to Encrypted Data Act, which aims to end the use of so-called “warrant-proof” encrypted technology by terrorists and criminals. Senate Judiciary Committee Chairman Lindsey Graham (R-SC), Tom Cotton (R-AR) and Marsha Blackburn (R-TN) introduced this latest measure to find a way for law enforcement to gain access to devices and data that are protected by unbreakable encryption methods.

“The Lawful Access to Encrypted Data Act is a balanced solution that keeps in mind the constitutional rights afforded to all Americans while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security,” the Senators said in a statement.

Although the bill’s proponents don’t say so explicitly, the “lawful access” it seeks to establish mirrors a long string of potentially damaging efforts by the federal government to install backdoors into encrypted communications, according to critics. Virtually all cybersecurity and cryptography experts insist that any break in the encryption chain will break security and protection altogether, leaving criminals and adversarial nation-states with even more power to hack into users’ devices and communications for nefarious purposes.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Data security risks threaten approval of Chinese undersea cable plan

Articles, Blog, China, Cyber Security, cybersecurity, FCC, Law, News, Team Telecom
featured image

The US government’s “Team Telecom” wants to partially deny a proposed undersea cable connection between the US and Hong Kong over surveillance, data theft concerns.

On June 17, the intergovernmental group known as Team Telecom filed on behalf of the Executive Branch a recommendation to the Federal Communications Commission (FCC) to partially deny an undersea cable system application by a Chinese company called Pacific Light Cable Network (PLCN). Team Telecom (recently renamed as the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector) consists of the Department of Homeland Security )DOH) and the Department of Defense (DOD) led by the Department of Justice’s National Security Division, Foreign Investment Review Section. In its filing Team Telecom specifically urged the commission to reject that part of the application that involves a direct connection between the US and Hong Kong.

The rationale for the recommended rejection echoes similar recent moves by the Trump Administration to push Chinese technology out of the US telecommunications system and power grid supply chains. The White House, along with Team Telecom, has stepped up its arguments that China poses a digital and technology security threat, a contention that is occurring against a backdrop of soured trade negotiations and a politically deteriorating relationship between the US and China.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Revised DOJ compliance guidance offers risk-management lessons for cybersecurity leaders

Articles, Blog, Cyber Security, cybersecurity, Law, News
featured image

Prosecutors use this guidance to assess criminal liability in a compliance breach, so it behooves business and security leaders to understand the expectations.

In February 2017, the Criminal Division of the US Justice Department (DOJ) issued its first-ever guidance for prosecutors of white-collar crime to use when assessing whether a company complied with its own risk management program. The document urged prosecutors to consider whether a company’s compliance program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.” That guidance was updated in April 2019 into a formal document called “The Evaluation of Corporate Compliance Programs.”

Both documents aim to give prosecutors criteria to consider when bringing criminal charges. The three fundamental questions prosecutors are urged to answer when assessing whether the compliance programs are helping to “promote corporate behaviors that benefit the American public” are:

  1. Is the program well-designed?
  2. Is the program effectively implemented?
  3. Does the compliance program work in practice?

On June 1, the DOJ issued yet another update to its compliance guidance, this time weaving in new language to make sure compliance programs aren’t merely one-and-done snapshots, but are instead dynamic programs that get updated to fit changing circumstances. The new guidance also asks prosecutors to make sure compliance programs are adequately resourced within organizations.

[This article appeared in CSO Online. To read the rest of the article please visit here.]