  • Why the Democratic Party hacks should concern all Americans: Picks of the Week

    Dem party hacks shows neither side is serious about cybersecurity | The Hill

    Is Hacking Hillary Clinton Russian Payback for the ‘Freedom to Connect’? | Net Politics – Council on Foreign Relations

    By November, Russian Hackers Could Target Voting Machines | Lawfare


    The news that the Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign were hacked—allegedly by Russian state-sponsored hackers or proxies—has generated intense attention and has already cost the DNC chair her job and forced the resignation of the DNC’s CEO. More troubling, however, is the possibility that a foreign country may be using the fruits of its cyber espionage campaign to influence domestic electoral politics and to manipulate the U.S. presidential election. This affects more than just the Democratic party, and the string of cyber attacks has implications for every political party, every organization, and our democratic principles themselves.

    America must, before it is too late, have a rational and informed discussion about cybersecurity and the ramifications of cyber crime, cyber espionage, and even cyber disruption on our economy, national security, civil liberties, and democratic processes.

    As Col. Leighton (ret.) rightly pointed out this week in The Hill, “when the Internet was first developed, it was designed to foster communications between researchers. Security was, at best, an afterthought. Throughout the ’80s, ’90s, and the 2000s, we built ever more capable systems, developed faster and faster processors, housed billions of terabytes of data, and placed our private and public lives increasingly online. We did much of this without really designing security into the software and hardware that was making all this possible. Few of us really thought much about Internet security.”

    Today, the proliferation of information communications technologies (ICTs) and the increased reliance on the Internet has exposed governments and organizations alike to a growing number of vulnerabilities and opened the door to a wide range of malicious cyber activities and different threat actors. Cyber risks can affect organizations of all sizes in all sectors and can represent an existential threat for highly connected societies.

    Companies and government agencies alike can actually do a lot to start building the strong defenses necessary to protect against, detect, mitigate, and respond to persistent cyber threats, but they don’t always have the will, the resources, or the knowledge needed. As a start, organizations should guard against phishing attacks, sanitize their email attachments, develop Data Loss Prevention strategies, guard against insider threats, and encrypt all their sensitive data. Unfortunately, very few companies and government agencies have undertaken these measures to date. Their failure to do so has already cost them millions of dollars in post-breach investigation, remediation, and recovery costs; damage to reputation and brand value; and even the resignation of top executives (e.g. Target, Sony, OPM). Cybersecurity cannot be treated as an isolated “IT problem” best left to the IT department alone. As I have argued before, this approach is both untenable and dangerous. Achieving cybersecurity requires the consistent attention and commitment of every organization’s most senior leaders. Those senior leaders must see cyber risk as a component of their organization’s overall security posture, work to integrate cybersecurity front and center into their daily activities, and anchor it into their decision-making processes in a holistic and comprehensive manner. And our national leaders have an additional responsibility to assure the safety and security of our country’s most valuable, sensitive information, systems, and infrastructure.

    The fact that foreign actors may be attacking our nation’s computer systems—let alone a powerful adversary like Russia—in an apparent attempt to influence a presidential election should concern all Americans of any party. As Bruce Schneier noted, “this kind of cyber attack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November—that our election systems and our voting machines could be vulnerable to a similar attack.”

    There has also been speculation that the recent hacks might somehow represent payback for the position taken by the Obama Administration and then Secretary of State Clinton in support of Internet freedom—including efforts to help individuals silenced by their authoritarian governments (e.g. Russia and China)—and that those policies and rhetoric constituted a U.S. strategy to intervene in the domestic politics of foreign countries through cyber means. This and other theories offered by experts frame the recent hacks and the release of DNC emails (and potentially new disclosures promised by WikiLeaks founder Julian Assange) in ways that reinforce the increasing political and economic risks that highly-connected countries face and the lack of global norms regulating cyberspace. As David Fidler concludes, “the escalating risks and paucity of agreed norms help explain the growing prominence of coercion, retaliation, and deterrence in cybersecurity policies. Frequent calls for retaliation against Russia, if Russian involvement in the DNC leaks is sufficiently established, highlight these rising dangers, the entrenched disagreements about appropriate state behavior in cyberspace, and the growing desire to address cybersecurity threats through power politics.”

  • Picks of the Week: What the new EU-US Privacy Shield means for your company

    Europe Approves New Trans-Atlantic Data Transfer Deal | The New York Times

    EU-US Privacy Shield now officially adopted but criticisms linger | Tech Crunch

    EU-US Privacy Shield Agreement Goes into Effect | The Verge

    The recently-approved EU-US Privacy Shield—a new agreement for the legal transfer of personal data from the EU to the US—replaces the prior Safe Harbor agreement, which was invalidated by the Court of Justice of the EU (CJEU) in 2015, and changes how data is shared between the two continents. The previous framework had allowed US companies to self-certify that they would comply with more stringent EU data protection standards when transferring data from the EU to the US. But in the wake of the Edward Snowden disclosures and mounting concerns over US government surveillance programs, the Safe Harbor agreement came under increased scrutiny in Europe for failing to provide sufficient protections for individuals and their personal data, and was ultimately declared illegal by the CJEU.

    The new Privacy Shield aims to address those concerns, ensuring that online data—from social media posts and search queries to information about workers’ pensions and payroll—transferred from the EU to the US abides by sufficient levels of privacy protection and provides legal clarity for businesses that depend on transatlantic data transfers.


    So, what will change for US companies doing business in the EU?

    Beginning this August, US companies collecting employee and customer data from the EU will be able to self-certify with the US Department of Commerce that they are compliant with the new data protection rules.

    • Information about data processing: participant companies must publish a declaration of commitment to comply with the Privacy Shield principles, enforceable under US law, and include a link to the US Department of Commerce’s Privacy Shield website and a complaint submission form.
    • Free and accessible dispute resolution: companies must respond to individual complaints within 45 days and must provide, at no cost, an independent recourse mechanism. Participants must also commit to binding arbitration at the individual’s request to address any complaint that has not been resolved by other mechanisms.
    • Cooperating with the US Department of Commerce: participants must respond promptly to inquiries and requests by the US Department of Commerce for information relating to the Privacy Shield.
    • Maintaining data integrity and purpose limitation: participants must limit personal data use to the information relevant for the purposes of processing and must comply with a new data retention principle.
    • Transferring data to third parties: companies wishing to share personal data with third parties (e.g., vendors) must obtain assurances that the third party can provide the “same level of protection” for the data. If a third party can no longer ensure the appropriate level of data protection, it must inform the company.


    Following the demise of Safe Harbor in 2015, many US-based organizations—and especially large tech vendors, such as Amazon, Google, IBM, and Oracle, among others—which previously benefited from the regime, found alternative ways to address EU data sovereignty and privacy concerns by offering EU model contract clauses to their customers or even by building data centers inside Europe. These practices allow customers to restrict the flow of data so that it stays inside Europe, or even inside a specific data center, in cases where the information is restricted from leaving a specific EU country. – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Picks of the Week: What Leaders Should Learn from the Clinton Email Controversy

    Hillary Clinton’s Email Was Probably Hacked, Experts Say | The New York Times

    Hillary Clinton Calls for Stronger Cybersecurity Measures | Bloomberg

    The damning things the FBI said about Clinton’s email | USA Today

    This week, FBI Director James Comey concluded a year-long probe of Hillary Clinton’s email practices and her use of a private server during her tenure as Secretary of State by announcing that he would not be recommending criminal charges and that investigators had no “direct evidence” that her account had been “successfully hacked.” Cybersecurity experts, as reported by the New York Times, took the second statement as an admission that Clinton’s email account had likely been breached but that the intruders were far too skilled to leave evidence of their work.

    Since news broke in March 2015 that Secretary Clinton used a private email server, government officials and others have been monitoring the Internet to see whether any of her messages, or those directed to her, have made their way online. Nothing has surfaced yet, but this only indicates the material hasn’t yet made it online—it does not confirm whether anything was, in fact, compromised. Director Comey seemed to leave the door open that Clinton’s email may have been infiltrated, as he made clear she used mobile devices for email while in “the territory of sophisticated adversaries,” and that hacking by “hostile actors” was “possible.” There can be little doubt that a Secretary of State—as a Cabinet-level official—is one of the most prominent targets of foreign espionage efforts. The President, Secretary of State, and other top leaders in the public and private sectors all qualify in this top tier of potential targets. These individuals handle some of the most important and sensitive—therefore most alluring—information in the country, and foreign governments and nefarious actors are sure to deploy their best talent and techniques to obtain that information.

    Interestingly, just a few days before the release of the FBI verdict on this matter, Mrs. Clinton had pledged to promote cybersecurity and expand investments in the field as part of her new Technology and Innovation agenda rolled out at the end of June. The plan calls for the strengthening of federal networks to improve the US government’s cybersecurity and for increased public-private partnerships to train more computer science teachers, reboot job training, boost investments in local innovation, and foster “civic internet of things” through public investments, according to a fact sheet posted on her campaign website.

    While the new plan is commendable, we should not forget that protecting our national security and reaping the benefits of information communications technologies and increased connectivity to promote economic growth go hand in hand with assuring the safety and security of a country’s most valuable, sensitive information and infrastructure. Unfortunately, as Mr. Comey said, Mrs. Clinton and her staff “were extremely careless in their handling of very sensitive, highly classified information,” which left her office vulnerable to data breaches.

    As I have argued before, our leaders have a responsibility to lead by example and set the tone from the top by developing good cyber policy and doing their best to respect and enforce those policies. The next president, regardless of their party, will have to make cybersecurity (e.g. resiliency, privacy, and security) a top priority for their administration and think of this issue in terms of both national security and economic well-being. This means that politicians and public officials at the highest levels need to have a deeper knowledge of cybersecurity and cyber best practices, and make sure that their digital and economic agenda is aligned with their national security and cybersecurity agenda. – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Picks of the Week: ‘Right to Be Forgotten’ Continues to Divide the World

    Google Takes Right to Be Forgotten Battle to France’s Highest Court | The Guardian

    Google Appeals French ‘Right to be Forgotten’ Order | The Wall Street Journal

    Ne Privons Pas Les Internautes Français d’Informations Légales | Le Monde

    The Internet has a long memory. But what if the pictures, data, and personal information that can be found about you online appear unfair, one-sided, or just plain wrong? The so-called “right to be forgotten” has sparked one of the biggest debates playing out in cyberspace as well as in the real world, and the issue is poised to generate legal, technological, and moral wrangling for years to come.

    Internet search giant Google recently appealed a decision by France’s highest administrative court over a legal ruling that could force it to censor some of its search results worldwide under the principle of the European Union’s “right to be forgotten.”

    In May 2014, the European Court of Justice (ECJ) shook the Internet when it declared that EU citizens had a right to be forgotten online, and ruled that search engines like Google must remove links to “inadequate, irrelevant or no longer relevant” information from their results when an EU resident requests it, as long as there are no good reasons to maintain the information. The right was the result of a Spanish citizen’s legal challenge over an 11-year-old newspaper notice about debt. Since then, Google—the most popular search engine in the world—has reviewed almost 1.5 million similar requests, of which about 40% have resulted in the removal of a search result.

    The French data protection authority (CNIL), however, ruled that removing the content in question only from EU searches was not enough—indeed, in March it fined Google €100,000 for refusing to apply the right to be forgotten to all of its websites worldwide, regardless of where they are accessed. Google rejected the ruling and filed an appeal, which has kicked off one of the first major legal battles over how to apply the right to be forgotten. The case is now before France’s highest court.

    Google has argued that, if French law applies globally, “other countries [perhaps less open and democratic ones] could demand global removals based on their idea of what the law should be around the world.” In an open letter published in Le Monde, Google said it had already received demands from other governments to remove content globally on various grounds, and that complying with the CNIL’s order to apply the right to its sites outside Europe would encourage other countries that want to censor content, and would also limit Google’s ability to resist those demands.

    France’s CNIL denies there is a territorial question, arguing that global filtering is the only way to enforce the right to be forgotten fully. It pointed out, as an example, that a hypothetical “Mr. Complainant” could ask for an old dating profile to be removed from searches for his name. While that would prevent a misunderstanding with his French fiancée or Portuguese cousin, his American colleague, or his “geeky, curious neighbor” who could simply fake his IP address to appear to be in a non-EU country, could still recover the old content.

    While it remains to be seen what the French court will decide, the right to be forgotten has now been embraced beyond the EU, including in Japan and Russia. In the US, however, while publicly popular according to opinion polls, such a right remains firmly off the table. As New Scientist points out, “this is in part because the First Amendment is so powerful in American law and in part because US policy views the Internet as a neutral tool that efficiently organizes the world’s information into a harsh but genuine reality.”

    If American residents want to delete any of their digital tracks, Google instructs them to go to the source of negative personal information. Once gone from the original website, the content purges automatically from search results. Nonetheless, successful content removal in this case is not based on a legal requirement, but on the sympathies of the website operator—a strategy that doesn’t always work.

    Although the right to be forgotten hasn’t “broken the Internet” as the tech community had warned back when the idea of incorporating such a right into EU regulations first took shape, it has sparked an animated debate about how broadly the EU can apply its strict privacy laws—and who sets global standards for how to balance personal privacy with free expression. Ultimately, this could decide the future of the Internet as a global information resource.

    As national policies and growing concerns about digital information shape the way we experience, understand, and use the Internet, we must also find new answers to whether and how the Internet should remain global. The right to be forgotten will be central to those answers. – Senior Fellow Francesca Spidalieri

  • Picks of the Week: What the Panama Papers Breach Means for Your Organization’s Cybersecurity

    Cybersecurity Lessons Learned From ‘Panama Papers’ Breach | Forbes

    What the Panama Paper Hack Means for Worldwide Cybersecurity | Massive Media

    The Panama Papers Wake Up Call | Security Week

    In the wake of the revelations from the so-called “Panama Papers,” the world of the rich and powerful has been reeling. A single cyber attack against Mossack Fonseca—a Panamanian law firm that was virtually unknown to the public—has sent a tsunami around the world, already toppling one world leader with more turbulence likely to come.

    The attacker absconded with such a vast trove of confidential, attorney-client information—including over 4.8 million emails, 2.2 million PDFs, and 2.6 terabytes of information—that journalists and other investigators have been reviewing it for more than a year. The resulting leak was the largest data security breach in history, and has made previous revelations by WikiLeaks and Edward Snowden look small and limited by comparison.

    The leaked information allegedly details the ways some of the world’s most powerful figures, including presidents, kings, prime ministers, their relatives, and close associates in more than 40 countries across Europe, Asia, the Middle East, Africa, and the Americas, have used offshore companies to hide income and avoid paying taxes. Some of the information dated back almost 40 years, to a period before the Internet even existed.

    The identity of the attacker(s), however, remains a mystery. Perhaps it was a company insider with access to the relevant passwords and files? Or maybe a skilled attacker, well-versed in the intricacies of cyber espionage?

    Experts believe that neither profile is accurate, because the Mossack Fonseca cyber attack was actually quite simple. So simple, in fact, that even a script kiddie with limited hacking knowledge could have done it. The leak stemmed from known, easily exploited vulnerabilities in older versions of the popular open-source web platforms Drupal and WordPress that had not been updated. In fact, outdated software that organizations haven’t properly patched is the most common cybersecurity vulnerability today. In addition, Mossack Fonseca’s web server was not behind a firewall and wasn’t separated from its mail servers, and the firm did not encrypt its emails, which is particularly egregious given the sensitivity of its clients’ information. In other words, Mossack Fonseca failed to take even the most rudimentary steps to protect its confidential client data. And even if it had put its web server behind a firewall and separated it from its mail servers, hackers would still have been able to exploit the unpatched vulnerabilities to access data on internal systems; it would simply have taken them a bit longer.

    In addition, some of the security mistakes Mossack Fonseca made were violations of common cyber hygiene.

    So, what can your organization learn from this latest hack and do to prevent a similar breach?

    • Patch, patch, patch—ensure that admins have applied all security patches to all software, not just the software that faces the Internet. Your patching regimen should be prompt and thorough – but never count on all software to be properly patched.
    • Train your employees on password protection (and don’t store passwords in a file called passwords!)—require regular changing of passwords (at least quarterly). If you don’t already have a policy in place governing the creation, use, and sharing of passwords for your organization, establish one. Encourage employees to create complex passwords, never to share them, and to implement additional layers of security, such as dual-factor authentication, adding fingerprint locks on computers, single use codes, etc.
    • Train your employees on recognizing phishing emails—fraudulent emails are still a major attack vector. Cyber criminals obtain organization-wide data from just one employee falling for a false email request. Include in your policy what work can be done on personal devices (such as smartphones and tablets), and what work must be done on workplace computers protected by a strong firewall and good virus software.
    • Do not give everybody access to everything—put your eggs in multiple baskets, classify your documents, and segment your networks. Too many organizations have grown their networks with maximum convenience in mind, effectively giving access to everything to everyone. Unfortunately, that means access to outsiders as well if there is even a small chink in your cyber-defenses.
    • Do not store data beyond what you need—if your organization collects some Personally Identifiable Information (PII), such as social security numbers and credit card information, do not store more than you actually need and are willing to protect.
    • Do not use email for sensitive communications—the biggest lesson already learned from the Sony Corporation hack should have been to avoid writing anything that could potentially incriminate or embarrass you or your business. A casual insult, side comment, inappropriate joke or any similar communication, taken in the context of the intended audience, may not offend; however, written data should be considered permanent and available to a broad audience.
    • Do not ignore warning signs and risks—if something seems wrong, don’t ignore it. Take a screenshot, write down the error message, call support, run an antivirus scan. Sometimes it turns out to be nothing, or even a new feature you didn’t know about. Other times it means you are under attack.
    • Do not go another day without an incident response plan—there are only two types of organizations: those that have been breached, and those that don’t know that they have been breached. Any responsible organization should be prepared to respond to, mitigate, and remediate a cyber attack, and this should start by having a clearly-defined and well-exercised incident response plan.

    – Francesca Spidalieri, Senior Fellow

  • Picks of the Week: No Country in the Americas is Cyber Ready


    IDB and OAS urge Latin America and the Caribbean to strengthen cybersecurity | Inter-American Development Bank

    Much of Latin America is Unprepared for Cyber Attacks – Report | Latin Post

    Cybersecurity Report 2016: Are We Ready in Latin America and the Caribbean? | CSIS

    A new report published this week by the Inter-American Development Bank (IDB) and the Organization of American States (OAS) called on countries in Latin America and the Caribbean (LAC) to step up their efforts on cybersecurity or face “potentially devastating” cyber attacks.

    While the “2016 Cybersecurity Report: Are we ready in Latin America and the Caribbean?” recognized that countries in the LAC region are accelerating their focus on cybersecurity and moving it upwards on their policy and social agendas, it ultimately concluded that most LAC countries are unprepared for the security challenges of the digital age.

    The report—which was the result of a major collaboration among the OAS, the IDB, Oxford University, the Potomac Institute, the Center for Strategic and International Studies, the Getulio Vargas Foundation, the FIRST organization, the European Council, and the World Economic Forum—analyzes the state of preparedness of the 32 OAS countries based on 49 indicators. It is the first significant examination of the level of preparedness against growing cyber threats in Latin America and the Caribbean, and it is based on two unique frameworks.

    The preliminary evaluation of countries in the LAC region was based on the Oxford Cyber Security Capacity Maturity Model (CMM), which consists of 49 indicators in five areas, namely policy and strategy; education, culture and society; legal framework; and technology. LAC countries’ cyber readiness was subsequently assessed and validated using portions of the Cyber Readiness Index 2.0 (CRI 2.0), which includes over 70 unique data indicators across seven indices, namely national strategy, incident response, e-crime and law enforcement, information-sharing, investment in research and development, diplomacy and trade, and defense and crisis response. While the two frameworks differ in their analytical approaches to measuring cyber capacity and readiness, they are complementary and together provide a powerful tool to uncover interesting insights and assess country-level cyber preparedness in the LAC region.

    The results? While a few major Latin American countries, like Brazil, México, Argentina, Chile, and Colombia have achieved an “intermediate level of preparedness,” they still lag far behind countries like the United States, Israel, Estonia, and the Republic of Korea.

    Worse yet, sixteen countries in the region have no coordinated capacity to respond to cyber incidents and only six have adopted a national cybersecurity strategy—one of the most important elements of a country’s commitment to securing their cyber infrastructure and critical services upon which their digital future and economic wellbeing depend. Internet penetration in the LAC region is still quite low (averaging less than 50%) and society is largely unaware of the risks and vulnerabilities associated with the use of Internet-based technology. Two out of three countries do not have a command and control center for cybersecurity, and the absence of recognized clearinghouses or brokers of authoritative information compounded by the mistrust among stakeholders still hamper the ability of most LAC countries to establish formal information-sharing mechanisms. Moreover, although most LAC countries have increased their law enforcement efforts domestically and have updated national legislation to combat cybercrime and strengthen data protection and privacy laws, the successful prosecution of cybercrimes is still hindered by the absence in most states of a mechanism to report cyber incidents and the inability by a large majority of criminal justice systems to handle electronic evidence and conduct sufficient forensics investigations.

    Government leaders in the LAC region cannot ignore the fact that cyber incidents are increasing in both scope and scale. Recognizing their responsibility to their countries and citizens, they must take the steps and make the investments necessary to improve the resilience of their country’s core services and infrastructures, so that they are better prepared for and can speedily recover from cyber incidents, while at the same time continuing to embrace the opportunities that come from having a connected society. As IDB President Luis Alberto Moreno stated at the time of the report’s release, the LAC “region arrived late to the Industrial Revolution. We cannot miss the opportunity that the Digital Revolution offers us. Because of that, cybersecurity must be a priority.”

  • Picks of the Week: The White House’s New Cybersecurity Action Plan & Budget


    Cybersecurity National Action Plan | The White House

    The Real Reason to Like the President’s Cybersecurity Plan | Net Politics

    Opinion: $19 billion alone won’t fix Washington’s cybersecurity problem | Passcode

    President Barack Obama recently announced the Cybersecurity National Action Plan (CNAP), which would allocate $19 billion for cybersecurity initiatives at federal agencies and would establish a chief information security officer (CISO) for the federal government. The plan, although overdue, demonstrates a renewed focus on cybersecurity and represents the culmination of seven years of this administration’s work on a dynamic and critical topic.

    Cybersecurity has been an important issue for this administration since day one—the President ordered a 60-day review of federal government cybersecurity policies and programs after first taking office in 2009—but it has taken several years to make palpable progress in this field, even though the country has suffered rampant cyber crime, data breaches, and IP theft since that time.

    The most successful initiative of this administration has been the NIST’s Cybersecurity Framework, a roadmap for organizations to review their cybersecurity risk and a guide to strengthen their overall cybersecurity posture by mapping a variety of global standards. Since its release in February 2014, the Framework has facilitated behavioral change in organizations, encouraged them to examine and understand key priorities and vulnerabilities, and supported cyber resiliency within and across sectors. Indeed, while the framework was aimed at critical infrastructure, in practice, it has provided a toolkit for institutions of all shapes and sizes. Moreover, its success has shown that a lot can be accomplished by encouraging thorough and continuous attention to good housekeeping and cyber hygiene.

    In addition, Congress finally passed the bipartisan and long-anticipated Cybersecurity Information Sharing Act (CISA)—a bill meant to facilitate the voluntary sharing of cyber threat information between companies and the federal government. And most recently, the Departments of Justice and Homeland Security issued guidelines for private sector information sharing.

    The new White House initiative focuses on getting the federal house in order, creating a ‘cyber workforce’ through financial incentives, encouraging more effective work and ‘knowledge-sharing’ between the private and public sectors, and creating a nationwide campaign to raise public awareness of the importance of cybersecurity. As Cameron Kerry from Brookings notes, “rather than introducing new solutions, the Cybersecurity National Action Plan provides more resources, leadership, and focus to the challenges of government cybersecurity.” A major part of the initiative will consist of hiring a CISO to oversee the security practice of federal agencies and the overhaul of the federal government’s computer systems—a task that some security experts initially worried would prove a massive (and maybe impossible) undertaking. Most private companies today already have CISOs and, if the federal government is going to be serious about protecting its own cybersecurity, it should do the same while also putting additional resources into the task.

    Critics of the plan have argued that simply throwing more money at the problem, without providing specific policy proposals and organizational initiatives to protect US networks from nefarious cyber criminals, won’t improve cybersecurity. Indeed, while more resources are needed, their deployment needs to be prioritized. The Obama administration will respond to this concern as it articulates how agencies should decide what needs to be replaced and upgraded. Moreover, long-standing impediments to effective government programs’ execution, like federal acquisition policies and workforce policies, should be addressed to make it easier for the government to invest in leading-edge technologies and compete for tech talent with Silicon Valley. Additional steps should be taken by the administration and Congress to make sure that the new cybersecurity budget is spent effectively and efficiently, reducing the government’s vulnerability to large-scale hacks and data breaches and ultimately ensuring that it is prepared to play its critical role in addressing today’s digital threats.

    Overall, President Obama’s action plan and new fiscal 2017 budget—which includes $3.1 billion for IT modernization of federal systems—reflect a serious investment in tackling the significant cyber threats facing the US and reducing the ongoing harm to the nation’s security and economic prosperity. Changing the government’s cybersecurity culture—and getting employees at the various agencies on board with taking security seriously—however, may prove the biggest challenge yet… – Senior Fellow Francesca Spidalieri

  • Picks of the Week: Apple goes head-to-head with the U.S. government over encryption


    A Message to Our Customers | Apple

    Apple Fights Order to Unlock San Bernardino Gunman’s iPhone | The New York Times

    Why Apple Should Comply with the FBI: Cybersecurity expert | CNBC


    The ongoing debate over encryption between Silicon Valley and Washington—which has often pitted the tech industry against intelligence and law enforcement officials—has come to a head in the public dispute between the government and the world’s largest tech company over the ability of federal investigators to access encrypted data hidden on an iPhone used by the San Bernardino terror suspects.

    This week, a federal judge ordered Apple to assist the FBI in getting around the phone’s passcode protection and any auto-erase functions the device might employ so that investigators can access the encrypted content. To comply with the judge’s order, Apple would have to build a new iPhone operating system that circumvents key security functions and install it on the seized device in order to turn off the feature that would erase the iPhone’s data after 10 incorrect password entries. In a statement released on Wednesday, Apple CEO Tim Cook said that doing so would undermine encryption by creating a ‘backdoor’ that could potentially be used on future devices. “In the wrong hands, this software—which does not exist today—would have the potential to unlock any iPhone in someone’s physical possession,” he said. He maintained that the order would effectively require “the same engineers who built strong encryption into the iPhone to protect our users … to weaken those protections and make our users less safe.” The government has argued that it has the legal and ethical authority to search the device in this matter, and that what it seeks to do would not jeopardize the security of other phones.
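    To make concrete why the erase-after-10 feature matters so much in this dispute, the following is an added toy model of a passcode-protected key store; it is constructed for illustration and is not Apple’s design or code. The data key is wrapped with a key derived from the passcode; with auto-erase enabled, ten wrong guesses destroy the wrapped key, so an adversary with physical possession gets at most ten guesses against a four-digit space of 10,000. Disabling that feature, which is what the order would require, restores the full guess budget. Class and function names, the PBKDF2 parameters, and the sample passcodes are all assumptions of this example.

```python
import hashlib
import os
import secrets

# Threshold the article describes: the device erases its data after 10 wrong entries.
MAX_FAILED_ATTEMPTS = 10
# Kept low so the example runs quickly; real devices use far more work per guess.
PBKDF2_ITERATIONS = 1000


class ToyPasscodeStore:
    """Constructed model of a passcode-protected key store (not Apple's design).

    A random data key is wrapped (XORed) with a key derived from the passcode.
    With auto_erase enabled, the wrapped key and its check value are destroyed
    after MAX_FAILED_ATTEMPTS wrong guesses, so the data key is unrecoverable
    even to someone who later supplies the right passcode.
    """

    def __init__(self, passcode: str, auto_erase: bool = True) -> None:
        self.salt = os.urandom(16)
        self.auto_erase = auto_erase
        self.failed_attempts = 0
        self.erased = False
        data_key = secrets.token_bytes(32)
        kek = self._derive(passcode)
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        # Check value lets the device confirm a correct unwrap without storing the key.
        self.check_value = hashlib.sha256(data_key).digest()

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), self.salt, PBKDF2_ITERATIONS, dklen=32
        )

    def try_unlock(self, passcode: str):
        """Return the data key on a correct passcode, None otherwise."""
        if self.erased:
            return None
        kek = self._derive(passcode)
        candidate = bytes(a ^ b for a, b in zip(self.wrapped_key, kek))
        if hashlib.sha256(candidate).digest() == self.check_value:
            self.failed_attempts = 0
            return candidate
        self.failed_attempts += 1
        if self.auto_erase and self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Destroy the wrapped key and check value: the data is now gone for good.
            self.wrapped_key = bytes(32)
            self.check_value = bytes(32)
            self.erased = True
        return None


def guess_budget(store: ToyPasscodeStore, passcode_digits: int) -> int:
    """Guesses someone with physical access can make before the data is unrecoverable."""
    space = 10 ** passcode_digits
    return min(space, MAX_FAILED_ATTEMPTS) if store.auto_erase else space


def simulate_guessing(store: ToyPasscodeStore, candidates):
    """Feed candidate passcodes in order and report how the attempt ended.

    Returns ('unlocked', n), ('erased', n) or ('exhausted', n) where n is the
    number of attempts made.
    """
    attempts = 0
    for pin in candidates:
        attempts += 1
        if store.try_unlock(pin) is not None:
            return ("unlocked", attempts)
        if store.erased:
            return ("erased", attempts)
    return ("exhausted", attempts)


if __name__ == "__main__":
    # Constructed sample: a four-digit passcode and an ascending guess list.
    pins = ["%04d" % i for i in range(100)]
    print(simulate_guessing(ToyPasscodeStore("0042"), pins))
    print(simulate_guessing(ToyPasscodeStore("0042", auto_erase=False), pins))
```

The second run shows what the requested modification buys: without the erase threshold, the same guess list simply continues until the passcode is found, and the only remaining cost is the per-guess key derivation.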

    As Apple has publicly vowed to appeal the order, the outcome of this case may have far-reaching ramifications—if the government can compel Apple to do this, then it can likely do the same for other software providers in future cases.

    Technology companies, privacy advocates, computer security personnel, and encryption experts have long opposed providing so-called “backdoor” access to encryption, which they argue would make Internet data more vulnerable and significantly weaken Internet security for everyone. Indeed, commandeering companies into compromising their users’ devices or exploiting vulnerabilities in operating systems would not only erode trust between tech companies and their consumers, but it would also open the door for other governments to make similar demands.

    Many of Apple’s defenders note that the disclosures exposed by Edward Snowden have already prompted technology companies to build tougher encryption safeguards into their products in response to privacy demands from consumers. Governments around the world, however, are starting to require companies to build new tools to bypass the security of their own products, and even to hand over encryption keys and source code in the name of national security. Furthermore, law enforcement has argued that these increasingly strong encryption methods make it more difficult to pursue terrorists and criminals.

    Apple has only a few days to file an appeal to the court order, but the battle over encryption and other privacy-related technologies doesn’t look to be over anytime soon, and it will continue to reflect the larger public policy debates on the balance between national security and civil liberties. As we move in the next decade into a world where far more powerful computing capability will come into existence, such as quantum computing, the ability of every person to encrypt their communications at levels that may not be decryptable will only sharpen that debate. – Senior Fellow Francesca Spidalieri

  • Image of the American Flag covered in ones and zeroes and cracked in pieces to represent a cracked cyber code.

    Picks of the Week: Cybersecurity Lacking from 2016 Campaign Trail

    Clinton’s Emails Drown out Cyber Debate | The Hill

    Election 2016: Why Every Candidate Should Be Talking Cybersecurity | Secure World

    Hillary Clinton Email Scandal ‘Very Serious,’ Says Bernie Sanders | Reuters

    While Hillary Clinton continues to face scrutiny for her email practices and the use of a private server during her tenure as Secretary of State, few of the 2016 Presidential candidates have discussed the more serious cybersecurity issues affecting the nation.

    Securing the nation’s critical infrastructures and digital assets from cyber risk had been expected to be a focal point during the primaries and the election, given the growing scope, volume, and sophistication of cyber threats to the U.S. government, companies, and citizens alike.

    Yet only a few candidates in either party have published proposals for combating cyber threats. And when asked about the issue on the campaign trail or at the debate podium, many of the candidates have given cursory responses or pivoted to other topics. Surprisingly, even the damaging breach of the federal Office of Personnel Management (OPM)—which was likely carried out by China and exposed sensitive personal information of over 32 million Americans, both federal employees and defense contractors—hasn’t gotten much attention since it was first disclosed last summer.

    Until now, much of the conversation we have seen on the campaign trail around cybersecurity matters has focused almost exclusively on the federal investigation into Clinton’s emails, which could conclude later this year, and the question of how to take on ISIS online.

    As The Hill explains in one of their articles this week, “candidates have their own reasons for shying away from the cyber debate. On the Democratic side, observers see little upside to bringing up the issue. Clinton, the front-runner, is looking to distance herself from allegations her email server was insecure, potentially exposing national security secrets to foreign hackers. Insurgent Democratic candidate Sen. Bernie Sanders (I-Vt.), meanwhile, is not an expert on Internet security and is unlikely to win new supporters by emphasizing it. On the Republican side, strategists say the topic simply doesn’t resonate with the GOP primary base.”

    It is certainly true that there is a disconnect between the importance that voters place on cybersecurity as an issue and how important it actually is to both their personal lives and the national security and economic stability of their country. The average voter and Internet user still lacks a basic understanding of the Internet’s interdependencies and inherent threats, and may not realize how nearly every aspect of modern society and the economy today depends on the accessibility, reliability, and security of Internet connectivity. And for those who do care about cybersecurity, it is difficult to know where each candidate stands on the issue.

    Policymakers and other government leaders, on the other hand, continue to struggle to be taken seriously in this space because of their own poor defenses—both CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson had their personal email accounts broken into—and the lack of strong cybersecurity best practices across government agencies. Few of them have actually taken the time to educate themselves about the most pressing cyber threats and the basics of cybersecurity, and even fewer are taking proactive steps to make cybersecurity a priority.

    As I have argued before, our leaders have a responsibility to master and develop good cyber policy and to secure the country’s most valuable, sensitive information and infrastructure. All presidential candidates should be more articulate and proactive on cybersecurity issues, just as they are on issues from debt to healthcare to immigration. The future president, regardless of their party, will have to make cybersecurity (e.g. resiliency, privacy, and security) a top priority for their administration and think of this issue in terms of both national security and economic stability. This means that politicians and public officials at the highest levels need to have a deeper knowledge of cybersecurity, and—more importantly—not let relevant cybersecurity issues, such as economic espionage, encryption, and the security of critical infrastructure, be lost in a political turf war. So far, even the few cyber issues raised during the national debates or on candidates’ platforms have often circled back to Clinton’s email scandal. The issue of Secretary Clinton’s email use seems to have taken on a new urgency in recent days, since the US Department of State announced that it would withhold private email chains from Clinton’s server that contain top-secret information, and as the battle for the two parties’ nominations heats up. In fact, while Clinton has spent much of her campaign trying to distance herself from this scandal, the policy plans of both Carson and Bush mention the controversy, and even Senator Sanders—who had previously refrained from invoking this dispute—has now raised the issue.

    Hopefully, we won’t have to wait for a breach of even greater proportions than the OPM hack, or of even greater strategic significance than the Snowden revelations, to put cybersecurity discussions at the forefront of the campaign trail! – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Emblem of the World Economic Forum on a window in Geneva.

    Picks of the Week: The Dark Side of the Fourth Industrial Revolution

    Global Tensions Threaten to Upstage World Economic Forum in Davos | The New York Times

    An Open Letter to the Leaders of the World’s Governments signed by Organizations, Companies, and Individuals | Secure the Internet

    The ‘Fourth Industrial Revolution,’ by Klaus Schwab | The Financial Times

    Global leaders have gathered in Davos, Switzerland this week for the 46th annual World Economic Forum (WEF). Although recent global events—from the Chinese economic slowdown to the refugee crisis in Europe to the string of militant attacks around the world—have overshadowed the WEF’s opening ceremonies, billionaires, business titans, celebrities, and politicians have arrived in this snow-blanketed village with a mission to “improve the state of the world.”

    The official theme of this year’s conference—Mastering the Fourth Industrial Revolution—may sound out-of-step with the major global events highlighted above, but Klaus Schwab, WEF’s founder and author of the newly published book “The Fourth Industrial Revolution,” is nonetheless urging the powerful participants to ponder “the fusion of technologies across the physical, digital and biological worlds, which is creating entirely new capabilities and dramatic impacts on political, social and economic systems.”

    Coming after the steam engine, mass production, and information technology, the fourth industrial revolution promises to bring even faster cycles of innovation. But it also poses huge challenges to companies, workers, governments, and society alike. The promise is cheaper and more efficient distribution of goods, data, and services, driving a new wave of economic growth. The threat is mass unemployment, asymmetric warfare, and a further breakdown of already strained trust between corporations and populations.

    The impact of automation and technical advancement is just one aspect of this new revolution. Cybersecurity is another. “We will see more security issues with the Internet of things,” warned Eugene Kaspersky, chairman and CEO of Kaspersky Lab, at a panel organized by Internet security company WiseKey. From the vulnerability of power plants to transit systems and automated cars, Davos has been abuzz with these concerns. Jimmy Wales, the founder of Wikipedia, urged attendees to take cybersecurity seriously, but not to allow government to use the pretense of ‘security’ to deprive users of encryption. A group of organizations, companies, and individuals even posted an open letter to government leaders in attendance, encouraging them to support the development and use of secure communications and systems while also rejecting “laws, policies, or other mandates or practices, including secret agreements with companies, that limit access to or undermine encryption and other secure communications tools and technologies.”

    Cybersecurity, of course, is just one of the challenges taking center stage at the WEF conference this week. In today’s environment of escalating terrorist attacks and heightened economic and political instability, it is unrealistic and unfair to look to Davos as some sort of panacea for the world’s problems. Indeed, while the conference agenda is full of sessions about some of the timeliest topics, including the refugee crisis in Europe and the rising threat of terrorism after Islamic State-inspired attacks in Paris, California, and elsewhere, the discussions are unlikely to sway national policies or produce major breakthroughs. – Francesca Spidalieri, Senior Fellow for Cyber Leadership


    Image Courtesy of Urs Jaudas via Flickr