Cyber Scene #13 - Cybersecurity: Getting Personal

Cybersecurity: Getting Personal

Perhaps off-gridders living in yet unmelted igloos are untouched, but the Equifax breach has jolted the uninitiated half (not/not this audience) of the US population into the path of the hackers' express. While Equifax Chairman and Chief Executive Richard Smith was cited as blithely stating on 17 August 2017 that the only difference among companies is between those who know they were hacked and those who don't, this hack hits millions where it hurts most: identity and wallet. For those who have been hit by the OPM or other social security and financial breaches, it magnifies the risk. For this readership, personally at risk as well, it provides bitter "I told you so" bragging rights. For any igloo inhabitant readers who crave a chilling experience, the same WSJ story offers one analysis beginning with Cisco's 8 March 2017 discovery of its software weakness and urgent plea to users to upgrade. One would hope that a service that posts credit information in a nanosecond would also act in the same timely manner to patch vulnerabilities once known.

Bricks and Bits

Just as one reflects on how bad this is, Mark P. Mills, in his Wall Street Journal Op-Ed, "The Cyber Age Has Hardly Begun," points out that cyber issues are just getting started. Looking not at breaches but at economic stimuli, he discusses sector industries and infrastructures from the perspective of "cyberphysicality." The example of Amazon's market value, which following the recent acquisition of Whole Foods is twice that of Walmart and 500-fold greater than that of century-old Sears, is indicative of seismic changes in the economy driven by cyber. The current status of this merger is the equivalent of the U.S. economy in 1920. These cyberphysical corporations point to the eventual decline and/or eclipse of today's two-speed economy. Mills concludes: "It's a sign that America is about to shift to the next level, driven by cyberphysical software. Economic growth and jobs will follow." So will the risks.

Houses of Bricks and Bits: Beware of the Big Bad Bear

As the brick and mortar sector takes a major hit--physically from the recent spate of North American hurricanes, tornados, wildfires and earthquakes as well as what your author dubs "merger and acquisition climate change"--the Securities and Exchange Commission (SEC), which regulates and protects U.S. firms, suffered its own cyber breach. "Edgar" may now be your next corporate houseguest: it is the Electronic Data Gathering, Analysis and Retrieval System which processes 1.7 corporate filings per year and is cast as the SEC's "crown jewel." Unlike Equifax, SEC senior executives reportedly became aware of the 2016 hack only months later. As the former SEC Chairman Luis Aguilar noted, the SEC should foster transparency, "...particularly an agency that expects full and fair disclosure from publicly traded companies." Unfortunately, the disclosure of, not from, publicly traded companies may be far more "public" than the firms and regulators anticipated. Mr. Aguilar, notably, now works for Falcon Cyber Investments, LLC, which invests in cybersecurity. So yes, the breach made firm actions immediately transparent to the hackers; the SEC execs, however, were guilty only of ignorance and faulty public sector cybersecurity protocols. The Senate is holding a hearing on 26 Sep. 2017 to explore SEC oversight issues.

As for the houses of bits, Facebook is now facing up to a legislative call for more transparency regarding that Bear. For those who assumed that Facebook discloses and shares everything online, that is not so. Only your personal subscriber data is disclosed. Jim Rutenberg took Facebook to task in a comprehensive 18 Sep 2017 NYT article for its "stunning lack of specificity about foreign interference" with regard to Congressional calls for information regarding the Russian-related "fake ads" which seemed to focus on "amplifying divisive social and political messages across the ideological spectrum" during the 2016 elections. Under pressure from the "4th branch" (media) as well as Congress, Facebook caved as of 22 Sep 2017 and agreed to disclose information on thousands of Russian-backed ads to congressional investigators. Changes it intends to initiate include disclosing its requirements for political ads, more stringent requirements for said ads, and adding over 250 employees to monitor election integrity. However, in an apparent reference to the 1st Amendment, CEO Zuckerberg said, in the same article, that it would not censor ads prior to publication, stating: "Freedom means you don't have to ask permission first, and that by default you say what you want." Ex post facto measures would include removing the offending post and/or suspending the accounts of the guilty. Facebook has been under the Congressional gun--both the House and Senate Intelligence Committees (HPSCI and SSCI, about which Cyber Scene has written)--for underwhelming cooperation. Facebook had previously held back, noting that only a search warrant would move Facebook to disclose. That has apparently come from Robert Mueller's investigation on Russian interference and influence. According to the WSJ analysis, Facebook is giving Congress only 3,000 ads created by one Russian entity, the Internet Research Agency, which generated $100,000 of income for Facebook. Mueller is presumably to receive more. He and his team, however, are not talking.

They're Back! Congress Ramps Up

Both Intelligence Committees intend to help Mr. Zuckerberg in his efforts to balance his privacy responsibilities and his reluctant efforts to disclose Russian influence to Americans. According to the above New York Times and Wall Street Journal stories, legislative leaders and others are considering social media requirements similar to television and radio requirements with public disclosure of sourcing for political ads. There has been strong bipartisan support in both legislative bodies to disclose and curb foreign interference in U.S. elections. There is also a Democratic Senate initiative (Warner, VA and Heinrich, NM) to require new Federal Election Commission rules to curb foreign spending on political advertising and identify the sourcing, as the 18 Sep NYT Rutenberg article cites: "I'm Vladimir Putin and I approve this message!" However, the 22 Sep WSJ article notes that this initiative would not have prevented the genre of "hot button" ads that were traced to Russian interference.

Both Intelligence committees, however, are keeping a lid on their hearings. The SSCI has held five closed hearings on "intelligence matters" in Sep. The HPSCI is also tight-lipped. On the other hand, both the House and Senate have been open and active since the curtailed recess regarding FY2018 authorization activity. As a follow-up to Intelligence Act activity (officially on the Senate's calendar) cited in Cyber Scene last month, the Defense Authorization Act for FY 2018 was passed by the House and by the Senate with one insignificant (author's comment) amendment on 19 Sep. The Senate's Commission on Security and Cooperation in Europe also convened on 14 Sep. to examine "the scourge of Russian disinformation."

Bear Territory

On that Russian front, the Senate Foreign Relations Committee held a 19 Sep 2017 hearing featuring former Governor of Utah/former Ambassador to China/former Presidential candidate Jon Huntsman, Jr. as the nominee to be Ambassador to Russia, succeeding Russian expert John Tefft. Author comment: the most prestigious ambassadorial appointments are usually political. Ambassador Tefft, who had retired following his ambassadorial post to Ukraine in July 2014, was recalled as a political nominee, confirmed by the Senate and accepted by Russia in November 2014; he had previously served in Russia as #2 under career Ambassador Thomas Pickering as well as Ambassador to Georgia and Lithuania. Given Congressional unity regarding the importance of Russia, it is likely that Jon Huntsman will receive favorable support and confirmation. Your author is less certain as to whether Russia will graciously agree to allow him to present his credentials; Ambassador Tefft has understandably dealt with some Russian flak.

As of this Cyber Scene publication, 69 ambassadorial posts, not counting Iran and North Korea, are vacant.

Bravo, R & O Contributors!

To conclude on a positive note, for those of you who have explored and published on hackable self-drive cars, cloud vulnerabilities, password weakness, two-factor authentication, and related issues, the Wall Street Journal of 18 Sep 2017 has issued a special report (nine articles, six pages and its own section) dedicated to cybersecurity for the masses. Perhaps new to you, however, is the article entitled "Insurance Grows for Cyberattacks." This is a growth industry (think tornadoes spinning off from hurricanes) used by companies to protect themselves from liability-related legal action. As many of you have seen, Equifax includes a "check here for extra protection; this also prohibits you from suing us" box. Since lawsuits continue to pile on Equifax anyway, companies may find insurance cheaper than legal counsel. This new insurance application is driving more cybersecurity risk analysis.

So back to you, dear R & O readers! As was noted above, we are but at the beginning of a cybersecurity era.
