Tag Target

The article below sums it up nicely: the Protecting Cyber Networks Act passed by the Congress this week was a surveillance bill in disguise.

Check out this video by the Anonymous:

House of Representatives Passes Cybersecurity Bills Without Fixing Core Problems

April 22, 2015 | By Mark Jaycox

The House passed two cybersecurity “information sharing” bills today: the House Permanent Select Committee on Intelligence’s Protecting Cyber Networks Act, and the House Homeland Security Committee’s National Cybersecurity Protection Advancement Act. Both bills will be “conferenced” to create one bill and then sent to the Senate for advancement. EFF opposed both bills and has been urging users to tell Congress to vote against them.

The bills are not cybersecurity “information sharing” bills, but surveillance bills in disguise. Like other bills we’ve opposed during the last five years, they authorize more private sector spying under new legal immunity provisions and use vague definitions that aren’t carefully limited to protect privacy. The bills further facilitate companies’ sharing even more of our personal information with the NSA and some even allow companies to “hack back” against potentially innocent users.

As we’ve noted before, information sharing is not a silver bullet to stopping security failures. Companies can already share the necessary technical information to stop threats via Information Sharing and Analysis Centers (ISACs), public reports, private communications, and the DHS’s Enhanced Cybersecurity Services.

While we are disappointed in the House, we look forward to the fight in the Senate where equally dangerous bills, like the Senate Select Committee on Intelligence’s Cybersecurity Information Sharing Act, have failed to pass every year since 2010.

Contact your Senator now to oppose the Senate bills.

Time to brace up for further loss of privacy as the PCNA would amount to voluntary wholesale transfer of data to the NSA (see story below).

And the Congress actually believe it’s in the name of stopping hackers and cyber attacks?

House Passes Cybersecurity Bill Despite Privacy Protests

Andy Greenberg
04.22.15

Congress is hellbent on passing a cybersecurity bill that can stop the wave of hacker breaches hitting American corporations. And they’re not letting the protests of a few dozen privacy and civil liberties organizations get in their way.

On Wednesday the House of Representatives voted 307-116 to pass the Protecting Cyber Networks Act, a bill designed to allow more fluid sharing of cybersecurity threat data between corporations and government agencies. That new system for sharing information is designed to act as a real-time immune system against hacker attacks, allowing companies to warn one another via government intermediaries about the tools and techniques of advanced hackers. But privacy critics say it also threatens to open up a new backchannel for surveillance of American citizens, in some cases granting the same companies legal immunity to share their users’ private data with government agencies that include the NSA.

“PCNA would significantly increase the National Security Agency’s (NSA’s) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity,” reads a letter signed earlier this week by 55 civil liberties groups and security experts that includes the American Civil Liberties Union, the Electronic Frontier Foundation, the Freedom of the Press Foundation, Human Rights Watch and many others.

“The revelations of the past two years concerning the intelligence community’s abuses of surveillance authorities and the scope of its collection and use of individuals’ information demonstrates the potential for government overreach, particularly when statutory language is broad or ambiguous,” the letter continues. “[PCNA] fails to provide strong privacy protections or adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government.”

Specifically, PCNA’s data-sharing privileges let companies give data to government agencies—including the NSA—that might otherwise have violated the Electronic Communications Privacy Act or the Wiretap Act, both of which restrict the sharing of users’ private data with the government. And PCNA doesn’t even restrict the use of that shared information to cybersecurity purposes; its text also allows the information to be used for investigating any potential threat of “bodily harm or death,” opening its application to the surveillance of run-of-the-mill violent crimes like robbery and carjacking.

Congressman Adam Schiff, who led the advocacy for the bill on the House floor, argued in a statement to reporters that PCNA in fact supports privacy by protecting Americans from future hacker breaches. “We do this while recognizing the huge and growing threat cyber hacking and cyber espionage poses to our privacy, as well as to our financial wellbeing and our jobs,” he writes.

“In the process of drafting this bill, protecting privacy was at the forefront throughout, and we consulted extensively with privacy and civil liberties groups, incorporating their suggestions in many cases. This is a strong bill that protects privacy, and one that I expect will get even better as the process goes forward—we expect to see large bipartisan support on the Floor.”

Here’s a video [above] of Schiff’s statement on the House floor.

PCNA does include some significant privacy safeguards, such as a requirement that companies scrub “unrelated” data of personally identifying information before sending it to the government, and that the government agencies pass it through another filter to delete such data after receiving it.

But those protections still don’t go far enough, says Robyn Greene, policy counsel for the Open Technology Institute. Any information considered a “threat indicator” could still legally be sent to the government—even, for instance, IP address innocent victims of botnets used in distributed denial of service attacks against corporate websites. No further amendments that might have added new privacy restrictions to the bill were considered before the House’s vote Wednesday. “I’m very disappointed that the house has passed an information sharing bill that does so much to threaten Americans’ privacy and civil liberties, and no real effort was made to address the problems the bill still had,” says Greene. “The rules committee has excluded amendments that would have resolved privacy concerns…This is little more than a backdoor for general purpose surveillance.”

In a surprise move yesterday, the White House also publicly backed PCNA and its Senate counterpart, the Cybersecurity Information Sharing Act in a statement to press. That’s a reversal of its threat to veto a similar Cybersecurity Information Sharing and Protection Ac in 2013 over privacy concerns, a decision that all but killed the earlier attempt at cybersecurity data sharing legislation. Since then, however, a string of high-profile breaches seems to have swayed President Obama’s thinking, from the cybercriminal breaches of Target and health insurer Anthem that spilled millions of users’ data, to the devastating hack of Sony Pictures Entertainment, which the FBI has claimed was perpetrated as an intimidation tactic by the North Korean government to prevent the release of its Kim Jong-un assassination comedy the Interview.

If the White House’s support stands, it now leaves only an upcoming Senate vote sometime later this month on the Senate’s CISA as the deciding factor as to whether it and PCNA are combined to become law.

But privacy advocates haven’t given up on a presidential veto. A new website called StopCyberspying.com launched by the internet freedom group Access, along with the EFF, the ACLU and others, includes a petition to the President to reconsider a veto for PCNA, CISA and any other bill that threatens to widen internet surveillance.

OTI’s Greene says she’s still banking on a change of heart from Obama, too. “We’re hopeful that the administration would veto any bill that doesn’t address these issues,” she says. “To sign a bill that resembles CISA or PCNA would represent the administration doing a complete 180 on its commitment to protect Americans’ privacy.”

Was that a brainfart?

President Barack Obama signed an executive order Wednesday that permits the US to impose economic sanctions on individuals and entities anywhere in the world for destructive cyber-crimes and online corporate espionage – see the Bloomberg article below.

Now what’s this about? An all-out effort on cyber-criminals or just plain window dressing?

For all their abilities to trace the attacks right down to the identities of the hackers, have the US authorities been able to do anything? Recall the Mandiant Report two years ago that allegedly traced Chinese hackers down to the very unit of a military base in Shanghai?

Recall also the five Chinese military hackers (above) on the FBI wanted list last year? Where has that led to (see video clip below)? And what about the alleged North Korean hacks on Sony Pictures?

With all good intent and seriousness to go on the offensive, Obama has yet to put his words into action on this front…

Hackers, Corporate Spies Targeted by Obama Sanctions Order

by Justin SinkChris Strohm

President Barack Obama signed an executive order Wednesday allowing the use of economic sanctions for the first time against perpetrators of destructive cyber-attacks and online corporate espionage.

That will let the Treasury Department freeze the assets of people, companies or other entities overseas identified as the source of cybercrimes. The federal government also will be able to bar U.S. citizens and companies from doing business with those targeted for sanctions.

“Cyberthreats pose one of the most serious economic and national security challenges to the United States,” Obama said in a statement. “As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies and our citizens.”

Under the order, sanctions only will be used if a cyber-attack threatens to harm U.S. national security, foreign policy or the broader economy. It’s aimed at cybercriminals who target critical infrastructure, disrupt major computer networks, or are involved in the “significant” theft of trade secrets or intellectual property for competitive advantage or private financial gain.

Data Breaches

The administration is using the threat of sanctions to help prevent large-scale data theft after breaches at major U.S. corporations, including retailer Target Corp., health-insurer Anthem Inc. and home-improvement chain Home Depot Inc. It’s also a recognition that companies are facing increasingly destructive attacks, such as the hack against Sony Pictures Entertainment that crippled thousands of computers and delayed release of a comedy movie.

Sanctions imposed under the executive order will help disrupt the operations of hackers who may be in countries outside the reach of U.S. law enforcement, John Carlin, U.S. assistant attorney general for national security, said in a phone interview.

Banks and other companies connected to the U.S. financial system will be required to prohibit sanctioned hackers and entities from using their services, cutting them off from valuable resources, Carlin said.

“It’s a new powerful tool and we intend do to use it,” Carlin said. “It has the capability to significantly raise the cost for those who steal or benefit through cybercrime.”

Transcends Borders

The unique aspect of the executive order is that it allows the U.S. to impose sanctions on individuals or entities over hacking attacks regardless of where they are located, White House Cybersecurity Coordinator Michael Daniel told reporters on a conference call. While other sanctions are tied to a particular country or group of persons, hacking attacks transcend borders.

“What sets this executive order apart is that it is focused on malicious cyber-activity,” Daniel said. “What we’re trying to do is enable us to have a new way of both deterring and imposing costs on malicious cyber-actors wherever they may be.”

The order is a signal of the administration’s “clear intent to go on offense against the full range of very serious cyberthreats that are out there,” said Peter Harrell, the former principal deputy assistant secretary for sanctions at the State Department.

“This is a message that if folks around the world don’t cut out these activities, they’re going to find themselves cut off from the American banking system,” Harrell said in an interview.

Hidden Identities

Harrell said there are potential stumbling blocks to effective implementation. For one, hackers work hard to conceal their identity. Even though the U.S. and private companies have improved their ability to trace attacks, attribution can sometimes be difficult.

Daniel acknowledged that determining who is actually behind hacking attacks is still a challenge but said the U.S. is getting better at it.

In other cases, diplomatic considerations may be at play. The administration’s decision in 2014 to file criminal charges against five members of the Chinese military over their role in cyber-espionage strained relations with Beijing.

In January, Obama authorized economic sanctions against 10 North Korean officials and government entities in connection with the Sony attack. The North Korean government has denied any involvement in the Sony case.

Overseas Governments

Harrell said the use of sanctions can provide leverage as the U.S. registers complaints with governments overseas about cyber-attacks. Targeted use of the new sanctions powers also may help deter criminals.

“A number of these cyber-attacks are organized by fairly significant actors out there — large hacking collectives, or organized by foreign intelligence agencies,” Harrell said. “They all have real potential costs if they were put on sanctions lists.”

The Obama administration has been under pressure to take action to help companies protect their networks from cyber-attacks. In early March, Premera Blue Cross announced that hackers may have accessed 11 million records, including customer Social Security numbers, bank account data and medical information.

Home Depot in September said 56 million payment cards and 53 million e-mail addresses had been stolen by hackers. And just days earlier, JPMorgan Chase & Co. announced a data breach affecting 76 million households and 7 million small businesses.

The highest-profile breach, however, may have been the hacking of Sony Pictures. The U.S. government said North Korean hackers broke into the studio’s network and then exposed e-mails and private employment and salary records. U.S. authorities said it was in retaliation for plans to release “The Interview,” a satirical film depicting the assassination of leader Kim Jong Un.

Amid continuing Sino-US spats on cyber-espionage and related matters, China is beefing up its cyber and national security in a big way as it is reportedly just months away from launching the longest quantum communications network on earth stretching some 2,000 kilometer between its capital Beijing and financial center Shanghai to transfer data close to the speed of light with no hacking risks – initially to transmit sensitive diplomatic and classified information for the government and military with personal and financial data also on the cards for the near future.

And that’s ahead of the previously announced plan for 2016 to become the first country to launch a quantum communications satellite into the orbit.

Looks like Snowden was spot on again. In a post just a month ago, I wrote what he said about how the US (would and) is paying the price for focusing too much on the cyber offensive at the expense of cyber defense.

Meanwhile, following the recent cyber-attack on Sony Pictures, President Barack Obama’s homeland security and counter-terrorism adviser Lisa Monaco announced earlier this week a new intelligence unit – the Cyber Threat Intelligence Integration Center – to take the lead in tracking cyber-threats by pooling and disseminating data on cyber-breaches to other US agencies.

“Currently, no single government entity is responsible for producing coordinated cyber threat assessments,” according to Monaco.

China nears launch of hack-proof ‘quantum communications’ link

Published: Feb 9, 2015 11:13 p.m. ET

Technology to be employed for military and other official uses

BEIJING (Caixin Online) — This may be a quantum-leap year for an initiative that accelerates data transfers close to the speed of light with no hacking threats through so-called “quantum communications” technology.

Within months, China plans to open the world’s longest quantum-communications network, a 2,000-kilometer (1,240-mile) electronic highway linking government offices in the cities of Beijing and Shanghai.

Meanwhile, the country’s aerospace scientists are preparing a communications satellite for a 2016 launch that would be a first step toward building a quantum communications network in the sky. It’s hoped this and other satellites can be used to overcome technical hurdles, such as distance restrictions, facing land-based systems.

Physicists around the world have spent years working on quantum-communications technology. But if all goes as planned, China would be the first country to put a quantum-communications satellite in orbit, said Wang Jianyu, deputy director of the China Academy of Science’s (CAS) Shanghai branch.

At a recent conference on quantum science in Shanghai, Wang said scientists from CAS and other institutions have completed major research and development tasks for launching the satellite equipped with quantum-communications gear.

The satellite program’s likelihood for success was confirmed by China’s leading quantum-communications scientist, Pan Jianwei, a CAS academic who is also a professor of quantum physics at the University of Science and Technology of China (USTC) in Hefei, in the eastern province of Anhui. Pan said researchers reported significant progress on systems development after conducting experiments at a test center in Qinghai province, in the northwest

The satellite would be used to transmit encoded data through a method called quantum key distribution (QKD), which relies on cryptographic keys transmitted via light-pulse signals. QKD is said to be nearly impossible to hack, since any attempted eavesdropping would change the quantum states and thus could be quickly detected by data-flow monitors.

A satellite-based quantum-communications system could be used to build a secure information bridge between the nation’s capital and Urumqi, a city that’s the capital of the restive Xinjiang Uyghur Autonomous Region in the west, Pan said.

It’s likely the technology initially will be used to transmit sensitive diplomatic, government-policy and military information. Future applications could include secure transmissions of personal and financial data.

Plans call for China to put additional satellites into orbit after next year’s ground-breaking launch, Pan said, without divulging how many satellites might be deployed or when. He did say that China hopes to complete a QKD system linking Asia and Europe by 2020, and have a worldwide quantum-communications network in place by 2030.

Success stories

In 2009, China became the first country in the world to put quantum-communications technology to work outside of a laboratory.

In October of that year, a team of scientists led by Pan built a secure network for exchanging information among government officials during a military parade in Beijing celebrating the 60th anniversary of the People’s Republic. The demonstration underscored the research project’s key military application.

“China is completely capable of making full use of quantum communications in a regional war,” Pan said. “The direction of development in the future calls for using relay satellites to realize quantum communications and control that covers the entire army.”

The country is also working to configure the new technology for civilian use.

A pilot quantum-communications network that took 18 months to build was completed in February 2012 in Hefei. The network, which cost the city’s government 60 million yuan ($9.6 million), was designed by Pan’s team to link 40 telephones and 16 video cameras installed at city government agencies, military units, financial institutions and health-care offices.

A similar, civilian-focused network built by Pan’s team in Jinan, the provincial capital of the eastern province of Shandong, started operating in March 2014. It connects some 90 users, most of whom tap the network for general business and information.

In late 2012, Pan’s team installed a quantum-communications network that was used to securely connect the Beijing venue hosting a week-long meeting of the 18th National Congress of the Communist Party, with hotel rooms where delegates stayed, as well as the Zhongnanhai compound in Beijing where the nation’s top leaders live and work.

Next on the development agenda is opening the network linking Beijing and Shanghai. Pan is leading that project as well.

If all goes as planned, Pan said, existing networks in Hefei and Jinan would eventually be tied to the Beijing-Shanghai channel to provide secure communications connecting government and financial agencies in each of the four regions. The new network could be operating as early as 2016.

No room for hype

A quantum code expert said that so far, quantum-communications technology development efforts in China have basically focused on protecting national security. “How important it will be for the public and in everyday life are questions that remain unanswered,” said the expert.

To date, Pan said, technical barriers and the high cost of systems development have kept private capital out of what’s now almost exclusively a government initiative. Moreover, it’s still too early to tell whether the technology has any potential commercial value.

Pan has warned the public not to listen to investment come-ons that hype the money-making potential of quantum-communications businesses. At this stage of the game, he said, the focus is still on technological development, not commercial applications.

Nevertheless, since 2009, USTC has been building a commercial enterprise called Anhui Quantum Communication Technology Co. to produce equipment based on technology developed by Pan and his team. The company is China’s largest quantum-communications equipment supplier. Last September, it said it had started mass-producing quantum-cryptography equipment.

Anhui Quantum general manager Zhao Yong said the company’s clients include financial institutions and government agencies seeking to supplement, not replace, conventional communications systems. Their shared goal, he said, is to improve data security.

Once the technology has matured, said Wang Xiangbin, a physicist at Beijing’s Tsinghua University, its range of applications should be targeted to specific industries and regions because of its high barrier in technology and cost. Quantum communications is not a technology suitable for mass use via the Internet, for example, Wang told a group of scientists at a 2012 seminar.

Some experts say it’s wrong to assume that quantum communications is a flawlessly secure means of transmitting information. Another Tsinghua physics professor, Long Guilu, said quantum communication is only theoretically safe, since malfunctioning equipment or operational errors can open doors to risk.

Experimental systems built in 2007 by Chinese and U.S. physicists reportedly achieved secure QKD transmissions between two points more than 100 kilometers apart. But the experiment also taught scientists that data can be intercepted by a third party during a transmission.

In addressing the naysayers, Pan admitted that quantum communications is not perfect. But he defended it as safer than conventional means of communication. In fact, he said, no means of protecting data is more secure than quantum communications.

To test the capacity and safety of the network linking Beijing and Shanghai, Pan said his team plans to ask other communications experts to carefully study the system and look for potential security holes. The network could then be modified in ways that close any detected gaps and reduce hacking risks.

“Assessments and testing will be conducted after the network is completed,” said Pan, who remains convinced that any network using quantum cryptographic technology is more secure than any other communications channel.

Pan has been working on quantum-communications technology since the late 1990s, when he was a researcher at the University of Vienna and working in a partnership with Austrian physicist Anton Zeilinger. That team is credited with developing the first protocol for quantum communications.

Pan worked with Zeilinger about a decade after U.S. physicist Charles Bennett and colleagues at IBM Research built the world’s first functioning quantum cryptographic system. Based on their research, the first network was installed in the U.S. city of Boston.

Like their counterparts in China, researchers in the United States, Japan and European countries continue work to advance the technology. A key effort is aimed at extending that potential reach of quantum-communications systems, which for years were used only to span short distances.

Some experts have even wondered whether the new technology has been misidentified, since its key feature is high-level cryptography, not electronic communications.

“What we can do now is merely encrypt data, which is far from real quantum communications,” said one expert who declined to be named. “Theoretically it can’t be hacked, but in practice it has many limitations.”

Guo Guangcan, director of USTC’s quantum-communications lab, said networks now operating and those being built in China “achieve encryption only,” whereas true communications networks “involve content.”

“It’s not accurate to call it quantum communications,” said Guo.

Whatever it’s called, China appears determined to push ahead with the research and development that paves the way for a new era of secure communications. And according to Pan, that era is still at least a decade away.

“It will take 10 to 20 years to really put (the technology) into practice,” said Pan.

Rewritten by Han Wei

In what looks like the opening salvo in response to the major cyberattack on Sony Pictures Entertainment, the United States slapped North Korea with a new round of sanctions last Friday when President Obama signed an Executive Order authorizing the imposition of sanctions and designated 3 entities and 10 individuals for being agencies or officials of the North Korean government.

According to a Treasury Department statement:

The identifiers of these 10 individuals are:

But the US government knew sanctions have had limited impact on the Hermit Kingdom. The new sanctions might be deemed as swift and decisive measures in some quarters but it is really nothing more than a window-dressing of sorts – much like animating a gun with one’s fingers under a coat as a first warning at best. Consider, for example, what kind of impact should one expect from these new sanctions anyway? The 3 organizations were already on the US sanctions list and the 10 North Koreans are highly unlikely to have assets in the US, at least not under their name.

In any case, the horizon ahead of 2015 is likely to be proliferated with more headlines about catastrophic data breaches.

And the Sony cyberattack actually pale in comparison to other data breaches on record, as shown (below) by independent data journalist and information designer David McCandless – you can also click on the bubbles to find out about these cases shown in the chart and table nicely compiled and presented in his blog.

Time for Standardized Data Breach Law

The latest hack on Bitcoin exchange Mt.Gox, leading to its sudden bankruptcy late February, and the spate of recent cyber-attacks have prompted warnings of a wave of serious cybercrimes ahead as hackers continue to breach the antiquated payment systems of companies like many top retailers.

Stock exchange regulators like the American SEC have rules for disclosures when company database were hacked but the general public is often at the mercy of private companies less inclined or compelled to raise red flags.

The private sector, policymakers and regulators have been slow to respond and address the increasing threats and sophistication of cybercriminals – only 11 percent of companies adopt industry-standard security measures, leaving our personal data highly vulnerable.

Time for a standardized data breach law?

Find out more from my latest column posted here and there.