Most people who follow the debate over unbreakable, end-to-end encryption think that it’s more or less over. Silicon Valley has been committed to offering such encryption since at least the Snowden revelations; the FBI has abandoned its legal campaign against Apple’s device encryption; and prominent national security figures, especially those tied to the National Security Agency, have sided with industry and against the Justice Department.
Latest in Cybersecurity
Recent years have seen sustained calls to “unleash” the private sector to more assertively combat cyber threats. The argument has gained some sympathy in Congress, where Rep. Tom Graves (R-Ga.) recently reintroduced the Active Cyber Defense Certainty Act (ACDCA).
There have been many pieces, in Lawfare and elsewhere, about the weaknesses in America’s political and election systems. In my career as a security executive, I sometimes found it difficult to communicate risk to non-expert audiences when focusing on a specific vulnerability. It is often more effective to paint a dire but realistic scenario relying on the proven capabilities of real adversaries combined with a variety of known, systemic issues.
Paul Rosenzweig observed recently on Lawfare that there are “no universally recognized, generally accepted metrics by which to measure and describe cybersecurity improvements” and that, as a result, decision-makers “are left to make choices about cybersecurity implementation based on qualitative measures rather than quantitative ones.” Rosenzweig is working with the R Street Institute to build a consensus on useful metrics.
The Department of Justice wants access to encrypted consumer devices but promises not to infiltrate business products or affect critical infrastructure. Yet that's not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical infrastructure. They affect national security. And it would be foolish to weaken them, even at the request of law enforcement.
On Monday, Aug. 12, hackers leaked 700 GB of data obtained from the government of Argentina, including confidential documents, wiretaps and biometric information from the Argentine Federal Police, along with the personal data of police officers. The Twitter account of the Argentine Naval Prefecture was hacked as well, and used not only to share links to the stolen information but also to spread fake news about a nonexistent British attack on Argentine ships.
Cybersecurity is a bit like obscenity. It seems that we know it when we see it, but we have a great deal of difficulty describing it, categorizing it or counting it. Much as with obscenity, there are some obvious answers on which all can agree—having an “internet of things” system with a hard-coded password of “123456” is insecure by any measure—but there is a vast gray area in between the poles where tradeoffs, cost-benefit assessments, and issues of practicality and scalability lurk.
On July 29, the U.S. Attorney’s Office for the Western District of Washington filed a criminal complaint against Paige A. Thompson for violating the Computer Fraud and Abuse Act by hacking into protected computers belonging to Capital One. The complete charging document is available here and below.
On Tuesday, July 23, Attorney General William Barr delivered a keynote address at the International Conference on Cyber Security at Fordham University. The complete speech can be read below.
On March 1, 2018, the governor of Colorado issued the first-ever state emergency declaration based on a ransomware attack. He did so to deploy cybersecurity specialists in the state’s National Guard.