One of the things I like about computer security is how uncredentialed the whole field is. Very few senior computer security people started their careers in the field. One of the best I knew started her career as a nurse; others as cops; a few as lawyers. Some even started in computer science. But this…
On June 13, Stewart Baker commented on the House Intelligence Committee’s investigation of two Chinese telecom firms. Today, Stewart was quoted by Eliza Krigman on the fine balance between security and economic concerns that this investigation brings to light.
One can certainly understand the frustration of private companies that are repeatedly subject to cyberattacks, and seem to have little ability to keep the intruders out or to get overstretched law enforcement agencies interested in investigating. But the idea of changing the law to authorize “hacking back” is a dangerous one, and unlikely to fix…
Joseph Menn has an interesting Reuters article on a growing sentiment within network security circles: Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of US companies are taking retaliatory action. Known in the cyber security industry as “active defense” or “strike-back” technology, the reprisals…
The House Intelligence Committee is conducting a remarkably detailed and bipartisan investigation (subscription required) of ties between two Chinese telecom equipment giants, Huawei and ZTE, and the Chinese government. Widespread security fears have been targeted at these companies over concerns that their equipment would enable Chinese interception of US telephone calls, expanding American cybervulnerabilities from computer networks…
On June 18, Michael Vatis will be speaking at PLI’s 13th Annual Privacy and Data Security Law Institute in New York on “Legislative and Regulatory Trends in U.S. Privacy and Security Law.” For more information please visit the PLI website.
A new Washington Post poll suggests that the American public is divided over what to do about cyber threats. And the division does not correlate with party politics. People are divided pretty evenly on whether they are “very” or “fairly” concerned about major cyberattacks on US businesses or the government or “just somewhat” or “not…
Mikko Hypponen of F-Secure, an antivirus company, wrote an interesting post discussing the limits of antivirus software. Of particular note is that Flame, Stuxnet, and Duqu were all reported to antivirus firms months or years before they were flagged as malware. He suggests that his and other antivirus firms failed because of the sophistication of Western intelligence…
The White House today announced a pilot program to be led by the Financial Services Information Sharing and Analysis Center in which ISPs will share data about botnets with financial institutions. ISPs also announced a set of principles for fighting botnets. This is a positive announcement. You shouldn’t be engaged in online banking if your…
The EU competition bureau’s recent threat to punish Google because of “the way Google copies content from competing vertical search services and uses it in its own offerings” struck me. (Vertical search services are specialized search engines like Yelp and Kayak that help people find local restaurants or cheap flights and rental cars.) The EU’s vice president…
It’s taken two and a half years, but someone has finally developed a “dot-secure” network. After former Director of National Intelligence Mike McConnell called for a “dot-secure” network, a Silicon Valley startup with $9.6 million in funding has announced plans to launch one. Based on the description, this isn’t intended to be a wholly secure network,…
In his blog, Brian Krebs notes a surprising development: Cyberthieves who seem to be setting their victims up for cyberspying. What I find surprising is that this hasn’t happened long ago.
If you were wondering why CISPA is necessary, this New York Times article by Eric Lichtblau ought to tell the tale. Telecommunications carriers who volunteer to provide information to law enforcement get tagged with “deep concern” from Congress and the New York Times. Even a whisper of doubt about the legality of information sharing is enough to…
I joined security guru Dan Kaminsky earlier this year to fight SOPA because it was bad for cybersecurity. For the same reason we joined in a Politico op-ed today to rebut attacks on CISPA, the Cyber Intelligence Sharing and Protection Act: We may have thrown some of the first stones, but SOPA was ultimately buried by…
Earlier, I wrote an article for Foreign Policy about the foolishness of letting lawyers determine our cyberwar strategy. The ABA Journal has posted an extensive, no-holds-barred debate over the views expressed in that article. Gen. Charles Dunlap, a former deputy judge advocate general of the US Air Force, contradicts my article with passion, after which I…
“Do Not Track” is the buzz phrase of the moment among Internet companies, the advertising industry, privacy advocates, and privacy regulators on both sides of the Atlantic. The problem is that the various parties don’t even agree on what the term means, as discussed in a recent New York Times piece by Edward Wyatt and…
Chinese hackers call for “self-discipline” and an end to commercially motivated cybercrime. The Wall St. Journal (subscription required) suggests it’s because former hackers have grown up and become security professionals. But does it occur to anyone that the Chinese government might be worried about the rising tide of complaints about Chinese hacking, particularly cyber espionage against the…
General Keith Alexander, the head of US Cyber Command and the National Security Agency, testified to Congress yesterday that China continues to hack into “defense industrial base companies” and steal military technology (see Don Reisinger’s latest blog post). And he confirmed what was widely believed already—that China was responsible for the hacks on RSA last…
With mixed feelings, I note that a European Parliament committee has recommended approving the latest PNR deal with the US. It’s a bit of a surprise, especially since the vote wasn’t especially close, and that makes it highly likely the Parliament will also approve the deal. That makes sense; this is a much better deal…
I wonder whether this strategy will really be all that effective. Apparently “Microsoft does not believe the operators of the facilities it raided on Friday, which rent space to clients on computers connected to the Internet, are in league with the people behind the botnets. And those operators said they had no idea that equipment inside…
An article by Nick Wingfield and Nicole Perlroth in the New York Times today details the recent raid Microsoft and United States Marshals conducted in order to disrupt a string of botnets at work harvesting account and other personal information from millions of other computers. As cybercrime grows more profitable, the criminals are starting to match…
A few weeks ago, everyone agreed that the CFAA civil liability provisions were way overbroad, and the Senate judiciary committee proposed amending the CFAA to abolish CFAA liability for violating a website or webservice’s terms of service. That was the right decision; the unamended law essentially enforced commercial terms of service with criminal penalties. But…
In a recent Q&A with Howard Schmidt, White House computer security specialist, some might infer that it’s possible to hook any device to the White House network? Really? We can hook any device to the White House network? To be candid, this sounds crazy. And the only reason to worry about iPhone security is that…