Some thoughts on Representative Tom Graves's discussion draft of a bill that would create a defense to liability under the Computer Fraud and Abuse Act (CFAA) (18 USC 1030) for “active cyber defense measures.”
Latest in cyber attribution
The legitimation of cyber privateering is not without its problems: it would open the door to unnecessary escalation, potential for reprisal, and what is, for the United States, a strategically undesirable international norm.
Yesterday, Scott Charney, Microsoft’s Corporate Vice President for Trustworthy Computing, announced a new white paper about cybersecurity norms for nation-states and the global information and communications technology industry, “From Articulation to Implementation: Enabling Progress on Cybersecurity Norms.”
I haven’t yet had a chance to digest it thoroughly, but so far it looks like the best corporate statement on this problem to date.
Assistant Attorney General John Carlin speaks with Benjamin Wittes at the Atlantic Council.
Want to see cyber attribution and deterrence in action? In August, a hacker pulled the names of US military personnel and others out of a corporate network and passed them to ISIL. British jihadist Junaid Hussain exulted when ISIL released the names, but two weeks after his tweet, Hussain was killed in a US airstrike.
Cyber Changes Everything, Cyber Changes Nothing: On Admiral Rogers' Vision and Guidance for Cyber Command
In June, US Cyber Command issued Beyond the Build. It presents Admiral Michael Rogers’ vision and guidance for the command and its subordinate units. With little fanfare, the document was publicly released in September by the Department of Defense. It has yet to receive much attention. Here’s why everyone should read it.
Reports that China (most likely) has breached Office of Personnel Management (OPM) systems and stolen personal information (PI) of over four million current and/or former federal employees raise all sorts of questions regarding the government’s responsibilities to protect PI it has in its possession; the government’s enforcement against the private sector for failing to prevent similar losses of information; and setting appropriate priorities across branches of government for protecting privacy.