  • Don’t Get Grinched by Cybercrime During the Holiday Season: Picks of the Week


    “Holiday shopping by mobile phone? Beware fake apps and bad Wi-Fi hotspots” – Computerworld

    “Worried about Black Friday Cyber Scams? 6 Ways to Protect Your Money” – Forbes

    “5 Ways Retailers Can Stay Safe Over the Holidays” – Dark Reading

    The holiday shopping season is about to get into full swing and retailers are gearing up for another record season of online sales. Research group eMarketer expects that online retail sales will bring in at least $94 billion – or 10.7% of the total retail sales – from now until the end of the holidays, a 17.2% increase in online sales from last year.

    But as millions of consumers pick up their smartphones and tablets to go holiday shopping and flock to the Internet as their preferred, convenient “one-stop-shop” for all gift-buying needs, hackers and cyber criminals are not too far behind… In fact, this is prime cybercrime season for digital crooks timing their phishing emails, malicious links, and other online scams and attacks to Black Friday, Cyber Monday, and through the rest of the holiday season. They prey on the naiveté of shoppers looking to score a holiday deal or take advantage of a special reward to trick them into downloading malware, giving up login credentials and credit card information, or sending payments to bogus sites.

    Consumers and retailers alike should be prepared for an even higher risk of online fraud and social engineering scams across all channels than in past years. A new report from cybersecurity company Kaspersky Lab shows that the number of online attacks during this high sales season is 9% higher than the average number of attacks that happen during other months of the year, and 2016 is on track to be a record season for online sales… and online scams!

    While security experts continue to work to find possible solutions against the latest malware and scam techniques, here are some of my yearly tips on how to protect yourself from online Grinches this holiday season:

    • Before, during, and after the holidays, keep an eye on your bank and credit card accounts for signs of suspicious activity, mystery charges, or “micro-charges” – Hackers often test cards to see if they are valid by charging small amounts of $1 or $2. If those cards are found to be valid, they can then sell them to other crooks for a premium. If you notice any unauthorized charges, immediately contact your bank.
    • Buy only from reputable merchants and recognized websites – Be wary of emails and pop-up messages asking for your password, credit card number, or personal information. No established business would ask consumers to disclose such information via email or pop-up. Do not reply or click on the links in these messages as they may take you to copycat malicious websites. Instead, look for the ‘HTTPS’ in the address bar of your online retailer and check the specific email address and domain name of the sites to make sure it’s really from the retailer and not a close derivative. If in doubt, contact the legitimate organization directly to verify authenticity.
    • Be aware of fake commerce apps – Download apps only from Google and Apple official app stores – which have more rigid requirements for banning malicious apps – and be skeptical of apps that ask for suspicious permissions like access to contacts, text messages, stored passwords, or credit card information.
    • Avoid “free Wi-Fi networks” – Don’t use public Wi-Fi networks, especially when using your phone for banking and e-commerce. Personal and banking information should never be sent through unsecured wireless connections in public places. Get your Starbucks Peppermint Mocha and don’t stay for the free Internet!
    • Be skeptical of deals that sound too good to be true – Do not fall for rock bottom bargains unless you make certain they are legitimate by contacting the merchant and asking questions before making a purchase. If a deal seems too good to be true, it probably is!
    • Be alert for potential charity donation scams – Think before clicking on emails requesting donations. Make a contribution by navigating to the trusted web address of the charity, never through a link in an email.
    • Use strong passwords and dual-factor authentication – Create long, complex passwords using upper and lower-case letters, special characters, and numbers, and use a different one for each online account. Various password management programs (1Password, KeePass, or LastPass) exist to help you manage your various passwords so that you are not overwhelmed. These programs are safe and secure, and they can generate hard-to-crack passwords for you.
    • Do not send cash or wire money for payment – Pay with a credit card or, even better, gift/charge card. The best option is to keep a separate credit card for online purchases.
    • Secure your computer and mobile devices – Update your devices to the most current operating system and keep your anti-virus and anti-spyware software up to date, along with your firewall. They will help monitor all online activities and protect your devices from viruses, worms, Trojan horses, and other types of malicious programs.
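    One way to put the “check the domain name, not a close derivative” advice from the reputable-merchants tip into a defender-side check. This is an added example, not code from the original post; it assumes a constructed allowlist (TRUSTED_DOMAINS) and simplifies the registrable domain to the last two labels, so multi-label suffixes such as co.uk are not handled.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption for this example): the retailers the shopper actually uses.
TRUSTED_DOMAINS = {"example-retailer.com", "example-bank.com"}

# Character swaps commonly used in lookalike domains, folded back to their plain form.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def extract_host(target):
    """Return the lowercase host from a URL (with or without scheme) or an e-mail address."""
    target = target.strip()
    if "@" in target and "://" not in target:
        host = target.rsplit("@", 1)[1]
    else:
        host = urlsplit(target if "://" in target else "http://" + target).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Last two labels of the host (simplification: ignores suffixes such as co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _fold(label):
    """Normalise a label so visually similar spellings (examp1e, exarnple) compare equal."""
    for bad, good in _CONFUSABLES:
        label = label.replace(bad, good)
    return label.replace("-", "")


def levenshtein(a, b):
    """Edit distance between two strings, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target, trusted=TRUSTED_DOMAINS):
    """Classify a link or sender address as 'trusted', 'lookalike' (close derivative) or 'unknown'."""
    host = extract_host(target)
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    reg_label = reg.split(".")[0]
    for t in trusted:
        t_label = t.split(".")[0]
        # Brand name reused under another TLD, as a subdomain of a different site, or with extra words.
        if t_label in host:
            return "lookalike"
        # Same brand with confusable characters swapped in, or within two edits of the real name.
        if _fold(t_label) == _fold(reg_label) or levenshtein(t_label, reg_label) <= 2:
            return "lookalike"
    return "unknown"


def uses_https(url):
    """The tip's other check: the retailer's page should be served over HTTPS."""
    return urlsplit(url).scheme == "https"


if __name__ == "__main__":
    # Constructed samples: one legitimate link and sender, three derivatives, one unrelated site.
    for sample in ["https://www.example-retailer.com/deals", "promo@example-retailer.com",
                   "http://example-retailer.com.deals-login.net/", "https://examp1e-retailer.com",
                   "deals@exarnple-retailer.net", "https://shop.example.org"]:
        print(f"{sample:50} -> {classify(sample)}")
```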

    Some additional tips on how to protect your company from cyber threats and strengthen your overall cybersecurity posture:

    • Protect your organization’s endpoints and servers – Scan your organization’s network environment for threats that may have been lurking for several months before surfacing as a malicious attack during the holidays. Harden your servers with good access control and security tools such as antivirus and antimalware software, and run frequent patches and updates. Consider advanced endpoint threat prevention tools that protect memory from experiencing distributed denial-of-service (DDoS) attacks and other complex advanced threats.
    • Train your organization’s workforce – Before the holiday season starts, make sure all your employees receive at least some basic training in cybersecurity and cyber hygiene, and create an environment where they feel comfortable coming to managers if they see any suspicious emails or files.
    • Have a documented and tested incident response plan in place – Make sure your employees know what to do and who to contact if they see something suspicious, and establish clear roles and responsibilities before a serious breach happens. The incident response plan should be regularly exercised and updated.
    • Create a culture of security that starts from the top – If management is committed to a culture and environment that embraces honesty, integrity, security, and ethics, employees are more likely to uphold those same values. Cybersecurity is a shared responsibility!


  • Can the Vote Really Be Hacked? Picks of the Week

    No, the presidential election can’t be hacked | CNN

    US election machine technology is out of date, experts say | CNBC

    How Clinton, Trump Could Champion Cybersecurity | Dark Reading

    Although we are aware of the efforts by the Russian government to discredit American democracy and interfere with the election, the chance that a malicious actor can carry out a hack that would change the outcome of the presidential election seems virtually impossible. Nonetheless, the recent high-profile hacks of Democratic political organizations and states’ voter registration databases by Russian hackers have already achieved the desired effect of sowing at least some doubts about the integrity of the US election, a concept reinforced repeatedly by Republican nominee Donald Trump in his proclamations that the election is “rigged.”

    Skeptics have dismissed those concerns based on the fact that the electoral system is a decentralized system managed at the state and local levels, and that the voting machines themselves – which are what voters will use to cast their ballots – are standalone systems that are not connected to the Internet. Unlike state voter registration systems that have been hacked or probed in past weeks, the actual voting machines would be much harder to hack remotely and the probability of hacking at the polls remains low. The election may still be manipulated, however, through other cyber means such as bribing a machine operator to inject malicious software, rewriting software to change the way that votes are counted or tabulated, manipulating other weak points in the system, or directly exploiting a vulnerability in the machine’s software. So, if the question is, ‘Is it possible to hack the vote?’, the answer is yes, definitely!

    Moreover, research shows that the technology behind most voting machines is grossly outdated – 43 states have voting machines that are at least a decade old – and that many of those machines are so riddled with vulnerabilities that almost anyone with rudimentary technical skills could break into them in order to corrupt voting results. And most states don’t have the funding to upgrade their equipment, which in turn doesn’t motivate technology providers to innovate those systems.

    In addition to legacy systems and outdated technology, another concern with voting machines is that some of them don’t have any form of paper trail. Over the past few years, almost all states have moved to using paper ballots or electronic voting systems that maintain a verifiable paper audit trail of the ballots. Five states (Delaware, Georgia, Louisiana, New Jersey, and South Carolina), however, use completely paperless voting systems. If even one of the voting machines in those jurisdictions is hacked, or malfunctions, or if concerns arise about the legitimacy of a county or state’s election results, there is no independent means to audit individual votes in those particular precincts. Other states, including Pennsylvania, Virginia, Kentucky, and Tennessee, use a combination of paper ballots and paperless voting systems, depending on the jurisdiction. The concern with paperless systems is that they do not offer the same solid audit trail that a paper ballot does, and would make it much harder to prove with absolute certainty that votes were recorded as cast. Additionally, 31 states allow Internet voting, which could in principle be intercepted and subverted by a sophisticated hacker. Fortunately, most states that allow online voting restrict it to military and overseas residents or citizens with disabilities only. Many states also require voters to mail in paper ballots separately. Only Alaska allows for any registered voter to ask for and submit ballots electronically.

    Another threat to the ballot box would be if hackers were able to delete voters from the database entirely, meaning when they arrived at the polls, their names wouldn’t appear in the system. In this case, however, voters could still cast a provisional ballot and then follow up to verify their registration in the days following the election. The process would be tedious, but not prohibitive.

    While public officials continue to reassure us that the idea that someone could actually hack in any meaningful way into the election system so as to skew the result of the presidential election is far-fetched, rumors of hacking – even if not successful – or even one small case of electronic tampering or manipulation on November 8 could seriously undermine confidence in the election and play into a losing politician’s claim that the election was “rigged.”

    So, what can citizens, state administrators, and federal officials do to ensure the confidentiality and integrity of these elections?

    State boards of elections and law enforcement officials have been hard at work to safeguard elections, and the Department of Homeland Security is working with election officials to monitor suspected breaches on voting systems and bolster security in general. In particular, election officials should continue to implement proper security controls, scan all systems for flaws, test all equipment prior to the election, assure a chain of custody for voter records, maintain up-to-date master files of voter records separate from the public facing online system, put adequate physical security measures in place to prevent unauthorized access, and introduce contingency measures in case of equipment failure.

    As a citizen, if you see anything suspicious such as signs of tampering with voting machines or any sort of intimidation of voters, you should alert local authorities and the election observers available at all polling locations. In addition, you should carry your voter registration card and be reassured that most states also keep frequently updated back-up copies of voting rolls offline or in hard copy. Those back-ups could be used to rectify any wrong changes made by malicious actors.

    – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Championing Cybersecurity Awareness Month: Picks of the Week

    Presidential Proclamation – National Cybersecurity Awareness Month, 2016 | The White House

    How Weak Cybersecurity could Disrupt the U.S. Election | Politico

    Cybersecurity is just too much trouble for the general public, claims study | TripWire

    Obama administration accuses Russian government of election-year hacking | Politico


    October marks National Cyber Security Awareness Month (NCSAM) – a time when participating governments and organizations come together to raise public awareness about cybersecurity, provide citizens and businesses alike with tools and resources needed to stay safe online, and increase the Nation’s resilience in the event of a cyber incident.

    NCSAM is a coordinated effort of the National Cyber Security Alliance (NCSA), the U.S. Department of Homeland Security (DHS), the Multi-State Information Sharing and Analysis Center (MS-ISAC), as well as companies, schools, and nonprofit organizations around the country. This year, the stakes are higher than ever: over 169 million personal records were exposed in the US in 2015 alone and, so far, 22% more breaches have been reported this year. The average cost of a data breach has risen to $4 million per incident, and US businesses are losing up to $300 billion in intellectual property theft alone. Hackers release a new piece of malware every 200ms (a couple of thousand by the time you’re done reading this article), and hacking attempts show no signs of slowing. At the same time, the general public seems to be suffering from “security fatigue” and a feeling of helplessness when it comes to their online security, according to a new study. Compounding these issues, the integrity and legitimacy of the upcoming Presidential election seem to be hanging in the balance after the recent string of hacks of Democratic Party organizations and voter registration systems.

    Recognizing the importance of cybersecurity issues, President Obama designated October as National Cyber Security Awareness Month in 2004, and this year kicked things off with a presidential proclamation that highlighted his new Cybersecurity National Action Plan, as well as the establishment of a Commission on Enhancing National Cybersecurity – which has been hard at work to recommend ways to strengthen cybersecurity in both the public and private sectors and promote best cybersecurity practices. “Keeping cyberspace secure is a matter of national security, and in order to ensure we can reap the benefits and utility of technology while minimizing the dangers and threats it presents, we must continue to make cybersecurity a top priority,” Obama’s proclamation reads.

    Salve Regina University is an official champion of National Cyber Security Awareness Month, and for the second year in a row, the Pell Center is supporting this national effort and is actively participating in multiple discussions and initiatives across the country. In addition, the Pell Center is posting cybersecurity tips, resources, and insights on social media throughout the month, and is hosting cybersecurity-related events around campus, including a panel discussion on “Hacking the Election.”

    In addressing pressing cybersecurity issues, National Cyber Security Awareness Month has a distinct theme for each week. The overall message of this initiative is to “STOP | THINK | CONNECT” – stop to make sure security measures are in place; think about the implications of our increasingly digital and connected lives and the consequences of our actions and behaviors online; connect and enjoy the benefit of the global Internet economy. That’s actually excellent advice for any online activity, whether that’s uploading snapshots, signing up for a new online service, clicking through to a website, making an online purchase, or downloading the latest app.

    While the upcoming week of National Cyber Security Awareness Month will be dedicated to “Creating a Culture of Cybersecurity in the Workplace,” the reality is that no individual, business, or government entity is immune to cyber risks and none of them is solely responsible for securing their own Internet connectivity and digital assets. All of us have a role to play in securing our critical services, our businesses, and the information we create, store, and process through the devices and networks we use. “Cybersecurity is a shared responsibility,” reiterated President Obama in his proclamation, and he stressed that everyone should do their part to ensure “our information is more secure, our data is safer, and our families and businesses are more protected than ever before. If we work toward this goal – as individuals and as a Nation – together we can realize our full potential in the digital age.” Indeed, individual actions have a collective impact, and when we use the Internet safely we make it more secure for everyone. If each of us does our part by implementing stronger security practices, adopting better cyber hygiene, and treating cybersecurity as an inherent component of every organization’s policies and processes, we can collectively become a more secure, safer, and resilient digital society.

    You can join in the conversation by following @PellCenter on Twitter and using the official NCSAM hashtag #CyberAware throughout the month, and can get additional information and resources by visiting Stop.Think.Connect, Stay Safe Online, and the European Cyber Security Month website.

    – Senior Fellow Francesca Spidalieri

  • Is Russia Trying to Hack American Politics? Picks of the Week

    Powell emails were leaked on a site linked to the Russian government | The Washington Post

    World Doping Agency Says Russian Hackers Stole Medical Records of Olympic Athletes | The Wall Street Journal

    How the next President can get cybersecurity right | Passcode

    The latest edition of the (almost) weekly hacks that appeared on the front pages of the newspapers this week featured the personal emails of former Secretary of State Colin Powell and the medical records of US and other Olympic athletes, both of which have been confirmed as authentic.

    The World Anti-Doping Agency’s (WADA) breach, in particular, appears to be the latest in a string of hacks by the Russian government, which has allegedly been using proxy hackers to target numerous US government agencies, political organizations, and other perceived adversaries in an attempt to undermine confidence in the US electoral system and in the integrity of the democratic process. WADA said that US law enforcement officials were able to trace this breach to a group of hackers known as Tsar Team (Fancy Bear), and that the group had illegally gained access via an International Olympic Committee (IOC)-created account.

    This latest episode may have been payback for the IOC’s decision to ban numerous Russian athletes from the 2016 Rio Olympics and Paralympics in the wake of a doping scandal that cast a shadow on the country’s sporting establishment. The hackers claimed that the documents posted on the website of Fancy Bear showed the use of performance-enhancing drugs by top U.S. athletes, though they acknowledged the athletes didn’t break any rules.

    Many cybersecurity and political experts have connected the WADA breach to various previous hacks, including those of the Democratic National Committee, the White House, the US State Department, and the US Joint Chiefs of Staff (although no public attribution has been made yet). Russian officials have denied involvement in the various hacks that the experts believe to be sponsored by Russian intelligence organizations. Analysts are said to have also linked Secretary Powell’s disclosures to the same hacker group Fancy Bear, although it has to be noted that similar hacks have been carried out by mischievous teens in the past.

    As I have stated before, if the recent cyber intrusions were indeed orchestrated by the Kremlin, it would be a whole new level of involvement by a foreign power in the US political system. The notion that a foreign country or third party can deliberately manipulate the American political process with targeted data breaches is both disturbing and dangerous, and it would open a new front in information warfare that could fundamentally change the value of data for national security. These hacks imperil the political process and could also yield data that can be used for other crimes as well: profiling, blackmailing, and even terrorist activity.

    The next President of the United States will need to prioritize cybersecurity to protect and defend US government agencies and other critical sectors. In a new book out this week, Larry Clinton argues that the next President should make a more aggressive use of the “cybersecurity social contract” model, which finds its origins in the impasse between a previous hands-off government approach that relied on market forces to compel businesses to improve their digital defenses and the surge in recent years of cybersecurity regulations, compliance standards, and penalties for noncompliance. The cybersecurity social contract model “recognizes that regulators can’t keep up with the fast pace of development in cybersecurity technology let alone the evolution of digital threats” and instead it “ensures more industry and government collaboration for sharing information to confront malicious hackers.” The new book includes a trove of strategic and operational recommendations for the next administration to address cybersecurity. In particular, Mr. Clinton also offers 12 specific steps for the new administration to work on collaboratively with the private sector by using the cybersecurity social contract model more actively. If we are to deter and mitigate future hacks successfully, this collaboration should begin sooner rather than later.

    – Senior Fellow for Cyber Leadership Francesca Spidalieri

  • It’s Time for Both Parties to Get Serious about Cybersecurity: Picks of the Week


    U.S. Seeks to Protect Voting System from Cyberattacks | The New York Times

    Political Campaigns need Chief Information Security Officers | Passcode

    How to Hack the Election in 7 Minutes | Politico Magazine


    In the wake of hacks that infiltrated the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign, in addition to the political fallout and the multiple warnings from cybersecurity experts about the potential for hacking to disrupt the election, state and national leaders are finally weighing in and proposing measures to protect parties’ sensitive information and the security of the entire election system.

    Secretary of Homeland Security Jeh Johnson is said to be considering whether to designate the US election system itself as critical infrastructure, which could heighten cybersecurity at the ballot box and have significant implications on how federal officials would respond to potential cyber attacks. The DNC recently announced that it has assembled a cybersecurity advisory board in response to the recent hack “to prevent future attacks and ensure that the DNC’s cybersecurity capabilities are best-in-class.”

    Simply deeming the US election system a new critical infrastructure (the US already considers 16 different sectors as so-called ‘critical infrastructures’) or hiring a few experts and a more sophisticated IT team, however, won’t be enough to ensure voters’ trust and confidence in our national security and in the integrity of our election process. If the nation’s politicians and political campaigns don’t improve their overall cyber defenses and develop new approaches and advanced techniques to strengthen our collective security, mitigate cyber risks, and help us prepare today for tomorrow’s challenges, not only will Americans’ personal data be at greater risk but the entire democratic process could be compromised.

    Many cybersecurity and political experts have connected the recent hacks and subsequent leak of sensitive emails back to the Russian government. If the cyber intrusions were indeed orchestrated by the Kremlin, it would be the first known state-backed cyber attack to harness the power of the Internet to manipulate a presidential election. The idea that a foreign or other power can deliberately manipulate voters and parties with targeted data breaches in an attempt to influence a presidential election would be insidious on an unprecedented level, and would open a whole new front in information warfare that could fundamentally change the value of data in national security.

    What the US government needs to do is prioritize the use of the limited resources available to first and foremost protect and increase the resilience of those critical infrastructures and services that our society and nation depend upon—power, telecommunications, and financial services—and, at the same time, make clear to any adversary that there will be serious consequences for cyber attacks that disrupt both national critical infrastructures or attempt to manipulate domestic electoral politics. As Jason Healey rightly stated, “the administration needs to be ironclad on the evidence [of the DNC hack] to convince the American people that this is about policy, not politics. This has got to be about defending a constitutional process, not a party.” Moreover, as Passcode’s contributor Bob Hansmann suggested, what “both the Democratic and Republican parties—as well as the Hillary Clinton and Donald Trump campaigns—should [do is] hire chief information security officers (CISO)” to better protect their sensitive information from unauthorized disclosure and “share intelligence on breach attempts and other malicious activity.” That’s not a cure-all by any means. But putting someone in charge of safeguarding their vast collections of sensitive data—whether on political strategies, the candidates themselves, or voters—would vastly improve their defenses against cyber criminals and the prying eyes of foreign intelligence operatives.

    Voters, donors, and the media need to keep up the pressure on politicians and candidates to work harder to prevent cyber attacks. After all, whoever the next President, Senators, and Representatives are, they will face immense challenges in updating policies, strategies, and laws to protect our country’s most valuable, sensitive information, systems, and infrastructure—including the computer networks and systems that operate our nuclear power plants, electrical grids, dams, and our democracy itself.

    – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Why the Democratic Party hacks should concern all Americans: Picks of the Week

    Dem party hacks shows neither side is serious about cybersecurity | The Hill

    Is Hacking Hillary Clinton Russian Payback for the ‘Freedom to Connect’? | Net Politics – Council on Foreign Relations

    By November, Russian Hackers Could Target Voting Machines | Lawfare


    The news that the Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign were hacked—allegedly by Russian state-sponsored hackers or proxies—has generated intense attention and has already cost the DNC chair her job and forced the resignation of the DNC’s CEO. More troubling, however, is the possibility that a foreign country may be using the fruits of its cyber espionage campaign to influence domestic electoral politics and to manipulate the U.S. presidential election. This affects more than just the Democratic party, and the string of cyber attacks has implications for every political party, every organization, and our democratic principles themselves.

    America must, before it is too late, have a rational and informed discussion about cybersecurity and the ramifications of cyber crime, cyber espionage, and even cyber disruption on our economy, national security, civil liberties, and democratic processes.

    As Col. Leighton (ret.) rightly pointed out this week in The Hill, “when the Internet was first developed, it was designed to foster communications between researchers. Security was, at best, an afterthought. Throughout the ’80s, ’90s, and the 2000s, we built ever more capable systems, developed faster and faster processors, housed billions of terabytes of data, and placed our private and public lives increasingly online. We did much of this without really designing security into the software and hardware that was making all this possible. Few of us really thought much about Internet security.”

    Today, the proliferation of information and communications technologies (ICTs) and the increased reliance on the Internet have exposed governments and organizations alike to a growing number of vulnerabilities and opened the door to a wide range of malicious cyber activities and different threat actors. Cyber risks can affect organizations of all sizes in all sectors and can represent an existential threat for highly connected societies.

    Companies and government agencies alike can actually do a lot to start building strong defenses necessary to protect, detect, mitigate, and respond to persistent cyber threats, but they don’t always have the will, the resources, or the knowledge needed. As a start, organizations should guard against phishing attacks, sanitize their email attachments, develop Data Loss Prevention strategies, guard against insider threats, and encrypt all their sensitive data. Unfortunately, very few companies and government agencies have undertaken these measures to date. Their failure to do so has already cost them millions of dollars in post-breach investigation, remediation, and recovery costs; damages to reputation and brand value; and even the resignation of top executives (e.g. Target, Sony, OPM). Cybersecurity cannot be treated as an isolated “IT problem” best left to the IT department alone. As I have argued before, this approach is both untenable and dangerous. Achieving cybersecurity requires the consistent attention and commitment of every organization’s most senior leaders. Those senior leaders must see cyber risk as a component of their organization’s overall security posture, and work to integrate cybersecurity front and center into their daily activities and anchor it into their decision-making processes in a holistic and comprehensive manner. And our national leaders have an additional responsibility to assure the safety and security of our country’s most valuable, sensitive information, systems, and infrastructure.

    The fact that foreign actors—and possibly a powerful adversary like Russia—may be attacking our nation’s computer systems in an apparent attempt to influence a presidential election should concern all Americans of any party. As Bruce Schneier noted, “this kind of cyber attack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November—that our election systems and our voting machines could be vulnerable to a similar attack.”

    There has also been speculation that the recent hacks might somehow represent payback for the position taken by the Obama Administration and then Secretary of State Clinton in support of Internet freedom—including efforts to help individuals silenced by their authoritarian governments (e.g. Russia and China)—and that those policies and rhetoric constituted a U.S. strategy to intervene in the domestic politics of foreign countries through cyber means. This and other theories offered by experts frame the recent hacks and the release of DNC emails (and potentially new disclosures promised by WikiLeaks founder Julian Assange) in ways that reinforce the increasing political and economic risks that highly-connected countries face and the lack of global norms regulating cyberspace. As David Fidler concludes, “the escalating risks and paucity of agreed norms help explain the growing prominence of coercion, retaliation, and deterrence in cybersecurity policies. Frequent calls for retaliation against Russia, if Russian involvement in the DNC leaks is sufficiently established, highlight these rising dangers, the entrenched disagreements about appropriate state behavior in cyberspace, and the growing desire to address cybersecurity threats through power politics.”

  • Picks of the Week: What the new EU-US Privacy Shield means for your company

    Europe Approves New Trans-Atlantic Data Transfer Deal | The New York Times

    EU-US Privacy Shield now officially adopted but criticisms linger | Tech Crunch

    EU-US Privacy Shield Agreement Goes into Effect | The Verge

    The recently-approved EU-US Privacy Shield—a new agreement for the legal transfer of personal data from the EU to the US—replaces the prior Safe Harbor agreement, which was invalidated by the Court of Justice of the EU (CJEU) in 2015, and changes how data is shared between the two continents. The previous framework had allowed US companies to self-certify that they would comply with the more stringent EU data protection standards when transferring data from the EU to the US. But in the wake of the Edward Snowden disclosures and mounting concerns over US government surveillance programs, the Safe Harbor agreement came under increased scrutiny in Europe for failing to provide sufficient protections for individuals and their personal data, and was ultimately declared illegal by the CJEU.

    The new Privacy Shield aims to address those concerns, ensuring that online data—from social media posts and search queries to information about workers’ pensions and payroll—transferred from the EU to the US abides by sufficient levels of privacy protection and provides legal clarity for businesses that depend on transatlantic data transfers.


    So, what will change for US companies doing business in the EU?

    Beginning this August, US companies collecting employee and customer data from the EU will be able to self-certify with the US Department of Commerce that they are compliant with the new data protection rules.

    Information about data processing: participant companies must publish a declaration of commitment to comply with the Privacy Shield principles, enforceable under US law, and include a link to the US Department of Commerce’s Privacy Shield website and a complaint submission form.

    Free and accessible dispute resolution: companies must respond to individual complaints within 45 days and must provide, at no cost, an independent recourse mechanism. Participants must also commit to binding arbitration at the individual’s request to address any complaint that has not been resolved by other mechanisms.

    Cooperating with the US Department of Commerce: participants must respond promptly to inquiries and requests by the US Department of Commerce for information relating to the Privacy Shield.

    Maintaining data integrity and purpose limitation: participants must limit personal data use to the information relevant for the purposes of processing and must comply with a new data retention principle.

    Transferring data to third parties: companies wishing to share personal data with third parties (e.g., vendors) must obtain assurances that the third party can provide the “same level of protection” for the data. If a third party can no longer ensure the appropriate level of data protection, it must inform the company.


    Following the demise of Safe Harbor in 2015, many US-based organizations that had previously benefited from the regime—especially large tech vendors such as Amazon, Google, IBM, and Oracle, among others—found alternative ways to address EU data sovereignty and privacy concerns by offering EU model contract clauses to their customers or even by building data centers inside Europe. These practices allow customers to restrict the flow of data so that it stays inside Europe, or even inside a specific data center, in cases where the information may not leave a specific EU country. – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Picks of the Week: What Leaders Should Learn from the Clinton Email Controversy

    Hillary Clinton’s Email Was Probably Hacked, Experts Say | The New York Times

    Hillary Clinton Calls for Stronger Cybersecurity Measures | Bloomberg

    The damning things the FBI said about Clinton’s email | USA Today

    This week, FBI Director James Comey concluded a year-long probe of Hillary Clinton’s email practices and her use of a private server during her tenure as Secretary of State by announcing that he would not be recommending criminal charges and that investigators had no “direct evidence” that her account had been “successfully hacked.” Cybersecurity experts, as reported by the New York Times, took the second statement as an admission that Clinton’s email account had likely been breached but that the intruders were far too skilled to leave evidence of their work.

    Since news broke in March 2015 that Secretary Clinton used a private email server, government officials and others have been monitoring the Internet to see whether any of her messages, or those directed to her, have made their way online. Nothing has surfaced yet, but this only indicates the material hasn’t yet made it online—it does not confirm whether anything was, in fact, compromised. Director Comey seemed to leave the door open that Clinton’s email may have been infiltrated, as he made clear she used mobile devices for email while in “the territory of sophisticated adversaries,” and that hacking by “hostile actors” was “possible.” There can be little doubt that a Secretary of State—as a Cabinet-level official—is one of the most prominent targets of foreign espionage efforts. The President, Secretary of State, and other top leaders in the public and private sectors all qualify in this top tier of potential targets. These individuals handle some of the most important and sensitive—therefore most alluring—information in the country, and foreign governments and nefarious actors are sure to deploy their best talent and techniques to obtain that information.

    Interestingly, just a few days before the release of the FBI verdict on this matter, Mrs. Clinton had pledged to promote cybersecurity and expand investments in the field as part of her new Technology and Innovation agenda rolled out at the end of June. The plan calls for the strengthening of federal networks to improve the US government’s cybersecurity and for increased public-private partnerships to train more computer science teachers, reboot job training, boost investments in local innovation, and foster “civic internet of things” through public investments, according to a fact sheet posted on her campaign website.

    While the new plan is commendable, we should not forget that protecting our national security and reaping the benefits of information communications technologies and increased connectivity to promote economic growth go hand in hand with assuring the safety and security of a country’s most valuable, sensitive information and infrastructure. Unfortunately, as Mr. Comey said, Mrs. Clinton and her staff “were extremely careless in their handling of very sensitive, highly classified information,” which left her office vulnerable to data breaches.

    As I have argued before, our leaders have a responsibility to lead by example and set the tone from the top by developing good cyber policy and doing their best to respect and enforce those policies. The next president, regardless of their party, will have to make cybersecurity (e.g. resiliency, privacy, and security) a top priority for their administration and think of this issue in terms of both national security and economic well-being. This means that politicians and public officials at the highest levels need to have a deeper knowledge of cybersecurity and cyber best practices, and make sure that their digital and economic agenda is aligned with their national security and cybersecurity agenda. – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Picks of the Week: ‘Right to Be Forgotten’ Continues to Divide the World

    Google Takes Right to Be Forgotten Battle to France’s Highest Court | The Guardian

    Google Appeals French ‘Right to be Forgotten’ Order | The Wall Street Journal

    Ne Privons Pas Les Internautes Français d’Informations Légales (Let’s Not Deprive French Internet Users of Legal Information) | Le Monde

    The Internet has a long memory. But what if the pictures, data, and personal information that can be found about you online appear unfair, one-sided, or just plain wrong? The so-called “right to be forgotten” has sparked one of the biggest debates playing out in cyberspace as well as in the real world, and the issue is poised to generate legal, technological, and moral wrangling for years to come.

    Internet search giant Google recently appealed a decision by France’s highest administrative court over a legal ruling that could force it to censor some of its search results worldwide under the principle of the European Union’s “right to be forgotten.”

    In May 2014, the European Court of Justice (ECJ) shook the Internet when it declared that EU citizens had a right to be forgotten online, and ruled that search engines like Google must remove links to “inadequate, irrelevant or no longer relevant” information from their results when an EU resident requests it, as long as there are no good reasons to maintain the information. The right was the result of a Spanish citizen’s legal challenge over an 11-year-old newspaper notice about debt. Since then, Google—the most popular search engine in the world—has reviewed almost 1.5 million similar requests, of which about 40% have resulted in the removal of a search result.

    The French data protection authority (CNIL), however, ruled that removing the content in question only from EU searches was not enough—indeed, in March it fined Google €100,000 for refusing to apply the right to be forgotten to all of its websites worldwide, regardless of where they are accessed. Google rejected the ruling and filed an appeal, which has kicked off one of the first major legal battles over how to apply the right to be forgotten. The case is now before France’s highest court.

    Google has argued that, if French law applies globally, “other countries [perhaps less open and democratic ones] could demand global removals based on their idea of what the law should be around the world.” In an open letter published in Le Monde, Google said it had already received demands from other governments to remove content globally on various grounds, and that complying with the CNIL’s order to apply the right to its sites outside Europe would encourage other countries that want to censor content, and would also limit Google’s ability to resist those demands.

    France’s CNIL denies there is a territorial question, arguing that global filtering is the only way to enforce the right to be forgotten fully. As an example, it pointed out that a hypothetical “Mr. Complainant” could ask for an old dating profile to be removed from searches for his name. While delisting only in the EU would prevent a misunderstanding with his French fiancée or Portuguese cousin, it would not stop his American colleague, or his “geeky, curious neighbor” who could simply make his IP address appear to come from a non-EU country, from recovering the old content.

    While it remains to be seen what the French court will decide, the right to be forgotten has now been embraced beyond the EU, including in Japan and Russia. In the US, however, while publicly popular according to opinion polls, such a right remains firmly off the table. As New Scientist points out, “this is in part because the First Amendment is so powerful in American law and in part because US policy views the Internet as a neutral tool that efficiently organizes the world’s information into a harsh but genuine reality.”

    If American residents want to delete any of their digital tracks, Google instructs them to go to the source of negative personal information. Once gone from the original website, the content purges automatically from search results. Nonetheless, successful content removal in this case is not based on a legal requirement, but on the sympathies of the website operator—a strategy that doesn’t always work.

    Although the right to be forgotten hasn’t “broken the Internet” as the tech community had warned back when the idea of incorporating such a right into EU regulations first took shape, it has sparked an animated debate about how broadly the EU can apply its strict privacy laws—and who sets global standards for how to balance personal privacy with free expression. Ultimately, this could decide the future of the Internet as a global information resource.

    As national policies and growing concerns about digital information shape the way we experience, understand, and use the Internet, we must also find new answers to whether and how the Internet should remain global. The right to be forgotten will be central to those answers. – Senior Fellow Francesca Spidalieri

  • Picks of the Week: No Country in the Americas is Cyber Ready


    IDB and OAS urge Latin America and the Caribbean to strengthen cybersecurity | Inter-American Development Bank

    Much of Latin America is Unprepared for Cyber Attacks – Report | Latin Post

    Cybersecurity Report 2016: Are We Ready in Latin America and the Caribbean? | CSIS

    A new report published this week by the Inter-American Development Bank (IDB) and the Organization of American States (OAS) called on countries in Latin America and the Caribbean (LAC) to step up their efforts on cybersecurity or face “potentially devastating” cyber attacks.

    While the “2016 Cybersecurity Report: Are we ready in Latin America and the Caribbean?” recognized that countries in the LAC region are accelerating their focus on cybersecurity and moving it upwards on their policy and social agendas, it ultimately concluded that most LAC countries are unprepared for the security challenges of the digital age.

    The report—which was the result of a major collaboration among OAS, IDB, Oxford University, the Potomac Institute, the Center for Strategic and International Studies, the Getulio Vargas Foundation, the FIRST organization, the European Council, and the World Economic Forum—analyzes the state of preparedness of the 32 OAS countries based on 49 indicators. It is the first significant examination of the level of preparedness against growing cyber threats in Latin America and the Caribbean based on two unique frameworks.

    The preliminary evaluation of countries in the LAC region was based on the Oxford Cyber Security Capacity Maturity Model (CMM), which consists of 49 indicators in five areas, namely policy and strategy; education, culture and society; legal framework; and technology. LAC countries’ cyber readiness was subsequently assessed and validated using portions of the Cyber Readiness Index 2.0 (CRI 2.0), which includes over 70 unique data indicators across seven indices, namely national strategy, incident response, e-crime and law enforcement, information-sharing, investment in research and development, diplomacy and trade, and defense and crisis response. While the two frameworks differ in their analytical approaches to measuring cyber capacity and readiness, they are complementary and together provided a powerful tool to uncover interesting insights and assess country-level cyber preparedness in the LAC region.

    The results? While a few major Latin American countries, like Brazil, México, Argentina, Chile, and Colombia, have achieved an “intermediate level of preparedness,” they still lag far behind countries like the United States, Israel, Estonia, and the Republic of Korea.

    Worse yet, sixteen countries in the region have no coordinated capacity to respond to cyber incidents, and only six have adopted a national cybersecurity strategy—one of the most important elements of a country’s commitment to securing the cyber infrastructure and critical services upon which its digital future and economic wellbeing depend. Internet penetration in the LAC region is still quite low (averaging less than 50%), and society is largely unaware of the risks and vulnerabilities associated with the use of Internet-based technology. Two out of three countries do not have a command and control center for cybersecurity, and the absence of recognized clearinghouses or brokers of authoritative information, compounded by mistrust among stakeholders, still hampers the ability of most LAC countries to establish formal information-sharing mechanisms. Moreover, although most LAC countries have increased their law enforcement efforts domestically and have updated national legislation to combat cybercrime and strengthen data protection and privacy laws, the successful prosecution of cybercrimes is still hindered by the absence in most states of a mechanism to report cyber incidents and by the inability of the large majority of criminal justice systems to handle electronic evidence and conduct sufficient forensic investigations.

    Government leaders in the LAC region cannot ignore the fact that cyber incidents are increasing in both scope and scale. Recognizing their responsibility to their countries and citizens, they must take the necessary steps and make the necessary investments to improve the resilience of their country’s core services and infrastructures, so that they are better prepared for and can speedily recover from cyber incidents, while at the same time continuing to embrace the opportunities that come from having a connected society. As IDB President Luis Alberto Moreno stated at the time of the report’s release, the LAC “region arrived late to the Industrial Revolution. We cannot miss the opportunity that the Digital Revolution offers us. Because of that, cybersecurity must be a priority.”
