Cyber Scene #15 - Cyber Tuesday

Cyber Scene #15

Cyber Tuesday

Regs and Rulers

The Economist in "Big Tech and Washington: Capitol Punishment" on 28 October examines the possible application of regulatory steps to US tech giants similar to those that have been (and are being) applied to the US banking sector. Despite differing US political views, technology firms are a big target but employ "fewer workers per dollar of market value." The article goes on to explore "anti-social networks" and the US Senate bipartisan initiative to scrutinize these operations, addressed in last month's Cyber Scene, in the Honest Ads Act.

As a follow up to the Chinese, Russian, and North Korean cyber attacks, the regulatory pendulum is reversing course. We ended last month's Cyber Scene with Equifax testimony before Congress, and open this month on the same subject: testimony by the General Counsels of Facebook, Twitter, and Google before the Senate Select Committee on Intelligence (SSCI) on 1 November regarding the social media influence on US 2016 elections. SSCI's seven other hearings in November were closed.

The House, likewise, followed on 2 November with a House Permanent Select Committee on Intelligence "open in closed space" testimony by Carter Page. The session was in fact closed, but the testimony was redacted and then published on 6 November. Audience, beware: the written testimony included many historic exchanges between Mr. Page and the HPSCI and ran 207 pages. Viewing (not allowed) might have been worse: the session began at 9:40 a.m. and ended at 4:58 p.m. CSPAN does cover all the truly open sessions, but when it does warns that the text version is "uncorrected closed caption." It is unintentionally quite humorous. Readers may be better served by the Congressional text links/transcripts while viewers might enjoy the atmospherics on CSPAN, including occasional verbal mortar fire that loses something in the textual translation.

The House Judiciary Committee on 14 November pursued testimony regarding the Investigation into Russia's Role in the 2016 Election with Attorney General Sessions. Following a surprising declaration by AG Sessions of the possibility of the appointment of a second special counsel, and a few new admissions, discussion then turned to changes to FISA 702 citing the exception issues of foreign intelligence or crime, the original Patriot Act, the USA Liberty Act itself, and the eternal challenge of balancing security and privacy. The same day, CNN's Mark Short on "State of the Union" hosted former DNI James Clapper and former CIA Director John Brennan. Mr. Clapper stated that "The (Russian) threat is manifest and obvious...to paint it any other way is astounding and poses a peril to our democracy."

The Senate Foreign Relations Subcommittee on East Asia, the Pacific and International Cybersecurity Policy on 14 November, also in an open session, hosted Michael Pillsbury (from the conservative Hudson Institute) and Graham Allison (from the less conservative Harvard Kennedy School)--both exceedingly serious and longstanding (for Dr. Allison, back to the Cuban Missile Crisis--really!) enlighteners of public policy issues who offer think tank and academic perspectives on cyber policy. The full Senate Foreign Relations Committee met earlier, on 7 November, in a closed hearing on North Korea's Cyber Capabilities and US Policy Response. The SSCI, however, only obliquely identifies the subject of its closed hearings as "intelligence matters."

Uber Alles

Not to be outdone by Equifax, on 21 November 2017 Uber disclosed a major hack from October 2016 affecting the names, emails, and phone numbers of 57 million riders and the licenses of over 600,000 drivers. The cover up included paying off the hackers ($100,000) to conceal the breach, per the Wall Street Journal (21 November) . Bloomberg Technology spokesperson Eric Newcomer (video 22 November) elaborated. The Washington Post (21 November) added that Uber has hired Matt Olsen--former Director of the US National Counterterrorism Center, DOJ Deputy Assistant Attorney General, former National Security Agency General Counsel and presently President and Co-founder of IronNet Cybersecurity (yes, all one person) for help going forward. Mr. Olsen has his work cut out for him, as Uber, under a new CEO, is also dealing with five US criminal probes and several civil suits including well-heeled Alphabet Inc. (aka Google). London had revoked Uber's license earlier this year.

Is HAL Back?

On the one hand, technology fashions the future as regulators scurry to catch up. The Economist (21 October) looked at artificial intelligence outsmarting humans and learning to "work things out for itself, without being taught by people." In Germany, the Economist (9 November) looks at Bosch, a tech firm that "closes London's Tower Bridge" and operates factories across a production spectrum from robotic lawnmowers in Germany to food in India, through 440 subsidiaries in 60 countries. Bosch now looks at remaking itself into an "ultra-secure technology platform." Its Smart Home chief, Peter Schnaebele, notes that "Orwell's 1984 is kindergarten compared to the IOT world. When it comes, and people re-evaluate privacy, Bosch will be prepared." Such a multinational behemoth seems to defy circumscription and regulation.

Bloomberg Businessweek Special Issue (6 November 2017-8 January 2018--they are already ahead of the future!) is devoted to "The Year Ahead 2018", singling out cybersecurity as one of its top five technology concerns. Shedding some light on the future before the electrical grid is taken out (as in western Ukraine), Bloomberg Businessweek's Max Chafkin and Dune Lawrence examine the use of the malicious software, Trojan, which left Kiev in the dark two years ago and calls upon its readership to be aware that this attack is heading west. They cite a 20 October FBI and Homeland Security alert warning of a "multistate intrusion campaign" aimed at critical infrastructure. In addition to the "usual suspects" cited in Cyber Scene paragraph 2 above and the US, of course, Iran is the only additional country noted in the article by unidentified intelligence analysts as possessing the capability of taking out a power grid. In the Ukraine attack, the Kremlin-backed group Sandworm used NotPetya, a variation of a well-known ransomware program, Petya, getting into the system through a tax-filing application, destroying the data, spreading the virus and paralyzing the country. The authors cite evidence (not further specified) that this was just a warmup for a hack in the US. Apparently, Sandworm's code has already been identified in computers at a dozen US power plants, one of which is nuclear. The greatest concern, per the author, Martin Libicki, of Cyberspace in Peace and War is that this could lead to outright war. The Senate Foreign Relations Committee might be thinking the same thing.

And Now the Good News...for Job Hunters

On the job front, NARFE, the National Association of Active and Retired Federal Employees, magazine cover article of its November edition (available by subscription and unavailable on the NARFE webpage), features the need for more cybersecurity professionals in the federal workforce. It cites the well-known severe shortages in the pool of professionals vis-a-vis the magnitude of the threats. The USG is facing challenges in competing with the private sector, both "...in a footrace to recruit, train and retain these professionals." The future looks overwhelming: the article projects "1.5 million unfilled cybersecurity positions globally by 2020." Two studies are underway by the Government Accountability Office (GAO): one to be released in December 2017 on Homeland Security, and the second in December 2018 on the entire federal government. The article concludes by addressing some public/private sector compensation allowances and mapping cybersecurity functions and their definitions for present readers/future recruits.