The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions that are driving our research, and new projects underway.
December 5, 2016
Professor and Chair Co-Authors Cybersecurity Recommendations for U.S. President
Annie Antón, professor and chair of the Georgia Tech School of Interactive Computing, served on the Commission on Enhancing National Cybersecurity, which issued its consensus report on Dec. 2 in Washington, D.C. It addresses six imperatives and offers action items that can be implemented by President-elect Donald Trump and his team. The commission was created in February by presidential executive order as part of the Cybersecurity National Action Plan. The group, which had been working since April, was tasked to make detailed recommendations on ways to strengthen cybersecurity in public and private sectors. Read a summary of Anton's recommendations:
- Georgia Tech News Center: http://www.news.gatech.edu/2016/12/02/presidents-cybersecurity-commission-releases-report
U.K.'s Mass Surveillance Law Another Wrinkle in Trans-Continental Privacy
Aimed at thwarting terrorism, the new Investigatory Powers Act grants the British government broad electronic surveillance powers. The law requires ISPs to maintain records of all British Internet users' browsing histories, allowing nearly 50 British government organizations access to those records via a centralized search tool, usually without judicial oversight. The Act also requires technology companies to aid the British government in decrypting users' data and prevents the companies from disclosing those governmental demands for decryption. Technology companies must inform the British government about security features of new products before they are released. The law also provides a legal framework for bulk data interception and collection.
- Irish Times: http://www.irishtimes.com/business/technology/uk-investigatory-powers-act-sparks-major-privacy-fears-1.2887780
- BBC: http://www.bbc.com/news/technology-38134560
IISP Analyst Joel Odom: "This Act is noteworthy in that it indicates a national policy approach that could be pursued by others, and as the Irish Times rightly states in its headline, this raises well-founded fears of privacy loss. If this were adopted in the U.S., for example, it would mean Apple would have no recourse against the government’s mandate for a backdoor into its devices. It also would mean that dozens of federal agencies would have immediate access without subpeona to the records of every website you visited. While it’s unlikely such an extreme about-face of the law would hold muster in the United States, the justified concern here is that a close Western ally deemed the approach acceptable and it is in fact now the law. As noted in Georgia Tech’s 2017 Emerging Cyber Threats, Trends & Technologies Report, “the West is kind of backing into the same view that we have roundly criticized during peacetime in other venues."
Facebook and The Great Fake News Debate
Behind closed doors, Facebook employees have been having hard discussions about the alleged ‘fake news’ problem that likely had some influence over voters in the November election. An unspecified number of employees have formed a task force to review algorithms, policies, trending topic statistics and perceived lack of action since January 2015, when Facebook acknowledged they would ‘do better’ and instituted a tool for users to self-report dubious news stories. They also are working with third-party fact-checking groups to increase the detection of fake news. Since the November 2016 election, Facebook CEO Mark Zuckerberg has dismissed fake news as being only a small percentage of content, and has not publicly shared statistics on the effectiveness of the reporting tool or what other measures they have taken.
The head of Facebook’s news feed, Adam Mosseri, even acknowledged that, “We can’t read everything and check everything.” A damning article by BuzzFeed, however, shows that, “In the final three months of the U.S. Presidential campaign, the top-performing fake news stories on Facebook generated more reader engagement than the top stories from major news outlets such as The New York Times, Washington Post, NBC News,” etc. A source for Gizmodo confirmed that Facebook is equipped to stop fake news, but suggests decisions were made likely in fear of being perceived as politically biased, as right-wingers had alleged back in May. It’s not clear what the path forward is for the internal task force at this time, since they have not met with senior management yet, or if they will make public their findings.
- CIO.com: http://www.cio.com/article/3142782/internet/facebook-working-with-fact-checkers-to-weed-out-fake-news.html
- Thrillist.com: https://www.thrillist.com/tech/nation/leaks-reveal-facebook-knows-it-has-a-fake-news-problem
- Buzzfeed (Nov. 16): https://www.buzzfeed.com/craigsilverman/viral-fake-election-news-outperformed-real-news-on-facebook?utm_term=.ckol6Elbv#.liNrWGrO5
- Buzzfeed (Nov. 14): https://www.buzzfeed.com/sheerafrenkel/renegade-facebook-employees-form-task-force-to-battle-fake-n?utm_term=.dbq4VD4Qw#.fsxN18N59
- Gizmodo: http://gizmodo.com/facebooks-fight-against-fake-news-was-undercut-by-fear-1788808204
- Mark Zuckerberg's Post: https://www.facebook.com/zuck/posts/10103253901916271
IISP Analyst Holly Dragoo: "Good for Facebook employees for exploring the topic. They should be commended for encouraging discourse on a disquieting subject, and hopefully will engage in impactful exchange with senior management. That said, this issue cuts close to two much deeper concerns: 1) Facebook has not embraced its role as a fully-fledged media outlet, and 2) the election was unduly influenced by fake news from hyper-partisan sources and foreign powers.
"These ideas are not new, but Americans don’t seem to accept them; or at least they are not demanding explanations/accountability when they should. A Wired article from November states that fake news isn’t actually what won the election so much as Trump’s ability to embrace fundraising and “earned media” coverage (free press) using Facebook. Absolutely true, but again, to explain the election results that way shies away from the power of Facebook as a media outlet – not just for connecting socially with friends and family – and the fact that fake news was generated for deliberate crowd manipulation. Even Zuckerberg has painted himself into an awkward corner of having to explain why Facebook is a fantastic commercial platform for reaching consumers with its tremendous advertising power, but not responsible for affecting people’s political opinions.
"As we know, Zuckerberg has repeated the mantra that Facebook is “a tech company, not a media company”… which conveniently ignores that technology is a platform for media delivery. To distinguish between the two concepts is not as controversial (or dramatic) as linking handgun manufacturers with deaths by gunshot, but logically similar. They are both products that enable delivery of blanks and substantive content. I’m not saying that we should introduce gun control or fine-tuned legalese into the dialogue, but (rather sensationally) trying to make a point: there is a correlation between Facebook and the media, and it’s time to stop denying it. Hopefully the employees’ internal debate will have some success toward accepting this."
Ransomware Doesn't Go for a Ride, but Response Takes Off
San Francisco was victimized when a hacker penetrated the city’s transit system and installed ransomware. Workstations in the SFMTA’s (San Francisco Municipal Transit Agency) offices booted to the message: “You Hacked, ALL Data Encrypted.” As a result, ticketing machines and gates were offline over the final weekend in November, with all rides being free. Officials at the SFMTA said shutting down fare collection was precautionary and the only systems identified as hacked were their office computers. The hacker demanded a payment of 100 bitcoin (approximately $73,000 at the time of writing) for encryption keys to the locked data. SFMTA officials balked at paying and opted to restore their office workstations from backups.
- SFMTA: https://www.sfmta.com/about-sfmta/blog/update-sfmta-ransomware-attack
- Business Insider: http://www.businessinsider.com/san-francisco-muni-fare-system-hacked-rides-free-on-saturday-2016-11
- San Francisco Examiner: http://www.sfexaminer.com/hacked-appears-muni-stations-fare-payment-system-crashes/
IISP Analyst Stone Tillotson: "SFMTA’s response is praiseworthy for several reasons: they immediately took action to mitigate the breach, notified authorities, customers, and maintained back-ups. Ransomware threats often go unreported, from large corporate breaches to home users, depriving the threat of the attention it deserves. By collaborating with authorities and notifying the public, SFMTA pushes at the door to reining in this threat. Especially laudable is SFMTA’s commitment to its back-up policy. With that safeguard in place, they were able to essentially shrug off the hacker’s demands, not only because they could restore their systems, but also because they could examine back-ups to verify that no sensitive user data was contained in the breached computers. Their response should be taken as a model for responsible breach policy."