Cyber Scene #14 - Trick or Treat?
Cyber Scene #14
Trick or Treat?
OLD HAUNTS
China: 1,000 cyber flowers
"What scares me is that vulnerabilities with the highest consequences of failure are also the least covered," cites PTC software Chief Security Officer Joshua Corman, adding that if it is a bedside pump, it is fatal, or a turbine, explosive. Bloomberg Businessweek goes on to detail a 19 October 2017 report from cybersecurity company Recorded Future which tracks the ability of the U.S. and China to discover vulnerabilities. Despite the existence, since 1999, of the NIST's "common vulnerabilities and exposures" (CVEs) database, the Chinese have outpaced the U.S. in "spotting" (or, editor's comment, actually publishing) cyberthreats. China maintains a 20-day advantage.
The latest Equifax fiasco is one such example, where the Chinese published the Apache announcement in one day in its National Vulnerability Database. Back in March 2017 the House Committee on Energy and Commerce asked Mitre and DHS, which oversees Mitre's contract to manage the CVE database, how it was progressing. The speed Mitre needed to meet this "explosion of CVEs" was, of course, insufficient to counter the Equifax horror show.
North Korea: 6,000 hackers wolves in sheep's clothing? Zombie sleeper cells?
Back to bedside manner, the 15 October New York Times debunks the "laughable" state of North Korea's cyberpower. In the May ransomware attack, the British National Health Service system was crippled. North Korea missed out on a $1B cyberheist--"real money" (except for Bitcoin) per Everett Dirksen--only because of a possible character flaw: misspelling "foundation" as "fandation."
The North Koreans have certainly read Sun Tzu's "The Art of War" though, in profiting from their "primitive" reputation and element of surprise. Former GCHQ Director Robert Hannigan admitted that the North Korean cyberthreat "crept up on us; because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn't take it seriously." Former NSA Deputy Director Chris Inglis, speaking in October at the Cambridge Cyber Summit, cites the North Korean use of cyber as "tailor-made" due to is low cost, asymmetry, anonymity and stealth. And it's a source of income. One wonders when the digital sleeper cells reportedly planted in South Korea's critical infrastructure might come to life. A ghastly combination. And who is burying whom?
TRICK, TRICK, TREAT
Israel demasking Russia for the U.S.
According to Nicole Perlroth and Scott Shane (NYT 10 October), it was the Israelis who first identified Russian hackers in US systems. Although both CIA and NSA avoided using Kaspersky software, and CIA's former Russian expert reportedly discounted that company's hollow attempt "...to convince the U.S. government that it was just another security company," many US agencies were unfortunately less skeptical. The article identifies several such agencies who were snookered by a convincing mask. Spy vs spy vs spy. As Georgetown Russian Professor Peotr Pirogov once said in 1971, "Where today are Boris and Natasha?" Everywhere, apparently.
Come as you are? Futuristic bits? Quantum mechanics and the "facial-industrial complex"
Google's southern California quantum computing team of physicists and engineers is moving beyond a universe, according to a Wall Street Journal 16 October article which predicts a quantum computer that "could change the world." In addition to providing a primer in quantum mechanics for the WSJ's wider readership, the study investigates progress among scientists such as Scott Aaronson, chief of the Quantum Information Center at University of Texas at Austin, who believes that quantum mechanics is "fundamentally a new way of harnessing nature to do computations" as researchers look to "Y2Q", roughly 2026, when a vastly different and large-scale quantum computer is expected to come on line.
Meanwhile, The Economist (31 August 2017) opines that the Chinese will be the first to deploys quantum-cryptographic satellite networks capable of, inter alia, determining whether a message has been intercepted so that the receiver would know if it arrived "secure" or not. (See paragraph 1 above re: the Chinese advances.) The Chinese reportedly launched the world's first quantum-communications satellite in 2016. It is, notably, named after a 5th century Chinese philosopher who studied optics. Yes, China has had a head start over the U.S.
With a quantum-computing satellite watching over us, terrestrial technology is also advancing with facial recognition providing "Nowhere to hide," (The Economist 9 September). The version of facial recognition cited in the article focuses on reading facial expression for the gamut of reasons ranging from denoting violent intentions among football game attendees to detecting those who dissemble "which helps grease the wheels of daily life." Both trick and treat, the use of this increasingly sophisticated biometric data still lacks legislation to mitigate its misuse, certainly on a global level. This is big business, as the follow-on study portrays--the "facial-industrial complex." With reportedly 300,000 companies worldwide engaged, the technology is particularly embraced by...the Chinese. The journalist's tour of Beijing's Megvii Hqs. was cast as being "...like visiting Big Brother's engine room." On the counter-measure side, the Israeli start-up, D-ID, is developing a way to thwart facial recognition. And, the West is pegged as being behind.
Congress: Role of disclosure or witch hunt?
Three US Senators--Senator John McCain (R AZ), Mark Warner (D VA), and Amy Klobuchar (D MI)--are collaborating on the Honest Ads Act in response to the deceptive ads bought by Russian operatives believed to have had a bedeviling impact on the 2016 presidential elections to force Facebook, Google and other internet companies to disclose their sources. The NYT 19 October article goes on to examine the challenges facing the bill as well as some history. The latter includes pushback from the internet companies in 2011 when the Federal Election Commission attempted to strengthen online disclaimer requirements, as it also attempted in 2016.
The House Permanent Select Committee on Intelligence is slated in early November for an open hearing on the Russian Investigation Task Force whereas the Senate Select Committee on Intelligence has held five closed hearings in October on "intelligence matters."
The Senate Committee on Banking, Housing and Urban Affairs met in open session on 17 October on consumer data and credit bureaus to grill Mr. Smith (no, not the former Equifax CEO but)--Andrew M. Smith, Partner in Covington and Burling, LLP who represents the Consumer Data Industry; Marc Rotenberg, President of the Electronic Privacy Information Center; and Chris Jaikaran, a Congressional Research Service cybersecurity policy analyst.