Hacking – Law Street
https://legacy.lawstreetmedia.com
Law and Policy for Our Generation
Wed, 13 Nov 2019 21:46:22 +0000

Putin Storylines Cut from Movies Out of Hacking Fears
https://legacy.lawstreetmedia.com/blogs/entertainment-blog/putin-storylines-cut-hacking/
Thu, 20 Jul 2017 20:55:31 +0000

They aren't Putin' him in any movies.

The post Putin Storylines Cut from Movies Out of Hacking Fears appeared first on Law Street.

Image courtesy of katicaj; License: Public Domain

Russia is all over the news right now, and given that art imitates life, you’d think that we’d start to see this national concern spill over into our box offices any day. But the opposite phenomenon may be taking place–studios are reportedly writing Vladimir Putin storylines out of their movies. The studios are apparently concerned that they will fall victim to hacking if they insert the Russian leader into their films.

According to the Hollywood Reporter, two movies in particular have gotten this type of editing. “Red Sparrow,” which stars Jennifer Lawrence and is slated to come out next March, is based on a book that features Putin quite heavily. Although the screenplay went through a number of revisions, the Putin character was dropped and never brought back. There’s also “Kursk,” which tells the true story of a Russian submarine that sank in 2000. Despite the fact that Putin appeared in the book on which the movie will be based, and earlier drafts of the screenplay, he’s missing from the movie itself.

The fears of hacking are by no means unfounded. In 2014, Sony released “The Interview,” which poked quite a bit of fun at North Korean leader Kim Jong-un. Sony was hacked, and in the months that followed, thousands of emails and other files containing confidential information were leaked. North Korea is widely believed to have been behind the attack. It’s safe to assume that Russia has hacking capabilities that are at the very least on par with those of North Korea.

Of course, Russia claims that the whole controversy is silly. According to the Russian government-controlled Sputnik News, the Kremlin doesn’t care about Hollywood depictions of Putin. Kremlin spokesman Dmitry Peskov told the news service, “We do not know anything about these movies. We do not know, who is filming them and what they are about. It is not our topic.” Since that’s pretty tough to believe, it makes sense that movie studios aren’t taking any chances.

Anneliese Mahoney
Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

Privacy Concerns: Can Your Medical Device Be Hacked?
https://legacy.lawstreetmedia.com/issues/health-science/medical-device-hacking/
Tue, 17 Jan 2017 15:13:41 +0000

Medical devices are highly vulnerable to cybersecurity threats.

The post Privacy Concerns: Can Your Medical Device Be Hacked? appeared first on Law Street.

"System Code" Courtesy of Yuri Samoilov : License: (CC BY 2.0)

Medical information is usually viewed as a private affair. But due to the proliferation of technologically advanced devices–heart monitors, X-ray devices, and even fitness trackers–the ability to gain access to a person’s sensitive health information may be easier than most realize. Unsecured devices could lead to disastrous consequences, as any alteration to a patient’s device could be a life or death situation. Medical device hacking may be the largest cybersecurity threat faced by Americans in the coming years. This gigantic security concern is quietly lurking in citizens’ insulin pumps and pacemakers.

Despite having federal and state guidelines to protect and secure individually identifiable health information, accessing a person’s most detailed medical information may be as simple as pressing a few buttons. New Food and Drug Administration (FDA) guidelines issued at the end of 2016 may be able to combat easy access to medical devices, but only with cooperation from device manufacturers. There are also no current plans for enforcement of these guidelines by the FDA, as they are non-binding recommendations. Read on to learn about the security concerns presented by medical devices.


What is a Medical Device?

A medical device, as defined by the FDA, is “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory” that is used “in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” Such devices are regulated by the FDA and may be utilized for animals as well as humans. Tongue depressors, bedpans, x-ray machines, and complex programmable pacemakers with microchip technology all fall under the broad definition of a medical device. Moreover, surgical lasers, wheelchairs, and even sutures and orthopedic pins are classified as medical devices. If the primary intended use of a product is achieved via a chemical reaction or metabolized by the body, then it will usually fall under the definition of a “drug.” The U.S. is the global leader in the medical device market, with a total market size of roughly $148 billion in 2016. The Department of Commerce determined that U.S. exports of medical devices in specific categories exceeded $44 billion in 2015. Research and development in this sector are also more than twice the average for all U.S. manufacturers.


Medical Privacy Laws

A person’s medical history is a deeply personal collection of information. Highly sensitive material ranging from mental health treatment and sexual history to genetic disorders and diseases can be contained in an individual’s medical file. Numerous laws have been passed in the U.S. on federal and state levels to ensure that Americans’ health information remains confidential and secure. The most comprehensive law ever passed in the field of medical privacy is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act required the Secretary of the Department of Health and Human Services to develop regulations to protect the privacy and security of certain medical information. Under HIPAA, the government established national standards to protect individuals’ medical records and give patients control over who can access personal health information. Essentially, without direct patient authorization, specific entities are limited in the uses and disclosures they may make of individuals’ medical records.

“Paper files of medical records” Courtesy of Newtown grafitti : License: (CC BY 2.0)

In 2000, the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) came into effect; the guidance comprehensively answers questions about the privacy requirements of HIPAA. Generally, under the Privacy Rule, incidental uses and disclosures are permissible only if they are a by-product of a reasonable or permissible disclosure. The rule requires covered entities to take reasonable steps to limit the use or disclosure of protected health information. It applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. Individually identifiable health information is information that relates to: an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for health care for the individual.

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) also established national security standards for certain health information held or transferred in electronic form. The Security Rule particularly addressed technical and non-technical safeguards that covered entities must utilize to protect individuals’ electronic protected health information (e-PHI). Entities covered by the Security Rule must ensure the confidentiality and integrity of all e-PHI being received or transmitted, as well as protect against any reasonably anticipated threats to the security or integrity of such information. Under the intricacies of HIPAA’s Privacy Rule and Security Rule, the U.S. government has clearly gone to great lengths to protect citizens’ medical records from improper use or disclosure by entities without direct patient authorization. Certain medical devices utilized today may contain information regarding a person’s medical condition that is as detailed as their medical records–what ailments a person is being treated for, or what dosage of medicine a person takes daily. Therefore, protecting these devices from unwanted intrusion and hacking should be of the utmost importance to ensure patient health and privacy.


Medical Device Security and Privacy Concerns

The FDA has been warning hospitals and health providers for years that medical devices and hospitals are vulnerable to hackers. In early 2016, the Hollywood Presbyterian Medical Center in California fell victim to a ransomware attack, in which malware infects a computer and then encrypts its files until someone pays to have them unlocked. The attackers in California held patients’ medical data hostage until the ransom was paid, roughly $17,000 in bitcoin. Ransomware also hit other hospitals around the country.

One of the largest consumer concerns regarding medical devices is that individuals can do little to protect their devices themselves. It’s up to the manufacturers of a device’s hardware and software to employ proper security measures. Another issue plaguing medical devices is that most of the laws protecting medical privacy fall under the Health and Human Services’ umbrella; however, regulating medical devices falls in part under FDA jurisdiction. This split in jurisdiction explains why the interaction between medical device regulations and privacy laws leads to administrative issues. In a cybersecurity briefing, the U.S. government warned that pacemakers were easy targets for hackers.

Furthermore, in October 2016, Johnson & Johnson notified 114,000 diabetic patients that a hacker could potentially exploit one of its insulin pumps. The pump could be attacked by either disabling the device or altering the dosage of insulin. Some medical infusion pumps in hospitals are even connected wirelessly because it makes monitoring dosages easier. Patients in the hospital could potentially have their pumps controlled remotely by a hacker, which is relatively simple to do.


While the threat to medical devices has been common knowledge for the past few years, few people have attempted to rectify the glaring holes in the current system. Security researchers have managed to remotely control medical devices including pacemakers, insulin pumps, and defibrillators. Thus, it is quite possible that hackers may start setting their sights on specific medical devices, not just entire hospital systems. U.S. officials began investigating flaws in pacemakers in August 2016, when a batch ran out of battery three months earlier than anticipated. While that particular batch simply had a rare defect that caused them to fail, the months of investigation culminated in the FDA releasing 30 pages of guidance regarding medical devices’ security flaws.


New FDA Guidelines

The FDA first issued guidance in October 2014 that contained recommendations for manufacturers to build medical devices with cybersecurity protections. These guidelines were expanded in December 2016; however, the recommendations to manufacturers were non-binding, making the document not legally enforceable and not a particularly strong stance on securing future medical devices. As part of the new recommendations issued, the FDA encourages manufacturers to swap information with each other and consistently deploy software patches and updates to fix any security vulnerabilities. Moreover, the agency has asked manufacturers to adhere to a checklist created by the National Institute of Standards and Technology. Early product development that focuses on protecting medical devices from hackers is of the utmost importance. The FDA also suggested that manufacturers join the Information Sharing and Analysis Organization to share details about detected security risks and attacks when necessary.


Conclusion

Researchers saw a rise in the occurrences of cyberattacks on a global scale in 2016. Technological advances in medical devices certainly encourage more effective health treatment, but the increasing reliance on vulnerable software potentially puts the health of citizens at risk. Thus, implementing a structured and comprehensive plan to manage cybersecurity risks is critical. While the new FDA guidelines are a respectable start to ensuring medical devices are free from cybersecurity threats, making the recommendations mandatory as opposed to voluntary may be the only way to keep individuals’ medical information safe from prying eyes. Many contend that while the recommendations could be more stringent, this is just the first step in a long road to addressing cybersecurity in the medical field. For now, the onus remains on the manufacturers to patch detected vulnerabilities in their devices and software and develop devices safe for consumers.

Nicole Zub
Nicole is a third-year law student at the University of Kentucky College of Law. She graduated in 2011 from Northeastern University with a Bachelor’s in Environmental Science. When she isn’t imbibing copious amounts of caffeine, you can find her with her nose in a book or experimenting in the kitchen. Contact Nicole at Staff@LawStreetMedia.com.

Bipartisan Group of Politicians Express Outrage Over Russian Hacking
https://legacy.lawstreetmedia.com/blogs/politics-blog/despite-trumps-dismissal-russian-hacking-sees-bipartisan-outcry/
Mon, 12 Dec 2016 19:30:31 +0000

Meanwhile, Trump called the CIA's report "ridiculous."

The post Bipartisan Group of Politicians Express Outrage Over Russian Hacking appeared first on Law Street.

Image Courtesy of Gage Skidmore; License: (CC BY-SA 2.0)

President-elect Donald Trump may have dismissed the CIA report that Russia’s hacking was intended to aid his election efforts, but a bipartisan cohort of politicians banded together to condemn the Kremlin’s actions over the weekend. Many have also called for a “bipartisan investigation” into the matter. Four senators–two from each party–released a joint statement on Sunday in response to the CIA’s conclusion that the hacks were pointedly aimed at putting Trump in the White House.

“We are committed to working in this bipartisan manner, and we will seek to unify our colleagues around the goal of investigating and stopping the grave threats that cyberattacks conducted by foreign governments pose to our national security,” said the statement from Senator John McCain (R-AZ), Senator Lindsey Graham (R-SC), Senator Chuck Schumer (D-NY), and Senator Jack Reed (D-RI).

The senators said that the CIA’s report “should alarm every American,” adding that the hacks “cut to the heart of our free society.” McCain and Schumer appeared on “CBS This Morning” on Monday, reiterating their concern over the hacks. Contradicting Trump’s Twitter flurry denying the CIA’s report, McCain said: “there is no doubt about the hacking. Let’s establish that.”

Trump continued his Twitter tirade on Monday morning:

He continued:

Russia’s hacking into the Democratic National Committee’s email servers, and its assist to WikiLeaks, which in turn unleashed the damaging emails, has been on the CIA’s radar since at least July. But last week, the agency concluded that the Russians also hacked into the Republican National Committee’s servers but held back on releasing what they had dug up. Based on a new analysis of previously known and largely circumstantial evidence, the CIA concluded Russia intended to help Trump get elected over Hillary Clinton.

Trump and Clinton presented Russia with two very different futures, depending on which candidate U.S. voters elected into office. As secretary of state, Clinton clashed with Russian President Vladimir Putin several times. For instance, he blamed her for instigating anti-Putin protests in Moscow in 2011. Trump, on the other hand, has shown nothing but admiration for Putin on the campaign trail. Trump has praised Putin as “a strong leader,” and has questioned the effectiveness of NATO, a key check against Russian aggression in Baltic states in Europe.

While some top-ranking Republicans have spoken out against the Russians, others have remained largely silent. Speaker of the House Paul Ryan issued a statement on Sunday, saying “foreign intervention in our elections is unacceptable” but also added that he “rejects any politicization of intelligence matters” and did not call for a deeper probe into the matter. But for McCain, Schumer, Graham, and Reed, Russia’s meddling “cannot become a partisan issue.” They said in their statement: “The stakes are too high for our country.”

Alec Siegel
Alec Siegel is a staff writer at Law Street Media. When he’s not working at Law Street he’s either cooking a mediocre tofu dish or enjoying a run in the woods. His passions include: gooey chocolate chips, black coffee, mountains, the Animal Kingdom in general, and John Lennon. Baklava is his Achilles heel. Contact Alec at ASiegel@LawStreetMedia.com.

Startling Holes in Our Cybersecurity Network: The Tesco Bank Hack
https://legacy.lawstreetmedia.com/blogs/technology-blog/startling-holes-cybersecurity-network-tesco-bank-hack/
Thu, 17 Nov 2016 22:13:59 +0000

This marks a new trend in hacks.

The post Startling Holes in Our Cybersecurity Network: The Tesco Bank Hack appeared first on Law Street.

Image courtesy of Jane Embury; License: (CC BY-SA 2.0)

Tesco Bank, the British retail bank run by the UK’s largest supermarket chain, lost approximately 2.5 million pounds this month after hackers broke into the accounts of more than 9,000 customers. The bank has pledged to reimburse customers who lost money and ultimately decided to suspend online banking for all of its 136,000 customers. Spokespeople claimed that personal data had not been compromised in the hack and that customers do not need to change their passwords, yet the sheer scope of the attack has made security experts uneasy.

The company first caught on to the breach on Saturday, November 5, and immediately began texting customers who had been affected. Many customers saw their money being moved out of Tesco accounts via overseas transactions to Spain and Brazil. Although there was initial concern that the hack was an inside job, aided by a bank employee, it is now being chalked up to general human error and a failure to create a truly secure system.

This attack represents a major modern shift in cybercrime, from attacking individual customers to attacking an entire bank in one go. Perhaps the most troubling discovery in the wake of the hack was that Tesco had been warned by the security firms CyberInt and Codified Security about the weaknesses in its system, which the company did not respond to. No company can be expected to track every spam email about cybersecurity that floods its inbox, but in this case, if the reports from Codified Security truly were purposefully ignored, it reveals a dangerously cavalier attitude toward cybersecurity at the Tesco Bank headquarters.

Defenders of the bank have argued that the hack was successful because it took place during the weekend, when the technical staff were not at their desks responding to customer reports and warning signs as they would during the work week. Regardless of the timing of the attack, the amount of money shifted from customer accounts is disturbing, especially as it is only the latest in a string of high-profile hacks this year. Almost two years ago, the Bank of England highlighted cybercrime in the meetings of its financial policy committee, noting that banks were woefully unprepared for large-scale attacks on their databases, but that warning came and went with very little impact.

It is not only smaller, less conventional banks like Tesco that have been targeted: in January of this year, HSBC shut down its mobile banking platform after a distributed denial-of-service attack. Tesco Bank is a relative mom-and-pop bank compared to the global behemoth that is HSBC, which explains why it did not have the same early warning notifications and success that HSBC did when shutting down the January hack. No bank, either electronic or brick-and-mortar, is definitively safe, but when hundreds of accounts are being attacked, there is a clear issue with security. Tesco Bank will take a major hit in the wake of the attack, but rather than lying back and celebrating the decline of a competitor, other UK banks–and banks around the globe–should be rushing to their own cybersecurity teams to repair the weaknesses that could be exploited in the next great hack.

Jillian Sequeira
Jillian Sequeira was a member of the College of William and Mary Class of 2016, with a double major in Government and Italian. When she’s not blogging, she’s photographing graffiti around the world and worshiping at the altar of Elon Musk and all things Tesla. Contact Jillian at Staff@LawStreetMedia.com

Independent Audit: Clinton At Fault For Private Email Scandal
https://legacy.lawstreetmedia.com/elections/independent-audit-clinton-fault-private-email-scandal/
Wed, 25 May 2016 21:25:39 +0000

Democrats brush aside, Republicans rejoice

The post Independent Audit: Clinton At Fault For Private Email Scandal appeared first on Law Street.

Image courtesy of [Brett Weinstein via Flickr]

An independent audit into the private email account of Hillary Clinton–used during her tenure as Secretary of State–found that she acted irresponsibly with regard to repeated warnings from the State Department. The audit–78 pages in total–said Clinton ignored directives from the State Department with regard to private email, as concerns about the legality of passing classified government documents through a private account were brushed aside. It also acknowledged that her private home server might have been breached by hackers, a point Clinton’s aides deny.

Other notable takeaways from the audit:

  • Though she was briefed about cybersecurity risks in a memo in 2011, Clinton’s account did not meet minimum security guidelines as outlined by the State Department and as required under the Federal Records Act.
  • Before her duties as Secretary of State ended in 2013, Clinton should have turned over all emails to the department. She released only half of those emails, and only after her use of a private server was revealed by media reports in 2015.
  • Although Clinton and her aides have agreed to cooperate in an ongoing FBI investigation into the affair, none would comply with the independent audit. But on CBS’s “Face the Nation” this month, Clinton said: “I’ve made it clear that I’m more than ready to talk to anybody, anytime. And I’ve encouraged all of (my staff) to be very forthcoming.”

As expected, Clinton’s aides rushed to her defense and Republican critics seized on the audit as proof she is unsuitable to be president.

“The inspector general documents just show how consistent her email practices were with those of other secretaries and senior officials at the State Department who also used personal email,” said Brian Fallon, Clinton’s campaign spokesman, with regard to the audit’s findings that previous secretaries–including Colin Powell–have used similarly private servers in the past. But according to the report, Clinton’s methods were “considerably more detailed and more sophisticated” than past secretaries.

Reince Priebus, chairman of the Republican National Committee, saw the findings as more than a mere slip-up: “The stakes are too high in this election to entrust the White House to someone with as much poor judgment and reckless disregard for the law as Hillary Clinton,” he said.

What Wednesday’s report means for the ongoing FBI investigation into the matter is unclear, but as the November election inches closer into view, it’s an issue to keep an eye on in the coming months.

Alec Siegel
Alec Siegel is a staff writer at Law Street Media. When he’s not working at Law Street he’s either cooking a mediocre tofu dish or enjoying a run in the woods. His passions include: gooey chocolate chips, black coffee, mountains, the Animal Kingdom in general, and John Lennon. Baklava is his Achilles heel. Contact Alec at ASiegel@LawStreetMedia.com.

Can the Government Protect Itself from Cyber Attacks?
https://legacy.lawstreetmedia.com/blogs/crime/can-government-protect-cyber-attacks/
Thu, 25 Jun 2015 12:30:55 +0000

Recent hacks and the government's response suggest otherwise.

The post Can the Government Protect Itself from Cyber Attacks? appeared first on Law Street.

Image courtesy of [See-ming Lee via Flickr]

Many countries have been victims of cyber attacks but may not realize it until long after the security breach occurred. In the recently revealed hack on the Office of Personnel Management (OPM), it took authorities four months to even realize that the hack occurred. While it may still be too early to understand the exact scale of this attack, all evidence suggests that it is likely one of the largest security breaches in United States history. With news of recent security breaches finally reaching the public, many people are wondering if the government can adequately protect itself from future attacks.

“The United States of America is under attack,” warned Rep. Elijah Cummings at a House Oversight and Government Affairs Committee hearing earlier this month. Katherine Archuleta, the director of OPM, faced harsh criticism at the hearing for failing to upgrade databases despite known security issues. An OPM audit carried out last November–shortly before the breach–concluded that several databases still did not meet federal security standards, a problem that was initially identified back in 2007. Authorities had knowledge of a “significant deficiency” in OPM security governance prior to the hack, yet failed to fix security problems that have existed for nearly seven years.

According to the New York Times, federal databases have not been updated with the latest protocols and defense systems that create more barriers for hackers to break through. In the case of the OPM breach, hackers were not subject to multi-factor authentication–meaning they were not required to use an access code to verify their identification. The OPM Inspector General was also unsure if the hacked social security numbers were encrypted. When asked why hackers were not subject to multi-factor authentication, Donna Seymour of OPM told the Times the following:

Installing such gear in the government’s ‘antiquated environment’ was difficult and very time consuming, and that her agency had to perform ‘triage’ to determine how to close the worst vulnerabilities.

The U.S. has been a victim of hacking before, but the recent OPM hack was different because the hackers accessed the Federal Employee Database, which allowed them to retrieve federal employee information dating all the way back to 1985. More recently, officials have come to believe that Standard Form (SF) 86 questionnaires, which all individuals applying for national security positions must fill out, may have also been compromised in yet another hack. Access to such forms could provide hackers with extremely intimate information about individuals with security clearance, and in the wrong hands could lead to blackmail.

Cybersecurity experts believe China wanted this information to build a network of current and former government employee information to conduct future attacks. This shows the U.S. government’s inability to protect 14 million people’s personal information and keep Americans safe from cyber attacks. The hackers involved are believed to be a Chinese group, the same one responsible for hacking Anthem Insurance earlier this year.

Not only is the United States ill-equipped to prevent these attacks, it often does a poor job of responding to them after the fact. In response to the recent hack, OPM has notified four million current and former federal employees who may have had their personal information stolen and offered 18 months of free credit monitoring and $1 million in identity theft protection. But is that enough if identities are already compromised? Many federal employees do not believe so and took to commenting on OPM’s Facebook page to express their anger. Federal employees are demanding higher security standards and better responses from the agency because so many people’s personal information is at stake.

This is not the first time that the government failed to learn from past attacks. Back in April, officials revealed a cyber attack that penetrated the White House computers, reportedly tracing its origins to Russia. According to the White House, attackers managed to penetrate the unclassified system of White House computers giving them important details about the president’s schedule. Investigators believe the Russians used a tactic called “spear phishing,” where hackers pretend to be a friend or coworker and ask for account information. Authorities believe the OPM hackers used similar methods.

While officials believe the hack was not carried out on behalf of the Chinese government, that government seems to be doing little to crack down on hackers within its borders. The United States indicted five senior Chinese officials last year for stealing trade secrets from computers of American companies and passing them on to Chinese competitors. In retaliation for the indictments, China said it suspended a working group on cyber-related matters, further preventing collaboration between the two countries.

With cybercrimes becoming more prevalent, the government must strengthen its security by updating U.S. systems with the latest defense technology to prevent future attacks. Government officials have knowledge of significant security weaknesses, yet little has been done to secure important systems. It is likely these attacks will continue in the future, and unless the United States is able to bring security measures in line with established standards, the government’s ability to protect itself will continue to falter.

Jennie Burger
Jennie Burger is a member of the University of Oklahoma Class of 2016 and a Law Street Media Fellow for the Summer of 2015. Contact Jennie at staff@LawStreetMedia.com.

The post Can the Government Protect Itself from Cyber Attacks? appeared first on Law Street.

Anonymous Strikes Again: Canadian Government Experiences Security Breach https://legacy.lawstreetmedia.com/news/anonymous-strikes-canadian-government-experiences-security-breach/ https://legacy.lawstreetmedia.com/news/anonymous-strikes-canadian-government-experiences-security-breach/#respond Thu, 18 Jun 2015 20:09:38 +0000 http://lawstreetmedia.wpengine.com/?p=43371

The latest frontier in Anonymous's fight against government measures it disagrees with.

The post Anonymous Strikes Again: Canadian Government Experiences Security Breach appeared first on Law Street.


The infamous hacker group “Anonymous” reportedly conducted an attack against the Canadian government on Wednesday. This attack made multiple government websites go dark, including Canada.ca and the websites for the Department of Foreign Affairs, Transport Canada, Citizenship and Immigration Canada, and Justice Canada. This hack was supposedly in protest against the government’s controversial new security legislation, Bill C-51, or the Anti-terrorism Act, which would broaden the mandate of the Canadian Security Intelligence Service (CSIS). Exact ramifications of the attack are unknown, but it’s almost certainly the latest in a string of efforts by Anonymous to protest increased surveillance in various nations.

The act would give the agency new powers to disrupt perceived security threats and make it easier for federal agencies to increase surveillance and share information about individuals. Anonymous believes that this bill is not in its favor, stating as much in a video posted on YouTube. The video said the anti-terrorism law violated human rights and targeted people who disagree with the government, saying:

A bill which is a clear violation of the Universal Declaration of Human Rights, as well as removing our legal protections enshrined in the Magna Carta for 800 years. Perhaps it was fate that the day the Magna Carta arrived in our country to go on display to the populace that our corrupt government was symbolically pissing upon it and us all.

Soon after the hack, Twitter user @Blakeando10 took credit for the cyberattack. He is pictured on his account as wearing a Guy Fawkes mask, which is usually associated with an act of this sort committed by Anonymous.

Treasury Board President Tony Clement confirmed that the government’s servers were hit with a denial of service attack. “I can tell you, I’ve just been through a briefing on it. There has been an attack on Government of Canada servers, GC servers. It is as a result of a, of a — what we would call a cyberattack,” he said. By 3 PM, most of the websites were back online, although exact damage was still unknown. Liberal Defense critic, Joyce Murray, believes that this cyber attack should be a wake-up call for the Canadian government. Nadeem Douba, who has previously advised governments on security issues, told iPolitics the hack was not a very sophisticated one.

It definitely is more about optics than anything else. If we were looking at a denial of service attack similar in nature to StuxNet, where critical infrastructure was impacted, then I would consider it more of a security threat. The same could be said if the attack were able to create any kind of political unrest or economic instability. However, as far as we know now, this attack is more of a nuisance than anything else.

Government websites should be some of the most secure in the world. There is no reason why a group of people should be capable of hacking into them, especially if these sites hold valuable information. Steven Blaney, the public safety minister, criticized the cyber-attackers, telling reporters that there were many other more democratic ways for Canadians to express their views. Blaney also said the government is implementing efforts to improve its cyber security. Hopefully that’s not too little, too late.

Taelor Bentley
Taelor is a member of the Hampton University Class of 2017 and was a Law Street Media Fellow for the Summer of 2015. Contact Taelor at staff@LawStreetMedia.com.

Cybersecurity: Will We Ever Be Safe? https://legacy.lawstreetmedia.com/issues/technology/cybersecurity-will-ever-safe/ https://legacy.lawstreetmedia.com/issues/technology/cybersecurity-will-ever-safe/#respond Tue, 20 Jan 2015 17:47:51 +0000 http://lawstreetmedia.wpengine.com/?p=32270

Will we ever be able to develop cybersecurity to protect ourselves from cyber attacks?

The post Cybersecurity: Will We Ever Be Safe? appeared first on Law Street.


Hacking attacks are estimated to cost the global economy a whopping $400 billion each year. With recent attacks on Sony and U.S. Central Command, it seems like nothing online is completely safe. The United States is scrambling to improve cybersecurity and prevent attacks that could otherwise have major impacts on national security, the economy, and personal safety. Here’s what you need to know about cybersecurity policy, government efforts, and what to expect in the future.


What is cybersecurity?

In the increasingly digital world with an ever-growing e-commerce sector, cybersecurity is of vital importance. Cybersecurity is a broad concept that resists a precise definition; it involves protecting computers, networks, programs, and data from cyber threats. Cybersecurity can help protect privacy and prevent unauthorized surveillance and use of electronic data. Examples of cyberattacks include worms, viruses, Trojan horses, phishing, stealing confidential information, and control system attacks. Because of its loose definition, it is hard for the government to regulate how businesses should protect their systems and information. A number of different measures are used to ensure at least a basic level of cybersecurity.


How does cybersecurity work?

Cybersecurity helps to protect against the risks associated with any cyber attack, which depend on three factors:

  1. Removing the threat source. Determining who is attacking can indicate what kind of information or advantage they are seeking to gain. Cyberattacks may be carried out by criminals, spies, hackers, or terrorists, all of whom may do it for different reasons.
  2. Addressing vulnerabilities through improving software and employee training. How people are attacking is important in trying to set up the best cybersecurity possible. This can be likened to an arms race between the attackers and defenders. Both try to outsmart the other as the attackers probe for weaknesses in their target. Examples of vulnerabilities include intentional malicious acts by company insiders or supply chain vulnerabilities that can insert malicious software. Previously unknown, “zero day” vulnerabilities are particularly worrisome because they are unknown to the victim. Since they have no known fix and are exploited before the vendor even becomes aware of the problem, they can be very difficult to defend against.
  3. Mitigating the damage of an attack. A successful attack may compromise confidentiality, integrity, and even the availability of a system. Cybertheft and cyberespionage might result in the loss of financial or personal information. Often the victims will not even be aware the attack has happened or that their information has been compromised. Denial-of-service attacks can prevent legitimate users from accessing a server or network resource by interrupting the services. Other attacks such as those on industrial control systems can result in destruction of the equipment they control, such as pumps or generators.

Examples of common cybersecurity features include:

  • Firewall: a network security system to control incoming and outgoing network traffic. It acts as a wall or barrier between trusted networks and other untrusted networks.
  • Anti-virus software: used to detect and prevent computer threats from malicious software.
  • Intrusion Prevention System: examines network traffic flows to prevent vulnerability exploits. It sits behind the firewall to provide a complementary layer of analysis.
  • Encryption: involves coding information in such a way that only authorized viewers can read it. This involves encrypting a message using a somewhat random algorithm to generate text that can only be read if decrypted. Encryption is still seen as the best defense to protect data. Specifically, multi-factor authentication involving a two-step verification, used by Gmail and other services, is most secure. These measures (at least for the time being) are near impossible to crack, even for the NSA.


What is the role of the federal government in cybersecurity?

Most agree the federal role should include protecting federal cyber systems and assisting in protecting non-federal systems. Most civilians want to know online shopping and banking is secure, and the government has tried to help create a secure cyber environment. According to the Congressional Research Service, federal agencies on average spend more than 10 percent of their annual IT budget on cybersecurity measures.

There are more than 50 statutes that address various issues of cybersecurity. While much legislation has been debated in recent years, no bills have been enacted. The most recent and significant cybersecurity legislation came in 2002 with the passage of the Federal Information Security Management Act (FISMA), which requires each federal agency to implement and report on cybersecurity policies.

Over the past several years, experts and policymakers have shown increasing concern over protecting systems from cyberattacks, which are expected to increase in both severity and frequency in the coming years. Most proposed legislation and executive branch action with regard to cybersecurity focus on immediate needs, such as preventing espionage and reducing the impact of successful attacks. Historically there has been an imbalance between the development of offensive versus defensive capabilities. Coupled with slow adoption of encryption technologies, many programs were vulnerable to attack. While the cybersecurity landscape has improved, needs still exist with regard to long-term challenges relating to design, incentives, and the environment. Overcoming these obstacles in cybersecurity remains a challenge.

Design

Developers of software or networks are typically more focused on features than the security of their product. Focusing primarily on the product’s features makes sense from an economic standpoint; however, shifting the focus away from security makes these products more vulnerable to cyberattacks.

Incentives

The distorted incentives of cybercrime make it hard to prevent. Cybercrime is typically cheap, profitable, and relatively safe for criminals. In contrast, cybersecurity is expensive, often imperfect, and companies can never be certain of the returns on the investments they make in cybersecurity.

Environment

Cybersecurity is a fast-growing technology. Constantly-emerging properties and new threats complicate the cybersecurity environment. It is very difficult for the government or private companies to keep up with the pace of changing technology used in cyberattacks. What laws and policies do exist are almost always out of date given the rapid pace of change in cybersecurity.


Has President Obama taken any action on cybersecurity?

With recent attacks and data breaches at Sony, Target, Home Depot, and the Pentagon’s Central Command, the need for toughened cybersecurity laws has been highlighted. Cybersecurity is an issue where both sides of the political aisle see the need to work together. It is clear that a comprehensive policy playbook is needed to guide the government’s response to such serious cyberattacks.

On January 13, 2015, President Obama announced a new cybersecurity legislative proposal, which consists of three parts:

  1. Enabling cybersecurity information sharing: The proposal enhances collaboration and cybersecurity information within the private sector and between the private sector and the government. The proposal calls for the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Sharing information about cyber threats with the NCCIC would shield companies from liability. The bill would require the Department of Homeland Security to share threat information as quickly as possible with other agencies like the FBI or NSA. The proposal would also require private entities to comply with privacy restrictions like removing unnecessary personal information and taking measures to protect any personal information that must be shared.
  2. Modernizing law enforcement authorities to fight cybercrime: This ensures that law enforcement has the proper tools to investigate and prosecute cybercrime. These provisions would criminalize the sale of stolen U.S. financial data, expand authority to deter selling of spyware, and shut down programs engaged in denial-of-service attacks. Other components criminalize various cybercrimes.
  3. National data breach reporting: Many state laws require businesses that have suffered from breaches of consumer information to notify consumers. The proposed legislation would simplify and standardize these existing state laws. The proposal would also put in place a timely notice requirement to ensure companies notify their customers about security breaches.

On January 16, 2015, President Obama and British Prime Minister David Cameron promised to cooperate with regard to cybersecurity. Cameron expressed concerns about encryption technologies that might make it easier for would-be terrorists to avoid detection. Cameron hopes to outlaw certain forms of encryption. President Obama did not as easily dismiss privacy concerns, but did state that he believes the government can do a better job of balancing both privacy and security.


Why is it hard to implement effective cybersecurity policy?

Congress has tried for years to pass legislation encouraging companies to share information from cyberattacks with the government and with each other; however, liability issues and privacy concerns stopped such laws from passing. Many privacy advocates are speaking out against President Obama’s proposed legislation for the same reasons. They fear that such information-sharing legislation could further the government’s surveillance powers. Some groups caution that substantial National Security Agency reform should come before considering any information-sharing bill. Privacy concerns such as these have made it difficult to pass cybersecurity packages in Congress in the past; however, the recent Sony attack may prove to be a game changer in passing new cybersecurity bills.

Even if President Obama and Congress can implement the above changes, it will still be difficult for the government to enact more effective policy changes. Technology can easily mask the identity or location of those organizing cyberattacks. This can make identifying and prosecuting those responsible near impossible. Justifying an appropriate response to attacks is even harder.

Legislatures and citizens also tend to be kept in the dark due to extreme security regarding a country’s cyber capabilities. Edward Snowden’s revelations about the NSA sparked public interest in cybersecurity and in the extent of the government’s capabilities. But still, information regarding the U.S.’ cyber policies remains classified and not open to general discussion. Without transparency, it is hard to exercise oversight or explain to the public the government’s cybersecurity activities.

Critics also contend that President Obama’s proposal leaves large gaps in cybersecurity policy. The policy fails to establish ground rules for responding to cyber attacks once they have occurred and it remains unclear how the United States might respond to cyberattacks against government networks or even private sector entities like Sony. While attacks may be criminalized, prosecuting these cases with limited evidence is difficult.

A recently uncovered 2009 U.S. cybersecurity report warned that the government was being left vulnerable to online attacks because encryption technologies were not being implemented fast enough. While the country has come a long way since 2009, there is still much room for improvement. A 2015 review of the Department of Homeland Security stated that:

DHS spends more than $700 million annually to lead the federal government’s efforts on cybersecurity, but struggles to protect itself and cannot protect federal and civilian networks from the most serious cyber attacks.


Conclusion

More needs to be done in the realm of cybersecurity to protect against cyberattacks. While less legislation may have worked in the past, the scale of recent cyberattacks shows the vast potential for damage to the government, companies, and individuals. President Obama’s recent proposal may be a good start, but more long-term policies are needed to protect citizens from serious cyberattacks. No cybersecurity solution is permanent, so public policy must constantly evolve to suit the needs of its citizens in the cyber realm.


Resources

Primary

Department of Homeland Security: Federal Information Security Management Act

White House: Securing Our Cyberspace: President Obama’s New Steps

Homeland Security and Governmental Affairs Committee: A Review of Missions and Performance

Additional

Congressional Research Service: Cybersecurity Issues and Challenges

National Journal: Obama’s New Cybersecurity Proposal Facing Skepticism

UMUC: Cybersecurity Primer

Forbes: Why a Global Security Playbook is Critical Post-Sony

Guardian: Secret U.S. Cybersecurity Report

Reuters: Obama Seeks Enhanced Cybersecurity Laws to Fight Hackers

NPR: Obama, Cameron Promise to Cooperate on Cybersecurity

Yahoo: Obama Says Hacks Show Need for Cybersecurity Law

Huffington Post: What’s Wrong with America’s Cybersecurity Policy?

Alexandra Stembaugh
Alexandra Stembaugh graduated from the University of Notre Dame studying Economics and English. She plans to go on to law school in the future. Her interests include economic policy, criminal justice, and political dramas. Contact Alexandra at staff@LawStreetMedia.com.

ISIS Supporters Hack US Central Command Online Accounts https://legacy.lawstreetmedia.com/news/us-central-command-online-accounts-hacked-isis-supporters/ https://legacy.lawstreetmedia.com/news/us-central-command-online-accounts-hacked-isis-supporters/#comments Mon, 12 Jan 2015 19:49:26 +0000 http://lawstreetmedia.wpengine.com/?p=31855

Self-proclaimed members of ISIS hacked into U.S. Central Command's social media accounts.

The post ISIS Supporters Hack US Central Command Online Accounts appeared first on Law Street.

United States Central Command (CentCom) reported today that its social media accounts had been hacked by people claiming to be from ISIS. CentCom, part of the Department of Defense, has played a main role in recent conflicts in Iraq, Afghanistan, and elsewhere. Based in Tampa, Florida, it’s responsible for American security interests in more than 20 different nations.

Whoever hacked the account posted threatening messages to American troops such as “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS.” There was also a tweet that linked to a longer statement that included:

In the name of Allah, the Most Gracious, the Most Merciful, the CyberCaliphate under the auspices of ISIS continues its CyberJihad. While the US and its satellites kill our brothers in Syria, Iraq and Afghanistan we broke into your networks and personal devices and know everything about you.

You’ll see no mercy infidels. ISIS is already here, we are in your PCs, in each military base. With Allah’s permission we are in CENTCOM now. We won’t stop! We know everything about you, your wives and children. U.S. soldiers! We’re watching you!

ISIS propaganda photos were also posted on CentCom’s YouTube page. Its Facebook page, however, appears to be untouched. Central Command has confirmed that its accounts have been compromised.

The hacking occurred while President Barack Obama was delivering a speech to the Federal Trade Commission (FTC) about cyber security. As of now, however, the only thing that the White House has said is that they’re “obviously looking into” the breach.

Most concerning of all, whoever hacked the accounts claimed that they had also gotten access to confidential information from CentCom, although that’s yet to be confirmed, and Defense officials have said that they don’t believe any information was taken. Some of the posts linked to documents, but those documents could have been found on Pentagon websites, among other places. They’re surely a far cry from damaging confidential information.

This comes less than a day after “hacktivist” group Anonymous declared war on the organization.

Cyberwar has become a real issue, and it appears that no one is completely safe.

Anneliese Mahoney
Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

ICYMI: Best of the Week https://legacy.lawstreetmedia.com/news/icymi-best-week-12/ https://legacy.lawstreetmedia.com/news/icymi-best-week-12/#respond Mon, 05 Jan 2015 17:09:59 +0000 http://lawstreetmedia.wpengine.com/?p=31117

ICYMI, check out the Best of the Week from Law Street.

The post ICYMI: Best of the Week appeared first on Law Street.

Welcome back to work! OK, so if you’re like me you’ve been back to work for a week now, but it still feels like the first Monday after vacation, doesn’t it? In case you weren’t into your normal routine of obsessively scrolling through the news last week, you can catch up on Law Street’s top three articles. Number one was brought to you by Marisa Mostek in her series about the dumbest laws in the United States–this time it was Utah and Nevada. The number two story was from Hannah R. Winsten, who had five actionable ideas for making this your most feminist New Year yet. And the third most popular story of the week was an issue brief on hacking as a tool of war by Mike Sliwinski. ICYMI, here is the Best of the Week from Law Street.

#1 The Dumbest Laws in the United States: Utah and Nevada

Nevada is home to legal prostitution and Sin City. Yet, it is surprisingly not home to many stupid laws. However, its neighbor Utah makes up for that with a whole long list of weird laws on the books. Let’s start with Nevada. In Reno, sex toys are outlawed, and it is illegal to lie down on the sidewalk, no matter how drunk and tired you are. Read the full article here.

#2 Five Resolutions for a More Feminist New Year

Folks, the New Year is upon us. Time to break out your most bedazzled dress, pop the champagne, and party your way into 2015, am I right? Fuck yeah I am. But, while New Year’s Eve is a night of epic intoxication, huge crowds, and glittery debauchery (if you’re at the right party), it’s also notorious for being the pre-game to a little thing we all do every New Year’s Day. Resolution making. Read the full article here.

#3 Hacking: The New Kind of Warfare

Following the recent fiasco at Sony, hacking has been catapulted squarely into the spotlight. But hackers are doing more than just delaying movie premieres–they are causing serious damage and have the capability to cause much more. Before we get too scared of these anonymous boogeymen, however, it is important to understand what hacking is and who the hackers are. Read the full article here.

Chelsey D. Goff
Chelsey D. Goff was formerly Chief People Officer at Law Street. She is a Granite State Native who holds a Master of Public Policy in Urban Policy from the George Washington University. She’s passionate about social justice issues, politics — especially those in First in the Nation New Hampshire — and all things Bravo. Contact Chelsey at staff@LawStreetMedia.com.

German Hacker: Fingerprint Scans Can be Hacked https://legacy.lawstreetmedia.com/news/german-hacker-fingerprint-scans-can-hacked/ https://legacy.lawstreetmedia.com/news/german-hacker-fingerprint-scans-can-hacked/#comments Fri, 02 Jan 2015 15:06:09 +0000 http://lawstreetmedia.wpengine.com/?p=30779

German hacker Jan Krissler of Chaos Computer Club is leading the charge to question the security of your fingerprint enabled devices.

The post German Hacker: Fingerprint Scans Can be Hacked appeared first on Law Street.

Fingerprint technology has long been hailed as the next great frontier in security features. Whether that’s because pretty much every spy movie includes a fingerprint scan scene, or because of all the hubbub over various tech companies like Apple releasing fingerprint technology for their new devices, it’s hard to tell. But for a long time a lot of us have believed that fingerprints are so unique that they would make for safe security features. Unfortunately, that may not actually be the case. According to a German hacker, it may be pretty simple to copy fingerprints…and all you need is a camera and some luck.

Hacker Jan Krissler (alias “Starbug”) of the hacking group Chaos Computer Club (CCC) in Hamburg, Germany, presented his fingerprint-stealing theory at a conference earlier this week. Krissler chose German Defense Minister Ursula von der Leyen as his example target. He used high resolution photographs that had been taken of von der Leyen–and he had a lot to choose from, given that she’s a pretty high profile figure in Germany. The photographs were all able to be zoomed in on to see her fingers. Then, using a readily available app called VeriFinger, he processed and reproduced her fingerprint.

CCC, which says that it’s the largest hacking group in Europe, has long tried to show how relatively unsafe fingerprint technology is. When Apple released the iPhone 5s last year with fingerprint scan technology included, CCC claimed that it was able to easily bypass Apple’s security system. Taking a photograph of a fingerprint and then making a wax-model of it allowed them to break into iPhones.

Krissler personally has long rallied against this technology that’s supposed to keep our devices and information safer. It’s not just fingerprint technology–he also has a serious problem with computers and other devices that unlock based on facial recognition, explaining that that kind of technology can be hacked by using a photo of a person. He also explained another, probably less likely, security concern with our current device mechanisms: “Reading a user’s PIN code from reflections in their pupils while taking selfies.”

The chances that these hacks are actually used in practice don’t seem very likely. I mean, how often do you have very high resolution photographs taken of your fingertips? Furthermore, in order to actually break into a technological device with a copy, you’d need said device.

This is not me saying that we all need to go off the grid and live in a cave to protect our information–I would fare horribly in a cave, as there probably aren’t many caves with good access to Netflix. However, I think the point that Krissler makes–that we rely too much on technology at face value–is a point well taken.

Anneliese Mahoney
Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

Hacking: The New Kind of Warfare https://legacy.lawstreetmedia.com/issues/technology/hacking-new-kind-warfare/ https://legacy.lawstreetmedia.com/issues/technology/hacking-new-kind-warfare/#respond Tue, 30 Dec 2014 19:35:46 +0000 http://lawstreetmedia.wpengine.com/?p=30640

Hacking is a new way for nations and non-state actors to fight wars and gain advantages.

The post Hacking: The New Kind of Warfare appeared first on Law Street.


Following the recent fiasco at Sony, hacking has been catapulted squarely into the spotlight. But hackers are doing more than just delaying movie premieres–they are causing serious damage and have the capability to cause much more. Before we get too scared of these anonymous boogeymen, however, it is important to understand what hacking is and who the hackers are.


What are hackers and what do they do?

So, first of all, what is a hacker? While the answer to that question is very complicated, for clarity’s sake a succinct and clear explanation of a computer hacker and computer hacking is this:

Computer hackers are unauthorized users who break into computer systems in order to steal, change or destroy information, often by installing dangerous malware without your knowledge or consent.

This definition is of course limited, as hacking is not relegated solely to computers and is not always a negative thing.

While not all hacking is negative, much of it is, and it is important to understand specifically what the intentions of many hackers are and how they operate. Hackers often lure their unsuspecting victims with bogus scams sent through emails or websites. Some hackers also prefer the approach of directly attacking a computer if it does not have the requisite protection in place, such as a firewall; however, while hacking may appear as simple as pressing a button in a movie, it is more complicated than that. More specifically, what a hacker does is infect another person’s computer with malicious software or malware. Once the unsuspecting user has activated the malware, either by clicking on a link or opening an email, his computer can then become infected with a virus. If a computer does become infected the hacker essentially has unlimited access to the operating system. This then enables him to have virtual control over the user’s computer and internet activity. Normally the hacker will try to maintain a low enough profile so the user is not alerted; in the meantime he will attempt to obtain sensitive information. Whatever way hackers choose to attack, they often try to steal things like passwords, account numbers, and means of identification such as a social security number.

The purpose behind all of this is nefarious; stealing an individual’s money, abusing their credit, or even turning a profit by selling the acquired information to a third party is often the end goal. Two prime examples of this are the major hack of Target’s credit card system in 2013 and the similar hack of eBay this year. Nonetheless, while hackers seem to have similar motives, the group is in fact quite heterogeneous and can vary from countries to individuals.


State Actors

The first type includes hackers utilized by a country’s government or military. In this way, hackers are used like other weapons such as tanks or missiles. In this regard, perhaps no country employs hackers and hacking more than China. According to a 2013 article from Bloomberg, China accounted for 41 percent of hacking assaults in 2012–four times that of the second place country on the list. While there’s no way to say definitively whether those hacks came from the Chinese government, the idea comes as no surprise to those familiar with the United States’ claims that China has long hacked American corporations in order to steal trade secrets and then passed them along to Chinese companies. For example, there were hacking accusations against China earlier this year by American corporate icons such as U.S. Steel and Alcoa.

However, the United States is far from an unwitting victim of these attacks. In fact the number two country from the same list of top hacking nations was the United States. In 2012, for example, ten percent of hacking attacks originated from within the United States. In addition, the United States military has increased the portion of its budget focused on cyber warfare. In 2015, the U.S. Cyber Command plans to spend $5.1 billion on cyber combat. The video below explains the threat of cyber warfare.

There is already evidence of suspected U.S. cyber warfare at work. Aside from unpublicized U.S. attacks against the Taliban in Afghanistan, there’s the more notable example of the Stuxnet virus that infected the Iranian nuclear infrastructure and severely damaged its nuclear program. There is also the recent shutdown of North Korean internet access that many suspect was American retaliation for the suspected North Korean hack of Sony.

Along with the United States and China, other countries where hacking is a major weapon include Taiwan, Turkey, and Russia.


Non-State Actors

Indeed, non-state hackers may pose an even bigger threat to global systems than government operations. One reason is that while government operations are generally strictly military or defensive in nature, non-state operations run the gamut.

Patriotic Hacking

One example is something known as patriotic hacking. In essence, these groups are self-appointed to represent a particular country and will respond in kind to any perceived slight against the nation they represent. One such group formed in China in response to the accidental bombing of a Chinese embassy in Belgrade by the United States during the war in Kosovo. Similar groups have also formed in many countries such as Israel, India, Pakistan, and the United States.

An example of a patriotic hacker–or “red hacker” as they are known in China–is Wan Tao. Wan Tao hacked everything from the U.S. government to Japanese political email accounts. While it is believed that he was never explicitly ordered to do so, the hacker’s targeted attacks fell in line with Chinese governmental actions. As if to emphasize the underlying nationalism in his attacks, Wan Tao even had a name for his group, the China Eagles.

Hacktivists

Another type of non-state hacking group is known as hacktivists, which are people who use both legal and illegal means to achieve some political goal. Perhaps the best example is the group known collectively as Anonymous. Known for donning the Guy Fawkes mask, Anonymous has been involved in hacking cases related to social issues ranging from the Occupy Wall Street movement to the shooting death of Michael Brown that set off the protests in Ferguson, Missouri. A more expansive definition of hacktivism is provided in the video below.

Other Non-State Actors

There are countless other non-state hacking groups at play today. One example is the massive hack of JP Morgan Chase in October 2014. In this case, the personal information of 83 million bank customers was stolen. While Chase was quick to deny any information such as account numbers was taken, experts in the field remain more skeptical. Regardless of what exactly was stolen, the culprits were again believed to be Russian hackers who stole personal information with the intent to sell it or profit off of it through other means such as fraud. There is also the persistent fear of terrorist hackers, although little has yet to come of this.


Putting Up a Firewall

While governments and individuals swarm to the attack there are also efforts to fight back against hackers, and like hackers and hacking these efforts take many forms. At the highest level are government efforts like those of the United States government. Specifically, as touched upon earlier, the United States has created a cyber command capable of launching retaliatory strikes against its enemies through cyber space if the U.S. were attacked. In essence then the United States is creating a deterrent through cyber space much like it already has through both conventional and nuclear means.

There are also altruistic attempts such as the ones being undertaken by organizations like I Am the Cavalry, which allows researchers to share their findings and help improve the security of four major sectors: medical devices, automobiles, home services, and public infrastructure.

In addition, there are more classical capitalist efforts employed by corporations. Several major corporations such as Apple, Facebook, Google, and Microsoft are actively courting hackers, often holding competitions with prizes like lucrative job offers. The goal of this approach is to pick up where traditional IT efforts leave off. Traditional efforts are geared at creating defensive measures so hackers cannot break into a system; however, this new approach utilizes hackers themselves specifically because they have the opposite mindset and are looking for the vulnerabilities to attack. By harnessing hackers’ aggressive skill sets and playing off their competitive mentalities these companies and many more are, in essence, using hackers to prevent hacking.


Conclusion

As the world becomes more digital and connected the threat of hacking will increase. In the future everything from cars to even toasters can and will be vulnerable to hacking and misuse. Furthermore, this threat will not necessarily come from other countries, but also non-state actors and even individuals. The motivations and allegiances of these people and groups vary widely and make the problem infinitely more complex.

Nonetheless, while efforts to prevent hacking can seem hopeless, like trying to keep a ship with a million leaks afloat, all is not lost. Indeed there are already efforts underway to fight back, which vary as much as those of the hackers themselves. As history has shown, no ship is unsinkable. Thus hacking is always likely to be a problem and an increasingly dangerous one; however, it can also offer an avenue for improvement and a channel to voice social concerns. While hacking may be the next great threat, like previous scourges it may also present unique opportunities for change and improvement for society as a whole.


Resources

Primary

Center for A New American Security: Non-State Actors and Cyber Conflict

Additional

Bloomberg: Top Ten Hacking Countries

CNN World: North Korea Denies Sony hack

Forbes: The Top 5 Most Brutal Cyber Attacks of 2014

Time: Here’s What Chinese Hackers Actually Stole From U.S. Companies

Time: China’s Red Hackers

WebRoot: Computer Hackers and Predators

Bloomberg Business Week: Target Missed Alarms

Washington Times: Cyber Command Investment Ensures Hackers Targeting US Face Retribution

The New York Times: North Korea Loses its Link to the Internet

New York Post: Hackers Steal 83 Million Chase Customers’ Info

Mashable: Hacktivism

International Business Times: What is Anonymous?

CDR Global Inc: Hacking for Good

Guardian: There are real and present dangers around the internet of things

I Am the Cavalry: Homepage

Michael Sliwinski
Michael Sliwinski (@MoneyMike4289) is a 2011 graduate of Ohio University in Athens with a Bachelor’s in History, as well as a 2014 graduate of the University of Georgia with a Master’s in International Policy. In his free time he enjoys writing, reading, and outdoor activities, particularly basketball. Contact Michael at staff@LawStreetMedia.com.

The post Hacking: The New Kind of Warfare appeared first on Law Street.

Disturbing New Developments in the Continuing Sony Hacking Scandal
https://legacy.lawstreetmedia.com/news/disturbing-new-developments-sony-hacking-scandal/
Tue, 16 Dec 2014 21:56:34 +0000

The latest developments in the Sony Hacking Scandal are more disturbing than the previous juicy leaks, as group threatens 9/11-like scenario.

The post Disturbing New Developments in the Continuing Sony Hacking Scandal appeared first on Law Street.

Image courtesy of [The City Project via Flickr]

Another day, another leak. It seems like the leaking of some information to do with Hollywood–whether it be nude photos, salaries, or emails–happens on pretty much a weekly basis now. However, this leak from entertainment super-company Sony is probably going to go down in history to top all others. And I don’t think it’s quite done spitting out Hollywood gossip and insider information.

A few weeks ago, hackers got into Sony’s computer system and freed all sorts of information. Some of it was sort of run-of-the-mill hacker leaks–personal information about people who worked for or were affiliated with Sony. This includes information that could very easily lead to identity theft–things like Social Security numbers, credit card numbers, and usernames and passwords. Sony has promised a year of identity theft prevention services to its employees in the wake of this particular realization.

But then there were also some things released that were much more about show biz. For example, Sony is now getting flak after it was leaked that the female stars of American Hustle–Jennifer Lawrence and Amy Adams–were compensated less than their male counterparts. Other emails revealed Sony’s courting (or lack thereof) of particular stars such as Leonardo DiCaprio and Ryan Gosling.

On a lighter note, probably the most adorable email ever written by Channing Tatum was released. As Gawker so aptly put it: “He writes email like a dog with a stick wags its tail.”

There were also many conversations about various kinds of liability that Sony now has to deal with. For example, there’s an all-female Ghostbusters project in the works, and members of the studio had conversations about whether or not to sue Bill Murray to get him into the movie. There was also a discussion about how angry Kim Jong-Un was going to be after the release of the movie The Interview, which happens to be about assassinating the North Korean leader.

There’s more, but just take my word for it that Sony has had to do a lot of apologizing, back-tracking, and the like in the last few weeks. Its entire Public Relations department probably deserves a raise.

The hackers probably aren’t going to stop releasing information anytime soon. The group is called the Guardians of Peace and they’re kind of holding the studio hostage. They’ve promised a “Christmas Gift,” but not a particularly nice one. In fact, it’s going to be more like coal in Sony’s stockings, in the form of even more private information and correspondences leaked. The message from the Guardians of Peace says:

We have a plan to release emails and privacy of the Sony Pictures employees. If you don’t want your privacy to be released, tell us your name and business title to take off your data.

They are threatening that the information is even more interesting than what’s already been released–and that’s been pretty juicy. The hackers have said that they would not release certain people’s information if they responded with their names and business titles. It all seems like it could be a ploy, but given the amount of seemingly private information that has already been released, Sony has every reason to be freaked out.

And it’s not just Sony that has reason to be freaked out. Seth Rogen, who stars in The Interview–a particular target of the Guardians of Peace hackers–has announced he will be canceling many of his appearances. His co-star James Franco is taking similar steps. The Guardians of Peace have hinted at a violent attack on the theaters showing The Interview–even referencing the terrorist attacks of 9/11. The message specifically reads:

The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you’d better leave.) Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment.

The trend of hackers with higher technical abilities messing with celebrities or others in the public eye doesn’t seem like it’s going to be left behind in 2014. This seems like an entirely new situation though–the Guardians of Peace don’t appear to just be after celebrity nudes or gossip. This controversy has taken the entertainment world by storm, and people are rightly concerned.

Anneliese Mahoney
Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

PSA: Nude Photos Will Send You to Jail
https://legacy.lawstreetmedia.com/blogs/culture-blog/psa-nude-photos-will-send-jail/
Tue, 21 Oct 2014 18:56:49 +0000

A Virginia woman was convicted under the state's new revenge porn law.

The post PSA: Nude Photos Will Send You to Jail appeared first on Law Street.

Image courtesy of [Pro Juventute via Flickr]

Hey y’all!

Last week Rachel Craig, 28, from Waynesboro, Virginia was convicted under the state’s new revenge porn law. She faces up to one year in jail and a $2,500 fine. The revenge porn law went into effect in July and it criminalizes posting nude pictures of someone on the Internet without the individual’s consent. Craig was said to have been in an argument with her former boyfriend when she allegedly stole a picture of his current girlfriend from his phone and posted it on Facebook. Craig even took full credit for the act and warned the victim “not to mess with her” according to Sgt. Brian Edwards of the Waynesboro, Virginia Police Department.

Okay. I’m sorry. What!?! I have so many questions. First of all, if he is your former boyfriend why are you still even communicating with him? Secondly, what was she doing with his phone at all? Third, don’t you think at 28 you would be mature enough to not take this to Facebook? I don’t get it. I don’t get the blatant disregard for an innocent bystander and the maturity level of this woman. I also kind of wish there was a stupid clause tacked on to the law to give this girl an extra six months to sit in solitude and think about how dumb this whole situation is. Craig might go to jail and have to fork over $2,500 for something petty that could have been avoided if she just stopped and thought about what was the real issue and not harming an innocent bystander.

Two months ago another woman in Virginia — Crystal Cherry — was also charged with revenge porn because she posted nude photos of her boyfriend’s former girlfriend on Instagram and Twitter just days after the new law went into effect. Again, another one of these women who is dumb enough to take to social media and create issues that could be avoided at all costs if she could just handle her problems like an adult.

I like this law. The only thing that concerns me is that if this is a first-time offense, both Crystal and Rachel will probably not do any time and will just pay the fee. I know prisons are crowded and our tax dollars are hard at work with sustaining life for idiots who like to break the law, but maybe there should be something a little bit more that we could do. Maybe a class on how to not be so stupid? Or teach kids the proper way to use social media?

I like Facebook and Instagram and I admittedly have a serious love of Twitter, but I don’t need to know everything that you are doing. I don’t need to read about your daily drama. And I definitely don’t want to see you posting nude photos of another woman just because you’re mad at some dude who probably won’t matter to you in five years. Craig and Cherry get to be reminded of that every day now for the rest of their lives when they have to include their misdemeanor convictions on any application they fill out.

This month Jennifer Lawrence is on the cover of Vanity Fair and in her interview she mentions the celebrity nude hacking scandal that she was a part of. J-Law called it a “sex crime not a scandal,” and I tend to agree with her. Not only did this hacker violate someone’s privacy but also committed a cyber crime. Hundreds of celebrities’ nude photos were splashed across the internet, violating their privacy. Some people say that when you choose the life of a celebrity you choose to give up your privacy, but I completely disagree. Celebrities are still people. But I will criticize anyone who is dumb enough to take nude photos and save them anywhere. iCloud is not secure. Your computer is not secure. There is always someone trying to hack into something that will violate you in some way and they may just be doing it for the fun or just because they can.

Even some idiot Pasadena, Texas school teacher gave nude photos to a student she was having an affair with who ultimately ended up sharing them with others. Ashley Zehnder, 24, had reported that nude photos of her were being shared throughout the school where she taught. An investigation revealed that she was sleeping with a student who shared them. Will anything happen to the student who was having the affair and sharing the nude photos? Probably not. But Zehnder lost her job, will go to jail, and will probably have to register as a sex offender. Can we say Mary Kay Letourneau?

I think that there is a lesson in all of this. People need to be more cautious about what they are doing and where it is being saved. Craig and Cherry’s victims are on the same side as Jennifer Lawrence and other celebrities. The only difference is Craig and Cherry got caught. Zehnder is the predator and the victim. Her private nude photos were shared with an entire school but she also preyed on a student.

Word to the wise: if you are going to take nude photos use a Polaroid and burn them when you are done if you don’t want them to be shared. Or better yet, just don’t take them. Have a little modesty and respect for yourself. If you want to share being nude do it in person where the only other person looking at you can only use their memory, not a hard copy that could be sent out to the world.

Allison Dawson
Allison Dawson was born in Germany and raised in Mississippi and Texas. A graduate of Texas Tech University and Arizona State University, she’s currently dedicating her life to studying for the LSAT. Twitter junkie. Conservative. Get in touch with Allison at staff@LawStreetMedia.com.

Arizona’s Well Intentioned Revenge Porn Law Totally Misses the Point
https://legacy.lawstreetmedia.com/news/arizona-well-intentioned-revenge-porn-law-totally-misses-point/
Wed, 24 Sep 2014 17:41:48 +0000

You can't make everyone happy all the time.

The post Arizona’s Well Intentioned Revenge Porn Law Totally Misses the Point appeared first on Law Street.

Image courtesy of [MorBCN via Flickr]

You can’t make everyone happy all the time. That’s an old principle that Arizona is learning this week as its new revenge porn law draws ire, outrage, and even a few lawsuits. Most critics are claiming that the law is way too broad and will criminalize people for things that probably don’t qualify as revenge porn.

Revenge porn is absolutely a real problem. There are countless stories of women whose jilted exes, or men they rejected, submit nude photos of them to be ridiculed by the denizens of the internet. Or the women whose faces are flawlessly photoshopped onto naked bodies. Or the women who have their emails hacked, and their nude photos stolen for no apparent reason other than that the hacker wanted to shame, ridicule, or ogle them.

Revenge porn has made headlines recently because its victims have gotten notably more high profile. Two releases of nude photos in the past month have targeted celebrities such as Jennifer Lawrence, Gabrielle Union, and Ariana Grande. Sometimes a threat of revenge porn is enough to make headlines. After Emma Watson’s inspirational speech on feminism earlier this week, internet trolls have been threatening to release nude photos of her…because speaking out about inequality is clearly a crime punishable by public humiliation and degradation.

It’s within this context that Arizona passed a new revenge porn bill this week. The idea behind the bill is good, truly. But the execution is a little rough. As Wired summed it up:

The law makes it criminal to disclose, display, publish, or advertise any images of a person who is ‘in a state of nudity or engaged in specific sexual activities’ if the person who shares or publishes the images ‘knows or should have known’ that the person depicted in the image did not consent to ‘the disclosure.’

The worry is that this could criminalize a whole bunch of stuff — for example a picture of a woman whose breast is partially exposed while breastfeeding, or a historical book that includes a nude photo, or that iconic image of the “Napalm girl” from the Vietnam War, or hundreds of other things that certainly aren’t revenge porn. It also will cause problems for bookstores and libraries, as they’ll have to make sure that everything they receive, including magazines, has pictures with specific consent. While they probably do, the off chance that this law could be accidentally broken will probably make booksellers err on the side of caution.

The American Civil Liberties Union (ACLU) has now filed a suit against the Arizona law. The organization claims that the law violates the First Amendment. Dan Pochoda, Legal Director of the Arizona ACLU, stated:

On its face it will affect a goodly amount of protected speech that has nothing to do with the prototypical revenge porn scenario. There’s a reason why so many media folks, bookseller folks, have joined (the lawsuit,) because a number of things they do in a normal course would be criminalized by this law.

On Arizona’s part, it really does get an A for effort. In an environment where many people are not only accepting but encouraging the release of the nude photos of those young female celebrities, it’s important that states take serious action against revenge porn. But the issue with this law is that it seems to fundamentally misunderstand what revenge porn is.

Revenge porn isn’t just about the sharing of nude photos without explicit consent — that seems to be more of a copyright issue. Revenge porn is about the intent behind it, and that’s usually revenge. It’s used to put a woman in her place, or shame her for being sexual, or put her in a compromising position with family and friends and work. It’s not necessarily about the nakedness, it’s about the vulnerability and helplessness that comes with it. So while Arizona’s law is a really, really great start, it fails to focus the criminalization, and instead criminalizes everything. Some narrowing could fix these problems; let’s hope that Arizona gets that and focuses on what really matters: making sure those who legitimately distribute revenge porn are punished.

Anneliese Mahoney
Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

Massive Celebrity Nude Photo Leak is Major Privacy Breach
https://legacy.lawstreetmedia.com/news/celebrity-nude-photo-leak-major-privacy-breach/
Tue, 02 Sep 2014 16:44:17 +0000

You've probably seen news stories about a massive leak of celebrity nude photos.

The post Massive Celebrity Nude Photo Leak is Major Privacy Breach appeared first on Law Street.

Image courtesy of [MingleMediaTv via Flickr]

If you’ve been on the internet in the last few days, you’ve probably seen news stories about a massive leak of celebrity nude photos. In a rather uncouth display, the mass release has been dubbed “The Fappening” by the internet. It’s a mix of “The Happening,” and…I’ll let you figure out the other part on your own. Celebrities included on the steadily growing list include Jennifer Lawrence, Rihanna, Mary Elizabeth Winstead, Kirsten Dunst, Kaley Cuoco, Ariana Grande, Kate Upton, Victoria Justice, and more. Some, like Mary Elizabeth Winstead, have acknowledged that the photos were real, while others like Victoria Justice claim they are fakes.

The pictures mostly surfaced on reddit and 4chan beginning on August 31. The photos then made their way to Twitter and other more mainstream sites. Most of the photos seem to have been obtained through hacking iCloud accounts. Put extremely simply, that means that the photos had been stored by the celebrity users to their personal accounts that included storage in the iCloud network. Benefits of the iCloud include the ability to access it from multiple accounts and locations, as well as freeing up space on a hard drive or other storage device.

How exactly the hackers obtained the nude photos is uncertain — they could have exploited a security flaw that Apple was unaware of, or they could have obtained the celebrities’ emails and then managed to gain access to their passwords by guessing security questions or some other method. Since celebrities seem to have been specifically targeted, the average user probably shouldn’t be too worried about sensitive material being stolen off their clouds right now — but the whole controversy does raise questions about cloud-type storage. The FBI has now gotten involved in the scandal and it appears to be searching for the hacker(s) who managed to get into the iCloud accounts and released the photos.

The whole fact that the photos got out in the first place is concerning. Celebrity pictures are leaked frequently, but usually just one or two. These leaks encompass hundreds, perhaps thousands, of photographs of young women whose privacy was seriously invaded for no other reason than the fact that they are both attractive and good at their jobs. And not only have their private accounts been hacked, the omnipresent internet trolls are more than willing to make fun of them for their concerns. Many have said that because the women took the pictures and uploaded them to the cloud at all, they deserve to have them released en masse.

Seriously? These women took pictures in the privacy of their own homes, with no intention of releasing them to the public. True, uploading them to a possibly hackable network was their own choice, but it was far from a damnable one. Imagine that these women had nude pictures taken of them by a peeping tom or a stalker. I have to think the public outcry would be greater — at least I hope it would be — but I don’t really see a huge difference. Either way, privacy is being ignored. The photos that have been leaked were stolen, plain and simple. And now that they’re out there, they’re going to be almost impossible to get down.

There’s a reason that one of the classic nightmare archetypes is realizing that you’re naked somewhere. I have a feeling that even if you’re a famous celebrity, that holds true. To all the people who are looking at the photos right now, please remember that those are real people who did not consent to have these pictures released to the public. Remember that before you look, and think about how you’d feel to have the entire world see your naked photos. I have a feeling it’s eerily similar to a nightmare.

Anneliese Mahoney
Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

Cybercrimes: Does the Punishment Actually Fit the Crime?
https://legacy.lawstreetmedia.com/blogs/crime/cybercrimes-punishment-actually-fit-crime/
Wed, 04 Jun 2014 15:14:57 +0000


The post Cybercrimes: Does the Punishment Actually Fit the Crime? appeared first on Law Street.

Image Courtesy of [orangesparrow via Flickr]

The recent attack on the New York Times by a group of Chinese hackers has once again brought the issue of cybercrimes to the forefront of the nation’s consciousness, serving as a forceful reminder to the United States government that computer-based crime is something that it can no longer afford to ignore.

Just last year, the Internet Crime Complaint Center (IC3) received 262,813 complaints from consumers who collectively lost more than $781 million. This number represents a 48.8 percent increase in losses from 2012, and while the data is not yet available for 2014, it seems apparent that cybercrime is a very real problem for thousands of Americans, and it is not going anywhere anytime soon.

In fact, the United States leads the world in the number of complaints related to internet crime, monopolizing a whopping 90.63 percent of all complaints worldwide. Despite this not-so-prestigious position, legislation has not been able to keep pace alongside the rapid advance of technology, and there is a great deal of ambiguity on just how the perpetrators of cybercrimes should be punished.

Some people argue that the sentences for cybercrimes are far too lenient, often allowing criminals to profit from their crimes and failing to deter other criminals from committing similar offenses. For example, Albert Gonzalez, the perpetrator of the infamous hacking of TJX Companies, was only sentenced to serve two concurrent 20-year sentences in prison. This means that despite the fact that he had stolen credit and debit card numbers from approximately 45.6 million people, he could be out of prison by 2025 if he is on his best behavior.

Had Gonzalez committed the equivalent of this crime in the real world (for example, robbing a bank for the money he stole, or physically stealing 45.6 million credit/debit cards from their rightful owners) he would most likely be in prison for the rest of his life. Yet despite the fact that the damage done was inestimably larger than if he had committed his crime in the real world, the punishment is somehow less severe, even though his actions quite literally affected the lives of millions.

Perhaps these discrepancies are what led the push for harsher maximum sentences for cybercrimes, or maybe it was a direct response to a flawed report released by McAfee stating that cybercrime costs the United States economy about $1 trillion a year (though that number was later amended to somewhere around $140 billion). Whatever the reason, there is now the fear that the government has gone too far in light of recent reforms meant to intimidate cybercriminals.

The Electronic Frontier Foundation (EFF) is a San Francisco-based group that believes that legislation such as the Computer Fraud and Abuse Act (CFAA) is too broad and vague to be fair, imposing harsh maximums on relatively harmless crimes. They advocate for changes in the legislation, stating that more precise language is needed in order to protect relatively harmless offenders from harsh and lengthy prison sentences and fines.

For example, the recently deceased Aaron Swartz faced 13 felony counts of hacking and wire fraud at the age of 26 simply because he used MIT’s computer network to download millions of articles from JSTOR without permission. Despite the fact that the crime was non-violent and relatively harmless, Swartz faced both the possibility of decades of jail time and backbreaking fines for those illegal downloads, a sharp contrast to violent crimes that carry much lighter sentences.

It seems inherently illogical that in today’s society illegal downloads should carry a higher maximum sentence than violent crimes such as rape. Yet it also seems impractical that someone who steals millions of dollars from credit and debit cards should be in jail for less time than if they had gone through the trouble to physically rob a bank.

To say the least, cybercrime sentencing is an issue that needs a lot more exploration than it has currently been given. Current laws may even require new sentencing guidelines made specifically to accommodate internet crime. Cybercrimes fail to be contained within traditional modes of sentencing and punishment, and often the sentences given seem to be too harsh or too lenient to fit the crime.

Donald R. Mason, a professor at the University of Mississippi School of Law, suggests that more attention needs to be focused on post-conviction matters such as sentencing and victim impact, as well as alternative resolutions that are tailored to the issues raised by the complex nature of these crimes.

For example, if the motivations for cybercriminals are radically different from the motivations of traditional criminals, the existing models may no longer serve as effective deterrents to crime. Along those same lines, if the scope of internet victimization is hard to measure or not detectable until long after the incident occurs, traditional models of measuring harm may no longer be applicable or effective either.

Though much attention has been given up to this point to the subject of detecting, apprehending, and prosecuting cybercriminals, more attention needs to be paid to what happens next. Doing so is the only way to ensure that the punishment truly does fit the cybercrime, and that the victims of these offenses receive the justice they deserve.

 

Nicole Roberts
Nicole Roberts is a student at American University majoring in Justice, Law, and Society with a minor in Mandarin Chinese. She has a strong interest in law and policymaking, and is active in homeless rights advocacy as well as several other social justice movements. Contact Nicole at staff@LawStreetMedia.com.

Criminals Availing in Cyberspace https://legacy.lawstreetmedia.com/blogs/crime/criminals-availing-cyberspace/ https://legacy.lawstreetmedia.com/blogs/crime/criminals-availing-cyberspace/#comments Tue, 03 Jun 2014 19:59:04 +0000 http://lawstreetmedia.wpengine.com/?p=16380

The post Criminals Availing in Cyberspace appeared first on Law Street.

Security breaches among major companies such as Target, eBay, and Neiman Marcus dominated news headlines this past year and led many to wonder about the safety of the information stored with organizations throughout the United States. The statistics from the May 2014 US State of Cybercrime Survey are far from reassuring.

The survey, a combined effort of PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the US Secret Service, states that the number of cybercrime incidents and the fiscal losses they incur are rapidly rising. The findings reveal that this is mainly because the companies could not adequately defend themselves from cyber-attacks. According to the 2014 survey, the top five methods for cyber-attacks involve malware, phishing (the attempt to acquire sensitive information such as usernames or passwords), network interruption, spyware, and denial-of-service attacks.

The report covered information from 500 different corporations and government agencies, including law enforcement, and stated that “three out of four had had some kind of security breach just in the last year, and the average number of incidents per organization was 135.”

Fourteen percent of those surveyed reported that monetary losses attributed to cybercrime have increased in the past year. The actual costs are generally not known, as the majority of those who reported a cyber attack were unable to estimate the associated financial costs. Of the few survey respondents that could, the average yearly loss was around $415,000. Businesses are beginning to feel that cyber security is an issue that is out of their control and that cyber attacks are costing them an increasing amount of money.

Why the Rising Rate?

One of the major problems associated with the rising rate of cybercrime is that few companies, only 38% according to the survey, are adequately prepared to combat cybercrime. These rising rates are not simply due to inadequate defenses, but also increasingly sophisticated techniques used by cyber criminals. According to an article on Time.com, the most pertinent threats to cyber security in the United States come from Syria, Iran, China and Russia.

There are two kinds of big companies in the United States: those who’ve been hacked by the Chinese and those who don’t yet know that they’ve been hacked by the Chinese.

-FBI Director James Comey

The 2014 report lists major reasons why these attacks are on the rise, among them that most organizations do not spend enough on cybersecurity and do not properly understand cybersecurity risks. According to the survey, there is also a lack of collaboration among companies that have experienced a breach or other form of cyber attack; it notes that “82% of companies with strong protection against cybercrime collaborate with others to strengthen their defenses.” Other pertinent issues leading to increased cybercrime are insufficient security of mobile devices and lack of proper evaluation of attacks within organizations.

What Can Be Done to Lower the Rate of Cyber Attacks?

According to the 2014 survey, one major way for corporations and agencies to prevent cybercrime is through company-wide employee training, which has been shown to be effective but is not currently used frequently enough. According to an article on CSO’s website, many organizations aren’t running information security training programs that are up to date. The 2014 survey recommends that the main focus of companies should be protecting the private financial information of their consumers. Perhaps as companies continue to strengthen their cybersecurity efforts, the rate of attacks from online adversaries will begin to lower, causing the 2015 report to reflect a decrease in cybercrime.

Marisa Mostek (@MarisaJ44) loves globetrotting and writing, so she is living the dream by writing while living abroad in Japan and working as an English teacher. Marisa received her undergraduate degree from the University of Colorado in Boulder and a certificate in journalism from UCLA. Contact Marisa at staff@LawStreetMedia.com.

Featured image courtesy of [geralt via Pixabay]


Is America Ready to Fight Cybercrime? https://legacy.lawstreetmedia.com/blogs/is-america-ready-to-fight-cybercrime/ https://legacy.lawstreetmedia.com/blogs/is-america-ready-to-fight-cybercrime/#comments Tue, 18 Feb 2014 11:30:18 +0000 http://lawstreetmedia.wpengine.com/?p=12099

The post Is America Ready to Fight Cybercrime? appeared first on Law Street.

In the 21st century, many people do not consider how vulnerable their high-tech gadgets are to outside hackers. Information can be stolen at the swipe of a password, and it will take some time before you notice anything is wrong. The same can be said for governments fighting to stay on top of the latest technologies — especially the type that can help defend them against various enemies. These enemies, however, are no longer those we traditionally think of (‘evil’ governments and terrorists), at least not for our elected officials. In fact, the challenge of our time, according to many top feds and military officers, is defending against cybercrime.

Following the hacking onslaught against retail giant Target, the Federal Bureau of Investigation (FBI) warned that more attacks are on the way, considering the attraction for additional cyber criminals to score easy money off of unsuspecting businesses. According to a paper released by the Ponemon Institute in 2012, cybercrimes cost businesses at least $8.9 million annually, and if they do not modernize security practices soon, hackers may get away with a lot more than just someone’s credit card information.

The National Institute of Standards and Technology (NIST), a federal technology agency, released a 39-page report on Wednesday to set industry standards implementing adequate protections so that businesses do not continue to get hit with hacking attacks from all over the globe. The report itself focuses on three main points:

  1. Framework Core: “A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors…that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.”
  2. Framework Implementation Tiers: “Provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework.”
  3. Framework Profile: “The alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity.” 

Even though the goals are well-intentioned, the fact that the report comes out of an executive order from the President could throw a wrench into the implementation within Congress, as the members are already at odds as to whether or not the President should have more freedom interpreting legislation. However, there may still be a shot at cooperation between the two branches on this front, as business executives continue to pressure lawmakers at cybercrime hearings.

And they may not have a choice but to work together, as Joint Chiefs of Staff Chairman Martin Dempsey explained at a speech in June 2013 that “strengthening our cyber defenses on military systems is critically important, but it’s not enough in order to defend the nation.” Citing an investment of $23 billion into cyberdefense, four thousand new Cyber Command recruits, and three new teams focusing on defense of the nation, battlefield commands, and global military networks, Chairman Dempsey indicated that the United States is mounting intimidating offenses but that the country has a lot of catching up to do. In another hearing in February 2012, Senator Lindsey Graham inquired of Dempsey about cyberattack threats from China, often an alleged source of hacking. In response, the Joint Chiefs Chairman replied that China’s hacking seems to target intellectual property and trade secrets more than anything else, but if they were to attack the United States’ infrastructure, they should expect a similar response.

As major nations all around the globe come to grips with the rising tide of cybercrime, the United States is most certainly ramping up its defenses. While military leaders warn that what we have in store is not enough, federal officials continue to release new indicators that they’re serious about tackling the issue. Despite all of the rhetoric, business leaders in the nation continue to experience cyber crimes, having their secrets stolen and clientele information hacked. There is still a lot of work to be done if the United States is going to be ready for a future of relentless cybercrime.

Dennis Futoryan (@dfutoryan) is an undergrad with an eye on a bright future in the federal government. Living in New York, he seeks to understand how to solve the problematic issues plaguing Gothamites, as well as educating the youngest generations on the most important issues of the day.

Featured image courtesy of [elhombredenegro via Flickr]

Dennis Futoryan
Dennis Futoryan is a 23-year old New York Law School student who has his sights set on constitutional and public interest law. Whenever he gets a chance to breathe from his law school work, Dennis can be found scouring social media and examining current events to educate others about what’s going on in our world. Contact Dennis at staff@LawStreetMedia.com.

Conservatives Are Deliberately Hacking Healthcare.Gov https://legacy.lawstreetmedia.com/blogs/culture-blog/conservatives-are-deliberately-hacking-healthcare-gov/ https://legacy.lawstreetmedia.com/blogs/culture-blog/conservatives-are-deliberately-hacking-healthcare-gov/#comments Tue, 19 Nov 2013 03:00:35 +0000 http://lawstreetmedia.wpengine.com/?p=8282

The post Conservatives Are Deliberately Hacking Healthcare.Gov appeared first on Law Street.

How was your weekend, loves? Mine was fabulous!

But Obamacare’s weekend was kind of rough.

On Sunday, The Daily Kos reported that the frustrating, glitchy, failure-face of a website that is Healthcare.gov is such a mess, in part, because of coordinated conservative hackattacks.

That’s right. You heard me correctly.

Conservatives are hacking into Healthcare.gov to prevent it from working correctly.

Specifically, hackers have been launching DDoS attacks—an acronym that stands for Distributed Denial of Service—against the site, which function to make a network unavailable to users.

Sound familiar? I think so! How many gazillions of stories have you heard about uninsured, Obamacare-enthused folks getting kicked off the site, denied access to sign up for their government-sponsored health benefits?

Probably a lot.

These cons are SERIOUSLY getting on my nerves.

And that’s not all. In addition to these hackattacks—which are being launched with a tool called “Destroy Obama Care,” no joke—conservative lawmakers are encouraging insurance companies to fraudulently screw over their customers, and blame Obamacare for the ridiculousness.

For example, in Florida, douchebag extraordinaire Governor Rick Scott required insurance companies to blame Obamacare for any canceled plans, even if their reasons for canceling those plans had NOTHING AT ALL to do with Obamacare.

Lie, he said. It will be profitable, he said.

But actually. Because let’s be real here. Insurance companies make a lot of money for doing very, very little. They make healthcare prohibitively expensive. They’ve made medicine less about saving lives, and more about making money.

I mean really. The U.S. is the only country in the world where Breaking Bad makes any goddamn sense.

So when conservative lawmakers freak out about how horrible Obamacare will be, they’re really just lamenting the oncoming fall of big business. Of insane wealth disparities. Of that line in the sand that separates the haves from the have-nots.

Because what LOGICAL reason exists to vehemently defend the existence of companies that make healthcare INACCESSIBLE to the vast majority of Americans?

Seriously. Let’s look at a hypothetical example, shall we?

Mom gets breast cancer. It’s fairly advanced, but not untreatable.

She doesn’t have health insurance, because it’s way too expensive. She made a choice between paying for her monthly groceries, and electricity, and heat, and part of her mortgage payment—OR paying for health insurance. Years ago, she chose the former.

So now, here we are. Breast cancer. It wasn’t caught earlier because Mom lives in a state where women’s health funding has been slashed. Her local women’s clinic closed down. (Thanks Republicans.) She hasn’t had a mammogram in years. Preventive care wasn’t readily available to her.

Now that she has her diagnosis, Mom faces a choice. She can get treatment for her breast cancer, but she’ll go bankrupt paying for it. Or, she can forgo treatment, continue scraping by for now, and wait for the inevitable.

This is a bullshit choice.

The reality for Americans without insurance is completely absurd. They live in a wealthy, developed nation, where there are clean hospitals, abundant medicine, and well-equipped doctors. Quality medical treatment is right here. It’s there for the taking.

But it’ll cost you your house. And your groceries. And the clothes on your back. Actually, if you take advantage of all those lifesaving facilities, you’ll likely wind up bankrupt and homeless.

So really, for these Americans—for this fictional, hypothetical working mom with breast cancer—what’s the point of being American? What’s the point of living in the United States? She might as well live in a struggling, rural nation that has very few hospitals, and very little medicine. Her access to those facilities would be roughly the same.

And that’s completely insane. It makes no sense that uninsured people in the United States must choose between two life-destroying options: forgo treatment and wait for death, or go into total financial ruin.

I really wish I was, Chelsea.

The only reason anyone should forgo medical treatment is if treatment does not exist. You can’t go to the hospital for chemotherapy if there is no hospital, if there is no chemo.

But we do have hospitals. We do have chemo. And so, people should be able to use them. While also keeping a roof over their heads and food in their mouths.

This is not a difficult argument to make. This is just common sense.

But conservatives are abandoning that logic. They’ve made it their mission to defend a system that clearly isn’t working. They’re defending a healthcare system that bankrupts people. They’re defending insurance companies that lie and swindle their customers. They’re encouraging those insurance companies to act fraudulently.

This is stupid, am I right?

So lovelies, let’s try and put an end to this madness, mmkay? Obamacare is not ideal, but it’s a step in the right direction. It’s a step toward affordable and accessible healthcare for all. So let’s get behind it.

Featured image courtesy of [LaDawna Howard via Flickr]

[Featured image courtesy of the LA Times]

 

Hannah R. Winsten
Hannah R. Winsten is a freelance copywriter, marketing consultant, and blogger living in New York’s sixth borough. She hates tweeting but does it anyway. She aspires to be the next Rachel Maddow. Contact Hannah at staff@LawStreetMedia.com.
