The Electronic Frontier Foundation (EFF) is asking the Library of Congress to give owners of voice assistant devices like Amazon’s Echo, Google Home and other voice assistants the right to “jailbreak” the devices: freeing them from content control features designed to prevent users from running unauthorized code on those...
A recent article in the New York Times postulated America may choose to respond to a devastating cyberattack with a nuclear response. In November of 2017, a widely viewed social media video entitled Slaughterbots suggested “swarms of AI-controlled drones [could] carry out strikes on thousands of unprepared victims with targeted precision.” Both of these articles raised […]
There is a common assumption in the infosec community that enormous breaches like those at Equifax, Anthem, and Target are the new norm. That the next mega breach is simply a matter of time. This is because large companies loathe spending money on things that are not directly profitable like secure infrastructure or quality training for employees. Further, there isn’t really any external pressure on corporations to do better—so they won’t.
Some countries have recognized that these sorts of negative externalities cause significant public harm, and have sought to get ahead of the threat curve with cybersecurity legislation. Singapore currently has a comprehensive cybersecurity bill under consideration that is trying very hard to bring a bit of order to the wild west of technology threats. The bill is exhaustive in covering management of cyberthreats, so let’s look at what it does well and what it does not do well.
- Appoints a national CISO. US cyberdefenses frequently suffer from an unclear chain of command, as well as competing agency priorities. The buck needs to stop somewhere to mount an effective defense.
- Designates critical infrastructure. You cannot prioritize defenses for systems you aren’t looking at.
- Duty to report. This is a big one. Fearful of liability, stock impact, or reputational damage, corporations often sit on cyberattack disclosure for months—sometimes until an executive can sell his company’s stock. Removing any ambiguity on when and how to report breaches gets everyone on the same page.
- Designates best standards and obliges companies to follow them. There’s currently no consistent, agreed-upon best cybersecurity practices for companies to follow.
- Power to investigate and force remediation. In contrast to the US, where defense contractors handling critical infrastructure were not obligated to report breaches until 2015 and to date have not lost any contracts due to loss of classified data, Singapore’s draft bill grants a cybersecurity officer the authority both to investigate a critical infrastructure breach and to compel remediation along industry best practices.
- Licenses infosec corps. While this could be a little iffy in the implementation, holding companies that audit critical infrastructure to an agreed-upon standard benefits everyone. Infrastructure owners know precisely what services they are paying for, cybersecurity officials can judge the impact of standardized services more accurately, and no one has to deal with a Norse Corp.
The not so good
- Criminal sanctions for offenses. While seemingly a no-brainer, breaches are rarely due to a single individual’s malfeasance, and much more often the end result of a sick corporate process. A more effective deterrent would be fines levied at the corporate level, and large enough to hurt. While an ineffective company can lose a handful of employees quite easily, it would feel the loss of a profit percentage much more acutely.
- Secrecy. Many sections within the bill contain provisions for non-disclosure and corresponding fines and imprisonment for anyone speaking out about a breach in a non-approved way. From a governance perspective, this makes sense. Singapore is deriving their authority to monitor critical infrastructure by classifying breaches as a security threat, and a classic belief of governments is that one does not speak publicly of security threats. Network threats are different. Configurations and applications used by a shipping company can have significant overlap with those used at non-critical corporations. Transparency and information sharing not only pressure a breached company to demonstrate an adequate remediation but also offer lessons learned that can keep hundreds of less critical organizations safe. Sunlight and sharing are proven methods for defenders to propagate best solutions to everyone.
What does it mean?
Traditionally, information security has been viewed as the responsibility of individual companies, and not a particularly important one at that. Efforts of countries like Singapore to centralize cyberthreat defense and vulnerability remediation are an attempt to acknowledge the reality that breached infrastructure affects everyone. A hack might stay within an offshore drilling company, but the knock-on effects to shipping, trade, and the environment can create an impact on millions of citizens.
While the law has not traditionally been responsive to technology needs, that is gradually changing. With input from industry leaders and privacy advocates, technology law has the potential to change for our benefit.
Check out the full text of the bill here.
The post Singapore government gets into the network defense game appeared first on Malwarebytes Labs.
While it's doubtful that the US will catch the Russians accused of participating in the massive 2014 Yahoo breach, a third culprit appears ready to cooperate. Reuters has discovered that Canadian citizen Karim Baratov is slated to appear for a "change of plea" hearing on November 28th, indicating that he's likely to plead guilty to helping Russian officers (Dmitry Dokuchaev and Igor Sushchin) swipe 500 million Yahoo accounts. His attorney has declined to comment, but he has already waived his right to avoid extradition to the US.
Section 215 of the US Patriot Act has been in the headlines a lot lately. This controversial section was used by the US intelligence agencies to scoop up large quantities of US phone records, among other things. The section had a sunset clause and needed to be renewed periodically, with the latest deadline at midnight May 31st 2015. The renewal has previously been a rubber-stamp thing, but not this time. Section 215 has expired and been replaced by the Freedom Act, which is supposed to be more restrictive and better protect our privacy. And that made it headline news globally.
But what does this mean in practice? Is this the end of the global surveillance Edward Snowden made us aware of? How significant is this change in reality? These are questions that aren’t necessarily answered by the news coverage.
Let’s keep this simple and avoid going into details. Section 215 was just one part of a huge legal and technical surveillance system. The old Section 215 allowed very broad secret warrants to be issued by FISA courts using secret interpretations of the law, forcing companies to hand over massive amounts of data about citizens’ communications. All this under gag orders preventing anyone from talking about it or even seeking legal advice. The best known example was probably the bulk collection of US phone records. It’s not about tapping phones, rather about keeping track of who called whom at what time. People in the US could quite safely assume that if they placed calls, the NSA had them on record.
The replacement, the Freedom Act, still allows a lot of surveillance, but aims to restrict the much criticized mass surveillance. Surveillance under the Freedom Act needs to be more specific than under Section 215. Authorities can’t just tell a telecom operator to hand over all phone records to see if they can find something suspicious. Now they have to specify an individual or a device they are interested in. Telecom operators must store certain data about all customers, but only hand over the requested data. That’s not a problem; it is pretty much data that the operators have to keep anyway for billing purposes.
This sounds good on paper, but reality may not be so sunny. First, the Freedom Act is a new thing and we don’t know yet how it will work in practice. Its interpretation may be more or less privacy friendly; time will tell. The surveillance legislation is a huge and complex whole. A specific kind of surveillance may very well be able to continue, sanctioned by some other paragraph, even if Section 215 is gone. It’s also misleading when the media report that Section 215 intelligence stopped on June 1st. In reality it continues for at least six months, maybe longer, to safeguard ongoing investigations.
So the conclusion is that the practical impact of this mini reform is a lot less significant than what we could believe based on the headlines. It’s not the end of surveillance. It doesn’t guarantee privacy for people using US-based services. It is, however, an important and welcome signal that the political climate in the US is changing. It’s a sign of a more balanced view on security versus basic human rights. Let’s hope that this climate change continues.
Image by Christian Holmér