The 2016 National Defense Authorization Act (NDAA) passed US Congress last week and has interesting implications for US cybersecurity policy. The NDAA instructs US Cyber Command to undertake cyber ‘war games’ to ensure the nation’s cyber capabilities rival its opponents’ in a future offensive cyber conflict. The Act explicitly identifies Russia, China, Iran and North Korea as the countries that the US must be most prepared to confront in cyberspace. It also authorises a budget of up to US$200 million for the Secretary of Defense to perform an ‘evaluation of cyber vulnerabilities of major weapons systems’. The move is partly in response to an inspection of the weapons program last year, which revealed widespread network vulnerabilities, unpatched software and weak passwords. Finally, the NDAA entrusts US Cyber Command with its own procurement budget designed to facilitate the rapid adaptation required for effective cybersecurity. All 1,300 pages of the Defense spending bill are set to be approved and signed by President Obama this week.
War gaming seems to be the theme of the week, with the US and the UK teaming up to test the cyber resilience of their financial institutions. Last Thursday’s exercise involved each state simulating an attack on the other’s financial sector to test the levels of information sharing, communication with the public and management of the incident. Participating actors included the White House National Security Council, the US Department of the Treasury, the FBI and the US Federal Reserve Bank of New York on the US side, and the UK Intelligence Community, the Bank of England and Her Majesty’s Treasury on the British side. Originally announced by President Obama and Prime Minister Cameron back in January, this war-game was designed to enhance transatlantic cooperation and collective resilience in cyberspace.
Privacy is a significant concern for internet users and apparently prison inmates are no exception. Securus Technologies, a leading provider of phone services inside US prisons, suffered a data breach that revealed the company has been recording all inmates’ conversations. The Intercept released a report claiming that a hacker provided it with Securus records of over 70 million phone calls that include not only the call metadata (time, date, duration etc.) but also a ‘recording URL’ for the conversation audio. Now, it’s actually a widely accepted procedure to monitor inmates’ personal phone calls for security reasons. What makes this revelation interesting is that at least 14,000 of the calls are between inmates and attorneys. If that’s proven to be the case, it may have undermined inmates’ Sixth Amendment rights to a fair trial, and it has been described by David Fathi, Director of the American Civil Liberties Union, as ‘the most massive breach of attorney-client privilege in US history’. While Securus is currently denying the existence of those illegal records, the company is also claiming that the data in question wasn’t obtained through a hack, but was leaked by an individual with authorised access.
A number of recent events have revived questions around the relationship between the FBI, Carnegie Mellon University (CMU), and arrests of dark net users. Tor Project Director Roger Dingledine is claiming that the FBI paid CMU at least US$1 million for its research that de-anonymises Tor users. Last July, two CMU researchers, Alexander Volynkin and Michael McCord, were going to hold a talk at the Black Hat conference titled ‘You don’t have to be the NSA to break Tor’; however, they pulled out at the last minute. Shortly after, the FBI conducted Operation Onymous, a multi-agency effort that took down multiple Tor-based websites, including Silk Road 2.0, and led to 17 arrests. Court documents from the ensuing trial of drug distributor Brian Farrell reveal that the prosecution based Farrell’s involvement with Silk Road 2.0 on information obtained from ‘a university-based research institute’. According to Dingledine, the implied collaboration between CMU and the FBI to expose Tor users’ information isn’t only unethical, but also a violation of the Fourth Amendment if the FBI didn’t obtain a warrant. The FBI has stated that those accusations are ‘inaccurate’, although speculation remains over whether it’s the accusation or the amount paid that’s inaccurate.
The tragic terrorist attacks that occurred in Paris last weekend have reverberated in cyberspace. The events re-opened the debate around encrypted messaging technologies and whether tech companies should be required to provide law enforcement with ‘back-doors’ to their encrypted communications. It was only last month that the Obama administration decided not to force companies to open their backdoors. However, ISIS’ use of encrypted apps, such as Wickr, Signal and Telegram, to broadcast responsibility for both the crash of the Russian jet in the Sinai Peninsula at the end of October and last weekend’s Paris attacks has intensified those demands. It’s suggested that ISIS exploited the encrypted connections of the PlayStation 4 to execute the Paris attacks. Many are blaming the continued prioritisation of privacy over security following the Snowden revelations.
You might also be interested to know that the hacktivist collective Anonymous has joined the coalition and declared war on ISIS with #OpParis.
And finally, speaking of cyberspace and terrorism, check out this great Sydney Morning Herald article that distinguishes between cyber terrorism in Hollywood and reality.