• Surviving a Cyber Attack: Preparedness and Resiliency in Action

    Newport, R.I.—Over 50 senior leaders and a small group of selected students gathered at the Pell Center on December 8, 2015 to participate in a four-hour cybersecurity tabletop exercise. The event, specifically designed for corporate executives and general counsels, was part of the Rhode Island Corporate Cybersecurity Initiative, and focused on best practices for incident response and mitigation.

    The exercise was led by a panel of experts, including: Ellen Giblin, Privacy Officer at the Boston Children’s Hospital; Kevin Swindon, FBI Supervisory Special Agent in the Boston Cyber Division; Don Ulsch, Senior Managing Director at PwC; Ken Mortensen, Senior Managing Director at PwC; Stephen Ucci, Counsel at the Locke Lord law firm and RI State Representative; and Scott Baron, Chief Information Security Officer at Finance of America Holding. The panel, which represented the ‘dream team’ every company would wish to have to manage a potential cyber attack, took participants through a simulated cyber incident and provided considerations and tips on how to respond, remediate, and survive an attack.

    Keynote speaker Peter Neronha, U.S. District Attorney for the District of Rhode Island, offered some initial remarks and praised the work of the Pell Center over the last several years for raising awareness about the most pressing cybersecurity issues and for providing a venue where public and private sector leaders have been able to discuss ways to make their organizations—and thus Rhode Island—safer and more resilient to cyber incidents. Mr. Neronha discussed some insights in the work of his office to prosecute cybercrime and laid the groundwork for a productive discussion on the topic.

    Participants in the exercise worked together to determine appropriate responses and mitigation strategies to the real-world scenario at hand, using existing regulations, policies, and procedures. The cybersecurity experts and practitioners in the room shared a wealth of information, including tips and lessons learned from some of the most sophisticated cybersecurity incidents they either investigated or helped large companies resolve and mitigate. They also discussed issues that often arise when working with law enforcement and encouraged attendees to consider all the resources available to them in the event of a cyber incident, including through state and federal law enforcement agencies, and the set of standards and guidelines that they should follow.

    Francesca Spidalieri, Pell Center Senior Fellow for Cyber Leadership, moderated the event and provided additional input and suggestions. As she is often quoted saying, she reminded the audience that: “There are really only two kinds of organizations: those that have been hacked, and those that don’t know they have been hacked. And that is why it is key to prepare before a breach happens.”

    Each table, composed of lawyers, cybersecurity practitioners, corporate executives, and law enforcement officials, worked together to define a set of actions in reaction to each module of the event scenario. A representative of each table presented their findings, to which panelists offered constructive criticism and additional tips on successful mitigation strategies and post-breach measures. Module two, for example, presented an interesting challenge: whether or not to pay a costly extortion demand from the antagonist in the exercise. This gave the scenario an extra level of complexity, and panelist Don Ulsch emphasized the importance of understanding the full impact of such a demand for any company and the broad spectrum of risks and consequences of the decision to pay (or not pay) the ransom.

    The panel also addressed disclosure obligations under current securities laws—some of which may require a disclosure of cybersecurity risks and incidents in financial statements—and the pre- and post-breach guidance that may shape the way Boards of Directors address fiduciary obligations as part of corporate governance. Among the other major takeaways identified by participants were: the recognition that leadership plays a key role in establishing and sustaining an organizational culture of cybersecurity; the acknowledgment that developing relationships with law enforcement organizations pre-breach is fundamental; and the importance of emphasizing employees’ cybersecurity training.

    Attendees left the tabletop exercise with a road map on how to advise their companies and their clients facing a cyber incident, and on how to better prepare, respond, remediate, and survive a cyber attack.


    Learn more about the Rhode Island Corporate Cybersecurity Initiative here. 

  • Picks of the Week: Protect Yourself from a Digital Grinch During the Holiday Season!


    Don’t Get Grinched by Cybercrime During the Holiday Season | The New York Times

    Retailers Scrambling Against Latest Credit Card-Stealing Malware | Fortune

    Avoid Scams This Holiday Season | U.S. Immigration and Customs Enforcement

    With exactly two weeks left in the holiday season, online sales—which, according to comScore, surpassed $3 billion on Cyber Monday, making it the largest online spending day in history—are expected to bring in at least $1 billion a day for online retailers from now until the holidays are over.

    But as millions of consumers flock to the Internet as their preferred, convenient “one-stop-shop” for all gift-buying needs, hackers and cyber criminals are not too far behind, as they aim to take advantage of the holiday rush by preying on the naiveté of shoppers looking to score a holiday deal. As a result, consumers should be prepared for an even higher risk of online fraud across all channels than in past years. In fact, one in 86 transactions may be fraudulent, according to new data from ACI Worldwide, and hackers are also targeting retailers with a new wave of malware intended to steal credit card and debit card information directly from payment terminals at the stores.

    The recent push by banks to implement security chip-enabled credit cards and by merchants to install chip-reading terminals in stores may prevent hackers from creating counterfeit credit cards, but they are no defense against fraudulent “card not present” transactions, such as those that occur online.

    While security experts are still working to find possible solutions against the latest malware and scam techniques, here are some tips on how to protect yourself from online Grinches this holiday season:

    • Buy only from reputable merchants and websites, and be wary of emails and pop-up messages asking for your password, credit card number, or personal information—No established business would ask consumers to disclose such information via email or pop-up. Do not reply or click on the links in these messages as they may take you to copycat malicious websites. Instead, look at the specific email address and domain name of the sites first to make sure it’s really from the retailer and not a close derivative, and then contact the legitimate organization directly to verify the request.
    • Use strong passwords and use a different one for each online account—Create long, complex passwords using upper and lower-case letters, special characters and numbers. A password with at least 10 characters is generally recommended. Various password management programs (1Password, KeePass, or LastPass) exist to help you manage your various passwords so that you are not overwhelmed. These programs are safe and secure, and they can generate hard-to-crack passwords for you.
    • Be skeptical of deals that sound too good to be true—Do not fall for rock bottom bargains unless you make certain they are legitimate by contacting the merchant and asking questions before making a purchase. If a deal seems too good to be true, it probably is.
    • Do not send cash or wire money for payment—Pay with a credit card or, even better, gift/charge card. The best option is to keep a separate credit card for online purchases.
    • Check your credit card activity daily and keep an eye out for “microcharges”—Hackers often test cards to see if they are valid by charging small amounts of $1 or $2. If those cards are found to be valid, they can then sell them to other crooks for a premium. If you notice any unauthorized charges, immediately contact your bank.
    • Be alert for potential charity donation scams—Think before clicking on emails requesting donations. Make a contribution by navigating to the trusted web address of the charity, never through a link in an email.
    • Secure your computer and mobile devices—Keep your anti-virus and anti-spyware software up to date, along with your firewall. They will help monitor all online activities and protect your computer from viruses, worms, Trojan horses, and other types of malicious programs.
    • Don’t use public Wi-Fi for personal banking or online shopping—Personal information should never be sent through unsecured wireless connections in public places. Get your Starbucks Peppermint Mocha and don’t stay for the free Internet!
    • Use your smartphone wisely—Mobile devices offer convenient consumer resources but may also provide cyber criminals with your personal and account information.

    Follow Francesca on Twitter @Francesca_cyber.

  • Senior Fellow contributes to international publication on countries’ Cyber Readiness

    Pell Center Senior Fellow Francesca Spidalieri provided extensive research and analysis for a new international publication on countries’ cyber readiness levels and the practical steps national leaders can take to protect their increasingly interconnected society and digital economy.

    Newport, R.I. – The “Cyber Readiness Index 2.0, A Plan for Cyber Readiness: A Baseline and an Index,” published by the Potomac Institute for Policy Studies (PIPS), examines 125 countries and evaluates their maturity and commitment to securing their cyber infrastructure and services. The methodology includes over 70 unique data indicators across seven essential elements: national strategy, incident response, e-crime and law enforcement, information sharing, investments in research and development, diplomacy and trade, and defense and crisis response. By applying this actionable blueprint, countries can better understand their Internet-infrastructure dependencies and vulnerabilities and assess their preparedness for cyber risks.

    Dozens of country examples are used to illustrate innovative and multicultural solutions towards becoming cyber ready. As lead author Melissa Hathaway stated, “the Cyber Readiness Index 1.0 was launched in Australia two years ago and has influenced many countries around the world. We hope the CRI 2.0 has even broader impact.”

    Today, most nations recognize what fast, reliable, and affordable communication systems and Internet-facing services can yield for their economic growth. But few of them consider the exposure and costs of less resilient critical services, theft of corporate proprietary data and state secrets, and the impact of e-fraud and e-crime—all of which lead to economic and national security instability. Put simply, a country’s cyber insecurity is a tax on growth; and resilient, connected societies must drive modernization with security at its core.

    “Instead of simply studying the problem,” said Pell Center Senior Fellow Francesca Spidalieri, “the CRI represents a new way of approaching the interconnected nature of information communication technologies and offers a framework that we hope will spark international discussion and inspire global interest in addressing the economic erosion from cyber insecurity.” Indeed, the CRI methodology identifies areas where national leaders can improve their country’s current cyber security posture by leveraging laws, policies, standards, and market levers (e.g. incentives and regulations), and implementing other initiatives to preserve the security of their connectivity and protect the value of their economy.

    In addition, Spidalieri applied a modified version of the CRI 1.0 methodology in her most recent study on the “State of the States on Cybersecurity” to assess current levels of cyber readiness across states in the United States. The study, published by the Pell Center, highlights effective mechanisms and innovative solutions that state governments and their leaders can adopt to better protect critical infrastructure, enhance cyber incident response, promote information sharing, grow their cybersecurity industry, and attract qualified talent to their states. The full report is available for download here.

  • Picks of the Week: How Paris Attacks Will Change Cybersecurity

    What the Paris Attacks Means for the Future of Cybersecurity | Fortune

    Poisoning the Internet won’t Stop more Paris Attacks | The Christian Science Monitor

    After Paris, Encryption will be a Key Issue in the 2016 Race | Wired

    The recent terrorist attacks in France, Egypt, and Lebanon have rapidly reopened the global debate on the appropriate balance between national security and our privacy online. While many of us believe our right to privacy extends to the Internet, others have used the unspeakable violence of recent weeks to advocate for backdoors into secure communications and increased online surveillance. As Jason Healey recently wrote, “the Islamic State’s brutality in France may tilt the pendulum toward security [in this debate].” But even he acknowledges that “whether tamping down on the Internet will keep anyone safer is unknown, but it will certainly diminish the Web as an engine of global innovation.”

    The events in Paris have thrust these issues onto the front pages of newspapers worldwide because, in the wake of the attacks, many of us have asked the same question: how could ISIS execute such a complex attack while evading detection from intelligence services? The answer so far appears to be that the perpetrators employed some type of encryption in their digital communications. Experts have hypothesized at least three different possibilities: either the attackers used powerful over-the-counter encryption to communicate and coordinate the attacks; or they collaborated on the dark web; or they just stopped using technology for coordination once they reached a certain level of operational readiness.

    Today, virtually anyone—terrorists, criminals, state actors, non-state actors, etc.—can employ advanced encryption techniques in addition to other software and services to slip through security and surveillance.

    In the aftermath of the Paris attacks, US officials are rehashing their argument that would-be terrorists have “gone dark” after the Edward Snowden revelations, making the case that Snowden’s actions tipped-off potential criminals as to how the US conducts surveillance online, enabling them to take counter-measures to avoid it.

    Technology companies, privacy advocates, computer security personnel, and encryption experts, however, oppose the idea of providing so-called “backdoor” access to encryption, which they argue would make Internet data more vulnerable and significantly weaken Internet security for everybody. “Hacking of personal information and web sites,” they argue, “seem like the more possible outcome rather than detection of terrorist activity.”

    Just last month, in fact, the White House overruled law enforcement’s request to push tech companies to create such backdoors. Indeed, the White House concluded that creating such backdoors would increase US citizens’ vulnerability to foreign government, cyber criminal, and terrorist intrusions.

    Time will tell whether the Paris attacks will change the White House and other countries’ view on this sensitive debate, and whether cybersecurity will finally take center stage in the national security conversation going into the 2016 presidential race. What is certain is that the battle over encryption and other privacy-related technologies won’t be over anytime soon and it will continue to reflect the larger public policy debates on the balance between national security and civil liberties. As we move in the next decade into a world where far more powerful computing capability will come online, such as quantum computing, the ability for every person to encrypt their communications at levels that may not be able to be decrypted will only help sharpen that debate. – Senior Fellow Francesca Spidalieri

  • Picks of the Week: Senate’s Cybersecurity Bill is a Starting Point, not the Finish Line


    The Problems Experts and Privacy Advocates Have with the Senate’s Cybersecurity Bill | Forbes

    Senate Passes Cybersecurity Information Sharing Bill Despite Privacy Fear | The Washington Post

    Ex-NSA Chief Warns of Cyberspace Dangers | U.S. News and World Report


    Last week, the bipartisan and long-anticipated Cybersecurity Information Sharing Act (CISA)—a bill designed to bring together the departments of Defense, Justice, and Homeland Security in their efforts to combat cyber crime and to encourage the voluntary sharing of cyber threat information—passed in the Senate by a wide margin. The Act’s passage, however, was not without controversies.

    Proponents of the bill have called it a necessary tool in the fight against the constant cyber threats facing businesses and government alike, and have highlighted the need for greater collaboration between the public and private sectors following the mega data breaches of the past couple of years. Under the legislation, government agencies, corporations, and other organizations would be legally allowed to share information that could potentially help identify cybercriminals, mitigate the risks from cyber attacks, and help them take preemptive measures against those potential attacks and their perpetrators. Retired Army Gen. Keith Alexander, former chief of the NSA and U.S. Cyber Command, testified in favor of the measure before the Senate Armed Services Committee on Wednesday and praised lawmakers for passing the CISA bill, but also warned that more incentives will be needed to promote information sharing and to encourage companies to promptly alert government agencies of cyber intrusions. “In cyberspace, to go halfway around the world takes 67 milliseconds,” he said. “I believe that those that want to do us harm can do that in one swipe … if that happens, the cost to our nation could be measured in the trillions.”

    Opponents of the bill argue that it would impinge on civil liberties by effectively opening the door to the unchecked sharing of information between private companies and the government. Critics believe that the vague language in the bill could pave the way to short-circuit warrant requirements that government agencies must abide by when seeking certain domestic information. There are major concerns regarding how cyber threat information will be shared, to what extent companies will be required to anonymize the information they share with other entities, and how that information will be managed and disseminated.

    Doubts and critics aside, most view the fact that the Senate passed a cybersecurity bill at all as a success in and of itself. Lawmakers have spent nearly a decade attempting to pass comprehensive cybersecurity legislation, so it is no surprise that the passage of this bill was hailed as a significant step in the right direction in the fight against hackers and cybercriminals. The problem, however, is that the legislative process never moves as fast as cyber-criminals. While this and other similar bills grew stale during seemingly-endless years of compromise and contention in Congress, hackers refined their criminal craft and developed more sophisticated methods of attack. As a result, CISA may not be as effective as hoped in the prevention of cybercrime and it may have not prevented some of the most damaging data breaches that have made headlines in recent months, such as the ones at OPM, Sony, and Target.

    That being said, although supporters of the information sharing bill assure the public that sufficient privacy protections are included in it, the bill still has many hurdles to pass before it can become the law of the land. It will have to be reconciled with the two similar bills passed by the House in April—the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act—and ultimately a combination of the three Acts will make its way to the White House for final authorization through the President’s signature.

    These developments notwithstanding, we must remember that sharing threat intelligence alone is not going to prevent or mitigate specific threats if that information is not properly and timely processed, operationalized, and ultimately incorporated into an overarching cybersecurity strategy and risk mitigation platform within any given organization. The road to that goal is a long one, and we have only just begun to pull away from the starting line. – Senior Fellow Francesca Spidalieri

  • Pell Center Releases “State of the States on Cybersecurity” Report

    Eight States Lead the Rest in Cybersecurity Readiness

    New Pell Center study establishes benchmarks for state government in meeting the cyber threat

    Newport, R.I. — Eight U.S. states are leading the rest in cybersecurity readiness. In a new report from the Pell Center at Salve Regina University, Senior Fellow Francesca Spidalieri reviews the efforts of state governments in California, Maryland, Michigan, New Jersey, New York, Texas, Virginia, and Washington. These states provide a collective overview of sound approaches to “protect infrastructure, information, and operations.”

    The study, “State of the States on Cybersecurity,” highlights effective mechanisms and creative solutions that state governments and their leaders have devised to take advantage of existing assets, to better protect critical infrastructure, to promote information sharing, to grow their cybersecurity industry, and to attract qualified talent to their states.

    States were chosen based on their recognition of cybersecurity as a priority and their strong commitment to increase their security and resilience against cyber threats. “These states are exercising their responsibility through both government action by leveraging policies, plans, laws, regulations, and standards, and by providing the right set of incentives and assistance for other stakeholders,” said Spidalieri.

    “With greater and greater frequency, state governments are falling victim to an array of cyber threats, including data breaches, tax fraud, and political hacktivism,” said Pell Center Executive Director Jim Ludes. “This new study shines a light on the states that are leading the way in preparing for and mitigating these threats so that others can follow.”

    According to Spidalieri, “Local and state governments, just like the federal government, hold the information of millions of people and depend on information communication technologies and the Internet to provide a number of services to their citizens, to maintain critical infrastructure as public utilities, to share information across states and federal networks, and to make sure that first responders receive the data they need in crisis situations. This is why it is critical,” she continued, “that states protect their cyber infrastructure and digital investments and develop comprehensive plans to increase their preparedness and resilience.”

    It is important that cybersecurity measures are enforced at the state-level to protect citizens and reduce cyber risks. Maintaining the most recent security products, tools, and plans is just as important as educating users in the proper practices to reduce their cyber risks. The initiatives exemplified throughout this new report provide models for other states and jurisdictions to follow and offer a useful set of effective mechanisms and activities at the state-level to put recommended action into practice.

    “State of the States on Cybersecurity” is part of the ongoing Cyber Leadership Project at the Pell Center and follows previous reports that investigate critical issues in cybersecurity leadership development across the United States.

    The full report is available for download here.

  • Picks of the Week: Government Struggles with Cybersecurity Vulnerabilities

    How the Story of Hillary Clinton’s Emails Has Changed | The New York Times

    AP Exclusive: Under Clinton, State’s Cybersecurity Suffered | Associated Press

    Teen Who Hacked CIA Director’s Email Tells How He Did It | Wired

    While Hillary Clinton continues to face scrutiny for her email practices and the use of a private server during her tenure as Secretary of State, other government officials have recently had other problems with their email. This week, a hacker claimed to have broken into the personal email accounts of CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson. It remains unclear whether the officials were using their personal accounts to conduct government business or if they simply used them to occasionally store email and documents from work. Nonetheless, the hacker was able to access highly sensitive information, such as the SF-86 application Brennan had filled out to obtain his top-secret government security clearance, which is similar to the millions of SF-86 applications that were obtained when hackers broke into the networks of the Office of Personnel Management (OPM).

    News of this latest breach came on the same day as the Associated Press reported that the State Department was assessed as being among the worst agencies in the federal government at protecting its computer networks. Although inspectors general have expressed concerns about the cybersecurity posture of the State Department since 2009, these deficiencies point to a broader problem in the government’s handling of security issues and sensitive data that can be difficult to correct, according to experts and official reports. Indeed, another report released by the Government Accountability Office (GAO) back in September had identified “persistent weaknesses” in information security and the lack of strong cybersecurity measures in over 20 federal agencies.

    OPM, for instance, was harshly criticized over the summer after acknowledging that breaches of government databases exposed sensitive personal information of over 22 million people. Months later, we still get reports revealing the hack was worse than previously disclosed. Just a few weeks ago, OPM admitted that five times as many fingerprints were stolen as originally estimated!

    While the State Department may be a higher target for foreign intelligence services than other government agencies due to the sensitivity of the information exchanged, the latest breaches are indicative of government-wide security problems that need to be addressed. The Department of State’s inspector general, in fact, identified many of the same basic cybersecurity shortcomings found in other agencies, and there is really no oversight to make sure individual agencies follow even basic compliance.

    Policymakers and other government leaders will continue to struggle to be taken seriously in this space as long as their own defenses remain so bad and the agencies they lead or work for do not improve their cyber deficiencies and implement effective risk management programs. As I have argued before, our leaders have a responsibility to master and develop good cyber policy and secure the country’s most valuable, sensitive information. This means that politicians and public officials at the highest levels need to have a basic understanding of cybersecurity, and—critically—that we can’t let important cybersecurity lessons be lost in a political turf war. Unfortunately, few of them have actually taken the time to educate themselves about the most pressing cyber threats and the basics of cybersecurity, and even fewer are taking proactive steps to make cybersecurity a priority.

    During the first Democratic debate, for example, candidate Jim Webb was the only one to mention cybersecurity as one of the major threats facing the U.S. right now, and former Florida Governor and Republican candidate Jeb Bush is the only one to have articulated some kind of plan on his website for dealing with it so far. All presidential candidates, however, should be more articulate and proactive on cybersecurity issues, just like they are on issues from debt to foreign policy to immigration. The future president, regardless of the party, will have to make cybersecurity (e.g. resiliency, privacy, and security) a priority for their administration and think of this issue in terms of both national security and economic stability. – Francesca Spidalieri

  • The Pell Center declares its Cyber Awareness for National Cyber Security Awareness Month

    Picks of the Week: Cybersecurity Awareness Month at the Pell Center

    National Cyber Security Awareness Month Kicks Off In Nation’s Capital | PR Newswire

    Presidential Proclamation – National Cybersecurity Awareness Month, 2015 | The White House

    Rhode Island Cybersecurity Commission Report Delivers Plan to Enhance Cybersecurity Efforts Statewide and Nationally | Rhode Island Office of the Governor

    October marks National Cyber Security Awareness Month, in which citizens and businesses alike are encouraged to learn more about online safety and information security with the goal of raising awareness about cybersecurity and increasing the nation’s resilience in the event of a cyber incident.

    Recognizing the importance of cybersecurity issues, President Obama designated October as National Cyber Security Awareness Month in 2004, and this year kicked things off with a presidential proclamation that highlighted his executive order to promote information sharing between government and industry, as well as the implementation of the National Cybersecurity Framework. “We now live in an era of the Internet—our children will never know a world without it,” Obama’s proclamation reads. “Our financial systems, our power grid, and our health systems run on it, and though widely helpful, this reliance reminds us of our need to remain aware, alert, and attentive on this new frontier. By working together to prevent and disrupt threats to our digital infrastructure, America can continue pioneering new discoveries and expanding the boundaries of humanity’s reach.”

    National Cyber Security Awareness Month is a coordinated effort of the National Cyber Security Alliance (NCSA), the U.S. Department of Homeland Security (DHS), the Multi-State Information Sharing and Analysis Center (MS-ISAC), as well as companies, schools, and nonprofit organizations around the country.

    To assist with this national effort, the Pell Center is posting cybersecurity tips daily on social media throughout the month, and is hosting multiple cybersecurity-related events, including a panel discussion on “Cybersecurity, the Internet, and the U.S. Presidential Race,” and a Cyber Resilience Workshop. The Pell Center will also host the second Summit of the Rhode Island Cybersecurity Commission, which was created by RI Governor Gina Raimondo in May 2015 to assess the state’s cybersecurity infrastructure and recommend ways to enhance the resiliency of government operations within all executive branch agencies and to promote the growth of a cybersecurity industry and workforce in Rhode Island. In addition, the Pell Center has provided extensive research and insights for the first RI Cybersecurity Commission’s report—released yesterday—which includes detailed recommendations to enhance the cybersecurity posture of the state and start developing a strong cyber ecosystem in Rhode Island. Later this month, the Pell Center will also publish a more detailed study of the current level of ‘cyber readiness’ for states across the nation.

    Although the theme of this second week of National Cyber Security Awareness Month is “Creating a Culture of Cybersecurity at Work,” the reality is that no individual, business, or government entity is immune to cyber risks and none of them is solely responsible for securing their own Internet connectivity and digital assets. All of us have a role to play in securing our part of cyberspace and the information we create, store, and process through the devices and networks we use. Cybersecurity is a shared responsibility—we are, as they say, in this together. Individual actions have a collective impact, and when we use the Internet safely we make it more secure for everyone. If each of us does our part by implementing stronger security practices and adopting better cyber hygiene, we can collectively become a more resilient and safer digital society. – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Picks of the Week: As One World Leader Leaves the Nation’s Capital, Another Arrives

    Same (Red) Carpet, Different Climate

    Conflict Flavors Obama’s Meeting With Chinese Leader | New York Times

    Full Transcript: Interview With Chinese President Xi Jinping | The Wall Street Journal

    A President and A Pope Head to Washington | The Washington Post

    Two prominent world leaders—Pope Francis and Chinese President Xi Jinping—are in Washington DC on official state visits this week, and although both leaders will be afforded red-carpet treatment, they come with different agendas and will find different climates awaiting them in DC. The stark contrast between the Pope’s visit and President Xi’s visit has been palpable in recent days and is testing Washington’s diplomatic, political, and organizational abilities. While the Pope has been welcomed with ceremonial displays of respect and cooperation by state officials, and has drawn hundreds of thousands of people to his events, President Xi will have state ceremonies and meetings with business leaders (largely behind closed doors), but has also already been confronted by a series of demonstrations by human rights activists protesting China’s repression of online expression and other human rights abuses.

    President Xi leads an economic superpower that U.S. officials believe is responsible for widespread theft of government and corporate secrets, from nuclear power plant designs to search engine source code to the confidential negotiating positions of energy companies to the massive breach of the Office of Personnel Management’s computers. Indeed, his visit comes as the U.S. is wrangling over whether to impose economic sanctions against Chinese companies and individuals who have benefited from the theft of U.S. intellectual property and trade secrets. Tensions between the two countries extend to a range of other issues as well, including maritime skirmishes in the South China Sea and China’s efforts to devalue its currency in the face of the recent stock market plunge.

    China has consistently denied accusations of cyberspying, but the dispute with China highlights the different climates that are preceding—and characterizing—the visits of Pope Francis and President Xi. In an interview with The Wall Street Journal, President Xi said that “China takes cybersecurity very seriously,” that his government “does not engage in theft of commercial secrets in any form,” and that China does not encourage Chinese companies to do so either.

    Sanctions are unlikely to be imposed while President Xi is visiting the U.S., and it is even expected that President Xi and President Obama may announce an agreement on principles governing the use of cyber attacks against critical infrastructure, embracing a commitment by each country that it will not be the first to use cyber weapons to cripple the other’s critical infrastructure during peacetime. President Xi has declared that China is ready to collaborate with the U.S. and the international community “to build a peaceful, secure, open and cooperative cyberspace on the basis of the principles of mutual respect and mutual trust.” It remains to be seen whether President Obama will confront President Xi directly over the contentious issues, in an attempt to push both parties to draw some lines around their behavior, or whether he will instead celebrate an unexpected partnership on issues like climate change and Iran and handle the frictions over cyber espionage, maritime security, and human rights in private.

    As the same red carpet was ceremonially rolled up after the Pope’s departure yesterday afternoon, then ceremoniously unrolled in the same spot for President Xi’s arrival in the evening, the world was watching to see whether either state visit would have any practical effect in the fight to end poverty, income inequality, climate change, human rights abuses, and economic espionage. More likely than not, progress will not be achieved over one state dinner, and more discussion and time will be needed before results are reached. – Francesca Spidalieri

  • IRS Hacked…Again!

    Although many people may seek to avoid phone calls from the IRS, this is one you’ll want to take—the IRS is contacting nearly 100,000 people because hackers stole their personal (and sensitive) tax information. In addition, the hackers attempted to pilfer an extra 100,000 tax returns but were unsuccessful, according to the agency. The IRS breach is just the latest bullet point in an endless list of cyber exploits that we have now grown accustomed to.

    Officials said this was part of an elaborate scheme that began in February and most likely originated in Russia, aimed at stealing identities and claiming fraudulent tax refunds. The entry point for the hackers was an online service run by the IRS called “Get Transcript,” which is used to download previous filings. The hackers used previously stolen information—probably retrieved from other hacks and then sold in online black markets—to access the IRS website and obtain even more information about the taxpayers, including their Social Security number, date of birth, tax filing status, and street address. As an immediate countermeasure, the IRS shut down the affected website, and it is notifying affected taxpayers of the breach and providing them with credit-monitoring services.

    Thieves, however, can still use the information to claim fraudulent tax refunds in the future and use the old tax returns to complete credible-looking forms, thus helping them evade the IRS’s defenses. Typically, thieves try to file fake tax returns with made-up information early in the filing season, before the legitimate taxpayers can file their returns—and before employers and financial institutions file wage and tax documents with the IRS. While efforts to combat fraud have increased, too many instances of preventable fraud are slipping through the cracks. Criminals continue to adapt and outpace security measures, and even the filters and additional safeguards the agency has added to its computer systems to prevent similar schemes are unable to identify all suspicious returns or to stop brute-force attempts against applications like “Get Transcript.”

    This latest incident should be a wake-up call for government agencies, regulators, and even Congress to work with private tech firms to end reliance on weak online authentication schemes and the commonly known flaws in the use of text passwords and security questions, and to work with the tax preparation industry to use some of their data and tools that can help identify potential fraudsters.
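    The two weaknesses this piece keeps returning to are guessable security questions and an application that will keep answering an unlimited number of attempts. The following is an added example, not code from the original post or from any IRS system, of the two controls a defender would put in front of such a knowledge-based-authentication (KBA) endpoint: locking an account after a few wrong answers, and flagging any source that touches many distinct accounts in a short window (the pattern of someone working through a list of bought identities). The endpoint, the log format, the thresholds, and the log lines themselves are all constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical; not real IRS data). One line per
# attempt to answer the KBA questions guarding a transcript download:
# "timestamp,source_ip,account_id,result", where result is ok or fail.
# The first source cycles through many accounts with answers bought elsewhere;
# the second keeps guessing at one account until it finally gets them right.
SAMPLE_LOG = """\
2015-05-01T09:00:00,198.51.100.7,acct-1001,fail
2015-05-01T09:00:05,198.51.100.7,acct-1001,fail
2015-05-01T09:00:09,198.51.100.7,acct-1001,ok
2015-05-01T09:00:20,198.51.100.7,acct-1002,fail
2015-05-01T09:00:31,198.51.100.7,acct-1003,ok
2015-05-01T09:00:44,198.51.100.7,acct-1004,fail
2015-05-01T09:00:50,198.51.100.7,acct-1005,fail
2015-05-01T09:01:02,198.51.100.7,acct-1006,ok
2015-05-01T09:30:00,203.0.113.9,acct-2001,fail
2015-05-01T09:30:40,203.0.113.9,acct-2001,fail
2015-05-01T09:31:10,203.0.113.9,acct-2001,fail
2015-05-01T09:31:30,203.0.113.9,acct-2001,ok
2015-05-01T10:15:00,192.0.2.44,acct-3001,ok
"""


def parse_log(text):
    """Turn the CSV-style sample into (timestamp, ip, account, passed) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, acct, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, acct, result == "ok"))
    return events


def evaluate_attempts(events, max_failures=3, max_accounts=5,
                      window=timedelta(minutes=10)):
    """Replay attempts in time order and apply two controls.

    - Account lockout: `max_failures` wrong answers within `window` lock the
      account; later attempts are refused before the answer is even checked,
      so a correct guess arriving after the lockout still fails.
    - Source flagging: a source that touches more than `max_accounts`
      distinct accounts within `window` is flagged for review.

    Returns (locked_accounts, flagged_sources, decisions); each decision is
    (account, source, action) with action in allow / deny-bad-answer / deny-locked.
    """
    fail_times = defaultdict(deque)      # account -> recent failure timestamps
    locked = set()
    accounts_by_source = defaultdict(dict)  # ip -> {account: last seen}
    flagged = set()
    decisions = []

    for ts, ip, acct, passed in sorted(events):
        # Source view: prune stale accounts, then count distinct ones.
        recent = accounts_by_source[ip]
        recent[acct] = ts
        for other, last in list(recent.items()):
            if ts - last > window:
                del recent[other]
        if len(recent) > max_accounts:
            flagged.add(ip)

        # Account view: lockout is checked before the answer is evaluated.
        if acct in locked:
            decisions.append((acct, ip, "deny-locked"))
            continue
        if passed:
            fail_times[acct].clear()
            decisions.append((acct, ip, "allow"))
            continue
        fails = fail_times[acct]
        fails.append(ts)
        while fails and ts - fails[0] > window:
            fails.popleft()
        if len(fails) >= max_failures:
            locked.add(acct)
        decisions.append((acct, ip, "deny-bad-answer"))

    return locked, flagged, decisions


def summarize(text=SAMPLE_LOG):
    """Run the controls over a log and report what they would have caught."""
    locked, flagged, decisions = evaluate_attempts(parse_log(text))
    counts = defaultdict(int)
    for _, _, action in decisions:
        counts[action] += 1
    return {"locked": sorted(locked), "flagged": sorted(flagged),
            "counts": dict(counts)}


if __name__ == "__main__":
    print(summarize())
```

    On the constructed log the lockout stops acct-2001 even though the fourth attempt carries the right answers, and the first source is flagged for touching six accounts inside ten minutes although most of its individual answers were correct. That second signal is the one that matters for a Get Transcript style incident: when the attacker already holds the victims’ data, per-account failure counts stay low and only the per-source view shows the pattern.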

    This is not the first time the IRS has been targeted by identity thieves, both foreign and domestic, and most likely won’t be the last time either. The IRS hack, while small in overall numbers, demonstrates the vulnerability of the US tax system and of people’s most sensitive data. It is particularly disturbing since the risk isn’t confined to online users but extends to every US resident. Just as the data breaches in 2013 and 2014 lit a fire under Visa and Mastercard to accelerate deployment of more secure point-of-sale systems to counteract credit card vulnerabilities, this incident should create momentum around the need to move beyond passwords and personally identifiable (and guessable) security questions for login access, and to work with the tax preparation industry to combat fraud, prevent theft from the US treasury, and strengthen the integrity of the US tax system. Clearly, this will require concerted efforts by government and industry to work together to strengthen the nation’s financial system against similar threats. Until then, you might want to answer the phone if the IRS is calling.

    IRS Hacked, 100,000 tax accounts breached | USA Today

    IRS Believes Massive Data Theft Originated in Russia | CNN

    The IRS Could Have Prevented Its Latest Data Hack. Time For Some TFA | Forbes