Cybersecurity News & Commentary - July 2017

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.


July 10, 2017

 

WannaCry Raises the Need for VEP Tech Policy and More

Since WannaCry broke in May, an important lesson picked up by tech policy experts has been the need to improve what is called the “vulnerabilities equities process” (VEP). The NSA has long had this process to weigh the benefits of a spying tool (such as breaking into an adversary’s computer system) with the costs (such as leaving civilian computers open to the same attack). In 2013, I was part of President Obama’s NSA Review Group, and that administration accepted our recommendation to shift the VEP to the White House and involve more agencies and perspectives, especially to highlight the risk to the economy and our own infrastructure from vulnerabilities that are not patched. Experience with WannaCry shows, however, that improving the VEP is not enough to create good security...

Read the full piece by Peter Swire, associate director of policy for the IISP, in The Future of Privacy Forum.

 


China Deploys Facial Recognition and AI for Wholesale Surveillance 

Using its existing database of photographs from government-issue identification cards and from images harvested via social media, the Chinese government intends to roll out a massive facial recognition system.  The surveillance system, designed to influence behavior and to deter lawbreakers, will combine about 600 million networked cameras with artificial intelligence algorithms, and is expected to be in place by 2020.  As a part of the initiative, the government plans to institute a rating system for individuals’ behavior in professional, financial, and public settings.  According to The Wall Street Journal, while an orchestrated national campaign is still a long way off, facial recognition in China is already used in limited areas to make arrests and track people in restrooms, churches, and public parks.

 

IISP Analyst Holly Dragoo: "Surveillance networks that are far more extensive than in the U.S. have been around for some time, and it’s no surprise that authoritarian regimes like China are interested in implementing them. Think 1950s/60s Cold War Berlin; everyone and everything was suspect. The splashy new technology and ubiquity of cameras is straight out of dystopian future cinema, but that’s of lesser concern. The truly distressing new concept here is that it is designed to influence behavior. Cold War civil monitoring was about ferreting out spies and foreign government intentions; it wasn’t about jaywalking or getting someone to spend their money a certain way. Jaywalking might be a problem near Tiananmen Square, but is it really needed out in rural Qinghai or Gansu province? As one resident mentioned in the WSJ article, monitoring runners for cutting corners 'kind of takes the fun out of running.' My Western bias may be clouding everything, but it’s hard to imagine the security needs for anything like a 'behavior score' determined by a government. It’s a terrifying idea that will have widespread repercussions."

 

IISP Analyst Joel Odom: "My first computer, a TI-99, had four kilobytes of RAM.  My current pocket phone has about one million times as much RAM as my TI-99 had.  An exponential explosion in computing hardware and software capabilities over the past few decades implies that we can do things with computers beyond even George Orwell’s predictions.  In my opinion, our ability to create surveillance technology far outpaces our ability to set policy as to its proper use.  On one hand, who isn't in favor of stopping terrorists and human traffickers?  On the other hand, is the inherent loss of privacy that comes with wholesale surveillance worth the reduction in crime?"

 


Protecting What Doesn't Look Like a Computer...

Traditionally in manufacturing, there was a gap in connected devices on the manufacturing floor. A byproduct of that was that an industrial network was physically isolated and therefore less susceptible to cyberattacks. Now, the transition from closed legacy systems to modern, connected platforms is fraught with obstacles, notably around security, says ABI Research in a recent report, “Critical Infrastructure Security: Transportation.” The report outlines the market potential for better security of operational technologies.

 

IISP Analyst Chris M. Roberts: "Unfortunately, many corporations don’t understand why they need to protect all of their equipment from cyberattacks, not just the ones that look like computers.  When warned of the dangers of connecting their equipment to the internet, responses are often centered on the fact that being connected to the internet is a feature, not a liability.  The article, while limited in scope, does a good job of explaining the dangers of being connected.  Soon a time will come when businesses will be using cyberattacks not just to steal money and information.  If these systems aren’t protected, adversaries may find a way to make slight modifications to a competitor’s product, ensuring its failure and damaging their reputation to the point where companies will close their doors.”

 


New Cybersecurity Law in China Goes Into Effect

Chinese lawmakers passed a wide-reaching new cybersecurity law that went into effect June 1. Controversial measures include mandates for data storage residence in China, security reviews of goods and services, and sharing with government officials – all of which threaten to inhibit trade relations with international partners in an already contentious political environment. It’s still unclear how various tenets of the law will be carried out in practice, but steep penalties for non-compliance are already in place.

 

IISP Analyst Holly Dragoo: "Signs of these new restrictions have been forthcoming for a few years, but there was no indication the reforms would be this intrusive into business practices or how wide-sweeping they could be. Intellectual property concerns aside, mandatory security inspections of imported equipment and services will jump-start competition from domestically-produced alternatives. Data residency requirements will effectively cut off citizen’s access to a lot of mirror sites hosted outside of China on cloud service providers. This will certainly affect political dissent groups, but it will also slow down or stop access to educational sites or small businesses that don’t have a physical Chinese presence or can’t afford to start one. Mandating information sharing with government and law enforcement officials is certainly a serious privacy concern, but these types of arrangements do exist elsewhere."

 


Girl Scouts Bring New Meaning to “Patching Networks”

Palo Alto Networks and the Girl Scouts of America have partnered up to release new merit badges for accomplishments in cybersecurity. Designed to get youth thinking about secure coding, identity theft and online privacy, the program is part of a concerted effort by the Girl Scouts to broaden their existing STEM field investments. Current Girl Scout badges do address topics like geocaching or web development, but coding and security have not been a focus to date. Experts from Palo Alto Networks will advise on curriculum benchmarks and educational guidance for a series of 18 badges starting in the fall of 2018.

 

IISP Analyst Holly Dragoo: "Why didn’t we think of this earlier? What a brilliant way to address the severe labor shortage in the cybersecurity industry (projected to continue for years to come), and expose youth to new concepts in STEM – as young as 5 years old! Ironically, Boy Scouts of America have a badge for Digital Technology mastery, but hopefully they will be inspired by their female peers to look more at cybersecurity. The earlier you can get today’s plugged-in youth literate in how to be safe online, the better. It’s not clear how exactly it will reduce the barriers some girls face into entering the cybersecurity field, such as geography, income, or gender-related issues, but will certainly have positive ripple effects."