Cyber Scene #22 - All Cybersecurity Politics Are ...
Cyber Scene #22
All Cybersecurity Politics Are:
Local
The OPM breach "wake-up call" as conveyed by the 20 June Washington Post's "Cybersecurity 202" by Derek Hawkins will be echoing across the 22 million federal active and retired workforce as hackers on 18 June admitted in federal court to have cashed in on personal identifying information gathered in the breach. In this instance, they worked through the Langley Federal Credit Union accounts of the victims for loans, then cashed the checks. The worst nightmare might be well into the future and beyond the 2026 credit monitoring scope offer from OPM...coming to a credit union near you?
National
Point. Apple has announced a new iPhone block to make law enforcement access to smartphones more difficult. The Wall Street Journal's Robert McMillan (13 June) reported that Apple's development under beta testing, the USB Restricted Mode, blocks other devices from accessing the phone data via its Lightning port beyond one hour after the phone is unlocked. This could eliminate a security loophole that forensic companies attempt to penetrate. However...
Counterpoint. The following day (14 June), Mr. McMillan follows up regarding the success of a Gwinett County (Atlanta region) district attorney investigator in unlocking the iPhone thanks to a $15,000 device from Grayshift LLC welcomed by law enforcement forensic officials. McMillan recounts the 2016 legal battle between Apple and the FBI's effort to unlock the phone of the 2015 San Bernadino shooter. This readership may recall that the issue was resolved by the Israelis unlocking it for the FBI. However, the FBI (to assuage any intelligence naysayers) also warned U.S. internet users in late May of the need to reboot home routers to remove "foreign cyber actors'" malware, per Harvard Law Professor Jonathan Zittrain's New York Times article, "From Westworld to Best World for the Internet of Things (IoT)" of 3 June. He goes on to note that such vulnerabilities fall into two categories: first, endangering users such as the issue of the 1.4 million recalled Jeeps with hackable brakes or coffee makers subject to overheating and fires; and second, IoT's 10 billion+ networked things producing, collectively, threats much larger when scaled up such as a fleet of hacked Jeeps. He suggests two solutions as well: for attacking life-cycle issues, imposing a "life cycle bond" on internet-enabled products that can be cashed in by consumers if the company reneges on continued support of the product and second, that vendors need to establish a means of communication across their products (he uses the Mac and PC positive example, not regional DVD systems!) to free the consumer from being locked into a non-interoperable technology.
In the shadow of Europe's new DPRA (see& Cyber Scene #21) rules on cybersecurity, the Economist's Technology Quarterly of 2 June entitled "Data Detectives" explores the notion of justice with the first chilling article, "I know what you'll do next summer." It continues to explore surveillance, encryption ("Read my phone"), electronic monitoring ("Home, home within range"), predictive policing ("Algorithm blues"), and the need for rigorous oversight ("Watching the detectives"). While the titles are catchy, the analysis attempts to be balanced by the conclusive need for citizen engagement driven not by oversight per se but by political will. In a democracy, this is not only possible but required.
Meanwhile, technology surges forward. The Wall Street Journal Report, "Cybersecurity" of 29 May looks at global tech developments from the perspective of the tech CEO and asks "What keeps them up at night?" The answer: everything --partners, rivals/enemies, disclosures, oversight, as well as tech attacks of all manner. The report continues by exploring how the knowledge that the technology will be attacked has not resulted in improved behavior and modification by the workforce. However, some companies are paying their own workforce with bonuses to find flaws before the attackers do, and they still struggle with encryption issues and the need for security patches. They also struggle in hiring, with two articles devoted to the gap between supply and demand and one specifically the search for cyber women (recurrent Cyber Scene job hunters). To avoid too much optimism, there are also articles about Huawei and ZTE (our old Chinese friends) and a return to paper ballots in the US (Note from the author: when the new African Union building was built by the Chinese several years ago, African leaders returned to paper ballots as well.)
As captured by Lawfareblog, the Senate has made progress with individual contributions as well as collective ones in June. Senator Mark Warner (D-VA) familiar to this readership as Vice-Chairman of the SSCI, addressed NSA on Law Day (12 June) on the subject of cybersecurity law and policy. As a tech leader himself (co-founder of future Nextel) for 20 years prior to governorship of VA, Senator Warner addressed the gathering hosted by the NSA General Counsel Glenn Gerstell, he too a tech and cybersecurity expert. The Senator opened with a historical backdrop of the Sons of Liberty and Bletchley Park (a surprise coupling) and the rule of law needed to fortify our institutions (think: need for paper ballots and the not-so-Cold War). He notes that in the olden (Cold War) days, at least "politics stopped at the water's edge" whereas today we live in a globalized world where we are "divided from within and not sufficiently resisting efforts to divide us from without." He then addresses the need for "new norms in the digital age" supported by a cyber doctrine. He notes several examples of "no rules of the road in cyberspace" risking an accidental conflict, and the lack of rules when an intended response to one is required. China and Russia figure prominently in his discourse. He calls upon the need to work with other democracies to establish international legal standards even as we "uphold the rule of law at home."
And collectively, on 18 June the Senate passed the John S. McCain National Defense Authorization Act for Fiscal Year 2019 including a cyber amendment (Section 1634). This Act is generally viewed as a "must pass" bill. Since the House had passed its own version, the two bills go to reconciliation. One aspect of the Senate's amendment, as noted by UT/Austin's International Security and Law Professor Charles Francis, is the call for a "Cyberspace Solarium Commission" --a charge to develop a consensus on a cyberspace strategy to protect US advantages and defend against those who would erode them. Modeled after Eisenhower's Project Solarium to overcome divisions re: the US strategy regarding the Soviet Union, it is formed as a 9/11 Commission with more access and clarity. The creation of Senator Ben Sasse (R-NB) who serves on both the Senate Judiciary (see Cyber Scene #20) and Armed Services Committees, the Commission is framed broader than cybersecurity, encompassing a full spectrum of threats and challenges (Prof. Francis calls it "something of a SWOT analysis"). Francis sees the US at a strategic inflection point regarding many public and private sector capabilities as well as vulnerabilities. He cites the Russell/Goldsmith "Hoover paper" ("Strengths Become Vulnerabilities" of 5 June from Stanford's Hoover Institution) as an excellent "vulnerabilities" reference. He underscores the balance between capabilities and vulnerabilities being adversely impacted of late due to private sector distrust of the USG and the global income tilt of US-based companies. Section 1634 lays out specifics re: the composition of the commission to ensure that it is bicameral and bipartisan and includes the DNI Principal Deputy Director (PDDNI), DEPSECDEF, DEPSECDHS, and staff at its disposal from DoD and ODNI. The bonus is that it would hold subpoena power.