Bad news for the social media team at US Central Command (CENTCOM) this week: on Monday their Twitter and YouTube accounts were hacked by Islamic State (IS) sympathisers. The hackers replaced the banner and user image with pro-IS messages, posted a few threatening tweets, and released publicly-available documents that showed the email addresses and phone numbers of US military officers posted overseas.
It appears that the group only gained access to the accounts and not sensitive information. According to a CENTCOM media statement, ‘Centcom’s operational military networks were not compromised and there was no operational impact to US Central Command’. The release continued that ‘we are viewing this purely as a case of cybervandalism’. But, for IS the value in the attack isn’t so much vandalism but propaganda. The hack contributes to a narrative of IS growing stronger by depicting the ‘cybercaliphate’ group as capable hackers which helps to attract new members to the cause.
Embarrassingly, the attacks came minutes after US President Obama pitched new cybersecurity initiatives at a Federal Trade Commission event. Obama pushed for federal legislation that would force companies to be more forthcoming when credit-card data and consumer information are lost in data breaches. The Personal Data Notification and Protection Act would require companies to tell their customers within 30 days about a breach. According to a White House fact sheet, ‘the proposal helps business and consumers by simplifying the existing patchwork of 46 state laws into one federal statute, and puts in place a clear requirement to ensure that companies notify their employees and customers about security breaches’. Obama also pushed for a consumer-privacy bill of rights (a proposal he outlined in 2012) and a student digital privacy act, with both giving Americans more control over what personal information gets collected and how it’s used.
‘Cyber threats are an urgent and growing danger…if we’re going to be connected, then we need to be protected’ said Obama. On Tuesday, the US President unveiled further cybersecurity initiatives (with two more expected before his upcoming State of the Union address). The legislative proposals announced include enabling cybersecurity information-sharing between the private sector and government, and modernising law-enforcement authorities to combat cybercrime. The information-sharing legislation will give companies legal immunity for sharing information on attacks so that countermeasures can be coordinated. While the law-enforcement proposal contains provisions that would allow for the prosecution of the sale of botnets, it would criminalise the overseas sale of stolen US financial information like credit-card and bank-account numbers, as well as expanding law-enforcement authority to deter the sale of spyware.
There has already been some opposition to the President’s proposals. Mark Jaycox, an analyst with the Electronic Frontier Foundation, has questioned the proposed ‘targeted liability protection’, instead arguing that existing rules allow sufficient public–private coordination. Also, to become law, the new cybersecurity proposals will have to win over the Republicans. So far that looks promising. In one statement, the office of House speaker John Boehner said that ‘Republicans are ready to work with both parties to address this important issue and put some common-sense measures on the president’s desk.’
If you managed to get through most of your holiday reading, add one more to the list, Amnesia. Australian novelist Peter Carey—inspired by the actions of Julian Assange—explores the lives of eccentric hackers and the US–Australia political relationship. See the Wall Street Journal’s and The Economist’s reviews here and here.
Finally, the latest issue of the journal International Security has a heated academic correspondence (PDF) between Jon Lindsay at the University of California and Lucas Kello at Oxford University. In the piece, Lindsay critiques Kello’s article ‘The meaning of the cyber revolution: perils to theory and statecraft’. It’s worth reading for the authors’ exploration of the evolution of technology and strategy, the offence/defence debate, policy/technical problems, and the topic of cybersecurity within strategic and security studies.