 

Obama watch

 

PODCAST: Check Point Software joins intelligence sharing alliance

By Byron V. Acohido

Barack Obama’s clarion call for wider sharing of threat intelligence is being heeded by a handful of top cybersecurity vendors.

I was in the audience at Stanford University in 2015 when President Obama signed a milestone executive order urging the corporate sector to dramatically advance the sharing of cyber attack intelligence among themselves and with the federal government.

Then last month, I was covering the giant RSA 2017 cybersecurity conference in San Francisco, when Obama’s longtime cybersecurity czar, J. Michael Daniel, was named as the new president of the rejuvenated Cyber Threat Alliance.

The idea for CTA came about a few years ago when senior executives from Fortinet, McAfee, Palo Alto Networks, and Symantec formed an exchange to share threat intelligence.

But the organization kept a low profile—until recruiting Daniel, and announcing his appointment. CTA also announced the addition of Israeli firewall pioneer Check Point Software and network tools giant Cisco as full-fledged members.

Industry wary of sharing

Keep in mind, the cybersecurity industry is obsessively competitive. Not only do security vendors rigorously cloak the secret sauce in their flagship products, they also tend to be very circumspect about sharing any deep intelligence, lest they give up a marketing advantage.

The result is a duplication of effort, on the part of the good guys, who also forgo the opportunity to put up a more unified defense against the bad guys.

The global cybersecurity community has long recognized the need for higher-level intel sharing among tech security vendors—as well as between the government and the private sector. This was something Obama, with advice from his cybersecurity czar, Daniel, recognized. And it was something Obama championed with his 2015 executive order calling for wider sharing.

Daniel takes skills to nonprofit

So it’s fitting that Daniel now carries that torch into the private sector. Daniel built a 17-year career as an official of the Office of Management and … more

President Obama calls for sweeping new consumer privacy protections

By Byron V. Acohido

The White House has taken another step toward framing President Obama as the “privacy president.” But it remains to be seen how assertively his administration will actually champion consumers’ rights in an age of unprecedented digital privacy invasion.

In a speech at the Federal Trade Commission today, President Obama stated the obvious: Identity theft is a growing problem, generating billions of dollars in commercial losses and posing risks to individuals that can “ruin your life.”

“This is a direct threat to the economic security of American families and we need to stop it,” Obama said. “If we are going to be connected, we need to be protected.”

More: Protecting your digital footprint in the post privacy era

Obama proposed a sweeping new federal privacy law that presumably would impose new rules on corporations for safer handling of personal data, as well as provide individual citizens with some level of control over the vast amount of online-tracking data generated and stored for consumers.

Devil in the details

But the devil is in the details. And both the corporate heavyweights making billions off of online tracking and privacy advocacy groups aim to influence the finer points. The White House is expected to deliver draft legislation in about two weeks when the president makes his State of the Union address.

“One would hope it (the draft legislation) implements strong controls that empower consumers to protect against the collection of their sensitive data without their consent,” says Alvaro M. Bedoya, executive director of the Center on Privacy & Technology at Georgetown University Law Center.

With newly elected Republican majorities in both houses of Congress, Obama’s draft legislation may pick up a sponsor and get debated. But privacy and legislative experts say it has zero chance of being enacted as law.

So the thrust of Obama’s proposed Personal Data Notification and Protection Act will be strictly symbolic. Yet symbolism is important. Stiff federal sanctions, … more

Spying reforms seek to balance privacy, security

SEATTLE – President Obama this morning left all the major stakeholders tracking the debate over government spying slightly dissatisfied.

Given the complexity of the issues, some observers credited Obama for doing a commendable job of attempting to delicately balance privacy and national security.

“The public needs to understand that it’s a moving target given the rapid pace at which technology is developing,” says Stephen Cobb, senior researcher at antivirus vendor ESET. “The President likely failed to satisfy some people on different sides of the debate and that might be an indication he is taking the right steps, walking a fine line between competing ideals and incompatible practical concerns. The bottom line in terms of public concern is that the problem is out in the open and there is a willingness to make changes.”

Obama laid out a course that essentially leaves current intelligence processes largely intact while incrementally improving oversight, says Chris Riley, a senior policy engineer at Mozilla.

“We’d hoped for, and the Internet deserves, more,” Riley says. “Without a meaningful change of course, the Internet will continue on its path toward a world of balkanization and distrust, a grave departure from its origins of openness and opportunity.”

In a speech at the Justice Department in Washington, D.C., the President announced new limitations to the government’s collection of telephone metadata, and banned U.S. eavesdropping on foreign leaders.

More: Obama attempts to balance privacy and national security.

However, the President acknowledged no wrong-doing by the National Security Agency, nor any changes in personnel.

“People who feel strongly about NSA overreach probably won’t be impressed,” observes Jeremy Rabkin, international law expert and professor at George Mason University School of Law. “Those who feel that NSA has been grossly negligent in protecting U.S. secrets will be even less reassured.”

Obama left unaddressed criticism of the National Security Agency’s Internet surveillance programs, including PRISM, XKeyscore and Tempora, exposed by whistleblower Edward Snowden.

“Surveillance … more

Syria’s cyber retaliation signals new era of warfare

The latest disruption to U.S. media outlets dealt out by the Syrian Electronic Army may be a precursor for warfare in the digital age.

One aspect of the frontal assault that ought not be overlooked is the timing: The SEA, which supports strongman President Bashar al-Assad, knocked down websites of the New York Times, Huffington Post and Twitter, a few hours after US officials indicated the US may launch missile strikes against the Syrian government.

And now a person claiming to speak for the group has stepped forward to tie those attacks directly to the rising likelihood of U.S. military action in response to al-Assad using chemical weapons against his own people.

A self-described operative of the SEA told ABC News in an e-mail exchange: “When we hacked media we do not destroy the site but only publish on it if possible, or publish an article [that] contains the truth of what is happening in Syria. . . . So if the USA launch attack on Syria we may use methods of causing harm, both for the U.S. economy or other.”

So you have the world’s largest superpower rattling a saber at a fractious third-world nation — and supporters of the entrenched regime retaliating by tossing a noisy grenade, threatening to use heavier cyber ordnance, observes Tim Sample, vice president of special programs at think tank Battelle Memorial Institute.

“The issue with the New York Times attack is whether it was just a nuisance or a capabilities test,” Sample says.

Sample and other geo-political experts are watching closely to see how this latest iteration of escalating military conflict unfolds.

Take a scenario in which the U.S. were to launch a precision strike on Syrian chemical facilities. This might cause the SEA, perhaps in conjunction with some allies, to join forces and launch a wide scale cyber attack on U.S. media, e-commerce sites and financial institutions.

The websites of major U.S. … more

Tech giants ask Obama to help save cloud computing

SEATTLE – Edward Snowden’s whistleblowing escapades could seriously undermine the growth of cloud computing and thus stifle the growth models for America’s biggest tech companies.

And that appears to be the reason why Apple CEO Tim Cook, AT&T CEO Randall Stephenson, Google computer scientist Vint Cerf and other tech executives met behind closed doors with President Obama Thursday.

“The meeting appears to be for a variety of reasons, but basically the companies want to understand exactly what the government is doing with their systems as they try to assuage a lot of concerns from a lot of different stakeholders,” says Brian Henchey, a privacy and information tech attorney at Baker Botts.

A group called the Information Technology and Innovation Foundation on Tuesday issued a report asserting that Google, Microsoft, Yahoo, Facebook and Apple stood to lose as much as $35 billion over the next three years as Europeans shy away from cloud services with suspect privacy safeguards.

European privacy laws are all about safeguarding the data within a nation’s geographical borders. Unfortunately, that doesn’t work for Apple, Google, Facebook and other cloud services providers who manufacture efficiencies by scattering data in far-flung data centers.

Snowden’s disclosures threw kerosene on simmering fears about the extent to which the US Patriot Act can compel the tech giants to break their promise to keep consumer data sacrosanct.

“Many people have known the extent of data collection by the NSA and other US authorities, but it hasn’t been laid bare in this kind of spotlight before,” says Wendy Nather, a research director at 451 Research. “We may have known the potential amount of data, but it’s another thing entirely to know the actual amount. This is the kind of exposure that brings public discussion, makes it concrete in a way that applies to everybody, and hopefully prompts some adjustments in the law.

“Right now, US-based cloud providers are caught in the crossfire,” Nather says.… more

Obama moves to counter CEOs’ resistance to cybersecurity rules

SEATTLE — How do you get busy chief executives from a cross section of industry giants into one room, on short notice, to discuss cybersecurity?

Have the U.S. Justice Department disclose data theft of top celebrities, assign two top U.S. security officials to testify before Congress about rising cyber threats – and then ask the corporate captains to show up at the White House for a presidential briefing.

That’s what the Obama administration did this week – and it worked.

On Wednesday, 13 CEOs dutifully adjusted their busy schedules to travel to the White House Situation Room for what was described as a “two-way” exchange of information between the president and the chief executives.

In attendance were CEOs from AT&T, Exxon Mobil, Bank of America, JP Morgan Chase, United Parcel Service, Xerox, Siemens, Northrop Grumman, Marathon Oil, Honeywell International, American Electric Power Company, ITT Exelis, and Frontier Communications.

They came after testimony at a Senate hearing on Tuesday from Army Gen. Keith Alexander, the director of the National Security Agency, and James Clapper, the Director of National Intelligence, describing the prevalent nature of network breaches by data thieves and cyberspies.

President Obama sought to grab the full attention of the CEOs and put a stop to petty resistance to his recently-issued executive order designed to get the federal government and private companies working more closely to protect the nation’s critical infrastructure against cyberattacks.

That executive order became necessary because private industry successfully stalled the passage of proposed cybersecurity legislation, which the White House contends is still needed.

Senate testimony from Alexander and Clapper “made the issue urgent,” says Alan Paller, research director at security training firm The SANS Institute.

“The CEOs have a position that says ‘government cannot tell us a thing about securing our systems,’” Paller says. Even so, corporate networks “are being penetrated multiple times every day and they generally cannot find how far the infections have … more

Cybersecurity experts react positively to executive order

With the ink barely dry on President Obama’s cybersecurity executive order, White House staff issued reactions from the security and privacy community, and response continues to reverberate this morning. Below are excerpts.

Michael Chertoff, Secretary of Homeland Security under President George W. Bush and Chairman of the Chertoff Group: “Today the President has taken a critical step in protecting America by addressing two vital aspects of cybersecurity; information sharing and development of a cybersecurity framework. These activities represent a down payment in the protection of our Nation’s cyber infrastructure.”

Pravin Kothari, Founder & CEO of CipherCloud, a San Jose, Calif. company that provides military grade encryption: “As SOPA, CISPA and the Cybersecurity Act of 2012 all died in debate, just having some form of cyber legislation is in theory a win for individuals’ right to privacy. Stopping short of forcing critical infrastructure providers to share user data, the administration is leaving room for providers to exercise their best judgment.”

Jose Granado, Ernst & Young, director of Information Security Services: “While this Executive Order is a good start and further affirms the reality of cybersecurity as a widespread issue that touches almost every industry, it is not the silver bullet we often seek. Going forward, we anticipate that there will be further discussions about what organizations need to report and what information they must share, as well as some bumps in the road as they work toward implementation.”

Arthur W. Coviello, Jr., Executive Vice President, EMC Corporation and Executive Chairman, RSA, The Security Division of EMC: “EMC supports the President’s efforts via Executive Order to help drive improved collaboration between the public and private sectors, however, the Executive Order only partially covers what’s required. To protect our nation from threats in cyberspace, Congress must also pass legislation to provide the comprehensive resources and protections necessary to fully address cyber security.”

Tom Kellermann, Vice President of Cyber Security for Trend Micro: “As a … more