The old Cold War export control alliance, now known as the Wassenaar Arrangement, hasn’t exactly been a hotbed of new controls since Russia joined the club. But according to the Financial Times, the 41-nation group is preparing a broad new set of controls on complex surveillance and hacking software and cryptography. I suspect that the
cybersecurity
Hackback Backers’ Comeback?
The US-China Economic and Security Review Commission has issued its annual report. It reminds us that, while press and privacy campaigners have been hyperventilating over US intelligence programs, there are, you know, actual authoritarian governments at work in the United States — breaking into the networks of activists whom they dislike, newspapers whose sources…
NIST Issues Preliminary Cybersecurity Framework — Cybersecurity Hardest Hit
NIST has revised the draft cybersecurity framework that it released in August. What it published today is a “preliminary cybersecurity framework.” After comments, a final framework will be released in February.
I’ve been very critical of the draft released in August. NIST clearly worked to address the criticisms.
The result is a mixed…
European Webmail Privacy: Even Worse Than I Thought
I’ve been critical of the claim that European privacy law offers more protection against government surveillance than American law. Apparently not critical enough. An Ars Technica reporter with a pro-privacy inclination decided to seriously investigate using a German email system to get the benefits of European privacy law.
His tale of disillusionment revealed three…
How NIST’s Cybersecurity Framework Could Reduce Cybersecurity
In my first post about NIST’s draft cybersecurity framework I explained its basic problem as a spur to better security: It doesn’t actually require companies to do much to improve their network security.
My second post argued that the framework’s privacy appendix, under the guise of protecting cybersecurity, actually creates a tough new privacy requirement…
Is NIST turning weak cybersecurity standards into aggressive new privacy regulation?
Following up on my earlier NIST post, it’s fair to ask why I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST’s standards for cybersecurity are looking far less prescriptive than business feared. There’s not a “shall” or “should” to be found in NIST’s…
Who’s Afraid of the NIST Cybersecurity Framework?
Business and conservatives have been worried all year about the cybersecurity standards framework that NIST (the National Institute of Standards and Technology) is drafting. An executive order issued early this year, after cybersecurity legislation stalled on the Hill, told NIST to assemble a set of standards to address cyber risks. Once they’re adopted, the order…
Cloud Computing: the US versus the EU
The International Association of Privacy Professionals has published my article on how US cloud providers and the US government can respond to the wave of hypocrisy from the EU over PRISM. The full article can be found here.
Intelligence Under Law – Judiciary Testimony
I will be testifying today to the full House Judiciary Committee about FISA, NSA and the Snowden flap. You can download my full prepared remarks here.
In short
- I used this opportunity to muse on the resemblance between today and the waning Clinton era;
- I discuss the (surprisingly short) history of viewing intelligence as
…
Using Attribution to Deter Cyberespionage
Foreign Policy has published my article on how attribution can be used to deter foreign governments’ cyberespionage. Excerpts below:
The Obama-Xi summit in Sunnylands ended without any Chinese concessions on cyber-espionage. This came as no surprise; cyber spying has been an indispensable accelerant for China’s military and economic rise. And though Beijing may someday agree that…