Pages

6 April 2016

Still room for improving U.S.-China cyber relations

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.

With help from Darren Goode and Joseph Marks

TODAY: CYBERWAR ON DONALD TRUMP — It might be an unpleasant day for the Republican presidential candidate in cyberspace, POLITICO’s Darren Samuelsohn writes. “The Internet hacking collective Anonymous and its allies have promised April 1 will serve as their launching point for a ‘total war’ on the Republican front-runner that includes shutting down his websites and conducting other digital mischief to ‘dismantle his campaign and sabotage his brand.’” Samuelsohn spoke to a hacker going by the name Compiled who boasted, “We have more than enough knowledge and power on our team to do almost whatever” — and even though Trump might have bolstered cyber defenses after a series of attacks in the past year, “there’s still vulnerability and we know how to take it down.”

STILL NOT BESTIES — Despite last year’s agreement between the U.S. and China to forbid cyber theft of intellectual property, President Barack Obama pointed out Thursday during Chinese President Xi Jinping’s visit that there’s not complete harmony. “Now, as has been true in the past, we will have a candid exchange about areas where we have significant differences — issues like human rights, cyber and maritime issues,” Obama said in a joint appearance. For his part, Xi said the two presidents would “explore possibilities of deepening cooperation” in cybersecurity, among other areas.

Mayer Brown JSM’s Xiaoyan Zhang told MC there’s still room for improvement between the two countries, to say the least. “Since last year’s cyber agreement, the alleged cyberattacks between the United States and China have not lessened” — in fact, it might be more accurate to say “they have increased,” said Zhang, who is counsel of the Intellectual Property and Technology, Media and Telecoms group and is based in Hong Kong and Shanghai. The lack of a binding treaty makes last year’s deal little more than a high-level agreement to general principles, she said. But she expects the two sides to work toward putting flesh on bone, even if the two presidents didn’t get there Thursday: “I think there will be a little more definite and specific agreements coming out.”

HAPPY FRIDAY and welcome to Morning Cybersecurity! Nothing in today’s newsletter is an April Fools’ Day prank, so far as we know. Send thoughts, feedback and especially your tips to tstarks@politico.com and follow @timstarks,@POLITICOPro and @MorningCybersec. Full team info is below.

LEARNING TO READ — Nasdaq and cybersecurity company Tanium teamed up with researchers at Goldsmiths, University of London, to assess vulnerabilities at major corporations and rank them according to risk, concluding that 10 percent had a high vulnerability, 80 percent medium and 10 percent low. The survey of top corporate officials at the high vulnerability companies worldwide turned up some interesting results. Among them: “91% of the high vulnerable board members say they can’t interpret a cybersecurity report,” which prevents them “from asking the right questions.” Two out of every five high-vulnerability respondents said they wouldn’t feel responsible for a cyberattack. The report — “The Accountability Gap: Cybersecurity & Building a Culture of Responsibility” — is out this morning.

CARLIN: CYBER TERRORISM ONLY A MATTER OF TIME — There’s no question ISIL and Al Qaeda would like to attack U.S. critical infrastructure with cyber weapons and it’s only “a matter of time before they acquire some of the capability they’re after,” Assistant Attorney General John Carlin said Thursday. The evidence that they haven’t acquired the capability yet is simply that they haven’t used it, Carlin told an audience of corporate attorneys at the Incident Response Forum. In addition to an attack against a bank or power plant, terrorists might be interested in using more common hacking tools, such as ransomware, to deadlier ends, Carlin said. “There’s not going to be a dollar amount you can pay,” he said. “They’re going to hope, for instance, to deny you your [hospital] patient records and hope that results in the loss of somebody’s life.” Carlin also offered remarks on other cyber topics including the Iran indictments and information sharing.

CONTRACTING WOES AT DHS — A major Homeland Security Department initiative to bolster federal government cybersecurity fell behind its acquisition schedule in 2015, a Government Accountability Office audit out Thursday found. The Continuous Diagnostics & Monitoring program had trouble issuing solicitations, selecting vendors and awarding contracts at various points in its development, according to the GAO. But another initiative — the National Cybersecurity Protection System — was on track as of last year. The GAO review of major DHS acquisitions also cited expanded cyber testing as a factor in some programs falling behind schedule. On Twitter, the House Homeland Security Committee called for passage of a bill that it said would improve DHS’s acquisition process to save taxpayer dollars.

MINOR HACKING OFFENSES — When FBI investigators set their sights on a malicious cyber criminal, they sometimes find … a teenager, said David West, assistant section chief for the bureau’s cyber division. When that happens, it’s common for the FBI to refer the case to local law enforcement rather than pursue it themselves, West said Thursday. “We have to make a decision whether or not the full weight of the federal government is the right thing,” he said at the Incident Response Forum. “When we’re dealing with minors, in many cases, we work with our district attorneys and prosecutors and we refer those investigations.” The frequency of finding teen cyber criminals is dropping, West said, but the overall trend of cyber crime is going up. “Unfortunately, people have found out that cyber crime pays, so we have traditional criminals migrating to cyber crime,” he said.

OPEN FOR BUSINESS — As of Thursday, security researchers can begin signing up for “Hack the Pentagon,” a bug bounty program to help the Defense Department tackle vulnerabilities on its website. The initiative, a partnership with HackerOne, begins April 18 and ends May 12, and the department has set aside $150,000 for payouts. Enlist here.

ARMY CYBERCOM SEEKS ANALYSTS — The Army released the first notice Thursday for a possible contract to provide a slew of operations and analytical services to Army Cyber Command’s training and doctrine office at Fort Gordon, Ga. The contractor would provide analysis supporting Army cyber operations and help develop and maintain the Army’s portion of the Joint Information Environment, a planned cross-service computer cloud, according to the notice. The posting is a sources sought notice, which means the Army hasn’t committed to buying anything and is just doing market research.

FTC VS. RANSOMWARE — The FTC has scheduled a Sept. 7 seminar on the growing ransomware problem, including whether public education campaigns and antivirus and other technologies are up to par. “And we have no predetermined answer to that question, we really are trying to figure this out,” said Dan Salsburg, chief counsel at FTC’s Office of Technology, Research and Investigation.

Recent headlines have focused on how ransomware has hit the health care industry, including an attack this week that forced MedStar Health to shut down computers at 10 hospitals in the Washington, D.C., area. But the problem for consumers and businesses is far more pervasive. “What you hear publicly now in terms of significant compromises is not necessarily reflective of who actors are targeting,” said John Miller, director of ThreatScape Cyber Crime at iSIGHT Partners. Miller added that user and business education, such as simply stopping people from opening malicious documents, keeping computer security systems updated and ensuring data is backed up, can go a long way. “It sounds really simple but it’s actually one of the most effective solutions,” Miller said.

KEEP QUIET, THE GOVERNMENT’S LISTENING — People who believe they’re under government surveillance online are less likely to speak out if they believe their opinion isn’t the majority view, a new study concludes. Published in Journalism & Mass Communication Quarterly, it’s the “first study to provide empirical evidence that the government’s online surveillance programs may threaten the disclosure of minority views and contribute to the reinforcement of majority opinion.” Study author Elizabeth Stoycheff found the results troubling, she told Quartz. “A lot more work needs to be done before we can conclusively show the implications that surveillance has on free speech, but the initial results presented here do not paint an optimistic picture,” the assistant professor at Wayne State University said. “Free speech for only those who espouse popular, majority opinions isn’t free speech at all.”

PLOT THICKENS IN BANGLADESH CYBER BANK HEIST — A Sri Lankan woman who received some of the spoils of a digital bank heist in Bangladesh says a friend set her up, Reuters reported. Hagoda Gamage Shalika Perera received a bank transfer for $20 million out of the roughly $1 billion unidentified hackers tried to steal from Bangladesh Bank via its account at the Federal Reserve Bank of New York in February. Perera expected the transfer, she said, but an acquaintance had led her to believe it was a donation from Japan’s international development agency to a foundation she runs.

RECENTLY ON PRO CYBERSECURITY — The FBI says it hasn’t agreed to helpunlock an iPhone tied to a murder case in Arkansas, contrary to an Associated Press report. … The military intelligence budget for fiscal 2017 lists improving support for cyber operations as one of the top funding priorities, according to a redacted summary. … The financial sector’s increasing reliance on technologymakes it more susceptible to hackers, Treasury Department Deputy Secretary Sarah Bloom Raskin says.

— The FBI is testing whether the technique it used to break into a terrorist’s iPhone can be used elsewhere. The Wall Street Journal.

— “Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file.” ABC News.

— The Office of Personnel Management plans to issue new rules for reporting cyber incidents to health insurers that cover federal employees. Nextgov.

— Cyber warfare is one of the few areas where the Defense Department delegates duties to a machine, said Deputy Secretary Bob Work.

— The electric sector is doing a better job at cyber defense than the media makes out, says Southern Company CEO Thomas Fanning. Electric Perspectives.

— The Office of the Comptroller of the Currency weighed in a little on cyber in a new white paper.

— Reddit apparently got a national security letter. Wired.

— A hacker broke into a porn network and is offering to sell user data.Motherboard.

That’s all for today. Keep your head on a swivel.

No comments:

Post a Comment