• National emergency alerts potentially vulnerable to spoofing

    On 3 October 2018, cell phones across the United States received a text message labeled “Presidential Alert.” It was the first trial run for a new national alert system, developed by several U.S. government agencies as a way to warn as many people across the United States as possible if a disaster was imminent. Now, a new study raises a red flag around these alerts—namely, that such emergency alerts authorized by the President of the United States can, theoretically, be spoofed.

  • The Budapest Convention offers an opportunity for modernizing crimes in cyberspace

    Governments worldwide are in the process of updating the Budapest Convention, also known as the Convention on Cybercrime, which serves as the only major international treaty focused on cybercrime. This negotiation of an additional protocol to the convention provides lawmakers an opportunity the information security community has long been waiting for: modernizing how crimes are defined in cyberspace. Specifically, the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, dictates what constitutes illegal acts in cyberspace in the United States. Andrew Burt and Dan Geer write in Lawfare that without changing the CFAA—and other cybercrime laws like it—we’re collectively headed for trouble.

  • What a U.S. operation in Russia shows about the limits of coercion in cyber space

    The New York Times recently reported that the United States planted computer code in the Russian energy grid last year. The operation was part of a broader campaign to signal to Moscow the risks of interfering in the 2018 midterm elections as it did in 2016. According to unnamed officials, the effort to hold Russian power plants at risk accompanied disruption operations targeting the Internet Research Agency, the “troll farm” behind some of the 2016 election disinformation efforts. The operations made use of new authorities U.S. Cyber Command received to support its persistent engagement strategy, a concept for using preemptive actions to compel adversaries and, over time, establish new norms in cyberspace. Benjamin Jensen writes in War on the Rocks that the character of cyber competition appears to be shifting from political warfare waged in the shadows to active military disruption campaigns. Yet, the recently disclosed Russia case raises questions about the logic of cyber strategy. Will escalatory actions such as targeting adversaries’ critical infrastructure actually achieve the desired strategic effect?

  • New U.S. visa rules may push foreigners to censor their social-media posts

    Foreigners who decry American imperialism while seeking to relax on Miami’s sandy beaches or play poker at Las Vegas’s casinos may seek to soften their tone on Twitter. The reason? The U.S. State Department is now demanding visa applicants provide their social-media profiles on nearly two dozen platforms, including Facebook and Twitter.

  • “Vaccinating” algorithms against attacks on machine learning

    Algorithms “learn” from the data they are trained on to create a machine learning model that can perform a given task effectively without needing specific instructions, such as making predictions or accurately classifying images and emails. Researchers have developed a world-first set of techniques to effectively “vaccinate” algorithms against adversarial attacks, a significant advancement in machine learning research.

  • A Florida city paid a $600,000 bitcoin ransom to hackers who took over its computers — and it's a massive alarm bell for the rest of the US

    A Florida city agreed to pay $600,000 worth of bitcoin to hackers who took its computer systems offline with a cyberattack. Riviera Beach’s city council voted to pay the money after an attack in May affected the city’s online services, including email and 911 dispatches. The attack is part of a pattern that has targeted cities around the US. The disruption has cost millions of dollars. Sinéad Baker writes in Business Insider that the U.S. Department of Homeland Security warned in 2018 that local-level governments around the U.S. were being hit with malware that is “among the most costly and destructive.”

  • NIST updates to help defend sensitive information from cyberattack

    An update to one of the National Institute of Standards and Technology’s (NIST) information security documents offers strategies to help protect sensitive information that is stored in computers supporting critical government programs and high value assets. The new companion publication offers enhanced security for information stored in critical programs and assets.

  • How cryptocurrency discussions – and disinformation – spread

    Computer scientists have mapped the ebb and flow of Reddit’s discussions about cryptocurrency — not only to see how online chatter can predict market behavior, but also to gain insights into how disinformation goes viral.

  • Cyber protection technology moves from the lab to the marketplace

    MIT Lincoln Laboratory’s technique to protect commodity software from cyberattacks has transitioned to industry and will soon be available as part of a security suite.

  • U.S. Cyber Command, Russia and critical infrastructure: What norms and laws apply?

    According to the New York Times, the United States is “stepping up digital incursions into Russia’s electric power grid.” The operations involve the “deployment of American computer code inside Russia’s grid and other targets,” supposedly to warn Russia against conducting further hostile cyber operations against U.S. critical infrastructure, and to build the capability to mount its own robust cyber operations against Russia in the event of a conflict. Michael Schmitt writes in Just Security that damaging critical infrastructure is clearly out of bounds as responsible peacetime state behavior and would likely violate international law. But do these types of intrusions – seemingly intended to prepare for future operations or deter them, or both, without causing any actual harm – also run counter to applicable non-binding norms or violate international law during peacetime?

  • How not to prevent a cyberwar with Russia

    In the short span of years that the threat of cyberwar has loomed, no one has quite figured out how to prevent one. As state-sponsored hackers find new ways to inflict disruption and paralysis on one another, that arms race has proven far easier to accelerate than to slow down. But security wonks tend to agree, at least, that there’s one way not to prevent a cyberwar: launching a pre-emptive or disproportionate cyberattack on an opponent’s civilian infrastructure. Andy Greenberg writes in Wired that as the Trump administration increasingly beats its cyberwar drum, some former national security officials and analysts warn that even threatening that sort of attack could do far more to escalate a coming cyberwar than to deter it.

  • The challenges of Deepfakes to national security

    Last Thursday, 13 June 2019, Clint Watts testified before the House Intelligence Committee about the growing dangers of Deepfakes – that is, false audio and video content. Deepfakes grow in sophistication each day and their dissemination via social media platforms is far and wide. Watts said: “I’d estimate Russia, as an enduring purveyor of disinformation, is and will continue to pursue the acquisition of synthetic media capabilities and employ the outputs against its adversaries around the world. I suspect they’ll be joined and outpaced potentially by China.” He added: “These two countries along with other authoritarian adversaries and their proxies will likely use Deepfakes as part of disinformation campaigns seeking to 1) discredit domestic dissidents and foreign detractors, 2) incite fear and promote conflict inside Western-style democracies, and 3) distort the reality of American audiences and the audiences of America’s allies.”

  • Deepfake myths: Common misconceptions about synthetic media

    There is finally some momentum to “do something” about deepfakes, but crucial misconceptions about deepfakes and their effect on our society may complicate efforts to develop a strategic approach to mitigating their negative impacts.

  • European elections suggest US shouldn’t be complacent in 202

    In many ways, the European Parliament elections in late May were calmer than expected. Cyber aggression and disinformation operations seem to not have been as dramatic as in 2016, when Russian hackers and disinformation campaigns targeted elections in the U.S., France and elsewhere around the world. However, there is no reason to be content. The dangers remain real. For one thing, the target societies might have internalized the cleavages and chaos from information operations or self-sabotaged with divisive political rhetoric. As a reaction, Russia may have scaled back its efforts, seeing an opportunity to benefit from lying low.

  • Hackback is back: Assessing the Active Cyber Defense Certainty Act

    The “hackback” debate has been with us for many years. It boils down to this: Private sector victims of hacking in some instances might wish to engage in self-defense outside their own networks (that is, doing some hacking of their own in order to terminate an attack, identify the attacker, destroy stolen data, etc.) but for the prospect that they then would face criminal (and possibly civil) liability under 18 USC 1030 (the Computer Fraud and Abuse Act, or CFAA). Robert Chesney writes in Lawfare that a tricky question of policy therefore arises: Should the CFAA be pruned to facilitate hackback under certain conditions? On one hand, this might produce significant benefits in terms of reducing harm to victims and deterring some intrusions. On the other hand, risks involving mistaken attribution, unintended collateral harms and dangerous escalation abound. It’s small wonder the hackback topic has spawned so much interesting debate (see here and here for examples).