<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Mark Rasch, Author at Security Current</title>
	<atom:link href="/author/mark-rasch/feed/" rel="self" type="application/rss+xml" />
	<link>/author/mark-rasch/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Mon, 24 Jul 2023 16:00:35 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Mark Rasch, Author at Security Current</title>
	<link>/author/mark-rasch/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Lessons in Cybersecurity from Sabras &#8211; The Israeli Model of Innovation and Cooperation &#8211; the Good, the Bad, and the Ugly</title>
		<link>/lessons-in-cybersecurity-from-sabras-the-israeli-model-of-innovation-and-cooperation-the-good-the-bad-and-the-ugly/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Thu, 20 Jul 2023 06:36:05 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=35958</guid>

					<description><![CDATA[<p>&#160; Last month the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center hosted the 13th annual “CyberWeek” event. The event, and activities surrounding it are a good jumping off point&#8230;</p>
<p>The post <a href="/lessons-in-cybersecurity-from-sabras-the-israeli-model-of-innovation-and-cooperation-the-good-the-bad-and-the-ugly/">Lessons in Cybersecurity from Sabras &#8211; The Israeli Model of Innovation and Cooperation &#8211; the Good, the Bad, and the Ugly</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="alignnone wp-image-35961 size-large" src="/wp-content/uploads/2023/07/AdobeStock_584446948-1024x683.jpeg" alt="" width="1024" height="683" srcset="/wp-content/uploads/2023/07/AdobeStock_584446948-1024x683.jpeg 1024w, /wp-content/uploads/2023/07/AdobeStock_584446948-300x200.jpeg 300w, /wp-content/uploads/2023/07/AdobeStock_584446948-180x120.jpeg 180w, /wp-content/uploads/2023/07/AdobeStock_584446948-768x512.jpeg 768w, /wp-content/uploads/2023/07/AdobeStock_584446948-1536x1024.jpeg 1536w, /wp-content/uploads/2023/07/AdobeStock_584446948-scaled.jpeg 2048w, /wp-content/uploads/2023/07/AdobeStock_584446948-600x400.jpeg 600w" sizes="(max-width: 1024px) 100vw, 1024px" /></p>
<p>Last month the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center hosted the 13th annual <a href="https://en-cyber.tau.ac.il/about-cw"><span style="color: #003366;">“CyberWeek”</span></a> event. The event, and activities surrounding it are a good jumping off point to look at what works, what could work, and what doesn’t work in public/private partnerships in a small but heterogeneous nation like Israel. For this article, we will put aside internal Israeli politics, but look at reasons that Israel has one of the highest per capita investments in cyber defense and cyber security and whether this is a sustainable model for other countries.</p>
<p><strong>The Good</strong></p>
<p>As a nation, Israel is known for its technological innovation and thriving cybersecurity ecosystem, both in the government sector and in the commercial sector. At the CyberWeek event, it was not unusual to see dozens of young Israelis with nametags identifying themselves as the “CEO” of some company &#8212; at an age where most people in the U.S. are looking to write a resume or find their first job. There appears to be a culture of innovation, of corporate and investor risk taking, and of cooperation and coordination with the Israeli government. How much of this translates into either innovative products/solutions or comprehensive adoption remains to be seen. But Israeli cyber defenders appear to be motivated to create and deploy home-grown solutions, and to invest in them as necessary. While the cyber investment boom has been slowed somewhat by both COVID and the shrinking investment dollar, the skyline of Tel Aviv itself shows building after building springing up (oy, the traffic), many of which are dedicated to the high-tech sector in general and cybersecurity in particular. For a country the size of New Jersey, they have a disproportionate number of <span style="color: #003366;"><a style="color: #003366;" href="https://www.cyberdb.co/database/israel/">cyber companies</a></span>, from tiny startups to well established concerns.</p>
<p>Israel&#8217;s cybersecurity landscape is fortified by robust public-private partnerships, emphasizing collaboration between the government, academia, and the private sector. These partnerships serve as a catalyst for knowledge sharing, joint research, and development, and effective incident response mechanisms. By pooling resources and expertise, stakeholders in the cybersecurity ecosystem foster a collective defense against evolving cyber threats. What is unclear however is the extent of cooperation between cyber-attackers (think Mossad, IDF) and cyber-defenders. While much of what was visible was standard cyberdefense strategies (intrusion prevention, incident response, use of AI, AI and AI for “cyber”) these same strategies can be (and are being) deployed by hackers and governments as well. Better defenders make better attackers and vice versa, AMIRITE?</p>
<p>There is also a genuine “go to market” strategy deployed in Israel. IDF officers, particularly those steeped in cybersecurity, are eager to commercialize what they have learned by starting or joining the innovative cybersecurity commercial enterprises that dot the landscape of Tel Aviv. While this undoubtedly excludes classified military tech, startups pop up all over, with venture capital (a bit less these days, but still around) looking for the next thing &#8211; big and small.</p>
<p>In other countries, notably the U.S. and Western Europe, there is more distance (and in the U.S. more distrust) between the government (particularly the military) and the private sector. Years of movies like The Forbin Project, War Games, Hackers, and Mission Impossible Dead Reckoning Part I reflect a genuine antipathy about government control of offensive and defensive cyber projects (unless a profit can be made in selling to the government). Government contracting regulations in the U.S. make many cybersecurity companies form separate divisions (or separate companies) to deal with “commercial” sales and “government” sales. The situation in Israel could be equally described as “cooperative” or, if you like, “incestuous.”</p>
<p><strong>No Comprehensive Regulation of Cybersecurity</strong></p>
<p>When it comes to Israel protecting its own infrastructure, the results are mixed. Of course, information about how the government protects itself, particularly entities like Shin Bet, the Mossad, the Mishteret and the IDF, is, as one would expect, shrouded in secrecy, as are the tools and methods.</p>
<p>When it comes to government actions to protect Israeli “critical infrastructure,” Israel, like many countries, falls victim to the “sectoral silo” problem. One critical challenge lies in the absence of universal cybersecurity requirements across industries. While Israel has implemented mandatory security requirements for critical infrastructure sectors, other industries, including healthcare, remain largely unregulated. This discrepancy creates vulnerabilities that adversaries could exploit, potentially undermining the overall cybersecurity posture of the nation. Essentially, the regulatory environment is split into thirds. “Critical Infrastructure,” including power, water, telecom, etc., appears to be integrated into the nation’s Cyber command infrastructure, with individual CERTs for each sector (well, a room designated as a CERT for each sector). The national CERT takes feeds from each sector CERT, but incident reporting seems to be both automated and limited. The Israelis have set up a SCADA/ICS lab where they attempt to simulate (and resolve) attack scenarios on various ICS systems (including legacy ICS and IoT), with dozens of different ICS systems and controllers being simulated. This includes that German elevator company Schindler’s ICS systems being tested and evaluated (“Schindler’s lift”). So certain aspects of Israeli critical infrastructure are reasonably well protected &#8212; or more accurately, are the best protected of the infrastructures. Even here, though, Israel takes a different approach to defining “critical infrastructure” based on its perception of threat and criticality. As a country with little access to fresh water, the water sector &#8211; generation, desalinization, distribution, storage &#8212; is critical. 
<span style="color: #003366;"><a style="color: #003366;" href="https://www.cyberdb.co/database/israel/">The Israeli National Cybersecurity Directorate</a></span> applies basic <span style="color: #003366;"><a style="color: #003366;" href="https://www.nist.gov/cyberframework/success-stories/israel-national-cyber-directorate-version-20">cybersecurity principles</a></span> of identification, protection, resilience and recovery to these infrastructures.</p>
<p>Another reason the critical infrastructure seems protected is the fact that it benefits not only from regulation, but also from information sharing with the government, and from the fact that Israeli CISOs and cyber folk seem to be only a year or so removed from military service. While in the U.S. most cyber security people have little government experience and few government contacts in DoD, in Israel there is near universal military service and therefore strong connections &#8212; both personal and technical &#8212; with the government.</p>
<p><strong>Thriving Startup Culture: A Breeding Ground for Innovation</strong></p>
<p>Israel&#8217;s vibrant startup culture has played a significant role in shaping its cybersecurity landscape. The nation&#8217;s entrepreneurial spirit, risk-taking mindset, and technological prowess have led to the establishment of numerous successful cybersecurity companies. These startups, led by young CEOs, bring fresh perspectives and cutting-edge solutions to address emerging cyber threats.</p>
<p>However, the lack of universal requirements for cybersecurity poses a challenge in ensuring consistent security standards across startups and small businesses. While some startups prioritize cybersecurity, others may fall short due to limited resources or a lack of regulatory frameworks. Bridging this gap is crucial to safeguarding the entire ecosystem and ensuring a resilient cybersecurity landscape. For companies outside the critical infrastructure, it’s a hard sell to ramp up their cybersecurity, and there, as in the U.S., cybersecurity is promoted as a good and reasonable thing to do, rather than as regulatory compliance.</p>
<p><strong>Government Initiatives and Regulatory Frameworks: Protecting Critical Infrastructure</strong></p>
<p>The Israeli government has made commendable efforts to protect critical infrastructure and regulated industries through various initiatives and regulatory frameworks. For critical infrastructure sectors such as energy, water, transportation, finance, and communications, cybersecurity regulations exist to mitigate risks and protect essential services.</p>
<p>Similarly, regulated industries like banking and healthcare have implemented sector-specific cybersecurity requirements. For instance, the Bank of Israel and the Ministry of Health have established guidelines to protect sensitive data and maintain secure operations. However, the lack of universal regulations poses challenges, as unregulated sectors may become potential entry points for cyber attackers.</p>
<p><strong>Challenges and Aspirations: Universal Requirements and CyberDome</strong></p>
<p>Despite the progress made in specific sectors, the absence of universal cybersecurity requirements is a significant challenge for Israel&#8217;s cybersecurity landscape. Universal requirements would ensure a consistent and comprehensive approach to cybersecurity, reducing vulnerabilities across industries. Implementing such requirements would require concerted efforts from government bodies, industry leaders, and cybersecurity experts.</p>
<p>Additionally, the proposed CyberDome, inspired by Israel&#8217;s successful Iron Dome defense system, aims to protect critical infrastructure from cyber threats. However, the practicality of implementing CyberDome remains a subject of debate. The complexity of securing diverse and interconnected systems, along with the rapidly evolving nature of cyber threats, raises questions about the feasibility and cost-effectiveness of such an initiative.</p>
<p><strong>Regional Cooperation: Strengthening Collective Defense</strong></p>
<p>Israel has witnessed a growing trend of regional cooperation in the realm of cybersecurity. Despite political differences, countries in the region, including potential adversaries like the United Arab Emirates (UAE) and Saudi Arabia, recognize the mutual benefits of collaborating to combat cyber threats. This philosophy is based on the understanding that securing all nations&#8217; digital infrastructure enhances overall stability and security, including that of Israel.</p>
<p>By engaging in regional cooperation, Israel expands its network of partnerships, shares threat intelligence, and collaborates on joint defense initiatives. This approach contributes to the collective defense against cyber threats, promoting stability and fostering trust among nations.</p>
<p><strong>Call the Cybercops!</strong></p>
<p>Israel has also established a national cybersecurity “call center,” where anyone &#8212; and I do mean anyone &#8212; can call a phone number (“119 &#8211; 911 backwards”) and reach a Tier 1 cyber responder. This ranges from a car salesman in Haifa to an elderly grandmother (Bubbie) in Bat Yam. While the call center’s number of responses is respectable (in the thousands), there are some issues I would raise. First, one party that seems to be missing in the infrastructure and response (maybe it just wasn’t that visible) was the Mishteret &#8212; the Israeli national police. Protecting critical infrastructure in Israel is seen as a technical, governmental and political issue &#8211; not as a law enforcement issue, as far as I could tell. While U.S. hacking victims are encouraged to report to the <span style="color: #003366;"><a style="color: #003366;" href="http://www.ic3.gov/">FBI’s Internet Crime Complaint Center</a></span>, Israelis appear to call engineers, not cops.</p>
<p><strong>The Ugly</strong></p>
<p>The coordination and relationship between the government and the private sector leads to problems like the Pegasus problem &#8212; spyware created by an Israeli company and deployed, in theory, only to those entities which have a good track record on human rights. Right? The power of such software, and its ability to be deployed in ways that harm individuals and nations, make the need for transparency urgent. When we speak of using the product for “good” purposes, who gets to decide? With the incestuous relationship between cyber companies and the Israeli government, those “good” purposes may simply be those that serve or benefit a specific government. That’s very dangerous.</p>
<p><strong>Conclusion:</strong></p>
<p>Israel&#8217;s cybersecurity landscape has achieved remarkable milestones, thanks to its public-private partnerships, thriving startup culture, and government initiatives. Collaboration between stakeholders has yielded innovative solutions and bolstered defenses against cyber threats. However, challenges such as the absence of universal cybersecurity requirements, practicality of proposed initiatives like CyberDome, and gaps in regulation across industries must be addressed for a more comprehensive and resilient cybersecurity ecosystem.</p>
<p>The philosophy of defending all countries, even potential adversaries, reflects Israel&#8217;s commitment to regional stability and security. By engaging in regional cooperation, Israel strengthens collective defense and fosters trust among nations.</p>
<p>As Israel continues to advance its cybersecurity ecosystem, a balance must be struck between innovation and regulation. Universal cybersecurity requirements, practical initiatives, and enhanced collaboration will ensure the nation&#8217;s continued leadership in cybersecurity and contribute to a safer digital landscape for all. L’Hitraot.</p>
<p>Mark D. Rasch, Esq.</p>
<p>Law Office of Mark Rasch</p>
<p>Admitted in MA, NY. MD</p>
<p>mdrasch@gmail.com</p>
<p>Tel: 301 547 6925</p>
<p>The post <a href="/lessons-in-cybersecurity-from-sabras-the-israeli-model-of-innovation-and-cooperation-the-good-the-bad-and-the-ugly/">Lessons in Cybersecurity from Sabras &#8211; The Israeli Model of Innovation and Cooperation &#8211; the Good, the Bad, and the Ugly</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Arm and a Leg &#8211; and Eyeball &#8211; IRS/SSA Mandate Biometric Authentication</title>
		<link>/arm-and-a-leg-and-eyeball-irs-ssa-mandate-biometric-authentication/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Tue, 08 Feb 2022 13:02:23 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=33065</guid>

					<description><![CDATA[<p>The IRS, the Social Security Administration and other government agencies had a problem when dealing with the public. Scammers &#8212; often organized criminal groups or even state sponsors &#8212; impersonate&#8230;</p>
<p>The post <a href="/arm-and-a-leg-and-eyeball-irs-ssa-mandate-biometric-authentication/">Arm and a Leg &#8211; and Eyeball &#8211; IRS/SSA Mandate Biometric Authentication</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p dir="ltr"><img decoding="async" class="alignnone wp-image-33070" src="/wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1.png" alt="" width="785" height="451" srcset="/wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1.png 1017w, /wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1-300x172.png 300w, /wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1-768x441.png 768w, /wp-content/uploads/2022/02/Arm-and-a-Leg-and-Eyeball-IRSSSA-Mandate-Biometric-Authentication-1-600x345.png 600w" sizes="(max-width: 785px) 100vw, 785px" /></p>
<p dir="ltr">The IRS, the Social Security Administration and other government agencies had a problem when dealing with the public. Scammers &#8212; often organized criminal groups or even state sponsors &#8212; impersonate genuine beneficiaries of entitlement programs (e.g. unemployment insurance, tax refunds or tax credits, social security retirement or disability benefits) and claim these benefits to themselves. <a href="https://www.irs.gov/pub/irs-pdf/p5027.pdf">The IRS has a publication devoted to helping people recover from ID theft in tax returns</a>. The Treasury Department’s Office of Inspector General (its internal police department and auditor) <a href="https://www.treasury.gov/tigta/auditreports/2020reports/202040040fr.pdf">found in 2020</a> that (as of 2018) “the IRS estimates it prevented the issuance of between $6.03 billion and $6.08 billion in fraudulent tax refunds (referred to as protected revenue). However, the IRS also reported that identity thieves were still successful in receiving an estimated $90 million to $380 million in fraudulent tax refunds (referred to as unprotected revenue).”</p>
<p dir="ltr">That’s a lot of cheese.</p>
<p dir="ltr"><a href="https://www.ftc.gov/news-events/blogs/data-spotlight/2019/04/growing-wave-social-security-imposters-overtakes-irs-scam">In 2019, the FTC reported</a> that the losses to the Social Security Administration from identity fraud exceeded those suffered by the IRS.</p>
<p dir="ltr">So curbing ID fraud &#8211; particularly with respect to online filing &#8211; can save taxpayers a lot of money, and can save beneficiaries a lot of hassle. Strong authentication is great, multi factor authentication better, and multifactor authentication with a strong biometric is even better.</p>
<p dir="ltr">The IRS came up with a plan to allow a private company &#8212; ID.me &#8212; (as distinguished from its own authenticator <a href="http://login.gov/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=http://login.gov&amp;source=gmail&amp;ust=1644403338045000&amp;usg=AOvVaw1LGrEG6LVCc6VRrFoDy-40">login.gov</a>) to collect the data to authenticate users &#8212; including the biometric data to bind them to their credentials, and then, using the biometrically authenticated credentials, to access the government sites. In that way, the government agencies would not themselves collect the trove of biometric data, but would benefit from its collection.</p>
<p dir="ltr">On February 7, in response to outcry from the public, privacy advocates, and data security professionals, <a href="https://www.washingtonpost.com/technology/2022/02/07/irs-idme-face-scans/">the IRS abandoned this plan</a> noting that it would “transition away” from private biometric authentication. This was in direct response to concerns about the massive collection, storage and use of an online biometric database. The <a href="http://id.me/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=http://id.me&amp;source=gmail&amp;ust=1644403338045000&amp;usg=AOvVaw03fjsEO4dF6rMcFqR9JYgH">id.me</a> database not only collected the biometric data, but it also used biometric challenge/response (requiring the person seeking to be authenticated to interact on video with an <a href="http://id.me/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=http://id.me&amp;source=gmail&amp;ust=1644403338045000&amp;usg=AOvVaw03fjsEO4dF6rMcFqR9JYgH">id.me</a> employee) to demonstrate identity.</p>
<p dir="ltr">Under the now-rejected proposal, if you wanted to file your taxes online, get social security benefits, or apply for a driver’s license, you would have to provide a biometric sample to a private company (facial, voice or other biometric) which would then authenticate you (maybe), and provide you a token which you can use (instead of a weak userid and password) to log into the IRS or SSA website. While it’s clear that simple single-factor authentication (userid and password) is insufficient for these financial transactions, those who are not comfortable with providing a biometric online to a private company which promises that it won’t sell it to anyone else &#8212; might just have had to file their taxes with an envelope and a postage stamp.</p>
<p dir="ltr">Years ago, at the main post office in Washington, D.C. (on Capitol Hill across from Union Station) a game was played on April 15. Taxpayers would drive to the main post office (now a postal museum) and postal workers would be outside with big canvas carts on wheels. Motorists and pedestrians would toss their completed tax forms into the basket, secure in the knowledge that, even though it was 11:30 at night, the returns would be postmarked April 15, and they would have been filed timely. Then the taxpayers would stop at the Irish pub (the Dubliner) for a pint (or more) of Guinness to celebrate. More than a few filers would actually print their 1040 forms &#8212; or their checks &#8212; on their T-shirts, and toss those into the bin (literally giving the government the shirt off their back). It was a simpler &#8212; and stupider &#8212; time.</p>
<p dir="ltr">However, there’s a new ritual for those seeking to file their taxes, or interact with the IRS, or interact with the Social Security Administration. According to a recent article by <a href="https://krebsonsecurity.com/">Brian Krebs in his blog Krebs on security</a>, the proposal was to require users of the IRS or SSA websites to authenticate themselves through the commercial entity ID.me. As Krebs notes, “Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service. When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.”</p>
<p dir="ltr">So I popped over to the site. First thing it does is it wants to serve me cookies. If you aren’t a Girl Scout or a Double Tree Hilton, I don’t want your cookies. Their Privacy Bill of Rights notes that:</p>
<p dir="ltr" style="padding-left: 40px;">You have the right to privacy.</p>
<p dir="ltr">ID.me has built rigorous security and privacy requirements into our technology from inception. We are an ethical steward of your personal information and are committed to supporting your rights:</p>
<p dir="ltr" style="padding-left: 40px;">You are solely in control of your own data.</p>
<p dir="ltr" style="padding-left: 40px;">You must provide explicit consent before we will share any information.</p>
<p dir="ltr" style="padding-left: 40px;">You can see all authorized apps and data elements shared in your My Account portal.</p>
<p dir="ltr" style="padding-left: 40px;">You can revoke access to your data for any authorized app at any time.</p>
<p dir="ltr" style="padding-left: 40px;">You may destroy your ID.me credential and associated data at any time. ** Some data related to NIST 800-63-63 credentials will be retained after account deletion solely for fraud prevention and government auditing purposes.</p>
<p dir="ltr">Sounds good. But even at the outset, inconceivable. Or, more accurately, “I do not think that word means what you think it means.” Once I turn over my biometric, authentication, data, etc. to ID.me, I am, almost by definition, NOT in control over my own data. If ID.me is hacked, subpoenaed, a search warrant issued to them, etc., or any of their technological or business partners, I am NOT in control of my data. Sure, I can direct ID.me what entities I want them to give my credentials to (to authenticate me), but I certainly am not in CONTROL of the data that I transferred to them. And, unless that data is stored on their directories in a manner that is both encrypted AND for which I &#8212; and I alone &#8212; have the decryption key (assuming the key is strong enough), or the data is forensically wiped from their machines, I most certainly am NOT in control of the data.</p>
<p dir="ltr">Same is true with respect to the statement that “You must provide explicit consent before we will share any information.” Have they never heard of a search warrant? A FISA warrant? A National Security Letter? A writ under the All Writs Act? Governments can (and do) not only compel entities to produce information ALL THE TIME, but government agencies and courts routinely compel the entity to which the orders have been directed to NOT tell their customers that the data has been sought or produced. Moreover, if a sophisticated hacker were to fake your identity to fraudulently obtain services or money that was yours, this policy seems to suggest that ID.me will not provide the information necessary to demonstrate that the person who faked your identity was not you, since they have agreed to not share THEIR data without THEIR consent. So the thief’s data is protected from disclosure? I hope not.</p>
<p dir="ltr">Additionally, there are concerns about the type of authentication that <a href="http://id.me/" target="_blank" rel="noopener" data-saferedirecturl="https://www.google.com/url?q=http://id.me&amp;source=gmail&amp;ust=1644403338045000&amp;usg=AOvVaw03fjsEO4dF6rMcFqR9JYgH">id.me</a> does. Your iPhone or Android device has biometric authentication, but the biometric is stored on and compared on the device itself. As far as has been reported, the biometric is not ever sent to Apple or Google. The device asks the question, “Are you John Smith?” and Mr. Smith provides a biometric which is scanned and compared to the one stored encrypted in the device to answer that question. If the answer is “yes” then access to some protected credentials is unlocked. But Apple and Google could not provide a fingerprint or face analysis to the government if compelled, because they don’t have it.</p>
<p dir="ltr">The ID.me mechanism is different because the private company would collect and store the biometric, making it vulnerable not only to hacking and theft but to compelled production. Not good for privacy.</p>
<p dir="ltr">The other problem is the 1-1 vs. 1-many problem. A 1-1 authentication merely asks the question “are you John Smith?” &#8212; yes, no or maybe (Magic 8 ball says, ask again later). The 1-many facial recognition says “here’s this unknown guy &#8212; who is that?” or “here’s John Smith &#8212; tell me every photo and surveillance video that has him in it.” A very different proposition from a privacy standpoint. While ID.me denied doing “1-many” facial recognition, <a href="https://www.linkedin.com/feed/update/urn:li:activity:6892131524746326016/">the CEO of ID.me posted on his LinkedIn page</a> that “ID.me uses a specific “1 to Many” check on selfies tied to government programs targeted by organized crime to prevent prolific identity thieves and members of organized crime from stealing the identities of innocent victims en masse. This step is internal to ID.me and does not involve any external or government database.” It starts with organized crime, then moves to international terrorism, then domestic terrorism, then child molesters, then thieves, robbers, tax cheats, and other “enemies of the state.” It’s not that there aren’t appropriate uses for facial recognition technology &#8212; it’s that, once created, it becomes too much of what the law would call an “attractive nuisance.”</p>
<p dir="ltr"> <strong>Third Party ID Verification</strong></p>
<p dir="ltr">Another problem with using the ID.me model for authentication is the fact that many of the documents relied upon to establish identity &#8212; driver’s license, passport, etc., were actually generated using authentication credentials created or validated by &#8212; you guessed it &#8212; ID.me.</p>
<p dir="ltr">The idea of third party ID verification, whereby you prove to one party your identity with strong ID verification, and then obtain from them a credential which can be securely transmitted to authenticate you is nothing new. When you prove to your state government that you have the skills necessary to operate a motor vehicle, you provide your local DMV with some evidence of identity (birth certificate, baptismal record, naturalization record) as well as some evidence of residence (lease, utility bill, etc), and they create a biometric (your picture) and issue you a reasonably strong identification document (a driver’s license). The purpose of that ID was to show that it was YOU who was able to navigate a 1969 Dodge Dart through the crowded streets of Yonkers, New York in the summer of 1973 (actually, my first driver’s license was on unlaminated paper with no photo), but over time the driver’s license has morphed into some kind of universal ID. Now, if you want to vote, get into a bar, get a gun license (in states that require it) or get on a plane, you need to present the “Real ID.”</p>
<p dir="ltr">The ID.me model differs in a few ways. First, ID.me is a private company collecting massive amounts of identity information, with only the patchwork quilt of data privacy laws protecting that data from disclosure or use. Of course, there are also few legal constraints on how your local DMV uses your driver’s data &#8212; which is routinely shared with law enforcement agencies and others. In fact, DMVs used to sell this data to marketers and others until celebrities were stalked, and one killed, through the use of DMV data. Second, because ID.me attempts to authenticate individuals remotely and digitally, it had to come up with a scheme to determine (to some degree) the identity of the individual. If you can fake a digital ID, you can effectively “be” that person for many different purposes.</p>
<p dir="ltr">ID.me says that the process of authentication is “simple.” They note that “The user takes a photo of their identity document (driver’s license, passport, or state ID) and a quick selfie. ID.me uses advanced facial recognition to compare the picture of the applicant on the ID document to the selfie.”</p>
<p dir="ltr">Not so simple. First, we assume that the driver’s license used is actually valid. It’s trivial to get a fake driver’s license from China. So either ID.me is checking the security features embedded in the license card itself, or it has access to a database of driver’s license records to “validate” the license. If the latter, then what’s the point of “presenting” the driver’s license? If you have access to the picture taken at the time of issuance, use that as the token. Second, this process depends on the authenticity of the DMV records. Guess what? <a href="https://insights.id.me/wp-content/uploads/2020/12/IDme-REAL-ID-Solution_Web.pdf">ID.me is the one who collects the authentication documents needed for DMV</a>. So they are at both ends of the authentication transaction &#8212; providing the documentation needed to get the strong ID, and then relying on that strong ID to issue a credential. How does ID.me authenticate my birth certificate? How do they authenticate my water bill?</p>
<p dir="ltr">Identity management is tough. In fact, even a DNA sample would not necessarily distinguish me, a lawyer in Bethesda, Maryland from, say, a doctor in Pearl River, New York. (Sometimes it helps to have an identical twin, amirite?). The idea of a massive database of biometrics is too much even for the IRS. And that’s saying a lot.</p>
<p>&nbsp;</p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
<p>The post <a href="/arm-and-a-leg-and-eyeball-irs-ssa-mandate-biometric-authentication/">Arm and a Leg &#8211; and Eyeball &#8211; IRS/SSA Mandate Biometric Authentication</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>AR vs VR &#8211; A Meta World Fight</title>
		<link>/ar-vs-vr-a-meta-world-fight/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Thu, 03 Feb 2022 09:52:38 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=33053</guid>

					<description><![CDATA[<p>A battle is brewing for your heart and soul &#8212; and your eyes.  In one corner is Augmented Reality &#8212; AR. In the other, Virtual Reality &#8211; VR. My money&#8230;</p>
<p>The post <a href="/ar-vs-vr-a-meta-world-fight/">AR vs VR &#8211; A Meta World Fight</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignnone wp-image-33056" src="/wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight.png" alt="" width="702" height="403" srcset="/wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight.png 1017w, /wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight-300x172.png 300w, /wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight-768x441.png 768w, /wp-content/uploads/2022/02/AR-vs-VR-A-Meta-World-Fight-600x345.png 600w" sizes="(max-width: 702px) 100vw, 702px" /></p>
<p><span style="font-weight: 400;">A battle is brewing for your heart and soul &#8212; and your eyes.  In one corner is Augmented Reality &#8212; AR. In the other, Virtual Reality &#8211; VR. My money is on AR, but I have been wrong before (see predictions on crypto).</span></p>
<p><span style="font-weight: 400;">Let’s understand the difference in hardware, software and philosophy between AR and VR, and why I think that, at the end of the day, AR will prove to be more useful and adopted.</span></p>
<p><strong>AR</strong></p>
<p><span style="font-weight: 400;">In a well-designed and implemented AR system, content will be available to users in a way that supplements or augments the real world. The best example would be some variant on the Google Glass model &#8212; you know, those high tech glasses that made you look like &#8212; well, a glasshole. A more sophisticated (and more modern) application would look like, and perform like, regular eyeglasses in terms of fit, size, style and weight &#8212; hopefully with at least an all-day battery life. While near term implementations would make the smart glasses the display for the adjacent smartphone, if the glasses get smart enough, the phone could be dispensed with entirely. For greater utility, the glasses would be photochromic &#8212; clear indoors and sunglasses outdoors. Another essential feature would be stealthiness &#8212; neither the sounds from the built-in headphones nor the display should be capable of being observed or captured by third parties. Sort of like being in your own little world, while being in the regular world. Or, Augmented Reality.</span></p>
<p><span style="font-weight: 400;">The advantage of this kind of setup is that the glasses take the display currently on the phone and move it to where it really needs to be &#8212; continuously within your field of vision. I say continuously for both good and bad reasons. There is some information you want to see immediately &#8212; maybe texts, alerts, etc., and some you want to be immersed in, like videos, sports, etc. So the hardware and software will have to strike the appropriate balance, and provide safeguards to prevent that douche in the Ferrari from driving at 110 while logging into some Asian porn site. It’s all about balance. But I must admit, being able to get driving/walking directions in my actual field of view (displayed over the street itself and not a map of the street) is pretty cool.</span></p>
<p><span style="font-weight: 400;">With greater sophistication, hand gestures can take the place of finger swipes for input, selection, etc. A virtual keyboard could be displayed in front of the user, and they could type in the air. Or something else. Do I look like a software engineer?</span></p>
<p><span style="font-weight: 400;">One of the promises of Augmented Reality is the ability to put virtual objects into the real world. Think Pokémon GO or things like that. First person shooter games could be played in a physical world.  </span></p>
<p><span style="font-weight: 400;">Other uses are a mixed bag of great utility and terrifying invasion of privacy. You walk into a party and as you scan the room the camera in the glasses captures images of faces, and displays on your glasses the names of the patrons, their social media or bios, how you might be connected to them, and how you may have interacted with them in the past. Great for people like me who often have to pretend that they remember someone (“um, yeah….honey, this is…um…”) The idea of having an always-on camera right on my face is both useful and scary, and once it becomes ubiquitous, that sound you will hear will be the death knell of privacy. Or the last gasp.</span></p>
<p><span style="font-weight: 400;">But all told, it would still be cool to be able to multitask while in a meeting without it being obvious. It might make the cell phone, laptop, desktop, keyboard and mouse all unnecessary. The North glasses (absorbed by Alphabet) had a useful ring navigation device which seemed pretty cool. More data. More connection. More biometrics. What could go wrong, amirite?</span></p>
<p><strong>VR</strong></p>
<p><span style="font-weight: 400;">On the other end of the spectrum is VR. You know, those giant glasses you wear over your eyes that immerse you in a virtual world. Things like Meta’s Oculus Quest, HP Reverb, or HTC Vive. These devices eschew the ability to see the “real” world and plunge their users into a virtual world &#8212; or a “metaverse.” They can interact with others in this virtual world in a more natural way &#8212; on virtual roads, in virtual buildings, etc. These virtual worlds will become photorealistic and potentially indistinguishable from a “real” street, building, etc. Take the red pill. In a VR world, one can see the Grand Canyon in the morning, the Sistine Chapel in the afternoon, and pilot the USS Kelvin at night.</span></p>
<p><span style="font-weight: 400;">I honestly don’t know the future of this kind of metaverse, but I do know that many high tech companies &#8212; including Meta &#8212; are investing heavily in various iterations of it. To me, who grew up in the generation when parents sent kids out to play in the streets until nightfall without supervision (and we loved it &#8212; at least those of us who survived) the idea of sitting around with that kind of headset on my face and interacting with others that way seems stifling and weird.  But to others it might seem freeing and enabling. For now, I just want to get my messages and emails. OK Boomer.</span></p>
<p><span style="font-weight: 400;">Which brings me to my final point. Both AR and VR are immersive and transformative technologies which increase the link to and dependence on networks and technologies. As a result, before we go down either path we must make damned sure that we understand the moral, ethical, privacy, and autonomy concerns as well as the security and authentication concerns for the use of these technologies. If we get it right, it can be pretty cool. If not, we are stuck in a virtual nightmare of our own creation. And the only way to win is not to play the game. </span></p>
<p>&nbsp;</p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
<p>The post <a href="/ar-vs-vr-a-meta-world-fight/">AR vs VR &#8211; A Meta World Fight</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Top  10 Security Challenges for 2022</title>
		<link>/top-10-security-challenges-for-2022/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Fri, 31 Dec 2021 09:47:54 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=32983</guid>

					<description><![CDATA[<p>Traditionally, this time of year one either looks back at the previous year, or looks forward to the year ahead. While there have been great advances over the years with&#8230;</p>
<p>The post <a href="/top-10-security-challenges-for-2022/">Top  10 Security Challenges for 2022</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-32987" src="/wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1.png" alt="" width="735" height="422" srcset="/wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1.png 1017w, /wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1-300x172.png 300w, /wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1-768x441.png 768w, /wp-content/uploads/2021/12/Top-10-Security-Challenges-for-2022-1-600x345.png 600w" sizes="auto, (max-width: 735px) 100vw, 735px" /></p>
<p>Traditionally, this time of year one either looks back at the previous year, or looks forward to the year ahead. While there have been great advances over the years with respect to information security tools, technologies, training and awareness, significant challenges remain. What follows is my estimation of the top information security challenges for 2022. Please note that I could probably have written the same challenges for 2021, 2019, 2001, and perhaps even 1973. Some of these issues are perennial, some are new. As a lawyer, some of the challenges I list are ones faced by security lawyers rather than technical challenges which might be faced by CISOs.</p>
<p><strong>10. Document Retention Policies</strong></p>
<p>People often forget that digital security is first and foremost about information management. It’s all about the data, not the hardware, not the software. At the end of the day, the goal of data security is to ensure that the right information gets to the right people (with integrity) and that it does not go anywhere else.</p>
<p>To a great extent, this means doing things that are very very hard to do. It means mapping data flows (not networks). Knowing what data is located where, where it is supposed to go, and where it is backed up and stored. It also means knowing HOW the data flows through the system, where it passes through, what networks and devices it flows through, and how it is stored (permanently and temporarily). One problem is, much of the data created (think e-mail) may be stored or transmitted on or through third parties, or may be sent to third parties which may themselves retransmit the data, or incorporate it into other data streams. Sounds like fun, no?</p>
<p>After mapping the data flows, the next step is to classify the data. What’s secret, what’s confidential, what’s public? What data is critical from a confidentiality standpoint (what would happen to the enterprise or third parties if the data was released?) What data is critical from the standpoint of data integrity (e.g., financial disclosures)? What data is critical from the standpoint of availability (e.g., that implanted pacemaker)? That’s just data classification from a data security standpoint. The data also then has to be classified from a data retention and data destruction standpoint. How long do you have to keep it? How do you have to keep it? Where do you have to keep it? Can the data be exported? Can it be deleted? Must the data be “wiped” rather than deleted? And, once again &#8212; if the data is to be deleted, do we know where it is?</p>
<p>These issues are really hard because of &#8212; well, humans. People tend to want to keep data. They tend to want to keep it handy. Which means moving it from place to place &#8212; to thumb drives, onto mobile devices, and emailing it to themselves. They are also lazy. There’s little apparent utility in spending hours going through documents and emails and “classifying” them. So we end up with a huge pile of data that we never classify and never delete. Or more accurately, many huge piles of data. We have no good tools to automatically classify data, and automatically delete it. And if we did have such tools, of course, they would be powerful tools for hackers and fraudsters. So that’s a challenge right there.</p>
<p><strong>9. Insurance</strong></p>
<p>“Cyber” insurance has been around &#8212; in one form or another &#8212; for more than thirty years (although most carriers don’t know that). With the increase in “successful” ransomware and extortionate attacks (and claims related to them), carriers have responded by being more selective in who and what they cover, by requiring prospective insureds to take certain actions as a precondition of coverage, by raising premiums, and by excluding certain losses from coverage. They have also responded by taking a narrow and defensive position with respect to claims &#8212; rejecting, for example, claims related to files “damaged” by ransomware as not truly being “damaged.” In addition, insurance companies have forged relationships with digital forensics and investigation firms, as well as cyber law firms, to provide “one stop shopping” for risk reduction, risk mitigation, risk transfer, and incident response. The challenge for 2022 (like in the past) is to ensure that the insurance and the insurance market are poised to meet the actual threats and challenges posed by the digital marketplace. Fraudulent wire transfers, supply chain interference, third party liabilities, business reputation management, and loss of cryptocurrency are all new threats (well, some are) for which most entities’ insurance policies may be inadequate. Additionally, with the increase in the price of cyber-insurance, many small and medium sized businesses are being priced out of the marketplace. Finally, the current commercial cyber insurance marketplace may be inadequate to meet two related problems &#8212; systemic supply chain (third party) claims, and claims related to state-sponsored cyber-attacks. It may be time for a government (or multiple governments) to step in to ensure that cyber policies are reasonably comprehensive, and are reasonably affordable. Or maybe not. But it’s still a challenge.</p>
<p><strong>8. Ransomware/Extortionware</strong></p>
<p>Ransomware remains a significant challenge for companies, not simply because it has become ubiquitous, but also because of the significant impact a single ransomware attack may have on a company and every company or customer that relies on that company. Unlike previous types of “hacks,” where data is stolen and then exploited or sold, ransomware and extortionware rely on payment by the victim themselves. Instead of having to steal data and then find a buyer for that data, a threat actor can sell the data (or mere access to that data) to an already willing buyer &#8212; the victim themselves. Easy, peasy, lemon squeezy. With the ubiquity of anonymous payment processes through cryptocurrency, a threat actor may target a particular company, industry, computer or database, or may simply go after targets of opportunity. The defenses to ransomware &#8212; whether they are intrusion prevention, network segmentation, data backup and restoration, or advanced incident response (including payment) &#8212; are complex and not comprehensive. A classic setup for a disaster.</p>
<p><strong>7. “Supply Chain”</strong></p>
<p>For these purposes, I take a very expansive definition of “supply chain.” For my purposes, a company’s “supply chain” is anything upon which the company depends for critical data, processes, or services. Software can be supply chain. Firmware too. Hardware is part of supply chain. Services are part of the supply chain. People are included. When we talk generically of “supply chain security” or “supply chain resilience” (a better concept), we are really talking about examining all of our dependencies and interdependencies (including who is dependent upon us) and asking hard questions like how do we know the provenance of that product or service, and what would happen if…. If the data was not available. If the cloud was not secure, if I could not access the data, etc. Supply chains (under my definition) are hard to understand and ever more difficult to manage. Because of the interdependencies, the security (and resilience) of any entity is dependent upon the security (and resilience) of any and all of the hardware, software, people, processes, etc., upon which it depends. While third party audits, data protection agreements, and standards all may help, the problem is really complicated, and will likely persist.</p>
<p><strong>6. Multi-Factor Authentication </strong></p>
<p>When we speak about authentication, we often mean “authorization.” Is the person accessing the data, computer, network, or process the person who is permitted to do so, and are they accessing and using the data etc. for a permitted purpose? Traditionally, we have used “authentication” as a proxy for authorization by providing the authorized person with some form of credential which they then present to us to establish authorization. In the transfer back and forth of such credentials, we create vulnerabilities, including MiTM attacks, spoofing, theft of credentials, etc. Cat, meet mouse. Or mole, meet mallet. In addition, strong authentication can be anathema to strong privacy, since a strongly authenticated individual can be tracked by their credentials through every place they visit and everything they do. We can and will do better in authentication schemes (first thing, let’s turn on MFA by default) but, because of the power of authentication, it is the component most frequently attacked. It’s a difficult and persistent problem, which is why it makes the list.</p>
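<p>As an added example of the “turn on MFA by default” point above (written for this page, not code from the article), the following implements the HOTP/TOTP one-time code scheme of RFC 4226 and RFC 6238 together with a verifier that tolerates one time step of clock skew and refuses any code at or below the last counter it already honoured, so a stolen code cannot be replayed after its step. The shared secret is the RFC test-vector key; the user name and the login times in the demo are constructed.</p>

```python
# Added example for this page, not code from the article: RFC 4226 HOTP and
# RFC 6238 TOTP, plus a verifier with skew tolerance and replay protection.
from __future__ import annotations

import hashlib
import hmac
import struct
import time

# The 20-byte ASCII secret used in the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte counter, dynamic truncation, `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(key, int(at_time) // step, digits)


class TotpVerifier:
    """Server side: checks a submitted code against the expected counter and its
    neighbours (clock skew), and never accepts a counter at or below the last one it
    already honoured for that user, which blocks replay of a captured code."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._secrets: dict[str, bytes] = {}
        self._last_counter: dict[str, int] = {}

    def enrol(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def verify(self, user: str, submitted: str, now: float) -> bool:
        secret = self._secrets.get(user)
        submitted = submitted.strip()
        if secret is None or not submitted.isdigit() or len(submitted) != self.digits:
            return False
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self._last_counter[user]:
                continue  # already used, or older than a code we already accepted
            if hmac.compare_digest(hotp(secret, counter, self.digits), submitted):
                self._last_counter[user] = counter
                return True
        return False


def run_demo() -> list[bool]:
    """Constructed sequence: a genuine login, a replay of that captured code,
    the next genuine login, its replay, and a guessed code."""
    v = TotpVerifier()
    v.enrol("alice", RFC_TEST_KEY)  # "alice" and the times below are constructed
    return [
        v.verify("alice", totp(RFC_TEST_KEY, 59), now=59),   # genuine, counter 1
        v.verify("alice", totp(RFC_TEST_KEY, 59), now=61),   # replay of the same code
        v.verify("alice", totp(RFC_TEST_KEY, 90), now=90),   # next genuine code, counter 3
        v.verify("alice", totp(RFC_TEST_KEY, 90), now=95),   # replayed again
        v.verify("alice", "123456", now=120),                # guess
    ]


if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, time.time()))
    print(run_demo())  # [True, False, True, False, False]
```

<p>The replay check closes the “steal the code and use it later” path but not the man-in-the-middle case the paragraph raises: a code relayed to the real site within the same 30-second step is indistinguishable from the legitimate user. That is why origin-bound authenticators such as FIDO2/WebAuthn, where the signed challenge includes the site’s identity, are the stronger default where they can be deployed.</p>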
<p><strong>5. Data Protection Agreements</strong></p>
<p>A corollary to the supply chain problem is the border problem. No, not THAT border problem. The problem that companies only directly control a tiny fraction of the infrastructure on which they depend. Their mail is provided by a third party cloud provider. Same for their salesforce infrastructure, billing, invoicing, HR, etc. They employ consultants, independent sales representatives, lawyers, suppliers, vendors, etc., each of whom have access to data, networks, computers, etc. For any data or processes outside our direct control, we can (and occasionally do) compel the third party to “do something” to protect our data. Sometimes it is just a duty to inform us of a data breach. Sometimes it is a duty to comply with some data privacy or data security standard (think ISO or NIST security standards). These agreements sit on a shelf like a ticking time bomb, until one of the companies suffers a data breach or other incident, and then we can sue them for breach of contract. In addition, we think that because the third party has signed an agreement that they will protect our data, we are in the clear. So the problem with data protection agreements is like the problem with the food at the Borscht Belt hotel. It tastes terrible, and such small portions.</p>
<p><strong>4. International Data Privacy Regulation</strong></p>
<p>Just as we begin to achieve consensus on data privacy principles (limited collection, consent, legitimate use, data lifecycle, right to be forgotten, etc.) data privacy law and regulation becomes exponentially more complicated and difficult to comply with. The other problem with privacy regulation is that the Internet has become dependent upon there NOT being data privacy &#8212; entities like Meta (Facebook, etc.), Alphabet (Google, etc.), Amazon, Apple and others depend upon the collection and analysis of massive amounts of personal data. It is what gives the company value. The problem with data privacy regulation is that we want both privacy and the utility afforded by having third parties collect data for and about us. Like many other complex problems, they are problems because we expect them to accomplish diametrically opposed goals. Sounds like fun.</p>
<p><strong>3. Telework/Remote Access</strong></p>
<p>If the pandemic has taught us anything it is that home is where the keyboard is. And the office too. The explosion of telework and remote access, together with some of the tools that enable such telework, has created a physical disconnect between the person and the data. Data can be, and often is, accessed anywhere and everywhere. The disconnect creates opportunities for hackers, fraudsters, and others to attack data and networks. And as people demand more remote services (think telemedicine) and demand to be able to work remotely, the problem will only get worse.</p>
<p><strong>2. Staff Shortages</strong></p>
<p>We have always suffered from a shortage of good security peeps &#8212; partly because of the nature of the work itself. A good security person follows complex rules. A good security person constantly disobeys complex rules and breaks things. A good security person fixes things. A good security person knows how to connect with other people and share their insights. A good security person doesn’t care about other people and sharing insights, but wants to think creatively about how to exploit people’s vulnerabilities. A good security person is a “team player.” A good security person can work for hours or days without any supervision. A good security person is a hacker at heart. A good security person would never do things that a hacker would do. And is it any wonder why we have trouble recruiting and motivating good security people?</p>
<p><strong>1. Security Awareness</strong></p>
<p>We do lots and lots of security training. Well, not so much. The average employee is compelled to take a 15 minute training session on security (Alice shares her password with Bob… this is A good or B bad?) and then a refresher class every 18 months. It’s a chore, and a passing grade is typically 75-80 percent, which means that they can be wrong 25 percent of the time and still “pass” their training. And yet, in many cases, users are either the first line of defense against attacks, or the first method of furthering such attacks. We must find a way to go beyond training, beyond learning, and to change and reinforce culture. Sure, AFTER a major breach, AFTER a major ransomware attack, AFTER a major shutdown, everyone is more sensitive to data security. The problem is both that many users don’t know what to do to maintain security, and that some don’t care. Most of the time, however, it is because users believe that it is either necessary or useful to bypass a security requirement in order to get their job done. Thus, part of the job of the CISO is to find out how and why people are bypassing security and find a way to help them get their job done. And to inculcate a culture of security, curiosity, and concern within and throughout the company. And unicorns. Because, why not?</p>
<p>So these are MY top 10 security challenges for 2022. And 2023. Most of these problems are intractable and are bound to be repeated. And they are hard to fix. If they were easy to fix, they wouldn’t be on the list.</p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
<p>The post <a href="/top-10-security-challenges-for-2022/">Top  10 Security Challenges for 2022</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>November 2, 1988 &#8211; A Day of Infamy for the Internet</title>
		<link>/november-2-1988-a-day-of-infamy-for-the-internet/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Tue, 02 Nov 2021 18:59:02 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=32773</guid>

					<description><![CDATA[<p>Thirty-three years ago, on November 2, 1988, the Internet lost its innocence. Now, in reality, the Internet was never truly “innocent,” and, let’s face it, in 1988, it wasn’t&#8230;</p>
<p>The post <a href="/november-2-1988-a-day-of-infamy-for-the-internet/">November 2, 1988 &#8211; A Day of Infamy for the Internet</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" src="https://d1c2gz5q23tkk0.cloudfront.net/assets/uploads/3195061/asset/AdobeStock_245760174.jpeg?1635878781" alt="" width="813" height="458" /></p>
<p>More than three decades ago, on November 2, 1988, the Internet lost its innocence. In reality, the Internet was never truly “innocent,” and, let’s face it, in 1988 it wasn’t even really the Internet. It was the ARPANet, or DARPANet, or MILNet: a loose confederation of large institutions such as banks, government agencies and universities, connected through a set of common protocols over a distributed network that let them share resources and communicate with each other. Roughly 60,000 hosts were connected in the United States at the time, more or less. The “Internet” was a club, a fraternity, and its members considered themselves somewhat elite. The nascent network, already nearly two decades old at that point, allowed a researcher in Chicago to run programs on a “supercomputer” in San Diego. It allowed users to play Star Trek games like Netrek (“you have entered a new quadrant… type “L” to look around”). While certain entities depended on the fledgling “Internet,” it had yet to become a tool for mass electronic commerce, social media and mass communications. Connecting to it meant mastery of things like DIP switches, PIN settings, baud rates and dial-ups, or reliance on network administrators and contracts with companies like Bolt Beranek and Newman. It was an exclusive fraternity.</p>
<p>There had been computer crimes before November 1988. Fred Cohen had already published his work on computer viruses. Dr. Joseph Popp was a year away from releasing the world’s first ransomware. John Draper and other phreakers had learned how to hack the nation’s phone system, mostly for free phone calls. Hacks (they were already called hacks) of various computers had been going on for years, decades perhaps, for various reasons. The Hannover hackers were motivated by espionage, politics and money when they attempted to steal information about the U.S. “Star Wars” program. Kevin Mitnick had started as a teenager exploiting social engineering for the thrill of it. Hackers had stolen money from places like the Bank of America and other online institutions. Hackers had also accessed and altered systems at U.S. military installations, intelligence agencies and related institutions. Hacking was not completely novel.</p>
<p dir="ltr">But on November 2, 1988, a graduate student at Cornell University launched a computer program, a worm, that was designed to do nothing in particular except spread. The worm penetrated computers using a series of attacks that would be considered mundane today: guessing weak passwords, abusing the debug mode of Sendmail, riding the trust relationships of rsh and rexec between hosts, and overflowing a fixed-size buffer in the finger daemon to make the target run the worm’s code. It used variants of many of the techniques still used today: establishing a beachhead on a host and pulling the rest of the malicious code in after it, using a buffer overflow to induce a target machine to run attacker-supplied code, getting the host to do something it was designed to do, but not what it was expected to do. You know, hacking.</p>
<p dir="ltr">The author of the worm had no destructive intent, and little malice. The goal of the worm was simply to spread, announce its presence, and remain resilient. A reboot would remove the worm entirely, until the host was reinfected. Cybersecurity was a hobby of the author: testing, probing and exploring to see how things worked, breaking them to figure out how to fix them. The hobby came naturally to him. He was the son of the Chief Scientist of the National Computer Security Center at the National Security Agency. Both father and son had attended Harvard, both had majored in sciences related to computers, both had a passion for tinkering. Both had worked at a major research institution, Bell Labs. For both, communicating and experimenting online came naturally. The father was one of the luminaries in computer science, mathematics and information security, and had testified before Congress in 1983 about the dangers (and the exaggerated dangers) of juvenile hacking, something he equated to nothing more than “joy riding.” The son even gave presentations to the NSA about hacking: how to do it, and how not to get caught.</p>
<p dir="ltr">Yet on November 2, 1988 something changed. Five years earlier, the movie “WarGames” had focused attention on the potential for destructive hacking, particularly by minors. Hacking was considered a mix of vandalism and the end of the world as we know it. Misinformation about what computers did, and what they could do, was abundant. Much of this was fear of the unknown. The worm attack was front-page news for days, and many institutions believed it was part of a broader attack on the nation’s critical infrastructure. The worm’s author tried to rein in its impact, but had effectively lost control of his own creation. Ultimately, he was tried and convicted on a single-count indictment, in what is widely described as the first prosecution under the federal Computer Fraud and Abuse Act.</p>
<p dir="ltr">Following the worm case, the nature and character of “hacking” offenses changed dramatically. Hackers were, for the most part, not simply curious engineers attempting to figure out how the technology worked and how it could be manipulated (and exploited). At least not the “hackers” who were the subject of criminal prosecution. A new breed of malicious actors saw the Internet &#8212; together with the World Wide Web, social media, the so-called “dark Web” &#8212; and all the technologies they enable as a platform for theft, destruction, extortion, manipulation, espionage, and a host of other crimes. The “internet” had lost its innocence. It was no longer an exclusive club for the cognoscenti. It was democratized &#8212; for good and for ill.</p>
<p dir="ltr">None of this was the fault of the worm’s author. If anything, the author (either deliberately or inadvertently) sounded a wake-up call with respect to data security. But the thing about wake-up calls is that they are so easy to ignore. Today, we are much more vulnerable to threats, and much more reliant on technology. Barely a minute goes by when we do not use the technologies enabled by the Internet. But, to a great extent, November 2, 1988 was a turning point in the history of the Internet. Which way it has turned is going to be up to us.</p>
<p dir="ltr"><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why the Supreme Court’s Van Buren Case Really Matters</title>
		<link>/why-the-supreme-courts-van-buren-case-really-matters/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Fri, 04 Jun 2021 16:55:20 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=32247</guid>

					<description><![CDATA[<p>​ On June 3, the U.S. Supreme Court issued an opinion holding that a Georgia police officer could not be prosecuted under the federal computer crime law for accessing a&#8230;</p>
<p>The post <a href="/why-the-supreme-courts-van-buren-case-really-matters/">Why the Supreme Court’s Van Buren Case Really Matters</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p dir="ltr"><img src="https://d1c2gz5q23tkk0.cloudfront.net/assets/uploads/3109362/asset/Supreme_Court%E2%80%99s_Van_Buren_Case_Really_Matters.png?1622825490" alt="" width="1017" height="584" /></p>
<p dir="ltr">On June 3, the U.S. Supreme Court issued an <a href="https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf" target="_blank" rel="noopener">opinion</a> holding that a Georgia police officer could not be prosecuted under the <a href="https://www.law.cornell.edu/uscode/text/18/1030" target="_blank" rel="noopener">federal computer crime law</a> for accessing a criminal database he was permitted to use only “for law enforcement purposes” and then selling data he obtained from it. The Court did not say that the officer could not be prosecuted at all, or that he had not committed abuse of authority, embezzlement, conversion or misuse of property. The 6-3 decision, written by Justice Amy Coney Barrett, simply found that the federal “hacking” statute, which makes it a crime to “exceed authorized access” to a computer and thereby “obtain information,” did not apply to what the officer did.</p>
<p dir="ltr">The case is significant not for its impact on Officer Van Buren, but as a wholesale redefinition of the nature and extent of computer trespass. The dissenting Justices (Thomas, joined by Roberts and Alito) point to the law of property and the law of trespass to argue that what the officer did clearly exceeded his authorization and would be a crime in the real (non-virtual) world. If, on a “day off” from school in Chicago, you hand your best friend’s dad’s Ferrari 250 GT California to a valet for safekeeping, and the valet instead takes it for a joy ride, Justice Thomas reasons, the valet has used the car without permission, noting that “[b]oth the common law and statutory law have long punished those who exceed the scope of consent when using property that belongs to others.”</p>
<p dir="ltr">The problem with this analysis is simply that information is a special kind of “property.” It’s not just that it is not tangible. It’s that questions of “ownership” and “rights to use” information are extraordinarily murky and difficult to decipher. Add to that the fact that the computer crime statute, first written in 1984 and then amended several times, by its terms deals not with “use of information” without authorization but with “access without authorization” or “exceeding authorization to access a computer.” It is the access to the computer which must be unauthorized &#8212; not the subsequent use of the information gleaned from an “authorized” access.</p>
<p dir="ltr"><strong>Uncivil Litigation</strong></p>
<p dir="ltr">The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, has both criminal and civil provisions. Indeed, the overwhelming majority of cases arising under the statute are civil disputes: employer/employee lawsuits, divorce cases, unfair competition cases and similar matters. These cases often hinge on what the offending party was “authorized” to do on someone’s website, or with data that was shared between parties. For example, when a group of Korn Ferry employees used their computer access to take information they could use to compete with their (soon to be former) employer, <a href="https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14-10037.pdf" target="_blank" rel="noopener">the Computer Fraud statute was invoked against them</a> on the theory that their computer access “exceeded authorization.” The Ninth Circuit Court of Appeals found that this kind of dispute was not the kind of “hacking” prohibited by the statute, presaging the Supreme Court’s ruling on Thursday.</p>
<p dir="ltr">Similarly, when data analytics firm hiQ “scraped” public data from the social media site LinkedIn (in violation of LinkedIn’s written policy prohibiting such scraping), LinkedIn sent a cease and desist letter alleging that the conduct violated the computer crime statute because it “exceeded authorization” to “access” the site. hiQ went to federal court to clarify the issue, and the <a href="https://law.justia.com/cases/federal/appellate-courts/ca9/17-16783/17-16783-2019-09-09.html" target="_blank" rel="noopener">Ninth Circuit found that the scraping likewise did not violate the hacking statute</a>.</p>
<p dir="ltr">These kinds of cases are the bulk of the matters that come under the CFAA &#8212; not going after Russian hackers, botnets and ransomware purveyors. As a result, the statute becomes a tool used by civil litigants to go after competitors, abusers, employees and others &#8212; often for violating contracts, terms of service, terms of use, or even just social norms.</p>
<p dir="ltr"><strong>Mother, May I?</strong></p>
<p dir="ltr">The real distinction between the majority in Van Buren and the dissent turns on the question of “authorization” or “consent” to access or use a computer or computer network (or the data on them). A broad interpretation of the term “exceeding authorized access” would make it both a crime and a civil wrong, as Justice Thomas noted, to “joyride” not only on a computer network but with data gleaned from a network. Under that reading, the scope of “authorization” to access a computer or to use data obtained from it is determined principally by reference to a contract, terms of service or terms of use, meaning that violating any of those terms potentially renders one’s access to the computer “unauthorized.” This means that <a href="https://www.lexisnexis.com/community/casebrief/p/casebrief-united-states-v-drew" target="_blank" rel="noopener">a social media user who sets up a fake profile in violation of the hosting site’s policy is subject to civil and criminal litigation</a>. The Supreme Court noted:</p>
<p dir="ltr">If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals. Take the workplace. Employers commonly state that computers and electronic devices can be used only for business purposes. So on the Government’s reading of the statute, an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA. Or consider the Internet. Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.</p>
<p dir="ltr">Most people’s access to computers, databases or information online is dictated by Terms of Service, Terms of Use, Software License Agreements, Acceptable Use Policies, Data Privacy and Data Security policies, or the terms of employment or access agreements. These agreements can run to hundreds of pages of legalese, and contain obscure, confusing and even contradictory or ambiguous terms that dictate what you may or may not do online. For example, an Acceptable Use Policy may prohibit the use of a computer, network or social media account for “abusive” or “improper” purposes, or for harassment, or to post information that is false, defamatory or otherwise prohibited. So, if you link a Facebook or Twitter post to a broadcast by Fox News about Dominion Voting Systems (which is now the subject of a multi-billion dollar defamation lawsuit), there is no doubt that the social media companies can determine that the posting violates their AUP and restrict it. But can they have you arrested for “exceeding your authorization to access their computer?” After all, when you signed up for Facebook, you agreed not to post false material; Facebook determined that the material was false (a factual issue you can dispute at your criminal trial); your access to Facebook was conditioned on your adherence to the AUP; you violated the AUP; therefore, you “exceeded your authorization” to access Facebook or Twitter. The slope is mighty slippery.</p>
<p>In other words, the things that can land you in Facebook jail can also land you in jail. That is probably not what Congress intended in 1984. As a result, the Court narrowed the definitions of unauthorized access and exceeding authorized access to the kinds of things we think of when we think of “hacking.” Things like breaking in, cracking passwords, bypassing security, etc. You know, crimes.</p>
<p dir="ltr"><strong>Forgive Me My Trespasses</strong></p>
<p dir="ltr">One of the problems here is that Congress, in enacting the Computer Fraud and Abuse Act, was trying to emulate online the kinds of criminal activity it saw in the real world, and to fill in gaps that made it difficult to prosecute those crimes when they occurred in cyberspace. For example, a real-world “theft” involves the “taking” of “property.” Online, such “theft” may simply involve the “reading” of “information.” Not a perfect analogy. In real life, one “trespasses” when one breaks into or remains unlawfully in a place without authorization to do so (or in excess of that authorization). Congress tried in the CFAA to emulate this type of crime with the phrase “exceeds authorized access” to a computer. But the law of trespass is itself murky, as the dissenting Justices point out. Justice Thomas writes that “[a] person is entitled to do something only if he has a ‘right’ to do it” and that “[e]ntitlements are necessarily circumstance dependent; a person is entitled to do something only when ‘proper grounds’ or facts are in place.” If you don’t have permission to do something, you are not “authorized” and therefore you are trespassing. And you trespass in the real world not simply by virtue of your physical presence, but also by virtue of your authorization and your actions. If you are at a public hearing and become disruptive (or even off topic), your “authorization” to attend the meeting is expressly or impliedly revoked and you are “trespassing,” sometimes after having been asked to leave, but often not. If you sleep in a hotel lobby in violation of a “no loitering” sign, you can be arrested for trespass. If your access to a location is conditioned on a promise to do, or refrain from doing, something (e.g., no eating on the subway, no weapons in a bar), then violation of those terms constitutes revocation of authorization and voila! Trespass.</p>
<p>So when Congress imported the law of trespass into the virtual world, in theory, they were importing this “permissions based” or “consent based” doctrine. Under this broad theory, it’s not that you are not permitted to be somewhere online &#8212; it’s that you are not permitted to be there for the purpose for which you are there, or that you are not permitted to do something you are doing there.</p>
<p dir="ltr">The problem is, there are no “walls” in cyberspace, and the rules are created and enforced on an ad hoc basis. A “permissions” based system for criminal law means that any violation of the conditions of access or use, set out in a multipage, turgid and indecipherable document, creates criminal liability. As Matthew 6:12-14 puts it, “&#8230;forgive us our trespasses, as we forgive them that trespass against us, and lead us not into temptation, but deliver us from evil.”</p>
<p dir="ltr">Online trespass is at least as murky as, and often murkier than that in the real world. The lack of defined boundaries, consensus on the acceptable or “authorized” access to or use of data (particularly semi-public data) confound and confuse the question.</p>
<p dir="ltr"><strong>There Ain&#8217;t No Such Thing as Computer Crime</strong></p>
<p dir="ltr">Which brings us to the final problem. In the early 1980s, as we were examining the problem of computer crime and attempting to craft a statute to deal with it, the legal construct spoke of distinct offenses of “computer crime” and “computer related crime.” Computer crimes were crimes where the computer was the subject or target of the offense: viruses, worms, denial of service and the like. Computer related (or computer assisted) crimes were those that existed in real life but were facilitated through computers. A pump and dump securities fraud could exist in real life, but could be amplified by email or message boards.</p>
<p dir="ltr">Over time, these distinctions, and indeed the entire concept of “computer crime,” have proved illusory. What we think of as “computer crimes” are in reality “information crimes”: crimes targeting the confidentiality, integrity and availability of information. They may be things like revenge porn (confidentiality), extortionware (confidentiality) or ransomware (availability). They may be “theft” of personal information. They may be phishing or malware. They may be denial of service or botnets. They also include things like child pornography (and sexual abuse online), cyberbullying, threats, harassment, intimidation, drug trafficking, extortion, and any other kind of human endeavor. What is criminal in the real world can be facilitated and/or amplified by the virtual one. NFTs and cryptocurrency can be stolen. Intellectual property infringed. Secrets exposed. Information exported.</p>
<p dir="ltr">But in the end, crime is crime. It’s old wine in new bottles &#8212; bottles that sometimes don’t make a perfect fit. What the Court was attempting to do is to understand how the new bottle affects the wine inside. In the area of “unauthorized access” or “exceeding authorized access” the Court was concerned that defining the crime too broadly would make criminals out of everyone. And that’s probably not what Congress intended in 1984.</p>
<p dir="ltr"><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>White House Issues Advisory to Business Leaders on Ransomware Practices</title>
		<link>/white-house-issues-advisory-to-business-leaders-on-ransomware-practices/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Thu, 03 Jun 2021 19:40:33 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=32237</guid>

					<description><![CDATA[<p>In the wake of the highly publicized attacks on both gasoline and food infrastructures by Russian-based ransomware attackers, the Biden administration on June 3 issued an advisory to business leaders&#8230;</p>
<p>The post <a href="/white-house-issues-advisory-to-business-leaders-on-ransomware-practices/">White House Issues Advisory to Business Leaders on Ransomware Practices</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p dir="ltr"><img src="/wp-content/uploads/2021/06/White-House-Issues-Advisory-to-Business-Leaders-on-Ransomware-Practices-1.png" alt="" width="827" height="475" /></p>
<p dir="ltr">In the wake of the highly publicized attacks on both gasoline and food infrastructures by Russian-based ransomware attackers, the Biden administration on June 3 issued an advisory to business leaders directing them to take action to harden their systems against ransomware and to be more resilient against similar attacks. It has also been reported that President Biden intends to discuss the issue of Russian-based cyber attacks on U.S. critical infrastructure when he meets later this month with President Vladimir Putin.</p>
<p>The ransomware memo, issued by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, called upon private sector companies, particularly those in critical infrastructure, to recognize and respond to the threats posed by ransomware attacks. Neuberger’s memo noted:</p>
<p>“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” she wrote. “Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.”</p>
<p>“To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”</p>
<p>When it came to solutions, particularly solutions that the government might make available to the private sector, the memo was thinner. It recommended that companies harden their systems against phishing, the principal vector for ransomware infiltration, and implement multifactor authentication as part of their anti-phishing protocols. The memo also recommended strengthening security staff and training them on ransomware response, maintaining more robust data backup and restoration, and encrypting data at rest to prevent or deter extortionware. This is in addition to things like patch management and restricting access to files and networks.</p>
<p>Among the steps Neuberger said companies should take are implementing multi-factor authentication, bolstering security teams, regularly testing backups and updating patches, testing incident response plans and separating and limiting internet access to operational networks.</p>
<p>In other words &#8211; duh.</p>
<p>At the same time that the government is recommending that companies be prepared for the threat of ransomware and have robust systems to respond to ransomware attacks, it is also threatening to criminally prosecute not the ransomware attackers, but the companies that, either directly or through digital incident response or insurance companies, pay ransoms to get access to their data back. Late last year, both the Treasury Department and financial regulators issued warnings that the payment of ransom by victims may violate U.S. and international restrictions on conducting business with “prohibited entities,” and that a license from the Treasury Department’s Office of Foreign Assets Control might be needed to be permitted to pay the ransom, particularly in cryptocurrency. The government also warned entities paying ransom that they are subject to prosecution for violating the “know your customer,” “anti-money laundering” and “money transmitter” statutes if they pay or facilitate the payment of ransom. That’s public/private cooperation for you.</p>
<p>Neuberger noted that “The U.S. Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility. The federal government stands ready to help you implement these best practices.” However, the memo did not commit the government &#8212; particularly the law enforcement or intelligence agencies &#8212; to sharing data about ransomware threat actors, their identity, their methodologies, or their networks with the private sector. It’s not clear that such robust information sharing would be successful in mitigating the threat of ransomware, but the government has certainly encouraged the private sector to report ransomware attacks and to share information with the government. It’s not clear that the government is committed to sharing this information the other way.</p>
<p>Moreover, while the government seems to see encryption of data as a partial solution to the problem of ransomware (actually, extortionware), the FBI and intelligence agencies have insisted that encryption technologies be developed and deployed that would give the government (governments?) access to encrypted data, preventing “warrant-proof” encryption. In other words (and the government would disagree with this accurate assessment), backdoors to encryption.</p>
<p>The Neuberger memo also did not discuss whether the government could (or would) provide some kind of subsidy to companies that cannot afford the level of security that the government deems necessary, or provide resources (or tax breaks) to encourage the deployment of such security resources. It simply recommends that companies continue to have “good security hygiene” &#8212; you know, things we should be doing anyway. And even if every company did this, it’s not clear that this would prevent ransomware &#8212; just make it somewhat less pervasive, or make the attackers that much more clever.</p>
<p>It’s kind of like when you were a kid carrying a bunch of breakables, and your mom would say helpfully, “hey &#8212; don’t drop that…” Thanks, mom.</p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
<p>The post <a href="/white-house-issues-advisory-to-business-leaders-on-ransomware-practices/">White House Issues Advisory to Business Leaders on Ransomware Practices</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Mark Rasch and Richard Stiennon Discuss Suspected Russian Hackers Use of SolarWinds to Break Into US Government Agencies</title>
		<link>https://youtu.be/M5813YPBY0s#new_tab</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Mon, 14 Dec 2020 22:33:04 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=32073</guid>

					<description><![CDATA[<p>The post <a href="https://youtu.be/M5813YPBY0s#new_tab">Mark Rasch and Richard Stiennon Discuss Suspected Russian Hackers Use of SolarWinds to Break Into US Government Agencies</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>The post <a href="https://youtu.be/M5813YPBY0s#new_tab">Mark Rasch and Richard Stiennon Discuss Suspected Russian Hackers Use of SolarWinds to Break Into US Government Agencies</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Parler Talk &#8211; Free Speech, Social Media and Section 230</title>
		<link>/parler-talk-free-speech-social-media-and-section-230/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Thu, 12 Nov 2020 18:29:47 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=31941</guid>

					<description><![CDATA[<p>Both conservatives and liberals are convinced that “mainstream” social media “censors” their views and opinions. Liberals point out that so-called conspiracy theories like those peddled by Q-Anon, white supremacist and&#8230;</p>
<p>The post <a href="/parler-talk-free-speech-social-media-and-section-230/">Parler Talk &#8211; Free Speech, Social Media and Section 230</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone  wp-image-31943" src="/wp-content/uploads/2020/11/Parler-Talk-1024x481.png" alt="" width="579" height="272" srcset="/wp-content/uploads/2020/11/Parler-Talk-1024x481.png 1024w, /wp-content/uploads/2020/11/Parler-Talk-300x141.png 300w" sizes="auto, (max-width: 579px) 100vw, 579px" /></p>
<p>Both conservatives and liberals are convinced that “mainstream” social media “censors” their views and opinions. Liberals point out that so-called conspiracy theories like those peddled by Q-Anon, white supremacist and white nationalist organizations get traction from social media and are amplified by their algorithms, and that as a result, more conservative viewpoints are expressed online than progressive viewpoints. Conservatives point out actions by Facebook and others to restrict the dissemination of what Facebook deems to be “false” information, which they believe served to disenfranchise conservative views. While Mark Zuckerberg initially indicated that he would not restrict any viewpoints on Facebook &#8212; indicating that he wanted to be a forum for all ideas, not a publisher of them &#8212; over time the social media site has taken on more “publisher”-like features.</p>
<p>As a result, in the wake of the 2020 Presidential election, a large number of mostly conservative social media users have indicated that they were moving to a less-restrictive and more open (and more openly conservative) social media site &#8211; Parler. That site, unlike the “mainstream” sites like Facebook, Twitter and the like, does not censor viewpoints.</p>
<p>Or does it?</p>
<p>If you look at <a href="https://legal.parler.com/documents/guidelines.pdf">Parler’s Guidelines</a> it’s all about content restriction. The first principle is that:</p>
<p>Parler will not knowingly allow itself to be used as a tool for crime, civil torts, or other unlawful acts. We will remove reported member content that a reasonable and objective observer would believe constitutes or evidences such activity. We may also remove the accounts of members who use our platform in this way.</p>
<p>Just so we are clear, the policy as stated notes that Parler will remove not only things that facilitate crimes or torts, but also “evidence” of such activity. So people can’t advertise unlawful gun sales, sales or sharing of drugs in violation of federal or state law, encourage people not to pay lawful taxes, promote unlicensed sports betting, solicit participants in unlawful assemblies, or any of hundreds of other things because these are “unlawful” and their posts and sharings will be taken down. They also cannot post information which would intrude into the seclusion of others, put others in a “false light,” defame or libel them, cause them severe emotional distress, or otherwise constitute a civil tort.</p>
<p>The policy is not unusual, and reflects Parler’s desire both not to facilitate crimes or torts and not to be potentially liable for such facilitation. It’s a reasonable policy depending on how it is applied. But it’s not the absolutist free speech position that advocates for the alternative social media site claim it to be.</p>
<p>Parler also indicates that it will restrict “content posted by or on behalf of terrorist organizations,” giving it the unilateral decision-making ability to decide whether the Proud Boys, the Knights of the Ku Klux Klan, or the Atomwaffen Division are “terrorist” organizations. If Parler determines that you are a member of such an organization, or that anything you post is on behalf of one &#8211; well, no soup for you! The same is true for prohibited content like child pornography (called CSAM), but also those memes and photos you post and repost? Sorry, dude. Copyright violation. You’re out. They also restrict materials that are “not safe for work” with an age validation and verification system.</p>
<p>There’s nothing strange or unusual about any of these restrictions. They are not “censorship” in the governmental sense because Parler, like Facebook, Instagram, and Twitter, is not a government agency and has no legal duty to “carry” anyone’s message. Blocking spam and bots by ISPs, providers and social media is not “censorship.” It’s responsible. The World Wide Web is not, and should not be, a total free-for-all. It’s a community. With rules, and with people who violate these rules.</p>
<p><strong>The Role of Providers</strong></p>
<p>In The Wolf of Wall Street, the protagonists work for a company called Stratton Oakmont &#8211; a Wall Street brokerage and massive fraud scheme. Back in the mid-1990s, shortly after the Internet was commercialized, services like America OnLine, Prodigy, and Compuserve provided dual functionality &#8212; they hosted and moderated user-created content through various forums, message boards and the like, and they acted as a dial-up gateway to the web itself. Prodigy hosted a finance message board (“Money Talk”) on which people posted information about Stratton Oakmont &#8212; and that information was not particularly favorable to the investment company. Stratton Oakmont sued the forum, Prodigy, for defamation, asserting that Prodigy, like the New York Times or the Wall Street Journal, “published” the defamatory materials and was liable for the libel. Prodigy had the ability to read and cull the content (just like letters to the editor) and to moderate the forums, and in fact did moderate content, using what it called a message “board leader.” As a publisher, it should be responsible for the content it publishes, irrespective of who wrote it. The New York State Supreme Court agreed, and found that Prodigy was, in fact, a publisher and was liable to Stratton Oakmont for the allegedly defamatory postings made by users of the forum.</p>
<p>So, apply that ruling to Facebook or Parler. Every time someone doxxes someone else online, posts mean messages, insults or lies, Parler would be liable for the tortious conduct of its users. It would either have to read every message and determine its truth and character beforehand, or respond to demands to take down content. It would become a publisher of its members’ content in the true sense, and would take on not only the editorial function, but liability for breaching that function.</p>
<p>In response to the Stratton Oakmont case, Congress passed Section 230 of the Communications Decency Act (CDA), which generally gives Internet Service Providers and online content providers immunity from any suit (not just immunity from a judgment) which asserts that they have liability as a publisher of offending content. Without going into a deep dive into the scope of Section 230, it is this provision which has permitted the growth of social media and user-provided content &#8212; for good and ill. The benefit of Section 230 is that it permits and encourages forums like Parler and Facebook. The problem is that it disincentivizes content moderation, or moderation (in all senses of that word) at all. Whether and how to moderate content is left to other laws (e.g., the child pornography laws) or, more frequently, to the marketplace itself. It also means that, if someone else posts content that is offending, improper, injurious or harmful (and sometimes deadly), it is exceedingly difficult to have that content removed, or to hold anyone responsible for that content. It also permits and encourages the coarsening of political discourse (on all sides), and irresponsible but protected speech.</p>
<p>There also may be a distinction between a forum’s liability as a “publisher” of a third party’s content and as a distributor of that content, or between a forum’s liability for truly third party content and for content that they create themselves. If a provider is liable when it exercises an editorial function (e.g., blocking some content but allowing others), then it would be encouraged to block nothing except that which it is legally mandated to block. In for a penny, in for a pound. That’s not the approach taken by Facebook. Or Parler.</p>
<p>Since its inception, there have been efforts to soften, weaken, modify, or exempt content from Section 230’s almost blanket immunity. On October 13, <a href="https://www.supremecourt.gov/orders/courtorders/101320zor_8m58.pdf#page=12?utm_campaign=10_18_2020&amp;utm_medium=email&amp;utm_source=tpfp_newsletter&amp;utm_term=clarence_thomas&amp;utm_campaign=11_1_2020&amp;utm_medium=email&amp;utm_source=tpfp_newsletter">Justice Clarence Thomas issued a non-binding opinion</a> questioning whether companies that provide a forum for content should be legally entitled to Section 230 immunity, noting that “a company can solicit thousands of potentially defamatory statements, “selec[t] and edi[t] . . . for publication” several of those statements, add commentary, and then feature the final product prominently over other submissions—all while enjoying immunity.” Justice Thomas went on to note that “by construing §230(c)(1) to protect any decision to edit or remove content, courts have curtailed the limits Congress placed on decisions to remove content. … With no limits on an Internet company’s discretion to take down material, §230 now apparently protects companies who racially discriminate in removing content.” Justice Thomas criticized decisions which, for example, immunized the content forum Backpage for the escort ads posted on its site, or immunized Facebook against allegations that the Palestinian organization Hamas used Facebook to post content that encouraged terrorist attacks in Israel. Justice Thomas suggests, like many conservative commentators and President Trump, that Section 230 immunity be pared back, permitting forums like Facebook and other “Big Tech” companies to be sued for the content posted by others, and for their own actions in filtering (or not filtering), promoting, or excluding content. When an algorithm causes a user to see content based on their “interests” and that necessarily radicalizes them in one direction or another, does the creator of that algorithm bear responsibility for the consequences of that radicalization? Does it matter if that radicalization leads to a school shooting, a terrorist attack, or someone bringing a gun to a pizzeria? Should social media be liable for NOT detecting and reporting content relating to mentally disturbed individuals who threaten to kill or harm others? Should they take such content down? Should they have liability if they do? Should they have liability if they don’t?</p>
<p>Again, everyone is convinced that Big Tech is prejudiced against them and filters THEIR content while permitting that of their adversaries. There are some tweaks to 230 I would like to see &#8212; to bring the law of posting malicious and harmful content more in line with the law on posting infringing content. But for now, if everyone is unhappy, maybe the problem is not the forum, but the people. And that’s kind of what free speech is all about.</p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
<p>The post <a href="/parler-talk-free-speech-social-media-and-section-230/">Parler Talk &#8211; Free Speech, Social Media and Section 230</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Healthcare Ransomware Readiness – What You Need to Do Today, Tomorrow and the Day After</title>
		<link>/healthcare-ransomware-readiness-what-you-need-to-do-today-tomorrow-and-the-day-after/</link>
		
		<dc:creator><![CDATA[Mark Rasch]]></dc:creator>
		<pubDate>Thu, 29 Oct 2020 21:34:38 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=31886</guid>

					<description><![CDATA[<p>On October 28, 2020, officials from the FBI and the U.S. Department of Homeland Security assembled a conference call with healthcare industry executives warning them about an “imminent cybercrime threat&#8230;</p>
<p>The post <a href="/healthcare-ransomware-readiness-what-you-need-to-do-today-tomorrow-and-the-day-after/">Healthcare Ransomware Readiness – What You Need to Do Today, Tomorrow and the Day After</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-31889" src="/wp-content/uploads/2020/10/Ransomware-Hospital-1024x1022.png" alt="" width="337" height="336" srcset="/wp-content/uploads/2020/10/Ransomware-Hospital-1024x1022.png 1024w, /wp-content/uploads/2020/10/Ransomware-Hospital-300x300.png 300w, /wp-content/uploads/2020/10/Ransomware-Hospital-150x150.png 150w, /wp-content/uploads/2020/10/Ransomware-Hospital-768x767.png 768w, /wp-content/uploads/2020/10/Ransomware-Hospital-600x599.png 600w, /wp-content/uploads/2020/10/Ransomware-Hospital-200x200.png 200w, /wp-content/uploads/2020/10/Ransomware-Hospital.png 1195w" sizes="auto, (max-width: 337px) 100vw, 337px" /></p>
<p>On October 28, 2020, officials from the FBI and the U.S. Department of Homeland Security assembled a conference call with healthcare industry executives warning them about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” The agencies on the conference call, which included the U.S. Department of Health and Human Services (HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers,” and the government noted that they need to warn healthcare providers “to ensure that they take timely and reasonable precautions to protect their networks from these threats.”</p>
<p>The federal warning comes in the wake of reports published by Brian Krebs indicating that a Russian-speaking ransomware group known as Ryuk has discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.</p>
<p>Healthcare entities need to be prepared for this urgent threat. There are a few things they can do in immediate preparation for an attack, during an attack, and in the aftermath of an attack to minimize the risk or impact. Healthcare entities need to be able to prevent, detect, and effectively respond to threats involving ransomware. This includes navigating the legal minefield associated with ransomware payments, cyber insurance, regulatory requirements, healthcare licensing and regulation, third party liability, data breach reporting, and data forensics and investigation. Healthcare entities are particularly vulnerable to ransomware (and targeted because of this) because of the time-sensitive and critical nature of the data and services they provide. If patient data is compromised, or access to healthcare or services impeded, providers simply cannot wait to engage in extensive forensics and data recovery. Particularly during a global pandemic, they need assurance that their data and services remain reliable, accessible, and secure. Hackers know this, and know that it increases the likelihood that targeted healthcare entities will pay large ransoms – and pay them quickly. As a result, they target healthcare entities for ransomware.</p>
<p><strong>1. Prevent the Attack</strong></p>
<p>Obviously. But easier said than done. If a healthcare entity does not already have a robust infosec training and awareness, anti-phishing, anti-malware and monitoring program, it needs to, at a minimum, heighten its log and intrusion detection monitoring, partner with third party endpoint and other monitoring entities, and inform its IT staff and employees to “Be On the Lookout” for unusual activity and phishing attacks in the upcoming days or weeks. It&#8217;s no substitute for a comprehensive NIST-compliant program, but it’s a start.</p>
<p><strong>2. Offset the Risk</strong></p>
<p>In light of the imminent nature of the current threat, the first thing healthcare providers can and should do is to review their current cyber insurance policies to ensure that they cover first and third party liabilities for ransomware, include KRE (Kidnap, Ransom and Extortion) coverage, include coverage for ransomware payments, investigation, forensics and coordination with law enforcement, include legal and litigation costs, and include costs of business interruption and mitigation. Many policies are a “Swiss cheese” of coverages, exclusions and deductions, and the time to review the policies is before a claim occurs.</p>
<p>Healthcare entities should review their state of readiness and compliance not only with relevant privacy laws (e.g., HIPAA), but with data security and incident response requirements (e.g., NIST Cybersecurity). While compliance with these regulations or guidelines is no guarantee that you won’t be successfully attacked, demonstrating good faith compliance goes a long way toward limiting your legal exposure and will help mitigate harm.</p>
<p>This should include a review of internal and external policies, contracts, data sharing agreements, cloud agreements, and training and awareness programs for healthcare staff generally or IT staff in particular on how to handle both data breaches and ransomware attacks. This can include guidelines on risk mitigation, forensic evidence handling, incident response notification, and regulatory compliance during an incident. Healthcare entities need to develop and deploy “tabletop” training programs for senior executives (including internal counsel) to enhance readiness for such incidents.</p>
<p>There are alternatives to fighting. Healthcare companies should consider alternatives to restoration or payment. While most entities believe that their sole responses to ransomware are to either (1) prevent it from coming in; (2) restore data after the attack; or (3) pay the ransom as demanded, UNIT 221B through its relationships can provide other – more palatable – alternatives. These include what is called “ransomware inoculation” – using sophisticated programs designed to “trick” the ransomware programs themselves into believing that they have infected a “friendly” computer (a computer of the attacker themselves) and therefore not to execute. Alternatively, some ransomware variants have highly technical vulnerabilities in the ransomware itself which allow the ransomware to be “hacked” and defused without paying the ransom. In addition, in some cases there is access to ransomware “keys” which can be tested and are sometimes effective in unlocking certain kinds of ransomware without paying the demands.</p>
<p>If you determine that it is in the interests of the healthcare entity to pay the ransom, recent decisions by the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) and its Financial Crimes Enforcement Network (FinCEN) substantially increase the potential fines and penalties not to hackers but to victims of ransomware attacks who choose to pay ransom. These include both civil and criminal penalties for violating U.S. and international export sanctions, money laundering, fund transfer crimes, and other bank regulatory offenses – even for healthcare entities responding to a sudden emergency. Work with experienced professionals that can help reduce or avoid the liability to healthcare companies in connection with their incident response to cyber attacks and ransomware.</p>
<p>Retain the services of highly technical and sophisticated cyber investigators and forensics companies, helping ensure that the internal investigation is, at least initially, protected by applicable privileges, and ensuring that the healthcare entity has the maximum flexibility to investigate and respond to the attack, and to coordinate its response as appropriate with local, state, federal and international cybercrime investigators and law enforcement entities.</p>
<p>Work with counsel that are experienced in data breach notification advice and services. Globally, there are hundreds of different data breach notification statutes and regulations, each with different requirements for whom to notify, how to notify, when to notify, whether to notify, and what to say. Needless to say, this represents a potential landmine for healthcare companies that may – or may not – suffer a reportable data breach. Make sure counsel will help determine whether data breach notifications are required, and the best way to handle them consistent with the law and regulation. Remember, it is just as bad to report a breach that did not occur as to fail to report one that did.</p>
<p>Comply with healthcare regulation. Various laws and regulations impose duties on healthcare entities not only with respect to data security and integrity, but on the quality of healthcare services provided. A ransomware attack can impact these regulations. Ensure that the response to ransomware does not adversely impact patient care and treatment, and ensure continued compliance with these laws and regulations.</p>
<p>Prepare for post-incident litigation. If a healthcare entity is affected by a data breach, a cyber incident, or a ransomware attack, in addition to regulatory investigations (HHS, FTC), healthcare entities are also frequently the targets of class action litigation by patients, employees, or third parties impacted by the cyber incident. Healthcare entities must work with experienced counsel to be prepared for such litigation, and help defend such litigation with fact, investigation, and legal and technical expertise.</p>
<p>As a lawyer and a former paramedic (yes, I could chase my own ambulances) I know the first rule of emergency situations is to take your own pulse. So, if you are in the healthcare arena particularly, you need to plan now for a potential ransomware attack in the near future. And while you are at it, might as well download your resume and put it in a safe place. Just in case.</p>
<p><em>Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.</em></p>
<p>The post <a href="/healthcare-ransomware-readiness-what-you-need-to-do-today-tomorrow-and-the-day-after/">Healthcare Ransomware Readiness – What You Need to Do Today, Tomorrow and the Day After</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
