Cyber Scene

Cyber Scene is intended to provide an informative, timely backdrop of events, thinking, and developments that feed into technological advancement of SoS Cybersecurity collaboration and extend its outreach.

Cyber Scene #1 - Public-Private Sector Coordination on Cybersecurity

 


The Center for Cyber and Homeland Security at George Washington University (GWU) hosted its Annual Strategic Conference on 3 May 2016 focused on “Public-Private Sector Coordination on Cybersecurity.” Across multiple sessions, a swath of public sector leaders as well as US intelligence community “titans”—former heads of CIA’s Counterterrorism Center, the National Counterterrorism and Counterintelligence Centers, and present DHS officials—combined engaging presentations with vibrant Q & A exchanges open to the public and captured live by CSPAN. This session also included foreign audience participants and French embassy officials, following up the French Minister of Interior Cazeneuve’s 11 March GWU presentation on the heels of this year’s Paris attacks. Among other pressing issues, one panel predicted an upturn in the public’s interest in cybersecurity due to lawsuits against private sector companies deficient in providing sufficient cybersecurity—and attendant US congressional and judicial response to define and regulate such legal action. See (video or text): http://www.c-span.org/video/?409023-2/george-washington-university-national-security-cybersecurity-conference


As SoS outreach continues its transoceanic direction, the view on US private-public sector from the UK’s thoughtful Economist is enlightening. In 16 April 2016’s article entitled “Encryption and the law: Scrambled regs,” The Economist casts the present situation as a cold war heating up and putting “America’s technology firms on a collision course with its policemen and spies.” It too looks at US Congressional activity as well as the implication for US domestic rules that leave “the truly dangerous” using more robust software written overseas. See:  http://www.economist.com/news/united-states/21696937-cold-war-between-government-and-computing-firms-hotting-up-scrambled-regs.



Cyber Scene #2 - Cybersecurity: Raising the Bar

 


Legal perspectives on overarching academic, Intelligence Community, private sector industry, and Congressional concerns

  

(1) The American Bar Association Standing Committee on Law and National Security continues its work begun in 1962 on educating the Bar and the public on rule of law issues to preserve the freedoms of democracy and national security. To that effect, the Cybersecurity Working Group was founded in 2012 and, by the end of 2013, had compiled, for “educational and informational purposes” (many legal disclaimers here!), “The Playbook for Cyber Events” and “The ABA Cybersecurity Handbook.” The working group continues, with support from its Cybersecurity Legal Task Force, to convene and explore contemporary as well as future legal aspects of cybersecurity concerns and be poised, a priori, for action. Read more at: http://www.americanbar.org/groups/public_services/law_national_security.html and http://www.americanbar.org/groups/leadership/office_of_the_president/cybersecurity.html

Three events in Washington D.C. are slated for June–November 2016 to advance this forum’s discussion and understanding. They are:

  1. 8 June 2016, NYU in Washington D.C. The Honorable James E. Baker, Chief Judge (ret.), U.S. Court of Appeals for the Armed Forces and Chair, ABA Standing Committee on Law and National Security, will introduce a forum including the authors Zachary Goldman and Samuel Rascoff to discuss their book, Global Intelligence Oversight, which addresses cybersecurity among related topics. ABA National Security Chair Harvey Rishikof will moderate.
    See: http://www.americanbar.org/content/dam/aba/images/law_national_security/book-talk-june-8-flyer.pdf
     
  2. 24-25 August 2016, 11th Annual Homeland Security Law Institute, Washington Convention Center, Washington D.C.
    See: http://shop.americanbar.org/ebus/ABAEventsCalendar/EventDetails.aspx?productId=240666089
     
  3. 14-15 November 2016, The 26th Annual Review of the Field of National Security Law, Washington D.C.
    See: http://www.americanbar.org/groups/public_services/law_national_security.html
     

(2) Relatedly, both formal publications (e.g., law reviews) and informal blogs are addressing legal cybersecurity issues on today’s table. The Harvard National Security Journal (http://harvardnsj.org/2016/02/volume-7-1/) is a law-student/think tank joint venture affiliated with the Harvard Law School - Brookings Project on Law and Security, capturing both broad governmental perspectives (e.g., the Assistant Attorney General for National Security’s address to Harvard Law on future options) and animated blog-based exchanges. One such blog post, Susan Landau's “Don't Panic” from Harvard’s Berkman Center, posited that the growth of strong encryption would not significantly hinder intelligence or law enforcement collection. This has launched an even more spirited academic, legal, Intelligence Community, and Congressional response over the last 2 weeks (through 21 May to date), including from the Director of National Intelligence, Jim Clapper, who countered in a letter to Senator Wyden that Landau’s Berkman Center report was wrong, and that “the impediments to our efforts to protect the nation...cannot be fully mitigated by alternative means.” This debate continues to spawn a host of thoughtful legal opinions from law professors, students, the Journal of National Security Law and Policy, Heritage Foundation, Brookings and Stanford’s Hoover Institutions, as well as present homeland security consultants and present and former senior DHS and IC officials. See https://www.lawfareblog.com/ic-thinks-harvard-wrong-about-encryption for a sampling and useful links.



Cyber Scene #3 - US Executive and Legislative Branches’ Cybersecurity Activity; Private Sector Code Conference

 


The White House:

Cyber Scene #2 addressed the American Bar Association’s Law and National Security work on cybersecurity. On the executive side, the White House has called on Congress for legislative action to include over $22.1 billion in funding for the following Cybersecurity National Action Plan (CNAP) and its alliance with the private sector. CNAP highlights include calling upon working with the US Congress to:

Read more at: https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan


Relatedly, the White House Office of Science and Technology Policy (OSTP), which is responsible, in partnership with the Office of Management and Budget (OMB), for advising the President on Federal S&T R&D prioritization and budget and for coordinating across those Federal agencies that have significant portfolios in science and technology, has released its R&D budget for 2017 to implement the CNAP. OSTP also administers the National Science and Technology Council (NSTC), which coordinates research initiatives across Federal S&T agencies.
See: https://www.whitehouse.gov/administration/eop/ostp/rdbudgets


Congress:

The U.S. House of Representatives Homeland Security Committee has established a bipartisan subcommittee on “Cybersecurity, Infrastructure Protection, and Security Technologies.”

This subcommittee has been holding hearings every few months, most recently on 24 May 2016, to probe particular complex and thorny issues. “Meet” the Subcommittee members (photos, bios) and activities, here.

Cyber Scene will continue to watch for any forward movement on implementation by Congress of any CNAP initiatives and continue to track ABA influence as well as Supreme Court actions related to cybersecurity.


Private Sector: Code Conference

World and US tech leaders concluded their 3-day, invitation-only Code Conference on 2 June 2016 to project into the next 5 years of tech challenges and developments. The CEOs of Amazon, Google, Twitter, the Gates, and many other brilliant luminaries who influence cybersecurity issues and the daily lives of everyone met over 3 days to exchange views. Among many outbriefs following the conference captured by PC Magazine, the NYTimes, and the media writ large, Cisco CEO Chuck Robbins cited as the #1 issue the need to dynamically defend against network threats, now calculated at 20 billion per day. See more at: http://video.cnbc.com/gallery/?video=3000522641. For a broader readout of the conference and late-breaking off-shoots, see https://events.recode.net/events/code-conference/, and particularly explore both the press (including videos) and the trending drop downs.



Cyber Scene #4 - Post-BREXIT: Transatlantic Cyber Defense Issues

 


Given the unlikely event of what the Economist on 2 July dubbed “...the possibility of an inelegant, humiliating, and yet welcome, Breversal,” the United Kingdom (UK) ushered in Prime Minister Theresa May and wrestled with its planned withdrawal from the European Union (EU) while the North Atlantic Treaty Organization (NATO) nations addressed cyber defense issues at the Warsaw Summit on 8–9 July 2016. The New York Times reported: “Europe, the anchor of the trans-Atlantic alliance, is battling centrifugal forces unleashed by Britain’s vote to leave the European Union.” As a counterweight, President Obama addressed the NATO Summit, stating “We haven't simply reaffirmed the alliance; we're moving forward with the most significant reinforcement of collective defense any time since the Cold War.” Recently, ex-Prime Minister David Cameron affirmed that despite its decision to leave the EU, the UK is not turning its back on Europe or on European security. The NATO Secretary General, former Norwegian Prime Minister Jens Stoltenberg, added that NATO was undergoing the biggest reinforcement to its collective defense in a generation.

Just prior to the Summit, NATO agreed to elevate cyberspace to the conflict domain of ground, air, sea, and space operations. This follows the February 2016 NATO Technical Arrangement on cyber defence cooperation with the EU, stating that international law applies to cyberspace. The US, for its part, published a list on 8 July entitled “U.S. Assurance and Deterrence Efforts in Support of NATO Allies” to underscore this direction. See: The Economist Special Edition Anarchy in the UK and particularly "Adrift" (p. 10) of 2 July 2016 in http://www.economist.com/news/leaders/21701479-leaderless-and-divided-britain-has-its-first-taste-life-unmoored-europe-adrift, http://www.nytimes.com/2016/07/09/world/europe/nato-unity-tested-by-russia-shows-some-cracks.html and http://www.nytimes.com/2016/07/10/world/europe/obama-at-his-final-nato-summit-meeting-acknowledges-challenges.html.

NATO Deputy Assistant Secretary General for Emerging Security Challenges, Jamie Shea, provides a dynamite summary of the ascendancy of cyber as a tool of warfare in NATO, particularly regarding cost-effectiveness, the ease of the use of proxies and anonymity, and the impact versus cost issue, in the following video clip: https://www.youtube.com/watch?v=j7y1vhCn3Hw. The recent creation of his post is in itself testimony to the shift in emphasis, even prior to BREXIT.

As the EU contracts, NATO expands, officially adding Montenegro in July 2016 to the accession process following Albania and Croatia’s joining in 2009.  Moreover, in addition to the existing NATO Cyber Defence Centre (sic) of Excellence in Estonia and the NATO Intelligence Fusion Centre in the UK, NATO Secretary General Stoltenberg announced the standing up of an intelligence fusion center in Tunisia to focus on Special Forces Training on anti-terrorism issues which have drawn in NATO members and partners.

Reinforcing NATO’s growth spurt in contrast to the EU, the Secretary General underscored that beyond the addition of the 29th NATO nation, NATO welcomes the nations who have chosen to be strong partners, such as Sweden, Finland, Austria, and Serbia. Some of these partners bring sophistication, experience, and geography to the cyber table. Interoperability, an enduring technical challenge for NATO, was tested just prior to the summit at a meeting attended virtually by 53 nations deemed “crucial security partners” by Deputy Secretary General, Ambassador, and former Pentagon Assistant Secretary for International Security Alexander Vershbow. See: http://www.nato.int/cps/en/natohq/topics_78170.htm 

For the latest on NATO’s cyber defense initiatives, see the NATO JULY 2016 FACT SHEET ON CYBER DEFENCE at http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2016_07/20160627_1607-factsheet-cyber-defence-eng.pdf

N.B. NATO officially uses British spelling.



Cyber Scene #5 - Cybersecurity threats, bench strength and talent search, and EU intelligence sharing follow-thru (or not)

 


In his presentation to the Aspen Institute on  28 July 2016, Director of National Intelligence James Clapper cited cyber threats, both from nation states as well as non-nation states, as the #1 threat.  He went on to identify Russia and ISIL as exemplars, respectively, of these two threats.

See https://www.youtube.com/watch?v=XpG9MXVoeQAn for his full discussion with Moderator Jim Sciutto and 15 minutes of Q & A.

 

As a corollary to the reference of cyber attacks from nation and non-nation states, the Federal Times has been running a series of articles on cybersecurity beginning with a Part 1 discussion of this domain's talent shortfall. "Part 2, Known Unknowns of Cybersecurity Talent Shortfall," by Steve Kirk of Fortinet, maintains that his company's research predicts that, on the heels of financial services and health care industries, "...manufacturing is likely to be the next industry specifically targeted by ransomware." The disruption of automation would be the objective.

See http://www.federltimes.com/articles/known-unknowns-of-cybersecurity-talent-shortfall-part-2 of 30 Aug. 2016.

 

Addressing the scarcity of talent (Kirk's Part 1) as well, Anne-Marie Slaughter, former Dean of Princeton's Woodrow Wilson School, former senior State Department Policy Planning Chief, and presently President and CEO of the think tank New America, writes on 22 Aug. on the importance of celebrating a new breed of tech triathletes who are capable of working across public, private and civic sectors over the course of their careers. She underscores that despite the work of entities like the Ford and MacArthur Foundations, now conjoined with Knight, Mozilla, and the Open Society Foundations in creating the Net-Gain Partnership, the demand still outstrips supply. She goes on to discuss how this public/private "ecosystem" backs into educational programs like the University of Chicago's joint degree program in computer science and public policy. LinkedIn founder Reid Hoffman has championed these efforts before Congress. Slaughter closes by arguing that every think tank should also become a tech tank, and that "...tech heroes...should be trisector athletes."

https://www.ft.com/content/e47db7fc-65f5-11e6-8310-ecf0bddad227

 

As for those athletes who excel, the Economist documents how Linux and Amazon Web Services (AWS) have been at the heart of the rise in cloud computing, and how open source software and cloud computing have launched what are known as "the cloud-computing wars" within the IT industry for a "once in a generation" battle. They predict the dominance of AWS similar to IBM 360's in the 1980's and the insertion of antitrust regulation as well.

See http://www.economist.com/news/business/21705849-how-open-source-software-and-cloud-computing-have-set-up-it-industry

 

As a follow-up to Cyber Scene #4's discussion of the impact of Brexit on intelligence sharing, leaders of France, Germany and Italy met in late August in Naples to step up intelligence sharing arrangements, distinct from the economically focused Brexiters. Germany's Angela Merkel called on national intelligence services across the EU to step up to the plate. A follow-on meeting on 16 September with the remaining EU leaders was to focus on "...looking to peel off some low-hanging fruit to try to address issues ...borders, cooperation over terrorism...perceived to be at the forefront of (European) citizens' minds," per the Managing Director of the Eurasia Group. This meeting, including all 27 EU leaders less Britain's Theresa May, who was not invited, did in fact take place in Bratislava and compiled a "Bratislava Road Map." Angela Merkel, who also gave a rare joint press conference with François Hollande, co-chaired the meeting with Polish leader Donald Tusk. There was some success on identifying areas of commonality and cooperation, but the most contentious issues continued to be out of reach, and cybersecurity and intelligence sharing were apparently not deemed low-hanging fruit.

See: http://www.wsj.com/articles/germanys-angela-merkel-calls-for-more-sharing-of-intelligence-information-in-eu-1471886210?tesla=y and http://www.economist.com/news/europe/21707344-contentious-issues-about-growth-migration-and-european-defence-have-been-postponed-later



Cyber Scene #6 - The DNI and Congress: Last Round?

 


Director of National Intelligence, the Honorable James Clapper, testified before the House Permanent Select Committee on Intelligence (HPSCI) on 17 November 2016, announcing his resignation effective 20 January 2017 and addressing the Members on cybersecurity among his top issues.

Following his reaffirmation that he does not expect Russia to back away under the new administration from its aggressive cyber attacks,  he underscored the successful "internetted" fusion intelligence cells across the country, and added:

"The challenge for us is always going to be the fundamental fact that the internet is insecure...we are going to be playing catch-up in reaction to defending our networks.  The other issue I would mention is the creation of both the substance and the psychology of deterrence in the cyber realm. .. the issue is whether you react on a binary basis or asymmetrical basis via cyber...or do you retaliate in some other way?  I think that is going to be a challenge for the country."  (01:13:08)

He then cited the need for a legal doctrine and policy--developing a body of law for cyber, which might be analogous to the US body of law, developed over 200 years, that defines the state.  This harkens back to some of the ABA discussions addressed in Cyber Scene #2.  "With cyber," he stated, "we have not had enough time to develop that body of law, and until such time as there are some norms developed and we have a firm definition of what deterrence means that is recognized by both state and non-state actors, we're going to have a problem with cyber defense." (01:14:46) 

Both video and text of the entire Congressional exchange with DNI Clapper and others is accessible at:

https://www.c-span.org/video/?418617-1/james-clapper-testifies-capitol-hill-submitting-resignation. 

 

Predicting the Cyber Future:  Other Voices

Domestic

Pre-election, several fora attempted to carry this view of the future into the arena of cybersecurity cooperation. These included Atlantic Council coverage of Michael Chertoff, now Chair of the Center for Cyber and Homeland Security at George Washington University (6 October 2016); a Washington Post-sponsored Cybersecurity Summit on 13 October 2016; and, preceding both, a Raytheon-sponsored Intelligence and National Security conference on "Securing Tomorrow," the third in the series. (All are covered by C-SPAN: see https://c-span.org/video). The post-election period, however, has created a limbo regarding a clear view of the future while awaiting the cabinet + 4,000 political appointments that will afford some indicators of the future.

Foreign

From abroad, despite BREXIT, Angela Merkel's recent commitment to run for re-election, and the run-up to the final French elections in two weeks (round #1 this weekend eliminating President Hollande in favor of party leaders François Fillon and Alain Juppé with Marine Le Pen in the mix), cybersecurity continues to rise to the surface.  The UK's chancellor of the exchequer, the reportedly lackluster "Spreadsheet Phil" Hammond,  declared on 1 November that not only was Britain developing its offensive cyber capabilities, but was doing so "...because the ability to detect, trace and retaliate in kind is likely to be the best deterrent."  New Prime Minister Theresa May, likewise "...wants the cornerstone of her government to be security,"  including the cyber variety.  https://theeconomist/news/britain/britain-flexes-its-cyber-muscles  (November 5th 2016, p. 50)

Simultaneously, US legal adjudication ramps up re: the limits of anonymous scientific criticism, deriving from  PubPeer's launch in 2012.  Google and Twitter filed a brief supporting PubPeer in January 2016, countering the argument that the law shouldn't protect anonymous commenters more than named ones. https://theeconomist.com/scienceandtechnology/the-watchers-of-the-web (November 5th 2016, pg 71.)

 In addition to the international extension of this PubPeer legal dispute, the European Court of Justice, which had declared in May 2014 that search engines such as Google can't continue to display links to information on people who have requested that it be removed, has brought to the surface both the issue of extraterritoriality and the fact that governments now care a great deal about cyberspace.  "As it has penetrated every facet of life, they feel compelled to control it.  The internet--and even more so cloud computing...has become the world's uber-infrastructure."  

https://theeconomist.com/news/britain/lost-in-the-splinternet (November 5th 2016, pp 51-52)

China's Controlling Interest

Related to this issue of control, China's new cybersecurity law is raising alarms from foreigners as well as the co-CEO of Huawei, who believes that China will never have true info security if it doesn't bring in the world's best technology (!). The law would impact both domestic as well as foreign firms on Mainland China, requiring among other still vague laws the Chinese retention of any important data that is gathered in China as well as obtaining security certifications from Chinese authorities for network equipment and software, foreign and domestic. http://theeconomist.com/news/china/the-noose-tightens  (November 12th 2016, p.42)



Cyber Scene #7 - Cybersecurity Transition

 


The President's Commission on Enhancing National Cybersecurity delivered its urgent recommendations in December 2016 for president-elect Trump, identifying actions to be taken over the next 10 years, which has now been followed by the new administration's revised draft Executive Order examining cybersecurity.  The 12-member commission, comprising business, academic technology and security's "brightest minds," addressed public-private sector information sharing on cyber threats.  Since spring, the present administration reportedly requested a 37% increase in cybersecurity resources for 2017 but found Congress unwilling to fund the Cybersecurity National Action Plan (CNAP) budget proposal outlined in Cyber Scene #3.   (see the Associated Press article in its entirety at

http:///www. miamihearald.com/news/business/technology/article118665973.html)

Economist's Special Report on Espionage Spotlights Cyber Prominence

Permeated with explicit as well as implicit cyber security issues, the Economist executed a particularly pithy five-part deep dive on Espionage (Nov. 12, pp 3-12). This analysis begins with technology and ends with the road to improvement under legal constraint/oversight on both sides of the Pond.  Peppered with photos of the usual distorted Hollywood "spies," the unforgiveable typo of "SIGNIT" in a graph, and source tributes "to all who remain anonymous" (one being Oleg Kalugin), the analysis is nevertheless excellent and worth a complete read.  For the time-constrained, a pre-digested cut follows.

Shaken and stirred  (Overview)

The introduction opens with Perestroika ("The Mitrokhin Archive" which revealed Kim Philby, inter alia) and fast forwards to Snowden, contrasting typed manuscripts with digital downloads. The analysis contrasts the world where Western intelligence agencies, whose masters were their governments, were pitted spy v. spy, with the present where the services are part of everyone's world. Beyond protecting society from terrorism, these services are now "...held to account in the press, parliaments, and courts." The analysis tracks this transition, still in progress, which is in part due to the revolution in technology. The Utah Data Center and GCHQ's "hum" of computers inside the "donut" in Cheltenham, UK, are raised as examples of how the revolution "...has brought spying closer to ordinary people." The mission, now globalized, has also evolved: coded short wave messages and drop boxes of old have morphed into computers and smartphones "...identical to those in your pocket." The services, particularly pre-emptive counter-terrorist ones, morph as well from "gatherers of evidence" to "hunters of conspiracies." The public no longer accepts "trust us" but is thirsty for transparency, whence the inherent polarity re: secrecy. The UK success in keeping the Enigma secret during World War II is juxtaposed with US journalists publishing Bin Laden's cell phone use as the impact of this so-called "need to know" harming the intelligence services' ability to protect. The special report looks at intelligence transgressions but notes that the "savage criticism" of late (re U.S. and U.K. services) is overblown. It acknowledges that "freewheeling James Bonds" (as in the report's photos) or mass surveillance are myths, and that the criticism is particularly unfair when it comes from outside the Five Eyes (US, UK, CA, NZ, AU) community, which has oversight in place.

Tinker, tailor, hacker, spy (Technology)--Who is benefiting the most from the cyberisation of intelligence--the spooks or the foes?

The report now looks at the dual-edged sword--that "the computer was born to spy"-- but also that said technology becomes supercharged in a multi-polar, multi-dimensional world.  At $3.4 trillion, the internet has resulted in cyber leaps and "signals intelligence gushing in torrents. The trick is to make sense of it."

The report enumerates cyber opportunity and threats: contact chaining, "data exhaust," so-called intelligent home appliances, and many other attack surfaces for hacking which include open source data sets. Despite the exponential growth, the intelligence services "...not only do more, but spend less" when compared with $175,000 per month for a HUMINT tail. But tracing data is also problematic: protocol issues; online gaming, chat rooms and steganography; encryption; sheer volume; and less human error, to name a few. One 11/15 Paris bomber reportedly directed that a call be relayed via Syria to pass through a lightly monitored Turkish network. NSA and GCHQ should bring vulnerabilities to the attention of the software companies for patches, but "...in their role as attackers, (the SIGINT agencies) need some reserve." Pew Research Center charts note that Americans themselves don't know what the balance should be.

Standard operating procedure (Governance)--How the war on terror turned into a fight about intelligence

The "whipsaw" effect of the intelligence services' immediate 9/11 ramp up, following the proverbial seven years of famine, and then severe scrutiny, serves as "...a case study in how democratic, law-abiding societies struggle to govern bureaucracies that act behind a veil of secrecy...The thing to remember, however, is that in other countries the debate barely took place at all."

So procedures such as the President's Surveillance and CIA interrogation programs, deemed legal, were revisited with the opposite decision and particular acrimony with Snowden's massive 2013 leaks. Some claims of the former may have been overstated, and one defendant of the latter argued that the three individuals who were waterboarded were "walking libraries." Reasonable and highly unreasonable complaints were co-mingled, with press coverage pointing to services being "out of control" rather than simply highly bureaucratic and subject to the complexities of the laws. The press also skewed the facts, and as General Mike Hayden, former NSA Director, notes, should have reported the headlines to have been: "NSA damn near perfect." Former GCHQ Director Iain Lobban, when asked if his workforce were asked to snoop, replied "I wouldn't have a workforce; they'd leave the building." Despite the tendency to achieve balance, the trade-offs between intelligence effectiveness and winning public trust are a constant.

China and Russia:  Happenstance and enemy action--Western intelligence agencies are turning to the old rivalry with Russia and the new one with China.

While many Western intelligence agencies establish strong liaison ties with the biggest ones (e.g., CIA or DGSE), and particularly for SIGINT or IMINT support, rivalry is a bigger global story:  in 2015, the DNI James Clapper told Congress that China and Russia were  America's main cyber threat.  Recent hacks (e.g., Simone Biles' medical records and the DNC and former Sec State Powell's e-mails) underscore the unrestrained nature of active measures.  RT, Russia's overseas television network, has taken to slurs the Economist dubs "insinuendo," destabilizing former Warsaw Pact democracies with devastating Crimean results. Russia leads the way, with China in fast pursuit and moving from an internal focus to "Ugly Gorilla" and PLA-related intrusions leading to DOJ indictments. While US-Russo relations remain  strained, Economist authors believe that intelligence holds the possibility of calming US-China tensions, but Gen. Hayden notes that with China,  "No one else is in the same area code.  It's pass-fail."  A chilling chart, "Habitual Intruders," tracks 12 years of suspected Chinese hacks.

The solace of the law--How to do better

Linked to Cyber Scene 2's legal discussions, the concluding segment calls to mind the arguments of just war theory, underscoring five guiding principles for the legal ramifications of the future of a particularly "cybernised" world:

As CIA Director, General Hayden added "politically sustainable" to his Venn diagram, a notion echoed by Michael Leiter, former Director of the National Counterterrorism Center when he called "translucence" the need for the public to have a broad outline, but not details of what services do.  This vast agenda before the intelligence services also requires the highest of standards: the article closes by noting that critics must understand that "the intelligence services are often the best protection ordinary people can hope for."

(See: http://www.economist.com/news/special-report/21709778-intelligence-services-both-sides-atlantic-have-struggled-come-terms?frsc=dg%7Cd for the entire report, www.economist.com/rights for reprints, and www.economist.com/specialreports for a list of named sources.)

Cyber Scene #8 - Checking out, out of, and in with the U.S. Senate on Cyber Security

March 17, 2017

Checking out, out of, and in with the U.S. Senate on Cyber Security

During the first nine weeks of 2017, the U.S. Senate has called up departing or departed U.S. cyber authorities, as well as an incoming nominee testifying for confirmation, to discuss the harrowing rise and sophistication of foreign cyber threats. Open hearings have addressed the following:

Cyber Security Hail and Farewell from DNIs

Mr. James Clapper had just bid farewell to the U.S. Senate, with accolades from both sides of the aisle, when he was recalled to lead joint testimony on 5 January 2017 before the Senate Armed Services Committee on Intelligence (SASC). Committee Chairman Senator McCain opened the hearing with his own welcome, thanked Mr. Clapper for his extensive service, and provided the framework for the hearing on cyber threats to the U.S. He was followed by the ranking Minority Member and other committee Members in rank order.

Mr. Clapper, then still incumbent Director of National Intelligence, presented his statement for the record, which had been submitted to the SASC in advance, and responded to a flurry of questions about the future of cyber security. He was flanked by Adm. Mike Rogers, Commander of CYBERCOM and Director of NSA, and Under Secretary of Defense for Intelligence (USDI) Marcel Lettre. They each responded to questions analyzing the nature and severity of the recent Russian threat, as well as the US posture of cyber deterrence pursued by the Obama Administration, which Mr. Clapper had earlier explored in a televised discussion with Charlie Rose.

Given the open nature of the hearing, the Senators posed questions dealing with the harm to the US, the political process, the integrity of U.S. systems, and privacy threats to their constituents and allowed for a follow-on closed hearing which did in fact occur on 7 February. Closed hearings are classified and unavailable for inclusion in this publication.

Mr. Clapper was also called to a double feature session on 10 January before the SSCI--the Senate Select Committee on Intelligence. This time he was joined again by Adm. Mike Rogers as well as CIA Director John Brennan and FBI Director James Comey. SSCI Chair Senator Burr welcomed those testifying and particularly thanked the departing DNI and CIA Director for their service. He judiciously asked that the Members not ask any question that might be classified, or that might elicit a classified response, as they would have that opportunity in the follow-on closed (classified) session which occurred later that day.

In response to his prepared testimony and a follow-on question from a SSCI Member, Mr. Clapper noted that the controversy in the U.S., incited by Russian cyber intrusion, would only encourage more threats. He added that Russia would not hesitate to use all available tools for more offensive attacks. He responded to another question, affirming that this was the new normal. All four guests were asked individually whether they had ever seen this level of cyber threat to the U.S. in their broad experience, and all four independently answered "no."

This open session was followed directly by a closed session which remains classified and unavailable.

Then-DNI nominee Dan Coats appeared before the Senate during his confirmation hearings on February 28, 2017, also addressing cyber security issues. Referring to the recent Russian cyber attack, the Honorable Mr. Coats reconfirmed his intent to keep intelligence apolitical, and that any cyber security threats needed to be investigated and addressed. He placed cyber threats at the top of his concerns. He pointed out that recent classified information had not been available to him, as he had only received his clearances days before the testimony. He reaffirmed his pledge to provide unvarnished intelligence assessments to the administration, and that he well understood his responsibility to keep intelligence out of policy formulation for political purposes, particularly in the present charged issues of cyber security. He promised transparency to the American people regarding potential political influence through cyber attacks such as "definitely" occurred in the recent Russian case. The SSCI advanced his candidacy by a 13-2 vote on 9 March, and the Senate confirmed him on 15 March 85-12. A text version of DNI Coats' statement for the record is also available.

For those unfamiliar with the process for testimony before the Congress, questions from respective committee Members are sent just in advance to those testifying. Formal, written testimony is provided by those called upon to testify in advance of the hearing to the entire Committee. Needless to say, all of the above could take only a few days. Those called to testify also present their statements for the record orally, in person, at the hearing (open or closed). Then the committee Members, beginning with the Chair and succeeded in rank order by the Minority Ranking Member and then in declining rank, pose their questions to any of those testifying. Those testifying then respond, as they are called upon, to the individual questions each Member may ask. While the Senate website delivers the video of the process, the DNI website provides the formal, official written text for the record.

Cyber Scene #9 - Private Sector Cyber Voices Speak as Congressional Committees Move to Closed Sessions

As we read in our discussion last month of cyber security seen from the optic of Congressional testimony, cyber has been politically weaponized and is now a 21st Century tool of warfare. Such an application has occurred in the U.S., directed by nation states with the collaboration of private sector players, and is presently, reportedly, playing a role in the French presidential election.

In an effort to inform this already tech-savvy readership of additional perspectives, we now look at the threats as seen by intelligent thinkers--the New York Times, Johns Hopkins University, a cyber expert legal authority, and briefly, a British Member of Parliament--before returning to a short update on extraordinary Congressional cyber events.

National Security Journalists

As cyber attacks come to be viewed as ubiquitous and the possibility of avoiding any threat restricted to an isolated 12th century-like monk, the New York Times Magazine started 2017 with a detailed analysis of the global high-tech theft ring which has put the politicization of cyber hacking to lucrative use. Author Mattathias Schwartz, a national security investigative reporter who has published in a wide-ranging spectrum of media, explores the nefarious industrial surge in cyber security in "Cyber War, Inc." (print version) or "Cyber for Sale" (electronic).

He analyses the global industrialization of email theft with the point of departure being the hack of a surveillance software maker. In his study he explains, for the general populace, means of hacking into email accounts and the way hackers turn this theft into attacks on individuals, institutions, agencies, and governments. He identifies private firms that facilitate, for little money and scant expertise, such "terrifying" intrusions. Joel Brenner, former NSA IG, is quoted saying: "The technology is morally neutral. The same program that you use to monitor your babysitter might be used by Bashar Assad or Abdel Fattah el-Sisi to keep track of whomever they don't like." Schwartz goes on to look into the relationship with one of the hacking leaders, Hacking Team, and their relationship with Russia's FSB, formerly the KGB. The company located an American subsidiary in Reston VA in 2015 and pitched DOJ, US military, and even Royal Canadian Mounted Police as future hires. He also quotes FBI Director James Comey's "Going Dark" speech, noting that "The law hasn't kept pace with technology, and this disconnect has created a significant public-safety problem." At variance with the US Government urging, US businesses have expanded the sales of powerful cyber tools world-wide. One perspective he cites equates privacy with secrecy, and secrecy with terrorism.

Another national security and technology journalist, also linked like Schwartz to The Intercept, is Jenna McLaughlin, who writes in Johns Hopkins Magazine on what she calls the "Internet of Bad Things," underscoring the fact referenced by Schwartz that computers connect everything, ..."and that's the problem." She expands on Joel Brenner's example of the babysitter monitor, including so-called innocuous gadgets such as a fitness watch, an E-Z Pass toll transponder, or your locks securing your home as examples of threats. She probes a distributed denial of service (DDoS) attack on a prominent cybercrime reporter that took down his system for days. She discusses the roots of these insecurities, originating with the creation of the internet. One such internet architect now at Google, Vinton G. Cerf, regrets that they didn't focus on how the system could be ruined intentionally. Addressing the inevitability of attacks, she closes with the only hope that one is not "...interesting enough to be a target."

Legal and British Views

To return to the Government's role in Personal Privacy and National Security, legal cyber expert Stewart Baker addressed the issue in a presentation on 22 February 2017. A private practice lawyer and former General Counsel of NSA in the early 1990s, Baker delved into the challenges in protecting individuals, from George Soros to those with pacemakers. He noted that despite increased funding, security has worsened due to:

  1. new incentives to exploit security holes
  2. nation-states "enthusiastically" engaging in stealing secrets, from China's theft of OPM records to the more recent Russian cyber security involvement in the US election.

He cautioned to expect more intrusions. Both political and economic motivations are at play, and build on past success. He felt encryption was oversold as a solution to intrusion, and that the US Government is hampered by intruders moving at the "speed of light, not the speed of lawyers." He underscored the remnants of "digital DNA" left all over the world and closed by saying that we need to accept the fact that we are losing our privacy as we "embrace the Internet of Things." (See below for CD info)

As a reminder of the global impact of these threats, Baroness Margaret Jay, both a Member of the British Parliament and a board member of British Telecom, presented on The Aftermath of Brexit in the same Global Issues forum on 13 February 2017. In a follow-up question by your author following the MP's presentation, she confirmed that collaboration across the Pond between the UK and the US would most certainly continue post-Brexit, given that we share both the threats as well as the technology and general unity of political will to counter them. Both presentations in their entirety are available for purchase through the Global Issues Program at the Sarasota Institute of Lifetime Learning.

Back on the Hill

Returning briefly to Congress, SecDef General James Mattis, who now commands both the Commander of CYBERCOM and the Director of NSA (dual-hatted), soberly cautioned in his confirmation hearings before the Senate Armed Services Committee (SASC) that the biggest cyber attacks may still be to come. Since then, the SASC held an open hearing on Russian Influence and Unconventional Warfare Operations on 29 March, and a closed hearing on Cyber Threats to the United States on 4 April. As for the Hill Intelligence Committees, following the front page news of the tectonic recusal of Senator Nunes as Chairman of the House Permanent Select Committee on Intelligence (HPSCI) hearings on the cyber influence/involvement of Russia in the U.S. elections, the duties passed to his Majority No. 2, Representative Conaway. The HPSCI has not held open hearings, per their own recordation, since then.

The Senate Select Committee on Intelligence (SSCI) chaired by Senator McCain has forged full speed ahead, with eight closed hearings and one open one, which we will dissect in appropriate detail in our next edition of Cyber Scene.

Cyber Scene #10 - Cyber Insecurity: the Optic of Informed Outreach Pragmatists

Cyber Scene #10

Cyber Insecurity: the Optic of Informed Outreach Pragmatists

In the wake of a month of cyber-linked, below-the-surface icebergs rising to the top half of digital daily newspapers, to include dramatic Russo-US investigations and the Manchester bombing, this Cyber Scene will focus on broad issues that feed into the creation of policy and its implementation intended to direct and fund countermeasures, technology, and legal support.

The Cyber Savvy: Thoughts from Private Sector Former US Officials

As promised last month, the Senate Armed Services Committee (SASC) hosted Gen. (Ret.) Keith Alexander, CEO and President of IronNet Cybersecurity (more famously former COM/CYBERCOM and DIR/NSA) along with three non-governmental cyber experts: Dr. Craig Fields, Chief, Defense Science Board (DSB); Honorable James Miller, Member DSB and former Undersecretary of Defense for Policy; and Mr. Matthew Waxman, Columbia Law School Professor of Law. In addition to their open testimony on 2 March 2017, Gen. Alexander's written statement focused on the USG building connectivity and interoperability with the private sector on cyber; Fields and Miller submitted written testimony and jointly addressed cyber deterrence regarding both great powers and non-state threats; and Mr. Waxman discussed the yet un-reconciled issue of a cyber attack's relationship to an act of war, addressed earlier in this Cyber Scene series and framed by Waxman in the context of a violation of the UN Charter's prohibition of force. He noted that NATO's Article 5 does include cyberattacks--a footnote of interest in light of the US President's public failure to endorse Article 5 in his visit with NATO on 25 May 2017, an omission addressed by US Ambassadors to NATO under both George W. Bush and Barack Obama. According to Waxman, the expectation is a bar set at deterrence, not elimination of a cyber threat. Fields and Miller added that there is a "thin line" of a cyber secure force to create cyber resilience at this time. Their collective testimony referenced the broad role of the DSB to collaborate across universities, Federally Funded R&D Centers (FFRDCs), National Labs, the National Academies of Science and Engineering, etc.

Gen. Alexander's testimony triggered a return Hill visit on 30 Mar. 2017 to discuss, relatedly, Russia before the Senate Select Committee on Intelligence (SSCI)--the SSCI's first open hearing on this subject.

Threats:

a. teenage hacker in the basement?
b. crazy uncle in the Korean attic?
c. wily ex-KGB chief in the Kremlin?
d. all of the above and lots more? (correct answer)

In its April 8, 2017 edition entitled "Why computers will never be safe," The Economist pursues the story of a British high school student (Response "a" above) to illustrate its subject "Computer Security: Why everything is hackable." It cites examples of why hackers don't need to deal with chip design and manufacture to create havoc, whether for purposes of "show-off vandalism" or criminality. In addition to efforts by Google, Microsoft, Amazon and others to develop standard encryption protocols, DoD's DARPA, which arguably can lay claim to inventing the internet, continues to work against its vulnerabilities. The article includes a catchy chart mapping the lines of text and source code starting roughly with 1985's Super Mario Bros. to today's Google products. The Economist also examines various attempts to bake security into software under development, including work at the University of Cambridge by a Dr. Watson (not THAT one!) on innovations to be added to existing chips used by Intel and others. Another angle proposes that the myth of cyber security hinges on economics, not technology, and that the market will, in the final analysis, drive innovation.

Since this 8 April article went to press, aftershocks from the ransomware attacks, which did in fact impact the daily lives of many in the UK and elsewhere, were the subject of the 14 May edition of the New York Times. The globalization of the internet, and the number of things it entails, as well as the wall-free borders well beyond Schengen given the origin of the attack, spotlight the impact on everyday life worldwide.

As a follow-up to the discussion of SecDef Mattis's confirmation hearings in the last Cyber Scene, his reference to deterrence continues the previous administration's policy, laid down in an Executive Order on "naming and shaming" to include Iranian and Chinese hackers, resulting in the US Treasury Dept. being directed to impose financial sanctions on hackers.

However, operational options remain on the table. The SASC hearing of 9 May chaired by Senator John McCain underscored concern about a lack of strategy on cyber security and the need to create a whole of government approach to enable DoD to counter threats in cyberspace. This hearing noted the elevation of Cyber Command last year to a full combatant command, the possibility of extracting lessons learned from the US Coast Guard's domestic and international authorities as a model, and discussion of creating a cyber service. ADM Rogers, Commander of CYBERCOM, opined that a cyber force would create a narrow and isolated set of technologies rather than the role of cyber in a much broader context in need of a whole of government focus. He also added that implementation of this approach needed to fall under the policy aegis of and coordinated with the US Undersecretary of Defense for Policy.

Looking further forward, post-Manchester, new DNI Dan Coats spoke before the SASC on 23 May 2017, underscoring two reasons for the severe risk represented by cyber threats to the US. First, growing numbers of actors, from nation states to terrorist organizations, are becoming bolder and more capable. Secondly, the potential impacts of these threats are "amplified by the ongoing technology on our critical infrastructure and our daily lives."

Come here, Dr. Watson (DARPA, and innovators of the universe); world needs you.

Cyber Scene #11 - Views from...

Cyber Scene #11

Views from...

The Bench: Lawyering Up.

The cyber world has long bemoaned a dearth of legal opinion on both offensive and defensive cyber issues. 11 September 2001 provided a speed-of-light thrust to improve U.S. law, but technology continues to move faster than the courts. A Harvard Lawfare Institute/Brookings duo is picking up the pace in exploring the application in the courts of misdemeanor and felony crimes to the cyber world. In light of Russian hacking issues and discussion of collusion emanating like tidal waves from NYC and D.C. over the last few weeks, Harvard Law Review editor Helen Klein Murillo paired up with Susan Hennessey, General Counsel of the Lawfare Institute (current Brookings fellow and former Office of the General Counsel attorney at NSA), to dissect pertinent legal precedent by which our 200+-year-old Constitution is interpreted for cyber purposes. This includes recent case law which defines "aiding and abetting in furtherance of any criminal or tortious act in violation of the U.S. Constitution" and distinguishes a misdemeanor from a felony. Needless to say, in such a sensitive environment, what is admissible for public record entails a balance of foreign relations policy, intelligence sources and methods, Congressional involvement, particularly of the Senate Judiciary Committee, and possibly, in the final analysis, Supreme Court engagement.

Starting 6 July, Lawfare is also electronically linked with Foreign Policy, which in itself is brimming with a broad spectrum of views on international affairs and legal issues that provide a backdrop for cyber security issues. But the courts, although still playing catch-up, are moving forward. In a politically charged climate, readers might find this fact-based approach to US Constitutional law to be informative. The legalese should be largely digestible to this readership.

For further study, see the Lawfare cybersecurity subcommittee topic discussions on legislation in process by the Senate Select Committee on Intelligence (Senators Burr and Feinstein) and other Hill actors, the military which includes international defense issues, deterrence (with some military overlap) and crime and espionage as well as dozens of other topics that have cybersecurity components.

The UK: The Economist Special on Terror and the Internet

Cyber issues permeate the June 10-16, 2017 across-the-pond edition of the Economist. First the cover focus, Terror and the Internet, calls upon tech giants to take more responsibility for their networks, noting that "...for every Spotify there is a WannaCry." The Economist acknowledged that perfect security is unattainable; there is more to be done with dismissing "fake news" and maintaining (or perhaps reinstating) a reputation for truth. The editorial (Leaders section), as the introduction to the special deep dive itself, calls on legislators balancing security and liberty, or trying to, to "translate offline legal norms into the cyber domain." The Economist cautions, however, about ignoring unintended consequences in the process.

In the Britain section, the backdrop of the 3 June attack in London--one of three recent ones--gives rise to the question of how to prevent terrorist recruiting by combating on-line recruitment.

The International section discusses the early June terrorist attack from a broader perspective, looking at extremism across national borders to include IS recruiters on YouTube both in the Middle East and in the U.S. This cyber reach is linked to what a London-based counter-extremism think tank notes as "Documenting the Virtual Caliphate"--a report plus a video released 40 times a day in multiple languages. This leads to "crowdsourcing" action vice lone wolf activity. Facebook's CEO, Mark Zuckerberg, is quoted saying that he wants to develop artificial intelligence to identify and delete these terrorist tools online, but that it will take many years to get there. Across-the-pond collaboration on these issues is cited as waning following the Snowden leaks. The former GCHQ chief, Robert Hannigan, adds that it is not in the public's interest to weaken encryption. Despite the gloomy immediate future, the article closes by referencing Microsoft President Brad Smith's testimony before the US Senate Judiciary Committee in May arguing for a legal framework which eases the international constraints that restrict American tech firms overseas.

Lastly, and reverting to that lone wolf issue, the special edition looks to the Israeli Defence Forces (IDF) for an example of how to marry up algorithms monitoring social media and tripwire terms to seek out "martyrs" before they strike. The article does not, however, discuss how to scale the monitoring of walled Palestinian enclaves to the "world Caliphate's" international, borderless issues. We have looped back to legal discussions, across countries with different legal foundations (Common Law, Napoleonic Code, both, neither, etc.).

NATO: How Many Legal Systems to Counter Cyber Threats???

Given the political black eye of Russian hacking a decade ago into Estonia's Cyber Defence Centre of Excellence, NATO has applied Article 5 ("an attack on one is an attack on all") to cyber. Lately, in the wake of the belated reference to Article 5 by the U.S. President following, not during, the May NATO Summit, NATO has emphasized the role of cyber defense as one of its 10 core principles. To that end, on April 26, 2017, Estonia hosted Locked Shields 2017, "...the largest and most advanced cyber defence exercise in the world." It was organized by the same NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, and involved over 800 participants and 25 nations, to include leadership engagement from the US EUCOM, the British Army, Scandinavian defense universities, and industry. With NATO expansion, 29 countries are now NATO members, and an increasingly close working relationship between NATO and the EU is developing across 40 member and non-member partners to include Jordan and Iraq.

On the Hill: The Enemy of my Enemy is my Friend?

Congress continues hearings on Russian Interference in the 2016 Election. While former FBI Director Robert Mueller and his investigative team work behind the scenes, the Senate Select Committee on Intelligence Chair Sen. Richard Burr (R. NC) and Vice-Chair Sen. Mark Warner (D. VA), made a joint statement to the press following one of the sessions with former FBI Director James Comey on 8 June underscoring the bipartisan manner in which the SSCI is proceeding as well as "how significant the Russian interference was." Mr. James Comey's open testimony is viewable (or readable) in its entirety at C-SPAN in case readers somehow missed it.

As for the investigation itself, it will likely be considerable time before Mr. Mueller and his team engage in any open testimony, but his legal team is expanding to include expertise in financial malfeasance, per the New York Times of 20 July. He, too, is lawyering up.

Cyber Scene #12 - Divided or United??

Cyber Scene #12

Divided or United?? (no, not the U.S.--CyberCom and NSA)

The Cybersecurity Committee of Lawfare Blog addressed the Aug. 2017 GAO report presenting the DoD view on separating NSA and CyberCom. University of Texas/Austin Law School Associate Dean and Professor Robert Chesney notes that the report's exclusive DoD perspective is limited, and underscores the exclusion of consultation with the Office of the Director of National Intelligence among other missing views. Chesney's discussion raises more questions than it answers--not a criticism, but rather an acknowledgement of the need for in-depth, detailed, nuanced understanding of the pros and cons of separating the two entities.

The Chairman of the Senate Armed Services Committee Senator John McCain argued, in 2016 under the last administration, that he would oppose dividing CyberCom and NSA.

The Lawfare Blog also published a 7 Aug. 2017 article by, most recently, former NSA Deputy Director Rick Ledgett arguing why NSA should not reveal all cyber vulnerabilities, as has been discussed in the public/private sector perspective on privacy vs. security.

As a follow-up to recent Cyber Scene discussions of the need for more precision in U.S. domestic legal discussions of cyberwarfare, Bloomberg Businessweek published on July 20, 2017, an interesting cyberwarfare "Focus/Security" discussion from another (or perhaps THE other) side entitled "Why We Need Cyberwar Rules of Engagement Now." The Berlin-based journalist, Leonid Bershidsky, who recently emigrated from Russia to Germany following the Crimean invasion, calls for discussions between the world's two preeminent cyberwarfare countries. He cites sanctions damage, of course, but includes references to the updated 2017 Tallinn Manual, from NATO's Cooperative Cyber Defense Center of Excellence in Estonia. As mentioned in an earlier Cyber Scene, the Center is steadfastly anti-Russian, particularly after being famously, and embarrassingly, hacked by said country in 2007. Skeptics might question why Russia would choose to follow such rules, but the article itself, read carefully, is nonetheless interesting and includes a closing look at "quantum cybercrooks."

No Rest for the...Congress

Congress is in a truncated recess. However, since 11 July 2017, the SSCI has held seven closed sessions and one open hearing, under Chairman Richard Burr (R-NC) and Mark Warner (D-VA). The hearings on 19 July addressed the nominations for three senior IC positions: Principal Deputy Director of National Intelligence Susan Gordon, Treasury's Assistant Secretary for Intelligence and Analysis Isabel Patelunas, and NSA's Inspector General Robert Storch. These positions now require Senate confirmation.

The HPSCI conducted a closed hearing on Russian Interference with Jared Kushner; the acting Chairman (Chairman Nunes having recused himself) Rep. Mike Conaway (R-TX) and Minority Ranking Member Rep. Adam Schiff (D-CA) gave a brief news conference highlighting the 3-hour hearing's productivity, and the cooperation of Mr. Kushner, who offered to return.

Come Together, Right Now

The House has passed the FY 2018 Intelligence Authorization Act, which enjoyed strong bipartisan support with a 380-25 vote (!). Cybersecurity is underscored in the second sentence whereas Russian interference in the U.S. election figures at the end of the following verbatim synopsis:

"This legislation provides the Intelligence Community (IC) the necessary resources and authorities to ensure they remain capable of protecting and defending the United States. The bill supports critical national security programs, particularly those focused on countering terrorism and cyberattacks. The total funding levels authorized by the bill are slightly below the President's budget, balancing fiscal discipline and national security. This legislation:

The Act makes no changes to any surveillance authorities, including those set to expire later this year, which will be addressed in separate legislation."

In the Senate, the SSCI cleared the Intelligence Authorization Act as of 18 Aug. 2017, where it will move forward for a full Senate vote upon return from recess. This would point to a likely enactment of the bill, since the differences between the House and Senate would have been addressed in House and Senate intelligence committees, respectively.

N.B. FY 2018 starts 1 Oct. 2017 and Congress has only 44 days remaining in CY 2017, with not only the Intelligence Authorization Act but questions of a government shutdown, furlough, and budget looming large.

Cyber Borders or "Splinternet?"

The Economist revisits the rise of the global tech leaders in "Chaining Giants," investigating what actions governments worldwide, to include the U.S., China, U.K., Canada, Russia and others, are taking to impose constraints on the most powerful of the biggest multinational technology giants, even as the firms themselves have been looking at their own commercial barriers ("walled gardens" to control services) to bolster their success. U.S. and European constraints include holding tech firms such as Microsoft, Alphabet (Google) and others responsible for what their users say. These are not, however, the same garden vegetables the firms themselves are cultivating.

Cyber Scene #13 - Cybersecurity: Getting Personal


Perhaps off-gridders living in yet unmelted igloos are untouched, but the Equifax breach has jolted the uninitiated half (not/not this audience) of the US population into the path of the hackers' express. While Equifax Chairman and Chief Executive Richard Smith was cited as blithely stating on 17 August 2017 that the only difference among companies is between those who know they were hacked and those who don't, this hack hits millions where it hurts most: identity and wallet. For those having been hit by the OPM or other social security and financial breaches, it magnifies the risk. For this readership, personally at risk as well, it provides bitter "I told you so" bragging rights. For any igloo inhabitant readers who crave a chilling experience, the same WSJ story offers one analysis beginning with Cisco's 8 March 2017 discovery of its software weakness and urgent plea with users to upgrade. One would hope that a service that posts credit information in a nanosecond would also act in the same timely manner to patch vulnerabilities once known.

Bricks and Bits

Just as one reflects on how bad this is, Mark P. Mills, in his Wall Street Journal Op-Ed, "The Cyber Age Has Hardly Begun", points out that cyber issues are just getting started. Looking not at breaches but at economic stimuli, he discusses sector industries and infrastructures from the perspective of "cyberphysicality." The example of Amazon's market value, which following the recent acquisition of Whole Foods is twice that of Walmart and 500-fold greater than that of century-old Sears, is indicative of seismic changes in the economy driven by cyber. The current status of this merger is the equivalent of the U.S. economy in 1920. These cyberphysical corporations point to the eventual decline and/or eclipse of today's two-speed economy. Mills concludes: "It's a sign that America is about to shift to the next level, driven by cyberphysical software. Economic growth and jobs will follow." So will the risks.

Houses of Bricks and Bits: Beware of the Big Bad Bear

As the brick and mortar sector takes a major hit--physically from the recent spate of North American hurricanes, tornados, wildfires and earthquakes as well as what your author dubs "merger and acquisition climate change"--the Securities and Exchange Commission (SEC), which regulates and protects U.S. firms, suffered its own cyber breach. "Edgar" may now be your next corporate houseguest: it is the Electronic Data Gathering, Analysis and Retrieval System which processes 1.7 corporate filings per year and is cast as the SEC's "crown jewel." Unlike Equifax, SEC senior executives reportedly became aware of the 2016 hack only months later. As the former SEC Chairman Luis Aguilar noted, the SEC should foster transparency, "...particularly an agency that expects full and fair disclosure from publicly traded companies." Unfortunately, the disclosure of, not from, publicly traded companies may be far more "public" than the firms and regulators anticipated. Mr. Aguilar, notably, now works for Falcon Cyber Investments, LLC, which invests in cybersecurity. So yes, the breach made firm actions immediately transparent to the hackers; the SEC execs, however, were guilty only of ignorance and faulty public sector cybersecurity protocols. The Senate is holding a hearing on 26 Sep. 2017 to explore SEC oversight issues.

As for the houses of bits, Facebook is now facing up to a legislative call for more transparency regarding that Bear. For those who assumed that Facebook discloses and shares everything on line, that is not so. Only your personal subscriber data is disclosed. Jim Rutenberg took Facebook to task in a comprehensive 18 Sep 2017 NYT article for its "stunning lack of specificity about foreign interference" with regard to Congressional calls for information regarding the Russian-related "fake ads" which seemed to focus on "amplifying divisive social and political messages across the ideological spectrum" during the 2016 elections. Under pressure from the "4th branch" (media) as well as Congress, Facebook caved as of 22 Sep 2017 and agreed to disclose information on thousands of Russian-backed ads to congressional investigators. Changes it intends to initiate include disclosing its requirements for political ads, more stringent requirements for said ads, and adding over 250 employees to monitor election integrity. However, in an apparent reference to the 1st Amendment, CEO Zuckerberg said, in the same article, that it would not censor ads prior to publication, stating: "Freedom means you don't have to ask permission first, and that by default you say what you want." Ex post facto measures would include removing the offending post and/or suspending the accounts of the guilty. Facebook has been under the Congressional gun--both the House and Senate Intelligence Committees (HPSCI and SSCI, about which Cyber Scene has written)--for underwhelming cooperation. Facebook had previously held back, noting that only a search warrant would move Facebook to disclose. That has apparently come from Robert Mueller's investigation on Russian interference and influence. According to the WSJ analysis, Facebook is giving Congress only 3,000 ads created by one Russian entity, the Internet Research Agency, which generated $100,000 of income for Facebook. Mueller is presumably to receive more. He and his team, however, are not talking.

They're Back! Congress Ramps Up

Both Intelligence Committees intend to help Mr. Zuckerberg in his efforts to balance his privacy responsibilities and his reluctant efforts to disclose Russian influence to Americans. According to the above New York Times and Wall Street Journal stories, legislative leaders and others are considering social media requirements similar to television and radio requirements with public disclosure of sourcing for political ads. There has been strong bipartisan support in both legislative bodies to disclose and curb foreign interference in U.S. elections. There is also a Democratic Senate initiative (Warner, VA and Heinrich, NM) to require new Federal Election Commission rules to curb foreign spending on political advertising and identify the sourcing, as the 18 Sep NYT Rutenberg article cites: "I'm Vladimir Putin and I approve this message!". However, the 22 Sep WSJ article notes that this initiative would not have prevented the genre of "hot button" ads that were traced to Russian interference.

Both Intelligence committees, however, are keeping a lid on their hearings. The SSCI has held five closed hearings on "intelligence matters" in Sep. The HPSCI is also tight-lipped. On the other hand, both the House and Senate have been open and active since the curtailed recess regarding FY2018 authorization activity. As a follow-up to Intelligence Act activity (officially on the Senate's calendar) cited in Cyber Scene last month, the Defense Authorization Act for FY 2018 was passed by the House and by the Senate with one insignificant (author's comment) amendment on 19 Sep. The Senate's Commission on Security and Cooperation in Europe also convened on 14 Sep. to examine "the scourge of Russian disinformation."

Bear Territory

On that Russian front, the Senate Foreign Relations Committee held a 19 Sep 2017 hearing featuring former Governor of Utah/former Ambassador to China/former Presidential candidate Jon Huntsman, Jr. as the nominee to be Ambassador to Russia, succeeding Russian expert John Tefft. Author comment: the most prestigious ambassadorial appointments are usually political. Ambassador Tefft, who had retired following his ambassadorial post to Ukraine in July 2014, was recalled as a political nominee, confirmed by the Senate and accepted by Russia in November 2014; he had previously served in Russia as #2 under career Ambassador Thomas Pickering as well as Ambassador to Georgia and Lithuania. Given Congressional unity regarding the importance of Russia, it is likely that Jon Huntsman will receive favorable support and confirmation. Your author is less certain as to whether Russia will graciously agree to allow him to present his credentials; Ambassador Tefft has understandably dealt with some Russian flak.

As of this Cyber Scene publication, 69 ambassadorial posts, not counting Iran and North Korea, are vacant.

Bravo, R & O Contributors!

To conclude on a positive note, for those of you who have explored and published on hackable self-drive cars, cloud vulnerabilities, password weakness, two-factor authentication, and related issues, the Wall Street Journal of 18 Sep 2017 has issued a special report (nine articles, six pages and its own section) dedicated to cybersecurity for the masses. Perhaps new to you, however, is the article entitled "Insurance Grows for Cyberattacks." This is a growth industry (think tornadoes spinning off from hurricanes) used by companies to protect themselves from liability-related legal action. As many of you have seen, Equifax includes a "check here for extra protection; this also prohibits you from suing us" box. Since lawsuits continue to pile on Equifax anyway, companies may find insurance cheaper than legal counsel. This new insurance application is driving more cybersecurity risk analysis.

So back to you, dear R & O readers! As was noted above, we are but at the beginning of a cybersecurity era.

Cyber Scene #14 - Trick or Treat?


OLD HAUNTS

China: 1,000 cyber flowers

"What scares me is that vulnerabilities with the highest consequences of failure are also the least covered," says PTC software Chief Security Officer Joshua Corman, adding that if it is a bedside pump, it is fatal, or a turbine, explosive. Bloomberg Businessweek goes on to detail a 19 October 2017 report from cybersecurity company Recorded Future which tracks the ability of the U.S. and China to discover vulnerabilities. Despite the existence, since 1999, of the NIST's "common vulnerabilities and exposures" (CVEs) database, the Chinese have outpaced the U.S. in "spotting" (or, editor's comment, actually publishing) cyberthreats. China maintains a 20-day advantage.

The latest Equifax fiasco is one such example, where the Chinese published the Apache announcement in one day in its National Vulnerability Database. Back in March 2017 the House Committee on Energy and Commerce asked Mitre and DHS, which oversees Mitre's contract to manage the CVE database, how it was progressing. The speed Mitre needed to meet this "explosion of CVEs" was, of course, insufficient to counter the Equifax horror show.

North Korea: 6,000 hackers--wolves in sheep's clothing? Zombie sleeper cells?

Back to bedside manner, the 15 October New York Times debunks the "laughable" state of North Korea's cyberpower. In the May ransomware attack, the British National Health Service system was crippled. North Korea missed out on a $1B cyberheist--"real money" (except for Bitcoin) per Everett Dirksen--only because of a possible character flaw: misspelling "foundation" as "fandation."

The North Koreans have certainly read Sun Tzu's "The Art of War" though, in profiting from their "primitive" reputation and element of surprise. Former GCHQ Director Robert Hannigan admitted that the North Korean cyberthreat "crept up on us; because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn't take it seriously." Former NSA Deputy Director Chris Inglis, speaking in October at the Cambridge Cyber Summit, cites the North Korean use of cyber as "tailor-made" due to its low cost, asymmetry, anonymity and stealth. And it's a source of income. One wonders when the digital sleeper cells reportedly planted in South Korea's critical infrastructure might come to life. A ghastly combination. And who is burying whom?

TRICK, TRICK, TREAT

Israel demasking Russia for the U.S.

According to Nicole Perlroth and Scott Shane (NYT 10 October), it was the Israelis who first identified Russian hackers in US systems. Although both CIA and NSA avoided using Kaspersky software, and CIA's former Russian expert reportedly discounted that company's hollow attempt "...to convince the U.S. government that it was just another security company," many US agencies were unfortunately less skeptical. The article identifies several such agencies who were snookered by a convincing mask. Spy vs spy vs spy. As Georgetown Russian Professor Peotr Pirogov once said in 1971, "Where today are Boris and Natasha?" Everywhere, apparently.

Come as you are? Futuristic bits? Quantum mechanics and the "facial-industrial complex"

Google's southern California quantum computing team of physicists and engineers is moving beyond a universe, according to a Wall Street Journal 16 October article which predicts a quantum computer that "could change the world." In addition to providing a primer in quantum mechanics for the WSJ's wider readership, the study investigates progress among scientists such as Scott Aaronson, chief of the Quantum Information Center at University of Texas at Austin, who believes that quantum mechanics is "fundamentally a new way of harnessing nature to do computations" as researchers look to "Y2Q", roughly 2026, when a vastly different and large-scale quantum computer is expected to come on line.

Meanwhile, The Economist (31 August 2017) opines that the Chinese will be the first to deploy quantum-cryptographic satellite networks capable of, inter alia, determining whether a message has been intercepted so that the receiver would know if it arrived "secure" or not. (See paragraph 1 above re: the Chinese advances.) The Chinese reportedly launched the world's first quantum-communications satellite in 2016. It is, notably, named after a 5th century Chinese philosopher who studied optics. Yes, China has had a head start over the U.S.

With a quantum-computing satellite watching over us, terrestrial technology is also advancing with facial recognition providing "Nowhere to hide," (The Economist 9 September). The version of facial recognition cited in the article focuses on reading facial expression for the gamut of reasons ranging from denoting violent intentions among football game attendees to detecting those who dissemble "which helps grease the wheels of daily life." Both trick and treat, the use of this increasingly sophisticated biometric data still lacks legislation to mitigate its misuse, certainly on a global level. This is big business, as the follow-on study portrays--the "facial-industrial complex." With reportedly 300,000 companies worldwide engaged, the technology is particularly embraced by...the Chinese. The journalist's tour of Beijing's Megvii Hqs. was cast as being "...like visiting Big Brother's engine room." On the counter-measure side, the Israeli start-up, D-ID, is developing a way to thwart facial recognition. And, the West is pegged as being behind.

Congress: Role of disclosure or witch hunt?

Three US Senators--Senator John McCain (R AZ), Mark Warner (D VA), and Amy Klobuchar (D MI)--are collaborating on the Honest Ads Act to force Facebook, Google and other internet companies to disclose their sources, in response to the deceptive ads bought by Russian operatives and believed to have had a bedeviling impact on the 2016 presidential elections. The NYT 19 October article goes on to examine the challenges facing the bill as well as some history. The latter includes pushback from the internet companies in 2011 when the Federal Election Commission attempted to strengthen online disclaimer requirements, as it also attempted in 2016.

The House Permanent Select Committee on Intelligence is slated in early November for an open hearing on the Russian Investigation Task Force whereas the Senate Select Committee on Intelligence has held five closed hearings in October on "intelligence matters."

The Senate Committee on Banking, Housing and Urban Affairs met in open session on 17 October on consumer data and credit bureaus to grill Mr. Smith (no, not the former Equifax CEO but)--Andrew M. Smith, Partner in Covington and Burling, LLP who represents the Consumer Data Industry; Marc Rotenberg, President of the Electronic Privacy Information Center; and Chris Jaikaran, a Congressional Research Service cybersecurity policy analyst.

Cyber Scene #15 - Cyber Tuesday


Regs and Rulers

The Economist in "Big Tech and Washington: Capitol Punishment" on 28 October examines the possible application of regulatory steps to US tech giants similar to those that have been (and are being) applied to the US banking sector. Despite differing US political views, technology firms are a big target but employ "fewer workers per dollar of market value." The article goes on to explore "anti-social networks" and the US Senate bipartisan initiative to scrutinize these operations, addressed in last month's Cyber Scene, in the Honest Ads Act.

As a follow up to the Chinese, Russian, and North Korean cyber attacks, the regulatory pendulum is reversing course. We ended last month's Cyber Scene with Equifax testimony before Congress, and open this month on the same subject: testimony by the General Counsels of Facebook, Twitter, and Google before the Senate Select Committee on Intelligence (SSCI) on 1 November regarding the social media influence on US 2016 elections. SSCI's seven other hearings in November were closed.

The House, likewise, followed on 2 November with a House Permanent Select Committee on Intelligence "open in closed space" testimony by Carter Page. The session was in fact closed, but the testimony was redacted and then published on 6 November. Audience, beware: the written testimony included many historic exchanges between Mr. Page and the HPSCI and ran 207 pages. Viewing (not allowed) might have been worse: the session began at 9:40 a.m. and ended at 4:58 p.m. CSPAN does cover all the truly open sessions, but when it does, it warns that the text version is "uncorrected closed caption." It is unintentionally quite humorous. Readers may be better served by the Congressional text links/transcripts while viewers might enjoy the atmospherics on CSPAN, including occasional verbal mortar fire that loses something in the textual translation.

The House Judiciary Committee on 14 November pursued testimony regarding the Investigation into Russia's Role in the 2016 Election with Attorney General Sessions. Following a surprising declaration by AG Sessions of the possibility of the appointment of a second special counsel, and a few new admissions, discussion then turned to changes to FISA 702 citing the exception issues of foreign intelligence or crime, the original Patriot Act, the USA Liberty Act itself, and the eternal challenge of balancing security and privacy. The same day, CNN's Mark Short on "State of the Union" hosted former DNI James Clapper and former CIA Director John Brennan. Mr. Clapper stated that "The (Russian) threat is manifest and obvious...to paint it any other way is astounding and poses a peril to our democracy."

The Senate Foreign Relations Subcommittee on East Asia, the Pacific and International Cybersecurity Policy on 14 November, also in an open session, hosted Michael Pillsbury (from the conservative Hudson Institute) and Graham Allison (from the less conservative Harvard Kennedy School)--both exceedingly serious and longstanding (for Dr. Allison, back to the Cuban Missile Crisis--really!) enlighteners of public policy issues who offer think tank and academic perspectives on cyber policy. The full Senate Foreign Relations Committee met earlier, on 7 November, in a closed hearing on North Korea's Cyber Capabilities and US Policy Response. The SSCI, however, only obliquely identifies the subject of its closed hearings as "intelligence matters."

Uber Alles

Not to be outdone by Equifax, on 21 November 2017 Uber disclosed a major hack from October 2016 affecting the names, emails, and phone numbers of 57 million riders and the licenses of over 600,000 drivers. The cover up included paying off the hackers ($100,000) to conceal the breach, per the Wall Street Journal (21 November). Bloomberg Technology spokesperson Eric Newcomer (video 22 November) elaborated. The Washington Post (21 November) added that Uber has hired Matt Olsen--former Director of the US National Counterterrorism Center, DOJ Deputy Assistant Attorney General, former National Security Agency General Counsel and presently President and Co-founder of IronNet Cybersecurity (yes, all one person) for help going forward. Mr. Olsen has his work cut out for him, as Uber, under a new CEO, is also dealing with five US criminal probes and several civil suits including well-heeled Alphabet Inc. (aka Google). London had revoked Uber's license earlier this year.

Is HAL Back?

On the one hand, technology fashions the future as regulators scurry to catch up. The Economist (21 October) looked at artificial intelligence outsmarting humans and learning to "work things out for itself, without being taught by people." In Germany, the Economist (9 November) looks at Bosch, a tech firm that "closes London's Tower Bridge" and operates factories across a production spectrum from robotic lawnmowers in Germany to food in India, through 440 subsidiaries in 60 countries. Bosch now looks at remaking itself into an "ultra-secure technology platform." Its Smart Home chief, Peter Schnaebele, notes that "Orwell's 1984 is kindergarten compared to the IOT world. When it comes, and people re-evaluate privacy, Bosch will be prepared." Such a multinational behemoth seems to defy circumscription and regulation.

Bloomberg Businessweek Special Issue (6 November 2017-8 January 2018--they are already ahead of the future!) is devoted to "The Year Ahead 2018", singling out cybersecurity as one of its top five technology concerns. Shedding some light on the future before the electrical grid is taken out (as in western Ukraine), Bloomberg Businessweek's Max Chafkin and Dune Lawrence examine the use of the malicious software, Trojan, which left Kiev in the dark two years ago, and call upon their readership to be aware that this attack is heading west. They cite a 20 October FBI and Homeland Security alert warning of a "multistate intrusion campaign" aimed at critical infrastructure. In addition to the "usual suspects" cited in Cyber Scene paragraph 2 above and the US, of course, Iran is the only additional country noted in the article by unidentified intelligence analysts as possessing the capability of taking out a power grid. In the Ukraine attack, the Kremlin-backed group Sandworm used NotPetya, a variation of a well-known ransomware program, Petya, getting into the system through a tax-filing application, destroying the data, spreading the virus and paralyzing the country. The authors cite evidence (not further specified) that this was just a warmup for a hack in the US. Apparently, Sandworm's code has already been identified in computers at a dozen US power plants, one of which is nuclear. The greatest concern, per Martin Libicki, the author of Cyberspace in Peace and War, is that this could lead to outright war. The Senate Foreign Relations Committee might be thinking the same thing.

And Now the Good News...for Job Hunters

On the job front, the cover article of the November edition of the magazine of NARFE, the National Association of Active and Retired Federal Employees (available by subscription and unavailable on the NARFE webpage), features the need for more cybersecurity professionals in the federal workforce. It cites the well-known severe shortages in the pool of professionals vis-a-vis the magnitude of the threats. The USG is facing challenges in competing with the private sector, both "...in a footrace to recruit, train and retain these professionals." The future looks overwhelming: the article projects "1.5 million unfilled cybersecurity positions globally by 2020." Two studies are underway by the Government Accountability Office (GAO): one to be released in December 2017 on Homeland Security, and the second in December 2018 on the entire federal government. The article concludes by addressing some public/private sector compensation allowances and mapping cybersecurity functions and their definitions for present readers/future recruits.

Cyber Scene #16 - Holiday Gift: Nothing But Net


The New National Security Strategy on Cybersecurity

On 19 December, the White House released its National Security Strategy (NSS) for 2017. In keeping with the tradition of former administrations, the NSS is a distillation of the major challenges and threats facing the US today and in the near future. This one seems quite balanced, in the absence of anything strident, while calling out the US's largest threats to our democracy: China and Russia. It is somewhat deficient in terms of any particular technology challenges, while yet weaving cybersecurity threats through the document. If you lack the time to analyze it yourself, read a very rational and apolitical "executive" assessment of the NSS by Dr. Michael Sulmeyer, Harvard Kennedy School's Cyber Security Project Director and former Pentagon Director of Plans and Operations for Cyber Policy. He observes that cybersecurity broadly permeating the NSS underscores the ubiquitous aspect of cyber challenges as opposed to a threat-specific issue, and exists as a front burner issue in three of the NSS's four "pillars." Professor Sulmeyer applauds the criticism of both Russia and China, although he notes the absence in the NSS of specific reference to cyber intrusion regarding US elections. The NSS also addresses what Sulmeyer calls "trickle-down cybersecurity" which describes how attacks are perpetrated with maximum dissemination processes in place, and the weak NSS discussion which neglects nipping this broadening of the threat in the bud rather than later when the damage is more difficult to mitigate. This article will also lead you to a treasure trove of other cyber issues addressed by some very bright minds at Lawfare, which have been neglected lately in Cyber Scene. For a more critical view of this NSS, see former National Security Adviser Susan Rice's op-ed in the 20 December New York Times.

Net Neutrality--the Death Knell

As the FCC's recent dictum impacts the future of the net in its entirety, many cyber network experts have been protesting (in vain in the near term) and demonstrating for hundreds of internet companies just how painful the expected, eventual slowdown for the small potato companies and individual users would be, per Cecilia Kang's expose in the 7 December New York Times. The "Fight for the Future" nonprofit out of Worcester, MA, has at least for now lost that battle. The youngest internet junkies are also speaking up, well, the older ones (teens) as opposed to the babes, who have grown up with the expectation of an open net and are speaking up in protest now (NYT 20 December). Although major internet providers have stated that the status quo would be largely in place for the next year, you, gentle readers, will find out soon enough what the scope and pain level will be. Perhaps many of you have already anticipated and graphed the impact. The uninitiated among us can simply Google your graph, assuming that it is Google who ends up with the search monopoly.

Betting on Bitcoin?

Meanwhile, as the world continues to move from the tangible to the ether, Bitcoin surges ahead as a forward observer. The Bitcoin bubble has expanded in part, as reported in an 18 December NYT op-ed by Tim Wu (Columbia law professor), due to a growing distrust of human institutions. He believes that tech trust in Bitcoin soared in 2009 out of "...a carnival of human errors and malfeasance" leading to a crisis in confidence in governments and their central banking system. His discussion, In Code We Trust, posits that the popularity of Bitcoin is predicated upon an inherent distrust of government and the banking sector it spawns. But as Bitcoin is not backed by anything (and certainly not T-bills or gold) it is rather dependent on the "blockchain" technology that "...decentralized public ledger and rigorously tracks transfers. It is maintained by its users." Trusting in code seems to have replaced, at least in the Bitcoin world, the old adage: In God We Trust; All Others We Monitor. Bitcoin has been hacked, but its founders don't seem to mind: the Winklevoss twins, profiled in the December 20 New York Times, are already billionaires and investors are doing well. Goodbye Bretton Woods?? As the casino croupiers say, "place your bets; rien ne va plus" (or was that a commentary on an open internet?).

Electric Cars Stalling... Cyber downstream...It's Elementary

In Jack Ewing's NYT Business Day article also on 18 December, he analyzes why electric car sales are still stalling. Demand is lower than anticipated because prices are high due to...good ol' fashioned minerals. It isn't all in the ether quite yet. Cobalt (from the dicey southern end of the Democratic Republic of Congo/DRC) prices are up 114% and lithium (managed--see the NSS above--by our old friend China as well as Chile) is up 45%. Although projections point to a surge in customer support by 2024, right now it is (still) the (electric car) economy, stupid. Cobalt and lithium have a tech application as well, so electric car sales could drive more than just the individuals behind the wheel, but the big wheels ahead of the individuals. (N.B. Think about who runs China and the DRC.)

Congress NOT Stalling, at Least Not Now

The pre-holiday rush has had both House and Senate sprinting to the calendar year's finish with passage of an 11th hour tax reform with impact for a decade+, warding off yet another government shutdown for another month, starting to address senior political appointment nomination vetting (recently resorting to the customary grilling and often non-confirmation), and generally picking up the pace. Since multiple committees in both the House and Senate have been quite active, here are a few of the highlights that touch upon cybersecurity.

The House passed the Cybersecurity and Infrastructure Security Act of 2017, HR3359, on 11 December. It amends the Homeland Security Act of 2002 to create a new Agency under the Department of Homeland Security (DHS). It was introduced on 24 July 2017 and approved as amended after working its way through four House committees. It left the House on 12 December for the Senate. Its thrust is to better safeguard US infrastructure and cybersecurity by creating an agency under DHS to do so. The bill itself includes authorities, responsibilities, structures, and resourcing goals including DHS's option of reallocating resources it has, and detailing cybersecurity experts from NSA, CIA, DIA, NGA, FBI, and other sector-specific Intelligence Community agencies, to the new Agency.

Open hearings on the Mueller investigations continued in early December with FBI Director Christopher Wray and Deputy Attorney General Rod Rosenstein in the hot seats, with agents of a foreign power issues on the front burner. These issues were more muted in the House Permanent Select Committee on Intelligence (HPSCI) bill HR4478 on 1 December 2017. The 1 December HPSCI markup to the Foreign Intelligence Surveillance Act (FISA) of 1978 touches, but does not focus, on a foreign power which "...engages in international malicious cyber activity that threatens the national defense or security of the United States." Rather, the HR4478's core deals with enhancements, external authority and other issues. The bulk of the amendments submitted by GOP Chair Nunes (vice Ranking Member Schiff's version) treated safeguards related to Section 702's connection to the Constitution's 4th Amendment (illegal search and seizure). It passed 13-8 and moves forward (four House committees have a hand in it) and to conference with the Senate before a floor vote. If the Congressional labyrinth created to pass a bill is a very distant memory, a refresher course is available in Schoolhouse Rock's "I'm Just a Bill." More cynical readers among you may enjoy the SNL November version that addresses Executive Orders or the iconoclastic and "unconstitutional" November 2017 Simpsons version.

Cyber: Is it a Blast?

For those who read the "call for cybersecurity experts" in last month's Cyber Scene who have not already applied to the projected nascent agency at DHS, another cyber future may rise to meet you. Ben DiPietro, in 21 December's Wall Street Journal, discusses former NSA Director and former Director of National Intelligence Mike McConnell's call to cyber arms on the level of a Manhattan Project. ADM McConnell (ret) states:

"If a nation-state achieves quantum, it essentially could defeat all other nation-states in the digital world in terms of breaking cryptography, obtaining secrets, breaching access points, defeating security mechanisms. Quantum is very important and the U.S. needs to be in that pursuit, analogous to the Manhattan Project. We need to be there first." He and Patrick Gorman, former INFOSEC Director for Bank of America, have released a paper this week making recommendations on how to fill cybersecurity job shortages, starting with education and training.

Cyber Scene #17 - Accelerating Responsible Tech Driving into the Future

If those of you attending this January 2018 CES conference in Las Vegas were excited about where cybersecurity technology is headed, be mindful of the less appealing side of the double-edged sword. The timing was bad, with the generally concurrent release to the public of Intel chip vulnerabilities (Meltdown and Spectre). Class action suits are underway, but Intel maintains it is not a flaw but a weakness. Per the 11 January Economist in "Silicon Meltdowns," there is no easy fix, and business favors speed over security, with more such issues anticipated.

The world economy is refocusing thanks to cyber. But beyond the general need to retrain the present general workforce for greater cyber job creation (see Cyber Scenes #15 and #16) there is also a loss of many labor-intensive jobs. Two examples of the reshaping of the workforce due to tech advances come to mind. Thomas L. Friedman's New York Times op-ed "While You Were Sleeping" (he addresses the masses, not this readership) of 16 January 2018 discusses his visit to IBM's quantum computing lab and looks at AI's future; and/or visit Forks, WA, "logging capital of the world," where "twilight" is dimming job prospects as programmed machines fell, stack and transport trees in minutes. Both Friedman and this author's personal Forks, WA source note that lives are improved and saved, respectively, but present jobs are lost. Loggers are not likely candidates for cybersecurity work. Likewise, the cyber world tech giants are beginning to face up to social responsibility. And one Intel tech vulnerability--or weakness--is someone else's access--a Newtonian footnote perhaps.

On the same op-ed page as Tom Friedman's 16 Jan 2018 article is a likely unwitting companion piece, "Facebook Doesn't Like What It Sees in the Mirror," addressing the "inflection point," per author Noam Cohen, of Silicon Valley's awareness (commentary by Mark Zuckerberg) that the tech experts who may have viewed "their powerful inventions as neutral platforms" now consider the downside of technology and, per Facebook's CEO, are "steering users to healthier interactions." Zuckerberg adds, "History tells us that helping people is always a better path than shutting them out." Yes, but India, per author Cohen, said incomplete access to FB is a worse path.

Will FB refashion social engineering tools to take into account the health of society broadly defined? This is not a new issue. Brilliant Cold War "radioactive reservist"-mathematician Tom Lehrer, still with us in body and spirit, delights and provokes with more-than-apocryphal Manhattan Project era lyrics, cited in the FB article: "Once the rockets are up, who cares where they come down? That's not my department, says Wernher von Braun." The downstreaming of rockets and other technological inflection point discoveries is as topical today as then, even as this readership creates the future--with a seer's mindful conscience. And on that role of history and fake news (no, not Pope Francis on Eden),

More On Steering: Twitterpated By The Russians Or Read Squarely?

As we consider steering of the future past, Twitter recalculated to date, per the 19 January 2018 WSJ:

This data, per the WSJ, missed Senate Select Committee on Intelligence deadlines, but Ranking Member Mark Warner (D, VA) is "encouraged to see the company beginning to take responsibility and notify its users of Russia's influence campaign on its platform."

And Even More Steering: Crimea Sailing and Horizon Not So Clear

The Economist annual crystal ball (World in 2018), among many Cyber Scene worthy issues to be examined next month, looks at how cyber "Hacking Gets Physical." Fake news is impacting not only elections/infrastructure/cybercrime but also old fashioned physical safety. False GPS readings just east of the new Russian Crimean coast informed 20+ ships--not/not USMC amphibians--that they were 35km inland and not afloat. Economist Todd Humphreys, UT Austin, also worries about the New York Stock Exchange, as the National Physical Laboratory which runs the atomic clock could also be spoofed. Beyza Unal at Chatham House (a very well-regarded UK foreign policy think tank) is worried about nuclear weapons which might receive fake data. Dr. von Braun, we are full circle or, as Stephen Colbert once said: "Remember what they say about history...I forget."

NSA's Former Deputy Director Chris Inglis addressed more than a thousand, presumably non- or low-tech, members of the public across two cities and three presentations (Sarasota Institute for Lifetime Learning Global Issues, Sarasota and Venice, by subscription) on 9 and 10 January, a week before both the US House and Senate agreed to underpin cybersecurity for six more years with a 265-164 and 65-34 respective vote to renew the original Foreign Intelligence Surveillance Amendment Reauthorization Act (FISA Section 702). Beginning with the Constitution, and providing a brief outline of NSA's cryptologic history, Chris Inglis explained how security and privacy in the cyber world are protected and aligned. His second presentation focused on Snowden and how damage mitigation continues. One audience member asked what good, if any, can be drawn from the experience. Chris Inglis pointed out that if your house burns down (this is a cyber arsonist of which we speak/write), you get a new house. But much is lost (things of inestimable value, sense of security, etc.) and you reinforce and rebuild a stronger, more resilient house, painfully and regrettably. He was also asked about what he thought of Snowden (your author will focus on the most relevant issues here). He noted in response that Snowden was not a whistleblower, and contrasted him with Daniel Ellsberg (think: "The Post" and Pentagon Papers). Salient among the other contrasts (GED, scant experience, little conscience vs. USMC captain, Harvard PhD, extensive experience, respect for the Constitution), Ellsberg tried to work through channels and stayed to stand trial to defend his beliefs in the democracy he was trying to protect. Snowden, in contrast, fled to China (not very democratic) and Russia (even less so) where he remains enjoying Moscow snowdens of yesterday (your author's comment, not that of Chris Inglis). And that IS physical.

For a perhaps less passionate yet related discussion of "FISA Section 702," please read on. Two incredibly experienced legal experts and law professors you may have seen on CNN or MSNBC, associated with the National Security Institute and on the faculty of the Scalia School of Law at George Mason University who have served across all three branches of US Government and in the private and academic sectors, examine Section 702 in readable yet considerable detail: Darren Dick, Director of Programs at the Scalia School of Law and former Staff Director for the House Permanent Select Committee for Intelligence, and Jamil Jaffer, Founder of the National Security Institute and former Associate Counsel to the President under the Bush Administration (both with incredible bios beyond these titles) offer an outstanding legal readout of this program.

Cyber Scene #18 - Thinking Globally, Acting Locally

Thinking Globally

Tech Olympiad: Higher, Faster and Perhaps Lower Poles (and others) in the Tent

The Economist gives a "high five" salute to 5G discussions from the U.S. White House as the future of the internet--centralization or decentralization--enters a new realm. China has certainly left its mark on this issue as it has harnessed its own and foreign tech participants in its homeland. The U.S., as noted in the Economist's "Next-generation thinking," went through a decentralization of the telecom industry in 1984 when Ma Bell was forced to put her children up for adoption. Now, this subject, in the U.S. and elsewhere, surfaces again. The Economist's take is that the White House National Security Council 5G proposal that the U.S. create and run the next gen mobile network is not such a bad idea. The proviso would be that firms lease capacity to create networks without having to build them just as firms use smartphones and app stores to reach their clientele. This would lead to an even more vibrant IOT. (Disclaimer: The Economist is a stellar, balanced British-based publication in business since Abe Lincoln was writing lampoons and dealing with new in-laws (1843); it is not a White House instrument.)

Former Intelligence Community Senior Alum (State/INR, CIA, National Intelligence Council Deputy), author of "Intelligence: From Secrets to Policy" and Jeopardy Grand Champion Dr. Mark Lowenthal endorses the creation of a new (a second) internet--one that cannot be tampered with by Best Buy purchases capable of an OPM-level hack. In response to questions as to how what we have might be secured, he said (Sarasota Institute for Lifetime Learning, 10 February 2018, by subscription) that the U.S. is still "working its way" through deterrence.

Several past Cyber Scenes have discussed this unimagined expansion and application of the internet not envisaged by DARPA or Al Gore. On a grand scale, the security and privacy issues addressed by former NSA Deputy Director Chris Inglis (see Cyber Scene #17) have also preoccupied the tech ramp-up to the Olympics. Competing nations are mostly playing defense while some superstars, including the nation uninvited, are reportedly on offense. The New York Times wrote on 8 February 2018 (Nicole Perlroth, "Despite Security Being on Alert...") of a Homeland Security warning to Americans that cybercriminals were likely targeting the games. The Olympic Committee's Security Command Center including security experts from around the world was monitoring North Korean threats and network probes in Pyeongchang, South Korea. Russians had reportedly penetrated Olympic-related organizations months earlier. Over 300 related computer systems were hit and many compromised, according to McAfee's statement cited in the Times article. Further, a McAfee official added that these hacks were well organized, well resourced, and bore the "hallmarks of a nation state." In January 2018, the Russian-backed cyberespionage group Fancy Bear posted emails from the International Luge Federation and the International Olympic Committee accounts as well as attacked the International Ice Hockey, Ski, and Bobsleigh and Skeleton Federations and the International Biathlon Union. South Korea reportedly has tens of thousands of security personnel including cybersecurity analysts as well as 50,000 soldiers to protect the Olympics. Moreover, each participating nation has its own security delegation on the ground. And at least one nation not officially represented is there in spirit even if not there demonstrably in body.

As for China, the Economist (17 Feb Schumpeter) looks at how the Sino-American tech race is going and who is expected to win, particularly now that "techtonic" plates are shifting. The editorialist "Schumpeter" dispels the notion that the U.S. can continue to pat itself on the back regarding the enduring nature of its tech lead. After three rounds, the author maintains that in the fourth stage China is reaching parity and the age of "imperial arrogance" is about to end. He examines, through U.S. (Bloomberg, Goldman Sachs, McKinsey, etc.) as well as Chinese sources, 3,000 listed global tech firms, 226 "unicorns" (unlisted startups worth over $1 billion) and Huawei. After probing and poking at each country's tech weaknesses, he notes that the Chinese scientists are improving at breakthrough innovation, reaching 89% of the U.S. achievement. He warns Silicon Valley: "It is time to get paranoid." He concludes dramatically by noting that in the past, U.S. tech execs could see the world's cutting edge by walking out the door. "Now they must fly to China, too. Let's hope the airports still work."

Acting Locally

"Playing to the Edge" (Michael Hayden's 2016 work on intelligence and terrorism) evolves to "Computing to the Edge" (Economist 20 Jan 2018 "Life on the edge") where cloud computing emerges from centralization to local networks and devices. This is seen as a significant reversal of the pendulum swing, which is projected to lead to upheaval and a big tech food fight as the best of the big athletes fight for control of the Internet of Things (IOT). Microsoft, for example, has replaced its motto "mobile first, cloud first" with "intelligent cloud, intelligent edge." Like Olympic hockey players, what goes around, comes around, since the pendulum has reversed direction before, in computing's adolescent years. But economics, better algorithms, and speed are creating an "increasingly moveable feast" of bits and bytes, leading the Economist to suggest "air" replace "cloud" computing, as "it is everywhere and gives things life." And at a race pace.

National, State and Local Threats: Game On

The top U.S. intelligence officials testified before the Senate Select Committee on Intelligence (SSCI) on 13 February 2018 to present the Intelligence Community's Annual World Threat Assessment, first in a two-hour open hearing followed by a closed one in the afternoon. The six who testified (DNI Coats, FBI Wray, CIA Pompeo, DIA Ashley, NSA Rogers and NGA Cardillo) awarded a gold first (no surprise here) to cyber, underscored by DNI Coats as he deviated in his opening statement from the written version submitted earlier. Questions from Chair Burr, Vice Chair Warner and most other sitting SSCI members, after visiting the trails of the Korean Peninsula, China and other competitors, raced downhill to Russia and the 2018 U.S. midterm elections. While the DNI noted that "The Russians have a strategy that goes well beyond what is happening in the U.S." he added "...clearly they upped their game in 2016." Despite chastisement (think doping and the retracted Winter Olympics invitation), the Russian intrusions and successful infiltration continue uncontained. All six officials responded "yes, no change" when asked pointedly and individually by the SSCI. At the national level, Warner pointed out that Russian bots have sought to portray the Department of Justice and FBI as "infected by partisan bias"--something the SSCI, reminiscently, remarkably and admirably, does not display (author's editorial). The New York Times (Feb 14 2018, above the fold with photos) provides a comprehensive if lengthy executive summary. Graphic learners and those who like to see democracy in action will prefer the SSCI video.

Relatedly, the Department of Justice announced on 20 February the formation of a Cybersecurity Task Force to protect the integrity of US elections. Attorney General Jeff Sessions identified its principal mission as fighting foreign interference in U.S. elections, deterring attacks on infrastructure and curbing online terrorist recruiting. This may have been prompted by recurring questions from SSCI Members to the testifiers: "Who in the US Government is in charge of Cyber Security?" DNI Coats had stated on 13 Feb that there was no plan to create a cyber czar. Unfortunately, there already is one. He just isn't on our team and his country invented czars.

The 22 Feb. 2018 view from across the Pond, "Russia's Dirty Tricks: How Putin meddles in Western democracies and why the West's response is inadequate," however, is that France, Germany and Finland have taken some measures whereas the U.S. response is insufficient. In fact, in the SSCI testimony, preemptive measures to secure the integrity of the U.S. federal, state and local election process were addressed. Although countermeasures are being developed, the open testimony called attention to the fact that some elections in the U.S. start in March, which is in days, not months or years from now. Let us hope (not a plan, granted) that the closed testimony shines some positive light on viable countermeasures. Meanwhile, Twitter, Facebook and others are now combating Russian fake news regarding the NRA and the Parkland shooting from, as the Mueller investigation is revealing, the safety of St. Petersburg (Russia).

Cyber Scene #19 - The Russians: Vlad the Cyber Impaler

LTG Paul Nakasone, the nominee to the position of Commander, Cyber Command and Director, NSA, testified before two Senate committees: the Senate Armed Services Committee (SASC) on 1 March 2018 and the Senate Select Committee on Intelligence (SSCI) on 15 March 2018. He enjoyed twice the fun, given the dual authorities (ODNI and Pentagon) of NSA and the overlapping and very high profile of the Cyber Command and its future. He pointed out to the SASC that "Ten, 15, 20 years ago, we were concerned about what we said on phones. Today we're concerned about what our soldiers wear, where they're talking, where they're able to be monitored," and went on to say: "This is indicative of how we have to approach the future. We are technologically informed--we also have to be informed for operational security as well." He noted that, facing the Russian election interference, plans were in place to strike back at Moscow but Russia took little heed of this cyber counteroffensive option. He stated, "I would say right now they do not think much will happen to them. They don't fear us." An executive summary of this hearing is also available, courtesy of the 5 March NYT and David Sanger and William Broad. Their article, "A Russian Threat on Two Fronts Meets an American Strategic Void", annotates the Pentagon's view that newly "re-elected" Vladimir Putin's cyber arsenal is stronger than his nuclear one. However, the article closes by citing ADM Rogers, whom LTG Nakasone will replace, the former stating that the U.S. was probably not doing enough, and that sanctions approved by Congress in 2017 were ineffective in changing the "calculus or the behavior of Mr. Putin."

Relatedly, the Economist of 22 Feb 2018 clearly agrees with ADM Rogers in a series of articles entitled "How Putin Meddles in Western Democracies", "Russian Disinformation Distorts American and European Democracy" (on the impact of Russian disinformation campaigns--both old-fashioned and cyber), and "How to be a Dadaist troll" (not a Scandinavian folk tale), subtitled "Inside the Internet Research Agency's Lie Machine." The trilogy reviews the 2014-present development of Russian attacks from Vladimir Putin to what his chef, Yevgeny Prigozhin, cooked up running the Internet Research Agency. This last article is prefaced with a quote from early 20th century French Dadaist Tristan Tzara who states: "Thought is made in the mouth," which speaks volumes about the modern day impact of cyber/social media "mouthpieces."

Two weeks after the SASC hearing, the SSCI conducted its own open nomination hearing for LTG Nakasone on 15 March prior to the full Senate confirmation process. In addition to the live video coverage, LTG Nakasone presented his statement for the record, answered questions prior to the hearing (he responded in writing to 46 of them!), and answered questions following the hearing from Senators Feinstein, Collins, Wyden and King. The latter were particularly insightful and informed, zeroing in on particular cyber threat issues, infrastructure threats, FISA, protection of U.S. persons if the U.S. engages in offensive cyber attacks, and how the current NSA/Cyber Command workforce would support Cyber Command upon its elevation to a unified command. General Nakasone's lifelong cyber career, annotated in his bio included in the transcript, allowed for credible responses to even very detailed and specific questions from the SSCI Members. Complete transcripts of the written testimony and his bio are available online. The Senate's video, however, is less friendly than CSPAN's linked above. LTG Nakasone is viewed as a shoo-in for confirmation, having "sailed through" the SSCI. The final, full Senate vote has not yet occurred, as of this submission. N.B.: please ignore the Senate's mistake: "Lieutenant General" is abbreviated LTG in the Army, Lt Gen in the Air Force, and LtGen in the Marine Corps. LTG Nakasone is an Army three-star, but his most probable confirmation as Commander, Cyber Command, would promote him to the rarified rank, particularly in Military Intelligence, of four stars. ADM Rogers' predecessor, General Alexander, simply referred to himself as Gen A, which I presume was unrelated to his age in comparison with Gen X'ers.

SSCI, predictably, held another session, this one surprisingly open, on election interference on 21 March 2018. Testifying were Homeland Security Secretary Kirstjen Nielsen, former DHS Secretary Jeh Johnson, and Assistant Secretary (DHS) for National Protection and Programs Directorate for Cyber Security and Communications Jeanette Manfra, along with US Commissioner of Elections Thomas Hicks, Co-Director of Harvard's Kennedy School Belfer Center Eric Rosenbach, the Director of the National Association of State Election Directors Amy Cohen, and Vermont Secretary of State Jim Condos. DHS Secretary Nielsen opened by affirming the Department's role in providing cybersecurity assistance for election infrastructure similar to that which is provided to a range of other critical infrastructure entities such as financial institutions and electric utilities. In other words, it places cybersecurity election issues on a par with the U.S. financial or electric grid. She outlined DHS actions in establishing state and local partnerships, info and tech assistance sharing, risk and vulnerability assessments, and cyber hygiene for internet-facing systems. (Multiple U.S. press reports cite a clamor for a return to paper ballots!)

The SSCI also conducted closed hearings (no further information) on 20 and 22 March 2018,

Facebook and Cambridge Analytica: Which is the Mouthpiece?

Meanwhile, the borscht thickens. The flood of breaking news the week of 18 March 2018 highlights the role of Facebook in relation to collecting private information from 50 million (likely most of you, dear readers!) users for election-related profiling. Cambridge Analytica is registered in Delaware (yes, U.S.), American owned (Steve Bannon and Robert Mercer), with offices in New York City (co-located with another firm of Kellyanne Conway and Steve Bannon) and London. The publicity of this data analytics firm's relationship with Facebook has occasioned a precipitous drop in Facebook stock prices, the removal of Cambridge Analytica's managing director, and a hue and cry from angry Congressmen calling for Facebook CEO Mark Zuckerberg's (head) appearance before Congress, first off the blocks being the Senate Judiciary Committee. (NYT, 19 March 2018, "Facebook Role in Data Misuse Sets off Storm.") Following six days of silence, Zuckerberg spoke out saying, wanly, "We let the community down, and I feel really bad and I am sorry about that." (NBC News, 22 March 2018). Facebook may be facing litigation from certain U.S. states and the UK. New York and Massachusetts are among four states leading the charge as well as the British national justice system, as this data gathering is considered to have breached both US and British law. It is more certain Mr. Zuckerberg will face grueling testimony from adamant members of Congress in sharp contrast to the generally smooth testimony of LTG Nakasone.

If you have somehow missed it, view the NBC Nightly News clip kindly provided by Lester Holt on 19 March showing a chilling hidden camera recording, courtesy of British Channel 4 journalists, with a Cambridge Analytica chief officer explaining how their product impacts elections worldwide.

For Hire

As a counterweight to the above, and as was highlighted in several earlier Cyber Scenes, the US Intelligence Community (IC) continues its search for cyber tech experts. The 3 March Economist, in "Spooks for Hire," looks at how the IC is challenged to find, hire, and retain talent. The article cites an ODNI official, looks at the Pentagon's Central Command at MacDill AFB in Tampa, and includes an overview of a new public-private partnership created at the National Geospatial Intelligence Agency under Director Robert Cardillo. Recall that LTG Nakasone also talked about the public-private partnership in his SSCI testimony in his written responses to pre- and post-hearing transcripts. This theme is familiar to regular SoS readers.

Cyber Scene #20 - Facebook Faceoff

In the wake of the Cambridge Analytica and Russian election interference cyber disasters, Facebook CEO Mark Zuckerberg was subjected to a 10-hour doubleheader--amazingly his first testimony ever before Congress--under scrutiny from the Senate Judiciary and Commerce, Science and Transport Committees on 10 April and the House Commerce Committee on 11 April. Sen. Chuck Grassley (R-IA), Judiciary, and Sen. John Thune (R-SD), Commerce, jointly chaired the hearing and allotted 5 minutes to each of their committee members, in descending rank order. Despite dismissing his hoodies for a suit, Mr. Zuckerberg was clearly a novice before Congress. The Members, well-practiced in the art of interrogation, began with the 43 Senators launching specific questions and expecting specific answers. Mr. Zuckerberg resorted quite frequently to the old "I'll get back to you on that" response. (These will be written responses to QFRs--Questions for the Record.) The only Senator who seemed to go easy on him was, surprisingly, Orrin Hatch (R-UT) who seemed to barely wait for a response to a soft-ball question before asking the next--a shadow of his old piercing self when he chaired the Senate Judiciary Committee. The other Senators largely poked and probed, often in an edgy manner, while two pressed Mr. Zuckerberg for an answer as to why the 87 million users were not notified of the data issue in 2015, and another noted that Facebook had the talent, but perhaps not the will to fix the problems--this following several repeated "We are working on it" responses from Mr. Zuckerberg. The most pointed question came from Sen. Dick Durbin (D-IL): "Mr. Zuckerberg would you be comfortable sharing what hotel you stayed at last night?" ("No") "and who you texted yesterday?" ("No"). 87 million of us likely feel the same. Since the Members have only 5 min. each, when Mr. Zuckerberg detoured in his responses, they did preempt him. He rarely responded with a yes or no although he was asked to do so.

The Heat Rises

The House Energy and Commerce Committee the following day was more aggressive. The House Members in fact interrupted Mr. Zuckerberg frequently (N.B. This is not unusual but only the interrogator is allowed to interrupt; it is not reciprocal.) Rep. Greg Walden (R-OR) chaired, noting that the intent of the House testimony is two-fold: to examine Facebook's breach of trust and to look at how the tech industry may need to be regulated. He noted that although Facebook has grown, he is less certain that it has matured. The issue of regulation, which Chair Walden noted has up to the present been absent from Facebook, was surfaced by both sides of Congress.

Although Mr. Zuckerberg presented generally the same opening statement as he had before the Senate, the House approach to him was markedly different. While Chair Walden was largely balanced, Ranking Member Frank Pallone (D-NJ) cited legislation he had worked on in 2017 (not passed "due to Republicans") and vowed to introduce more regulation. He apologized for his harshness to the Chair, who thanked him, "I think," for his comments, moving through humor away from partisan politics. Chair Walden, however, in his own questioning, zeroed in on the "selling of data" and privacy protection.

All Together Now

The subject matter is, if nothing else, a forcing factor for bipartisanship.

This level of inquiry is atypical. Sen. Hatch, who at age 84 has participated in untold hearings, stated that this was "the most intense public scrutiny I've seen for a tech-related hearing since the Microsoft hearing." In fact, this NYT article compares these two tech giants and notes that Mr. Zuckerberg has learned from Bill Gates' mistakes by adopting a more conciliatory manner. However, Mr. Zuckerberg rarely answered direct questions directly, citing complexity. When questioned about what kind of company Facebook is, as it has evolved beyond imagination since its inception, he bypassed the question, sidestepping what kind of regulation he might suggest.

But regulation is coming. Both the Senate and House, on both sides of the aisle, are increasingly working together to introduce new privacy protection laws, "Honest Ads" about which Cyber Scene wrote, and easy means for Facebook users to "opt out." Mr. Zuckerberg noted that the terms and conditions for data sharing on Facebook are spelled out. However, Members underscored the fact that reams of pages of small print caveats are not user friendly.

Mr. Zuckerberg has his work cut out for him. His QFRs due to both committees are extensive but will be posted on the respective committee webpages when they are completed. The April 11 NYT "Mr. Zuckerberg Has a Lot of Homework to Do" enumerates 23 major sweeping issues such as "Support for Legislation," "Russian Misinformation," "Improper Data Transfer," etc.

The call for regulation has assuredly spilled outside the august halls of Congress. Tech journalist David Kirkpatrick, writing this time for Time Magazine's Technology section, harkens back to Mr. Zuckerberg's notion of Facebook's mission, which did not consider it a business; but a money-maker it is, now that selling ads is part of this mission. Per the article, Facebook is expected to make $21 billion in 2018. It is user data that is the cash cow, as repeatedly surfaced in testimony. Mr. Zuckerberg himself noted that "Facebook is more like a government than a traditional company." Mr. Kirkpatrick posits that Facebook will try to regain the trust of the world and be willing to sacrifice the sale of personal data.

Zeke Faux explores this for Bloomberg Business Week in "How Facebook helps shady advertisers pollute the internet," quoting the Cambridge Analytica candid camera victim. For the graphic readers, he diagrams how affiliates profit from Facebook. Meanwhile, as the "business" burgeoned into revenue "billions" (THAT is real money!), few engineers were hired to catch people with bad intentions.

Good News?

Things will change. Bipartisan legislation will "encourage" Facebook to take seriously the protection of data. Terms of usage will become usable and humanly intelligible. Scams and scum will be weeded out of all of this with prodding and enforcement. Meanwhile, on the job front, Nellie Bowles, in a 12 April NYT article entitled "After Cambridge Analytica, Privacy Experts Get to Say 'I Told You So'," writes that as the great "Facebook Sequoia" is felled, the community of privacy researchers and developers is due for a boom.

Coming to a Computer Near You!

On 16 April, David Kirkpatrick writing with Ron Nixon for the NYTimes announces that the US and UK issued a "first-of-its-kind" warning about Russian cyber attacks, not just on governmental or industrial targets, but also on individual homes and offices. One of their sources is the former director of GCHQ, the UK's counterpart to NSA. But there will be more jobs out there for you privacy protectors!

Cyber Scene #21 - Facebook Follow up and Fall Out

Cyber Scene #21

Facebook Follow up and Fall Out

Mark Zuckerberg presented his mea maxima culpas to the European Union Assembly in Brussels on 22 May, following up with them on the apologies he made in his two Congressional hearings in April (recounted in the April 2018 Cyber Scene). His own data compression talent was displayed in his distilling the 10 hours of his congressional testimony into his allotted 75 minutes (which reportedly ran only 15 minutes over) before the EU. On 22 May Stephanie Bodoni from Bloomberg cast this breach impacting millions of Europeans as well as American Facebook users as a game changer in data protection. The Facebook CEO summarized, saying "Whether it's fake news, foreign interference in elections or developers misusing people's information, we didn't take a broad enough view of our responsibilities. That was a mistake, and I am sorry."

Mr. Zuckerberg's meetings, public and private, with the EU, French President Macron and other senior European leaders are well-timed: whereas the US Congress is considering additional regulation in light of the Facebook issues, the EU is light years ahead and is flexing its pan-European regulatory clout through its General Data Protection Regulation (GDPR) set for implementation on 25 May. Mr. Zuckerberg understands better than most the global impact of the EU GDPR and the need to "calm tension with regulators" cited by the 16 May Wall Street Journal over their "Outcry Facebook's Data Use" in the 16 May New York Times.

The EU's GDPR center of gravity sits in the Republic of Ireland, recently evolved into the Silicon Valley in Europe (NYT 16 May, "New Privacy Rules"). Northern Ireland is part of Brexit while the Republic of Ireland remains in the UK. Helen Dixon, Ireland's data protection commissioner, will take the EU lead with new authority to investigate the flourishing tech industry. She intends to "use her powers to the fullest." The Facebook CEO is setting an example that other global companies would be wise to follow: the European headquarters for Airbnb, Apple, Google, Twitter and Microsoft, which owns LinkedIn, are in Ireland and subject to Ms. Dixon, the GDPR and the EU.

Global Ripples

In their "FT BIG READ, GDPR", Financial Times journalists Sarah Gordon and Aliya Ram on 21 May dive into the details of the new regulations for data privacy. The UK, home to the Financial Times, is Brexiting but still, like the US and the rest of the world, deeply impacted by the GDPR. Two years in the making, the regulations, which will protect the privacy of users across several domains, have added wind to their sails thanks to Cambridge Analytica's use of Facebook data. Even Sheryl Sandberg, Facebook's chief operating officer, admitted (per the Financial Times) that Europe was way ahead on this. GDPR applies to existing users and partners, and mandates that any country wanting to sign a trade deal with one of the EU's 28 member countries will have to sign up to respect the GDPR. Other rules are documented in the GDPR's 200 pages. Given the article's reference to 75% of the world population in 7 years being connected to a digital device, the impact is beyond huge. (N.B. The Financial Times is by subscription only; however, a four-week trial digital subscription is only $4 U.S.)

Readers of last month's Cyber Scene may be expecting a synopsis of Mr. Zuckerberg's responses to Congress, but they have not arrived yet even as Congress adds more questions.

Read This One

And just in case you feel that GDPR (and perhaps this Cyber Scene) are consuming way too much of your time, New York Times's Brian X. Chen cautions in "Tech Fix: Getting a Flood of G.D.P.R.-Related Privacy Policy Updates? Read Them" on 23 May that the new law may merit its reputation as the world's strongest protector of digital privacy rights. It underscores the global nature of digital life, requiring "every commercial entity that touches the web" to make changes to its apps and sites to comply. He goes on to single out several exemplars of the game-changing nature of this regulation that touches us all.

War Cries; Re-Made in China

On several planes, cries of 21st Century war have lately been heard in the cyber world. The 3 May NYT Op-Ed by Christopher Kirchhoff, "Silicon Valley Must Go to War," departs from a recent Google engineer workforce call to prevent Pentagon use of technology "for evil" and moves to note that the impact of cyber on that kind of war is history. The author, who presently serves as Visiting Technologist at Harvard's Institute of Politics, also led the Pentagon's chief interface with Silicon Valley. He marks the Constitution as the cornerstone of collaboration between the two entities.

The Economist looks at both the world of arms control in "A farewell to arms control" (5 May) and a "Not so phony war" on 21 April. The former looks at how technology's race pace advances and recent political crises in the making are leaving the SALT agreements in the dust. The role of cyber is crucial: Daryl Kimball of the Arms Control Association think tank says that "cyber attacks on nuclear command and control systems could vastly increase crisis instability." The latter appears rather unstable as it is.

In the realm of "coming back home to haunt us," on 21 April, The Economist wrote in "Not so phony war" on the Chinese telecom ZTE issues, which as of this writing are far from resolved. The article cites an estimate by the bank UBS that ZTE's products relied 80-90% on American parts and notes that the initial ban on ZTE coming back to the US in contravention of a seven-year ban with US parts it isn't supposed to have had particularly roiled the Department of Commerce. The plot continues to thicken.

Not So Cryptic Currency; Should You Bank On It?

In the age of the onslaught of cryptocurrency concerns, Bloomberg Businessweek examines on 23 April Palantir, a data-mining company that initially supported the financial services sector in monitoring computer use to protect against rogue traders, but has evolved into what the article terms "Wall Street meets 'Apocalypse Now.'" The authors cite a litany of applications deriving from countless domains of privacy and include a diagram of the web of developer Peter Thiel that links 50+ big tech players and their organizations, FANGs to Tesla, in and out of this world.

As perhaps a deep dive echo, the New York Times Magazine of 2 May features nearly a dozen articles--backdrops to the status of global financial services as well as the criminal applications--that probe the status of potential victims and the creativity of cyber criminals. With regard to the growth industry aspect of money still making the world go 'round, now at unimaginable speed, the series, featuring topics from rigging a lottery to insider trading to offshore tax havens, presents cyber insecurity lessons for all tastes.

An across-the-pond "companion piece" is the Economist's 5 May "Special Report" article on financial inclusion entitled "Exclusive access," which discusses how the last quarter of the world's population that remains unbanked will be moving to phone banking. Mobile banking in the Third World, where other means of communication and brick and mortar banks are absent across most of that quarter of the world, creates opportunities, for good and evil, that will expand commensurately with the surge of mobile, cyber-hackable banking, leading to, if not the best of times, at least better ones for a quarter of the world, with the flip side of worst-of-times vulnerabilities.

Cyber Scene #22 - All Cybersecurity Politics Are ...

Cyber Scene #22

All Cybersecurity Politics Are:

Local

The OPM breach "wake-up call" as conveyed by the 20 June Washington Post's "Cybersecurity 202" by Derek Hawkins will be echoing across the 22 million federal active and retired workforce as hackers on 18 June admitted in federal court to having cashed in on personal identifying information gathered in the breach. In this instance, they worked through the Langley Federal Credit Union accounts of the victims for loans, then cashed the checks. The worst nightmare might be well into the future and beyond the 2026 credit monitoring scope offer from OPM...coming to a credit union near you?

National

Point. Apple has announced a new iPhone block to make law enforcement access to smartphones more difficult. The Wall Street Journal's Robert McMillan (13 June) reported that Apple's development under beta testing, the USB Restricted Mode, blocks other devices from accessing the phone data via its Lightning port beyond one hour after the phone is unlocked. This could eliminate a security loophole that forensic companies attempt to penetrate. However...

Counterpoint. The following day (14 June), Mr. McMillan follows up regarding the success of a Gwinnett County (Atlanta region) district attorney investigator in unlocking the iPhone thanks to a $15,000 device from Grayshift LLC welcomed by law enforcement forensic officials. McMillan recounts the 2016 legal battle between Apple and the FBI's effort to unlock the phone of the 2015 San Bernardino shooter. This readership may recall that the issue was resolved by the Israelis unlocking it for the FBI. However, the FBI (to assuage any intelligence naysayers) also warned U.S. internet users in late May of the need to reboot home routers to remove "foreign cyber actors'" malware, per Harvard Law Professor Jonathan Zittrain's New York Times article, "From Westworld to Best World for the Internet of Things (IoT)" of 3 June. He goes on to note that such vulnerabilities fall into two categories: first, endangering users such as the issue of the 1.4 million recalled Jeeps with hackable brakes or coffee makers subject to overheating and fires; and second, IoT's 10 billion+ networked things producing, collectively, threats much larger when scaled up such as a fleet of hacked Jeeps. He suggests two solutions as well: first, for attacking life-cycle issues, imposing a "life cycle bond" on internet-enabled products that can be cashed in by consumers if the company reneges on continued support of the product; and second, that vendors need to establish a means of communication across their products (he uses the Mac and PC positive example, not regional DVD systems!) to free the consumer from being locked into a non-interoperable technology.

Global

In the shadow of Europe's new DPRA (see Cyber Scene #21) rules on cybersecurity, the Economist's Technology Quarterly of 2 June entitled "Data Detectives" explores the notion of justice with the first chilling article, "I know what you'll do next summer." It continues to explore surveillance, encryption ("Read my phone"), electronic monitoring ("Home, home within range"), predictive policing ("Algorithm blues"), and the need for rigorous oversight ("Watching the detectives"). While the titles are catchy, the analysis attempts to be balanced by the conclusive need for citizen engagement driven not by oversight per se but by political will. In a democracy, this is not only possible but required.

Meanwhile, technology surges forward. The Wall Street Journal Report, "Cybersecurity" of 29 May looks at global tech developments from the perspective of the tech CEO and asks "What keeps them up at night?" The answer: everything--partners, rivals/enemies, disclosures, oversight, as well as tech attacks of all manner. The report continues by exploring how the knowledge that the technology will be attacked has not resulted in improved behavior and modification by the workforce. However, some companies are paying their own workforce with bonuses to find flaws before the attackers do, and they still struggle with encryption issues and the need for security patches. They also struggle in hiring, with two articles devoted to the gap between supply and demand and one specifically to the search for cyber women (recurrent Cyber Scene job hunters). To avoid too much optimism, there are also articles about Huawei and ZTE (our old Chinese friends) and a return to paper ballots in the US. (Note from the author: when the new African Union building was built by the Chinese several years ago, African leaders returned to paper ballots as well.)

As captured by Lawfareblog, the Senate has made progress with individual contributions as well as collective ones in June. Senator Mark Warner (D-VA), familiar to this readership as Vice-Chairman of the SSCI, addressed NSA on Law Day (12 June) on the subject of cybersecurity law and policy. A tech leader himself (co-founder of future Nextel) for 20 years prior to governorship of VA, Senator Warner addressed the gathering hosted by the NSA General Counsel Glenn Gerstell, he too a tech and cybersecurity expert. The Senator opened with a historical backdrop of the Sons of Liberty and Bletchley Park (a surprise coupling) and the rule of law needed to fortify our institutions (think: need for paper ballots and the not-so-Cold War). He notes that in the olden (Cold War) days, at least "politics stopped at the water's edge" whereas today we live in a globalized world where we are "divided from within and not sufficiently resisting efforts to divide us from without." He then addresses the need for "new norms in the digital age" supported by a cyber doctrine. He notes several examples of "no rules of the road in cyberspace" risking an accidental conflict, and the lack of rules when an intended response to one is required. China and Russia figure prominently in his discourse. He calls upon the need to work with other democracies to establish international legal standards even as we "uphold the rule of law at home."

And collectively, on 18 June the Senate passed the John S. McCain National Defense Authorization Act for Fiscal Year 2019 including a cyber amendment (Section 1634). This Act is generally viewed as a "must pass" bill. Since the House had passed its own version, the two bills go to reconciliation. One aspect of the Senate's amendment, as noted by UT/Austin's International Security and Law Professor Charles Francis, is the call for a "Cyberspace Solarium Commission" --a charge to develop a consensus on a cyberspace strategy to protect US advantages and defend against those who would erode them. Modeled after Eisenhower's Project Solarium to overcome divisions re: the US strategy regarding the Soviet Union, it is formed as a 9/11 Commission with more access and clarity. The creation of Senator Ben Sasse (R-NB) who serves on both the Senate Judiciary (see Cyber Scene #20) and Armed Services Committees, the Commission is framed broader than cybersecurity, encompassing a full spectrum of threats and challenges (Prof. Francis calls it "something of a SWOT analysis"). Francis sees the US at a strategic inflection point regarding many public and private sector capabilities as well as vulnerabilities. He cites the Russell/Goldsmith "Hoover paper" ("Strengths Become Vulnerabilities" of 5 June from Stanford's Hoover Institution) as an excellent "vulnerabilities" reference. He underscores the balance between capabilities and vulnerabilities being adversely impacted of late due to private sector distrust of the USG and the global income tilt of US-based companies. Section 1634 lays out specifics re: the composition of the commission to ensure that it is bicameral and bipartisan and includes the DNI Principal Deputy Director (PDDNI), DEPSECDEF, DEPSECDHS, and staff at its disposal from DoD and ODNI. The bonus is that it would hold subpoena power.

Cyber Scene #23 - Denials and Affirmations

Cyber Scene #23

DENIALS AND AFFIRMATIONS

July's Pandora's Box of front burner, headline grabbers exploded. This reality-challenging explosion includes indictments against a dozen Russian cyber attackers and discussion (now thankfully dismissed) of a "hostage" (author's injection), on site, interview exchange including a Moscow trip (?one way?) for a former US diplomat and ambassador, the incarceration in the US of an Anna Chapman wannabe flight risk and above the fold (if you still read print) presidential credence in an old KGB chief's intelligence over that of the US Intelligence Community. Only mushrooms (no Cyber Scene readers) could miss this. Below the surface, however, the current of steady ramming speed oars of growing cyber threats and countermeasures continues digitally afoot, or "a-fin" to not mix metaphors. The drumbeat will predictably continue, if not increase, in intensity.

DENIAL

FACEBOOK: FACE THE NATION (and China and UK)

The media giant has understandably snared headlines of late. Recently, (NYT 24 July) the explosive Chinese news (no, not the bomb outside the US Embassy on 25 July) was of momentary approval by Chinese authorities for a Facebook innovation lab in China, 10 years in the making--a nanosecond on China's timeline. (If memory serves, Johns Hopkins SAIS/Nitze School Prof. David Lampton once said: "China has had a few bad centuries but is making a comeback.") However, the approval lasted only one week: after concerns by China's Cyberspace Administration, which had not apparently been consulted, the Chinese Government withdrew approval on 25 July (NYT 25 July). Per the New York Times's Paul Mozur and Sheera Frenkel, the Chinese Communist Party considers all social media destabilizing, unless of course it controls said media. Readers may recall that over this same decade of Facebook effort, Google was "Sino-cized" by Chinese authorities to be permitted to conduct business there. According to the NYT piece, Facebook CEO Mark Zuckerberg stated last week that the company was "a long time away from doing anything" in China. He was more prescient than he may have realized. Things move quickly on a 21st Century tech timeline, including tech bottom line precipitous drops.

Mr. Zuckerberg has been in overdrive of late. In response, as your author promised, to the April grilling from Congress on data use, the CEO responded in 747 pages to the House of Representatives on 29 June, captured in miniature in the Wall Street Journal above-the-fold (WSJ 1 July) front page, entitled "Facebook Reveals Apps, Others That Got Special Access to User Data." This bombshell (vice the Beijing sort) included an acknowledgement that Facebook gave dozens of companies special access to user data in contrast to earlier statements. The WSJ had previously published info in June about customized sharing agreements with companies such as Nissan. As Cyber Scene predicted in April, Facebook's delay in response left the window open for more questions from Congress: in June the response was 450 pages to the two Senate committees, but the 747 pages for the 29 June deadline was to the House. It also revealed that it gave 61 app developers a nearly six-month extension after it said it stopped access to user data in 2015. Five other companies may have had access to user Facebook friends' data. And the Securities and Exchange Commission is also looking into such data-security breaches, most recently regarding the "son of Yahoo," Altaba Inc. per WSJ journalists Dave Michaels and Georgia Wells (WSJ 12 July).

Across the Pond, the UK imposed a maximum (but per Facebook-math, infinitesimal) fine of $660,000 in early July for data-protection violations as a result of the 14-month investigation of Cambridge Analytica. In addition to failing to safeguard user data, it also "failed to be transparent about how people's data was harvested by others" (NYT 11 July). The fine represents the landmark first fine of its sort world-wide. The UK continues to investigate companies associated with Cambridge Analytica which is now "decommissioned." Given the paltry fine, one might opine that Mr. Zuckerberg's European tour this spring was a success unless there is more restrictive fallout. In a possibly related move, however, Google was fined $5 billion ("real money" per the apocryphal Everett Dirksen comment) by the European Union referred to in the 18 July Wall Street Journal editorial "Europe Fights the Last Google War." The charge is that Google violated Brussels rules in forcing smartphone makers to preload Google browser apps. The WSJ maintains that this is an antiquated issue, and that Google is guilty of far more serious infractions. The editorial does, usefully, underscore the fact that tech innovations travel at a speed incalculably faster than the regulators, implying "so catch us if you can."

DENIAL: FACEBOOK AND FRIENDS but Jefferson? Not So Much.

The US Congress (again and still), however, is more relentless and possibly more timely. In a "lively exchange" over several hours on 17 July, the House Judiciary Committee hosted three policy chiefs from Facebook, Twitter and Google ("YouTube" subbed for parent Google) respectively. In the wake of DNI Coats' prior reference to the country being under attack, Congressman Nadler (D-NY) cited a national emergency and asked Chairman Goodlatte (R-VA) for an executive session (presumably closed) which was voted down 12-10. Nevertheless, the questions were probing--no love fest--covering the gamut from social media platforms to fake news to transparency. Facebook's Monica Bickert noted that it coordinates with both the Republican and Democratic National Committees to counter election interference, hiring five companies to do so, which digressed into "which companies and what political leanings" and conspiracy theories. Twitter's Nick Pickles found himself in one when asked about the 1st Amendment, which he, being British and only recently on this side of the pond, didn't seem to understand meant freedom of speech, but partially redeemed himself by noting that Twitter can eliminate 95% of terrorist tweets before they are transmitted. While the British may still consider Thomas Jefferson a terrorist cousin, Congress does not and was beyond dismay to find out that the Declaration of Independence was preemptively removed from Facebook. Much discussion ensued regarding particular, partisan removals on both sides of the aisle. Google's representative, Juniper Downs of YouTube, also faced her share of questions with a similar answer-to-the-question ratio as her two comrades. The Judiciary Committee seemed to be seriously distressed with evasive responses, having dealt with the CEOs themselves--more savvy and all-encompassing than the policy chiefs. Congressman Raskin (D-MD) suggested that the Committee should, like the EU, initiate legislation to protect privacy. That did not happen.

Facebook was asked why the "InfoWars" page alleging that the Sandy Hook shooting didn't exist and that the Parkland FL victims were actors was not taken down, but the response, unacceptable to the Committee, was that while pages that repeatedly violated Facebook's content standards would be suspended, "the threshold varies depending on the severity of different types of violations" (WSJ, 17 July, "Big Tech Asked How it Fights Fake News"). Another noted that a hate posting proposing another shooting similar to the one at the Republican Members' VA baseball practice must also be taken down. Despite partisan divergence, the hearing concluded on a quasi-bipartisan note with two Members (the Chair being one) supporting each other in demanding that hate posts (such as ones cited against both the Republicans and Democrats) be removed preemptively. NBC covered the "Declaration as hate speech" round on 5 July but to see not the 1976 Rotunda photo of the Declaration but our Congress in full action, "attend" the session itself.

MORE DENIALS... OF POWER

The Department of Human Services noted, per the WSJ's Rebecca Smith on 23 July ("Russia Hackers Reach U.S. Utility Control Rooms"), that Russian hackers who worked for "Energetic Bear" broke through air-gapped servers to position themselves to "throw the switch" and take down US electricity utilities managed by vendors trusted by DHS. The hackers entered via smaller companies with weaker cybersecurity, stealing credentials to gain access to the utilities themselves. They vacuumed info to be able to appear as normal daily users. DHS is also concerned that the Russian hackers may automate their attacks. DHS is planning four briefings to improve the public-private sector exchange as it seeks to counter such attacks.

...OF LOCAL GOVERNMENT SERVICE (aka, Not Playing in Peoria)

As an unfortunate reminder that hacking hits home, local government servers in several small mid-west towns and Atlanta were recently held hostage by a ransomware hacker/hackers. The Ponemon Institute research company (WSJ "Ransom Demands and Frozen Computers" of 24 June) believes that 38% of the public sector entities it samples (out of 1,000) this year will report ransomware attacks. The entities are scrambling to prevent this denial of service.

...OF SECURE HEALTH DATA

In the "not-so-healthy and getting personal" category, the health care industry is also a target of ransomware attacks. Following attacks on Atlanta International Airport and the UK National Health Service canceling appointments and diverting ambulances, LabCorp of America has also reported a broad cyberattack similar to ransomware on its genetic testing units, as reported by WSJ's Rob Copeland and Melanie Evans (WSJ 19 July "Medical Giant LabCorp Hit by Cyber Attack"). In this latest attack, the hackers demanded bitcoin payment to unlock all encrypted devices. The company wasn't proactively notifying customers but is "working to respond to specific customer inquiries." You might want to check.

AFFIRMATION--ALL EARS

Even as systems we depend on are increasingly denied to us, small microphones are proliferating rapidly and burrowing into our lives. Christopher Mims (WSJ 12 July "Your Gadgets Will Soon Be All Ears") predicts that "If every tree falling in every forest might soon be heard by an internet-connected microphone, what hope is there for our privacy?" The world talks to Siri and Google, but we can also talk to our trash can, and as the illustration conveys, your dog can too. The author anticipates an increasing anthropomorphism (your author's term) of things (a la Siri) leading to naming your oven or dishwasher, as in "David Bowie, preheat the oven to 350 degrees. Frank Zappa, wash the dishes." If only these affirmations were 100% humor...

Cyber Scene #24 - Spectrum Analysis: PRIVACY---------------?---------------SECURITY

Cyber Scene #24

SPECTRUM ANALYSIS: PRIVACY---------------?---------------SECURITY

SIRI-OUSLY, THE EYES (VICE JULY CYBER SCENE EARS) ALSO HAVE IT NOW

As a 10 August Wall Street Journal prelude to this Cyber Scene and to the New York Times Magazine feature discussed below, WSJ writer Matthew Hennessey examines the "grand bargain" between Silicon Valley and us individuals as we give up privacy for "cool stuff." Given the inclination of most people to share, he sums it up as "vanity trumps privacy." Big Tech has its FANGs ready to optimize this default. Hennessey looks not only at anecdotal stories (a 6-year old with a $162 purchase order) but cites a study by UC Berkeley's (aka "Cal") Center for Long-Term Cybersecurity underscoring the IoT "heralding a qualitative shift in how privacy is managed, by people and by the organizations that create, sell, and operate internet-connected devices." The study tracks how consumers lose the capability of controlling data about themselves with no perception of the downstream impact of their own decision. Hennessey goes on to address worse impacts on families (hacked webcams and baby monitors) and also briefly notes the USG role in designing malware to exploit corporate cyber systems. Could a kryptonite webcam sticky or another variation on Newtonian action/reaction be in our future?

DATA MINING OF PII A LIMITLESS NATURAL DEPOSIT?

The New York Times journalist Nicolas Confessore, in the 14 August Magazine cover feature, pursues the monetization of the IoT privacy invasion in "Big Tech's War on Privacy," underscoring that the trillion-dollar industry has good reason to fight privacy issues. Oakland businessman Alastair MacTaggart ended up thrusting himself into fighting what Confessore terms a Silicon Valley resource grab. MacTaggart's attempt to impose a measure of control on PII access resulted in the Big Tech players lawyering and "lobbying" up. Fast-forwarding, the prior administration had just begun to work on a consumer-privacy bill when the Snowden IC revelations occurred. The press and industry fought back. The watered-down version of the proposed Congressional bill angered consumer privacy advocates. Following untold alternative approaches, MacTaggart succeeded in getting a California state law passed, effective in 2020, to curb some excesses. The present US administration is already looking at a new national privacy standard that would override the not-yet-effective California state law. Stay tuned!

FACEBOOK AD LIBS

The privacy debate has been ratcheted up: with the issue of Facebook ad manipulation rising in the run-up to midterm elections country-wide, the tension between privacy and democracy itself has come to the forefront. NYT's Natasha Singer sees the Facebook ad service as being a tool of external political trickery in her 16 August study. While the Kremlin-connected Internet Research Agency in London is digitally shuttered, and more recent transgressors undergoing some wing-clipping, Singer continues to believe that midterm primaries as well as November elections are prime targets for politically motivated ad placement with a view to clipping the wings of democracy itself.

APPLE--PRIVACY HERO? HOLD OFF ON THOSE LAURELS

As Apple posts its first trillion dollar bill on its wall of fame and continues to pointedly distance itself from those invasive Facebook and Google folk in support of "privacy as a human right," it too faces the same security problems with regard to its apps and the misuse of data that ensues. Bloomberg's Sarah Frier explores this on 13 August. iPhone developers have gathered phone numbers, home addresses, and social security numbers. Once developers get this info, it is no longer visible to Apple, whence the control issue. Although a new rule in July 2018 now prohibits the re-selling to data brokers, political campaigns, or postings on the internet, it is still not difficult "for developers to harvest this information." Frier notes that a blow up similar to Facebook/Cambridge Analytica could happen. However, Apple differs from Facebook in that it doesn't make money from advertising. When users turn off sharing, for example, Apple does not delete data already shared. Google has a similar problem, Frier reports, but Google does not claim to be an advocate for consumer privacy.

GOOGLE REVISITS CHINA

Google, however, is an advocate of doing business in China, and, per New York Times correspondents Li Yuan and Daisuke Wakabayashi's 1 August article filed in Hong Kong, Google is picking up its work on a censored search engine for China to curb anti-government commentary as well as other expressions deemed at variance with the country's leadership. They reported that Amnesty International said Google's censorship program for China would be "a dark day for internet freedom." Some other Big Tech companies also feel threatened as foreign websites including Facebook, Twitter and the New York Times are at risk as well. Ironically, Google would find itself not as a harvester of personal data, but a silencer of it. The NYT article goes on to say that in addition to the Chinese to be censured, Amnesty International, and others, some Google employees themselves are also disappointed about the corporate direction to squelch expression.

BIG TECH ON THE HOME FRONT

The issue of technology leaders taking responsibility for fashioning policies that protect individual privacy rights while connecting the world (make that the free world, wherever it may be) is complex and fraught with pitfalls not envisioned until lately. Farhad Manjoo, writing on "State of the Art" in the NYT business section on 25 July, lays out a broad analysis of how the tech industry, under pressure, is trying to determine where its responsibilities lie. He notes that the lines drawn at present by Big Tech are fuzzy. He cites tech growth as the reason for the heretofore hands-off approach to addressing these responsibilities. (The grueling Congressional testimony Mark Zuckerberg endured may have motivated the FANGs to speed up their thought process about privacy protection and other attendant issues.) Manjoo probed inside as well as outside these big tech companies, impressed by the thoughtfulness of the discussions, but a defined course is still lacking.

NOT PRIVATE ENOUGH BY HALF: US ELECTIONS

As Big Tech ponders deep thinking on seemingly intractable issues, there's trouble in River City. National Security Advisor John Bolton expressed concern on 19 August, per Carol Morello of the Washington Post, that not only Russia, but also China, Iran and North Korea may meddle in US midterm elections. He added that "what we want is not war in cyberspace; we want peace in cyberspace." However, the Chairman of the Senate Select Committee on Intelligence (SSCI), Republican Richard Burr, in an interview with the Associated Press's Mary Clare Jalonick filed 18 August, did single out Russia. The Senator said that the Mueller investigation must run its course, frustrating as the probe is, and that he does not want to be responsible, ex post facto, for overlooking something important on his committee (of which Cyber Scene has written frequently). He said that when the SSCI's role in the probe began, "I don't think any of us...understood just how coordinated the disinformation and societal chaos campaign was." As noted in earlier discussion, the SSCI holds a stellar position as one of the few truly bipartisan entities on the Hill.

GIRDING UP THE GRID:

Following earlier discussion of additional attacks on critical US utilities, US leaders are working with the National Infrastructure Advisory Council, State Department's cybersecurity chief Deputy Assistant Secretary (DAS) Robert Strayer, Homeland Security, private sector experts, and former NSA and CyberCommand Director General Keith Alexander (who briefed the House Armed Services Committee) as well as New York Governor Andrew Cuomo inter alia to move forward with hardening the defense of the US grid. Rebecca Smith, writing for the Wall Street Journal on 5 August, notes that US officials are seeking stronger penalties for hackers from Russia, China, Iran and North Korea. On 17 August, President Trump took action to loosen the rules of engagement for US cyberattacks. (John Bolton's opinion on this action is not known.) According to Dustin Volz in his Wall Street Journal article of 15 August, this pronouncement generated several questions about how the military would move to offensive cyber strikes and whether this would escalate hostilities. While those issues are not likely to be discussed openly, the President's action is a big change from the interagency process prevalent during the 2008-2016 period. Many of the issues surfaced in this article stem from comments by Tom Bossert, the former homeland security advisor who was reportedly forced out of his job when John Bolton stepped in as National Security Advisor. In any event, this seems to go well beyond "prevent defense" and address the loss of national security treasures that keep this country running.

Cyber Scene #25 - CRAZY (CYBER) RICH...

North Koreans: Column A menu

Over 50 fake social media profiles have reportedly bolstered North Korean IT sales to obtain needed hard currency by avoiding sanctions, according to the 14 September Wall Street Journal. The operatives posed as Japanese, while in fact working on the Chinese side of the North Korean border (see combo platter segment below) and duping unsuspecting web designers as well as those sucked into the trap. One of the suspects was linked to the killing in the Kuala Lumpur airport following an apparent high profile assassination. LinkedIn as well as many additional legitimate cyber entities were also duped.

In early September, the US released 176 charges against a North Korean operative linked to a "cyber army", according to Aruna Viswanatha and Dustin Volz of the Wall Street Journal. The US charges focused on the 2014 attack on Sony, but also cited the $81 million theft from Bangladesh's account at the New York Federal Reserve Bank.

Chinese: Column B menu

In addition to Equifax's major and much publicized hack of customer data, the Wall Street Journal reported on 12 September on Equifax's fear of Chinese corporate spying two years before the consumer financial data attack. In 2015, Equifax sought the help of the FBI and CIA, as the company feared that employees who subsequently went to work for Chinese companies had downloaded proprietary corporate data related to how credit scores were obtained, algorithmic applications, and other corporate secrets. It appeared that Chinese firm Ant, an affiliate of Alibaba, had offered to triple salaries to certain Equifax employees to jump ship.

And just as Jack Ma, the CEO of China's e-commerce tech giant Alibaba, announced on 10 September that he will soon retire, changes are occurring in the face of some limited regulation, with Ant Financial (the above-mentioned affiliate of Alibaba) and Tencent (known for WeChat) re-branding their work. Rather than refer to this as "fintech," they are now calling it "techfin," intended to "play up technology offerings instead of financial services."

Russians: Column C menu (part Asian/Tatar too!)

First and foremost, two New York Times seasoned intelligence journalists Scott Shane and Mike Mazzetti launched a 12-page special report on 20 September entitled "The Plot to Subvert an Election: Unraveling the Russia Story So Far" which delves into the overwhelming power of Russia's hacks, leaks, and social media "fakery" to include online trolls reaching an audience of "nearly as many Americans as would vote in the (2016) election." In addition to including some seemingly new material (e.g., the Russian-based fake twitter which drove the pro-Putin "peacemaker" banner in Manhattan), the report includes activity back to 2014 and an 8-page timeline ending, so far, in September 2018. The scope of the report, mirroring the magnitude of the cyber activity it examines, warrants attention. The timeline itself is stunning and aids in digesting Russia's role in the 2016 election, giving one pause about the 2018 midterms in November.

Combo platters:

Chinese-Russian: Back to Alibaba, China's financial services firm has taken a 10% stake in Mail.Ru Group, one of Russia's biggest commercial tech players, as reported by the Wall Street Journal. A Russian head of a state-owned investment fund noted, following the Putin-Xi Jinping meeting in mid-September, that "Russo-Chinese cooperation in tech is one of the most promising avenues for bilateral relations."

Chinese-North Korean: See above regarding the Chinese platform in Shengang near the North Korean border aiding North Korean operatives bilking US IT users.

BIG TECH: Keeping up with the tech-rich catch-up connections

Just as cyber technology seeks to connect the world digitally, users and regulators are now picking up the pace of connecting (the dots) with the connectors. The last four weeks of media discussion have generated a huge data dump. Even Congress, wedged between an August recess for the House (the Senate canceled its recess) and mid-terms looming ahead, ominously for some and excitedly for others in November, has resumed its inquiries.

The Rein/Reign of Congress?

The Senate Select Committee on Intelligence (SSCI, now probably a household acronym) summoned tech leaders Larry Page (Google), Jack Dorsey (Twitter) and Sheryl Sandberg (Facebook) to testify on 5 September. But Larry was a missing Page, and Senators "tore into" the seat where Mr. Page should have been with terms such as "arrogant" (Sen. Rubio) and "outrage" (Sen. Collins) (See www.senate.gov/ssci for the unabridged version). They were not alone: Bloomberg Businessweek published a long article on 13 September entitled "Where's Larry" noting that the 45-year-old tech giant has a very small footprint these days, or a very clever early retirement as he maintains control of Google but has passed along much of the tech direction to subordinates. The 7 September New York Times print article entitled "A Tech Dialogue, Minus Apologies and Grandstanding" by Farhad Manjoo also criticized Mr. Page for his absenteeism, noting that it was a big mistake. He notes that Google, unlike other tech giants, did not take a pose as an upstart but rather as the "grown-up in the room." This reputation is now quite tarnished. The relationship between tech and Congress is critical, particularly as regulatory issues are increasing. Time Magazine's Haley Sweetland Edwards on 17 September noted that as Washington takes on the threat of Big Tech, the relationship has moved from "once darlings" to "decidedly cooler." Mr. Manjoo notes that Facebook COO Sheryl Sandberg and Twitter CEO Jack Dorsey also testified before the House Energy and Commerce Committee where the latter testifier "overflowed with candor." Just prior to the testimony, Ms. Sandberg was the subject of a lengthy examination by the Wall Street Journal's Betsy Morris, Deepa Seetharaman and Robert McMillan on how she was put in the PR hot seat to defend Facebook's reputation in the wake of the Cambridge Analytica expose and opined about how she was now responsible for fixing the mistakes. She seems to have fared better than the absent Mr. Page. Two days before the Senate testimony, Barron's Jon Swartz had described the tension between Congress on the one hand and Facebook and Twitter on the other as "white-hot intensity." Tension is also impacting one-third of the Senate and all of the House, with seats up for re-election or grabs, in a matter of weeks. So open hearings also provide a podium from which those now reigning may have a platform to try to continue to do so. As discussed in earlier Cyber Scenes, tech is moving much faster than the regulators who are playing catch up.

The Cyber Offensive Beyond the Beltway

In addition to the regulatory aspect of dealing with cyber and the tech giants that wield it, the reach of the US Government now includes suing spies, per the 13 September Economist. In addition to discussion of the North Korean leading the "cyber army" attack on Sony and the NY Fed Bank "heist" discussed above, the 2014 White House began indicting cyber attackers in a broader pattern that also included five Chinese army officers indicted for industrial espionage. (Sadly, these were not the ones involved with Equifax's first hit.) Five Russian FSB members and nine Iranian elite Revolutionary Guard operatives were also charged. The move toward the courts comes as a double-edged sword, but American officials are "seeking to draw a line between old-fashioned spying, which is seen as fair game, and piratical deeds, like election sabotage and spying for profit."

Big cities are also bracing as they seek cyber insurance to protect against vulnerabilities in their systems, as seen in the Atlanta hack. The Wall St. Journal's Jon Kamp and Scott Calvert explore this new business in their discussion of the 25 most-populous US cities and how they are bracing even as they stave off attacks. Per Andrew Duehren in the 19 September Wall Street Journal, companies such as Symantec, Microsoft, Cloudflare and Synack are also jumping in with free services to states or campaigns to help candidates and campaigns with issues such as identifying fake webpages.

Dave Weinstein's op-ed (WSJ 29 Aug) looks however at a sea change in the difference between cyber defense and cyber offense, and how the present administration with delegation to US Cyber Command has more authority to attack rather than defend. He notes that "cyber policy is shaped by a trade-off between deterrence on the one hand and intelligence collection and diplomatic standing on the other." His discussion concludes that if US Cyber Command is perceived as having its hands tied, enemies do not see much risk in continuing cyber attacks.

Cyber Scene #26 - INFO WAR OF THE WORDS

The Wellness Factor: Wells, Welles or Orwell?

History does repeat itself. The "War of the Worlds" broadcast on CBS radio on 30 October 1938 celebrates its 80th anniversary. As this readership was unlikely to have heard the broadcast, the storyline deals with an intergalactic alien invasion of the U.S. which much of the listening audience assumed was real. Today the multifaceted media, which in the past provided us with verifiable information, has been tainted by the infusion of fake news, trolls, hackers, and other alien invaders and purveyors of misinformation, not for theatrical effect but more nefarious intent.

Cyber Scene has probed many of these instances before, but the scope, intensity, and sophistication of attacks revealed over the last month is chilling. They range from concerns at one extreme about divisive Internet Research Agency tweets regarding the famous NFL national anthem non-fair catch "knee-taking" (not associated with a "Hail Mary" or the genuflection in mathematician/songster/Army signals analyst Tom Lehrer's refrain in "Vatican Rag") (WSJ 22 October, "Trolls Fueled Controversy"). At the other extreme, there is justifiable concern about the upcoming midterm elections. If the Russian intelligence service cared enough about National Football League activities to invest an effort in using them as a wedge in the upcoming elections, the United States is a huge target.

States are taking action to provide backup systems to electronic voting. The New York Times Magazine of 26 September, in an article entitled "The Crisis of Elections Security," outlined the problems of the 2016 election, stating that a failure at the ballot box was a failure of democracy. Also in mid-September the Wall Street Journal indicated that 13 states were "voting without net" as they had no paper backup system to the existing electrical one. As of 19 October, the New York Times editorial entitled "Elections Could Be Hacked, Vote Anyway" notes that only five states remain unprotected by paper backups. The editorial referred to a test in April 2018 whereby Florida state election officials replicated their data; despite many upgrades to election machines, an 11-year-old boy needed only 10 minutes to hack into the database. Russians have been seen as focusing 24/7, 365 days/yr. on hacking issues.

Vet Army Of One

Just as the New York Times editorial called on each of its readers to vote anyway, so too did one veteran take on another war--the war of disinformation (WSJ 17 October). Kris Goldsmith, age 33, who worked for Vietnam Veterans of America, discovered fake Facebook pages related to their interests. After being told by Facebook to contact the authors, Facebook agreed to delete the pages within two months. Mr. Goldsmith flagged Facebook pages with millions of followers "...targeting military personnel and veterans through patriotic messages and fomenting political divisions." Since then, two dozen additional pages which had 20 million followers were purged of Russian- and Iranian-linked disinformation campaigns. This success led to the manager of FireEye, which tracks misinformation, establishing a conference call with Mr. Goldsmith, Facebook, and the House Intelligence Committee staffers and a subsequent meeting at Facebook's office in Washington.

Cyber Spy vs. Spy vs. Spy

As discussed in previous editions, the Chinese have been particularly engaged in hacking. Now, however, it appears that the Chinese themselves are being hacked, beginning an Asian version of Boris and Natasha. On 2 October, Robert McMillan of the Wall Street Journal explored the problem facing cyberespionage experts as to who is exposing China's hacking army. In the cyber world, holding one's cards closely is sometimes an advantage. However, an anonymous group, Intrusion Truth, has itself intruded into state-sponsored intrusion efforts. The playing field seems to be expanding.

Google Apps or Google Oops

For those users on the sidelines, however, Google had bad news in October: hundreds of thousands of users of its social network Google+ had their private data exposed. Relatedly, the Senate Commerce Committee held a hearing on 10 October to address this public disclosure and to look to further regulatory scrutiny through bipartisan congressional action. The chairman, John Thune (R., S.D.), called for a national standard on privacy. Senator Mark Warner (D., VA) expressed his concern about the understaffed Federal Trade Commission (FTC) being able to meet its challenge.

50,000,000 FB Users Can't Be Wrong(ed)!

Google has company: during the same time frame, Facebook disclosed the exposure by hackers of data of 50,000,000 users (NYT 28 September). These users included Mark Zuckerberg, Facebook CEO, whose work, appearing and not appearing, at congressional hearings, has been covered in earlier Cyber Scenes. Facebook has also moved forward to purge invalid photos and videos that have been linked to a collection effort by Russian actors. More than 60 accounts have been connected to facial recognition software makers for Russia. Both Google and Facebook fall under surveillance of the Federal Trade Commission.

Rounding Up Some of The Usual Suspects

Against this backdrop of gloom and doom there have been notable public successes. Several Russian bad actors have been named and indicted. Recently added to the list is Elena Alekseevna Krushyaynova of St. Petersburg (the Leningrad St. Pete), a close ally of Putin, who directed an info war against midterm elections in the U.S. She is also connected to the 13 Russians indicted in the Mueller-led investigation. Russia was also cited in the New York Times 23 October article in an attack with malicious computer code to take control of a chemical plant safety shut-off system in Saudi Arabia. Russia has been accused of infrastructure attacks in the past.

Will the Real Investigator Please Stand Up

In a cyber game twist, the US, UK and Dutch caught Russians red-handed, so to speak, hacking the very global institutions that were in the process of investigating Russia (NYT 4 October). This occurred outside of the Mueller investigation, although 3 of the 7 were also indicted in July by the Mueller team. The attacks were world-wide and included British governmental agencies, FIFA and 250 athletes and the anti-doping organization investigating Russian athletes, and the agency in the Hague, O.P.C.W., investigating the use of Novichok in the attempted murder of the Skripals in Salisbury. The success was an outgrowth of transatlantic collaboration.

Going Chinese: Brussels Sprouts an Extradition While the Allies Go Public

And little Belgium did its part as well, as Belgian authorities helped to make US history in arresting and then extraditing to the US a Chinese intelligence officer accused of stealing US avionic trade secrets. This international sting operation marks the first time an indictment, extradition and open trial will have occurred involving a Chinese intelligence officer. The Economist (13 October) offers its UK perspective, underscoring how unusual a spies' press conference conducted in the UK is. This time, however, the British and Allies decided that the benefits of exposing the Kremlin outweighed the risk of tipping their own hands, according to former UK National Security Adviser Sir Mark Lyall Grant.

CYBERCOM Takes Aim at Global Warming of Cold War

The transatlantic cybersecurity alliance successes above are also linked to success in keeping Russia from having an influential vote in US midterm elections. The post-WWII Fulda Gap has now transformed into a hot cybersecurity war. According to Julian E. Barnes of the NYT (23 October), the US is undertaking cyber operations in Europe to protect US elections in early November. This marks the first time, according to the Department of Justice, of information warfare involving cyberoperations overseas to counter Russian election threats. These are reportedly linked to Russian activities in Europe. CyberCom is said to be targeting specific individuals. This falls within the recent broadening of the Command's responsibilities. This redefinition has been advanced by both SecDef Mattis and National Security Advisor Bolton.

Cyber Scene #27 - Data Redefined: Heading Toward an Inverted Dutch Disease Calamity?

Prior to addressing the panoply of earth-shaking cyber events of the past 30 days, let us begin from theory to specificity this round. The Economist calls upon us to move toward a new way of thinking about data in its "Identity" piece, "Les stats, c'est moi." It likens data to new oil: "...all those 1s and 0s are of little use until they are processed into something more valuable. That something is you." The article goes on to discuss how the world's 10 most valuable companies are tech, except for Apple which is nevertheless hugely connected. Although all of us (excluding, of course, most of this readership) have not changed behavior until we are personally targeted, the litany of companies and organizations victimized by breaches -- from Google to Panera (and more personally, OPM and Marriott), grows longer. So what's with Dutch disease? Closet economists (your author included) as well as professionals have examined the downside of too much of an unregulated good thing with the Netherlands discovery of gas fields leading to a demise in its manufacturing sector. The article underscores the importance of "data-protection regulation and new laws surrounding the use of algorithms." As previous Cyber Scenes have discussed, the US Congress is struggling to do so. But the article's thrust is that "...it is not the data that is valuable. It is you."

DIGGING DOWN TO CHINA: THE DIRT

As our tech sleuths struggle to identify all perpetrators, China keeps rising to the surface. While false flags are possible, other issues appear indisputable. Wired's Brian Barrett examines "How China's Elite Hacks Stole the World's Most Valuable Secrets." He sketches out how, since 2014, China has circumvented the locked data doors via its "APT10 advanced persistent threat" hacking group. He notes that given the "no hacking agreement" of 2015 between the US and China, China "can't handle the truce."

--Huawei or the Highway?

The detention of Huawei's CFO in Canada reported in the New York Times and the reciprocal detention of three Canadian citizens (two are still being held as of this writing) in China underscore how this data issue is very personal for them. The immensity of the US national security threat is more ominous. Last month Barron's cover story by Jack Hough, "New Missile Signals a Renewed Arms Race," analyses how the Pentagon is turning to Big Tech (Silicon Valley in particular) to help. Since then, the Wall Street Journal's Brian Spegele and Kate O'Keefe have examined how China sought to contravene US regulations prohibiting the export of satellite technology, in this case from Boeing. The 15-16 December Journal went on to write on how Chinese hackers breached US Navy data including satellite data; Gordon Lubold and Dustin Volz continue to address incidents over the past 18 months termed "some of the most debilitating cyber campaigns linked to Beijing." In the same issue, Rob Taylor (Canberra) and Sara Germano (Berlin) cite discussions among Western "spy chiefs" including the Five Eyes (US, UK, Canada, New Zealand and Australia) during a July conference which underscored vocal (unusual) concern about Huawei and generally Chinese-made gear. This follows Wall Street Journal reporter Dustin Volz's article the prior week on the US charges against Chinese hackers. The article includes a chilling quote from cyber expert Rob Joyce: "We view it as the platform the Chinese are using for whatever they need...and that's why you are seeing the government saying, we've got to deal with it, push them out, make sure they don't have that toehold."

--Back to the Satellites

NBC's Lester Holt Nightly News of 28 December features a Richard Engel special on his attempted visit to a remote but gargantuan Chinese satellite station in Patagonia, Argentina. It is unlikely to help Chinese GPS hikers, but rather follows 40+ years (per your author's knowledge) of Chinese Southern Cone lower tech investments: railroads, hospitals, soccer stadiums, infrastructure projects to include parliamentary buildings and airports, and now upping the collection ante. And, yes, money, creating massive Southern Hemisphere indebtedness. Is "loan shark" in Chinese "dim sum of its parts?"

--George Kennan's Containment, Sino-Style

As the "high tech arms race" heats up, trade tensions run cold, hot and hotter. The impact hits farmers in the mid-west, exporters in the far west, manufacturing everywhere, the White House and Congress. But back to "you." If you have visited Starwood Hotels and Resorts Worldwide back as far as 2013, you might be in the unlucky 1/3 of 500 million impacted by the breach. See David Sanger & Co.'s New York Times account, "Marriott Data Breach Traced to Chinese Hackers." New passports, anyone? Or are those USG officials furloughed?

--and Back to Kennan's Soviet Version: Russia's Window to the West (Vlad, not Peter)

Amid the flurry of a likely Mueller investigation conclusion in the near term, Scott Shane and Sheera Frenkel (familiar names to this readership) examine the targeting of African-Americans in Russia's operation to influence the 2016 election. The New York Times journalists cite two emerging reports tracking "the energy and the imagination of the Russian effort to sway American opinion and divide the country, which the authors said continues to this day." One report was produced by a cybersecurity company, New Knowledge, with contributions from Columbia University researchers and Canfield Research, LLC, and obtained by the New York Times. The other was written by Oxford University's Computational Propaganda Project with support from the company Graphika, specializing in social media, and was released by the Washington Post. The Shane-Frenkel article embeds both of the reports. LAWFARE points out that the Senate Select Committee on Intelligence, which had commissioned the studies, also released them to the public on 17 December.

--And Pre-Furlough House "Interest" in Google

In what seemed a command first performance, Google CEO Sundar Pichai appeared before the House Judiciary Committee chaired by Bob Goodlatte (R-VA) on 11 December. Over three hours of "discussion, Congressional-style," the Google Chief fielded all manner of questions including: "How is personal identifying information safe with you?" (Hank Johnson, D-GA); "How do you differentiate what you do with data?" (Ted Poe, R-TX); repeated questions regarding Google's plans for China (CEO says no plans now, but did not say "never"); and the Chairman's request for a delineation of differences between US and EU data use, following discussion earlier (Eric Swalwell, D-CA) of EU's new regulations. Several Members cited the need to allow users to "opt in, not out," and the one humorous exchange and noteworthy "soft shoe" response from the CEO occurred when Congressman Poe (R-TX) displayed his cell phone and asked the CEO if locational capabilities could identify his move across the aisle to one of his Democratic colleagues. The latter said he would welcome him warmly were Poe to come over. The CEO, however, dodged answering the question. In comparison with what Facebook has been battling in December (see the next R & O's Cyber Scene), the New York Times' condensed reports of "grilling" seemed extreme, but one pointed comment may be interpreted as a warning shot: Ted Deutch (D-FL), who has sponsored privacy legislation, stated: "If the government steps in to regulate, you won't like it."

--Engagement from last Three of Five Eyes

In early December, the UK Parliament released 250 pages of Facebook documents as part of its Parliamentary investigation of how Facebook uses data. As reported by the Wall Street Journal on 29 December, these indicated that the CEO seemed to downplay the risk of developers sharing Facebook data among themselves.

Down under, Australia has passed a bill that allows it to monitor all online communication, per The Economist. The bill is now in effect, albeit difficult to implement. The Aussie Government can now require tech firms to bake backdoors into their systems to allow authorities to access online communications. Non-compliance charges are $7.2 for firms who defy the law and $50k for individuals. Exposing this process (the Economist says "snooping") can land one in prison for five years.

And little New Zealand, per the New York Times, is blocking telecommunications gear from Huawei, despite the request from one of the largest Kiwi telecom carriers, Spark, to use it for its 5G expansion.

Cyber Scene #28 - Regulation: Variations on a Theme

Regulators Unite en Marche (or not)!

Under the rubric of the Internet Governance Forum which convened in Paris mid-November, French President Macron called on nations to join forces to regulate the tech industry given the dominance in daily life of cyberspace "in every aspect of our lives ... as the shared responsibility...to improve trust, security and stability in cyberspace." Labeled the "Paris Call for Trust and Security in Cyberspace," President Macron's appeal to Europeans as well as the US to move forward as a unit seeks a global reach. His address established nine criteria for strengthening cybersecurity globally, removing or preventing illicit cyber activity and protecting privacy, and calling for 2019 forums (Paris Peace Forum and the Internet Governance Forum in Berlin) to revisit progress on this regulatory initiative. France itself will undertake a 6-month regulatory pilot program studying how Facebook (FB) removes certain illicit content, with work extending from its Silicon Valley to Dublin locations. The US, per President Trump who was in Paris at the time of this initiative for the anniversary of the end of WWII, will not participate following a reportedly tough exchange with his host. Your author agrees with legal expert Paul Rosenzweig (Lawfare blogger and legal eagle extraordinaire) who opines that international regulatory action may come, and that a presidential "contretemps" should not overshadow the importance of Macron's call to action. He also recommends reading Macron's "Call" in its entirety.

On the other hand, the US regulatory role was underscored, also in mid-November, by NSA's General Counsel Glenn Gerstell who addressed the annual American Bar Association National Security Law Conference. General Counsel Gerstell traced the legal regulatory authorities back to 1928, citing prescient commentaries decades ago and the need for such regulation of the nascent internet. He notably does not dispute the preeminence of judicial review, as confirmed by the blockbuster Marbury v. Madison case, as the acting Attorney General nominee recently maintains. It should be noted that one of Mr. Gerstell's predecessor NSA general counsels, Stewart Baker, Esq., is the lead voice on Lawfare's National Security reporting. He is also a partner with Steptoe & Johnson, LLC, which has spawned several US Trade Representatives, past and likely future, as the intertwining of trade and cybersecurity has of late been an "above the fold" (for tactile readers) top news item. Lawfare itself is a Harvard Law School/Brookings Institution joint venture. As regulation of cyberspace develops, so too should the readership of Lawfare.

New Regulating Regulators -- Undaunted Courage: Is a cyber regulatory map in the 2019 forecast?

A leitmotiv apparent to regular Cyber Scene readers has been how Congress can, or should, regulate cyberspace via its high-tech FAANG command posts. Whether this spills into both chambers' foreign affairs committees relating to Macron's call to action or not remains to play out in 2019 with significant changes to the players on the field. The following developments since last month may provide some projections.

The Regulated -- Will FAANGs' claws be clipped?

As the Dow dips against a drop in US-based tech stocks despite Amazon's HQ2 expansion (and coincidentally, so close to Congress and Wall Street!), discussions continue internally among FB and others about how to address past lapses and future fixes. In the realm of whether a strong defense is always a sufficient offense, Mark Zuckerberg returns to the center ring as FB seeks to acknowledge past sins and obtain a pass for delays in reporting the extent of the Russian infiltration. Several Senate committees -- and these will likely remain intact come January 2019 -- are expecting more solid explanations even as the House moves toward change in committee leadership. Notable among them is Adam Schiff, in line to assume the HPSCI chair. He starts out restrained, likely sardonically replying "that's a good one" to a presidential tweet replacing the last two consonants of his name rather than jumping into a tweet-for-tat (or that). But with Rep. Nunes's incendiary chairmanship ending, Schiff and other new committee chairs will likely move out to put subpoena teeth into talk of regulation. Which end of "getting mad or even" is in the fore remains to play out. But not to miss out on lame duck opportunities, the House Judiciary Committee has just issued subpoenas for former FBI Director James Comey and former Attorney General Loretta Lynch regarding Hillary Clinton's (but not Ivanka Trump's) emails under outgoing chairman Robert Goodlatte (R-VA) and possible ties between the Trump campaign and Russia, per the Black Friday New York Times.

This follows New York Times analysts Nicholas Confessore and Matthew Rosenberg reporting on the onset of "open warfare" between Silicon Valley tech industries and former Democratic supporters on the Hill in the wake of revelations that FB execs were less than forthcoming regarding evidence of Russian activity on FB for longer than first disclosed while, on the other hand, hiring a Republican-linked research firm to attack George Soros, billionaire Democratic supporter. Senior Senate statesmen such as Senators Elizabeth Warren (D-MA) and Chuck Schumer (D-NY), the latter a particular "Facebook friend," who have supported the FAANGs in the past now seem ready to take to task the lack of accountability and "the dark side of technology." Four Senators including Amy Klobuchar (D-MN) have specifically written FB to inquire whether it, or any FB affiliates, used "vast financial and data resources available to them to retaliate against their critics, including elected officials who were scrutinizing them." This calls to mind last month's Cyber Scene discussion of who's hacking the hackers. As NYT contributor Mike Isaac's continuing reporting on FB notes, CEO Zuckerberg defended FB's actions in both a Q & A with his employees and a conference call with reporters. While it seems fact-based that Zuckerberg and COO Sandberg who both testified as reported in Cyber Scene in the spring before Congress about preventive FB measures, were unaware of the extent of the problem when informed by their security chief as noted by Wall Street Journal's Deepa Seetharaman, it is likely that they and other "-AANGs" will face intense scrutiny and more/some regulation from both sides of the Hill once the post-midterm election lull subsides. For those looking for FB heads to roll, the CEO seems untouchable. 
Against a backdrop of queries about #2 and COO Sheryl Sandberg's survivability, FB announced that its Communications and Policy Chief Elliot Schrage issued a written apology for targeting George Soros, for which COO Sandberg also apologized to employees. She remains, while Mr. Schrage is leaving FB.

On cyber issues, changing dynamics of the Senate committees as referenced above include the ire of some former supporters of FB. Along with changes in House leadership as a result of the midterms, both the House and Senate will be anxious for future congressional hearings, whether bipartisan or not. Recently, apart from court appointments in six Senate open hearings, the Senate Select Committee on Intelligence (SSCI) held two closed hearings as one third of Senate seats were in the midterm mix. The midterms suspended most hearings in the House as its elections occur every two years. The pace is already picking up.

Good News: Election Threats to Constitution Neither Foreign Nor (Hardly) Domestic

Given intense work on cyberoperations to protect US elections this round, particularly under the direction of new Cyber Command Chief General Paul Nakasone, the elections ran without the blatant interference of 2016. Both Julian Barnes and old intelligence hands David Sanger and Sheera Frenkel outlined what was expected and that countermeasures were in place to prevent any deja vu scenarios from abroad. The election grid, however, did suffer from underinvestment, old machinery, understaffing, obfuscating ballot designs, inconsistent voting methodology, and a large dose of human frailty. Some would add voter suppression. These cannot be blamed on Russia, China, Iran or North Korea and are correctable with political will and funding. Congress does hold America's purse strings. The courts will be dealing with some of the other attendant election issues. But the large voter turnout did not include Russians or historic Chicago underground residents.

To counter any sense of complacency, a NYT op-ed of 19 November by Ari Mahairas, an FBI NYC Cyber Division chief, and Peter J. Beshar, the general counsel of Marsh & McLennan Companies, whose business includes risk management, sounds the alarm regarding the safety of the US water supply. Citing the second hacker attack on North Carolina's water supply in the aftermath of Hurricane Florence causing "catastrophic loss" via data encryption locking out employees, these two experts cautioned against complacency: "Our water supply is increasingly digitized, and increasingly vulnerable." They advocate defense and note that while the cyber world has changed, the concept is not new. They cite the Assyrians in the sixth century B.C. poisoning enemy wells and 1939 Nazi plans to blow up Hoover Dam. And your author would also include the "Cassandra of the 60's" Tom Lehrer whose prescient piece, "Pollution" tells his listeners: "don't drink the water and don't breathe the air." As usual, this ever-present mathematician-philosopher subscribes to "plus ca change, plus c'est la meme chose." N'est-ce pas, Monsieur Macron?

Cyber Scene #29 - Geopolitics, Trade and Tech: No "Global-exit"

No News Is Not Good News

Like fake news, no news turned out to be bad news for the Tribune press conglomerate on 29 December as its printing system experienced a disruption in their universe due to a malware attack from outside the US. From California to Florida to New York and Chicago in between, both the Tribune family and some of its former "children" (e.g., the LA Times) across the US scurried to restart. The digital versions were unaffected. No, it was not an elusive option for erasing fake news, but rather another reminder of the frailty of our digital life and quite a different, heavy-handed approach than subtle Russian 2016-and-beyond election meddling in the US and EU including, for at least the next 8 weeks, the UK. The Russians have been careful in picking their poison.

Another Not-So-Mighty Goliath Pen Versus Little David Hacker

German politicians, celebrities, and yes, once again journalists were subjected (Economist, 12 Jan., "Cyber-crime: Germany finds G0d") to dealing with G0d--a most ungodlike 20-year-old hacker ("script kiddie") named December G0d who released the victims' phone numbers, addresses, credit card info, and sometimes private photos on Twitter. Sparing the "Alternative for Germany" far-right end of the country's political spectrum, the hacker said he was annoyed at Germany's centrist and left-leaning politicians. But unlike most of the rest of the world, who may share at least some distrust and dismay at many flavors of politicians but have not taken up digital arms, he snatched code from some other hackers and apparently acted alone.

Despite the new European General Data Protection Regulation (GDPR), discussed in several prior Cyber Scenes, the Economist article cites Matthias Schultze from a German think tank who observes that Germany has lagged behind some of its neighbors, seeking help from the US in this script kiddie case, and from the Brits in the 2015 probable Russian cyber-attack on the Bundestag's servers. Rounding up a lone wolf cub in his parents' house, cliche that it is, continues to hound global cyber users. The article closes with an admonishment, inter alia, to users to take personal action to use better passwords as "cleanliness is next to G0dliness."

For a deeper dive into this German attack, including discussion of why the "cub reporter" selected only those critical of the German far right and the political implications of this action, see Melissa Eddy's NYT piece (1/5/19), "Hackers Leak Details of German Lawmakers Except for Those on Far Right."

Beyond password composition suggestions, cautionary tales of consequences, past and future, abound. Cyber/intelligence reporter David Sanger reports in the NYT that the Marriott breach discussed in the past included up to 5.25 million unencrypted passport numbers. Unlike the credit cards that were breached in the heist, of which "all but 354,000 had expired by September 2018," passports are good for 10 years. The State Department said not to panic, given that the newer passports are hard to recreate, and although Sanger notes that Marriott offered to pay for a new passport if it could be connected to a verifiable fraudulent event, it did not offer to replace those stolen. Sanger concludes by noting that the absence of verifiable fraud points to governmental foreign spies, vice a "lone wolf cub" (your author's term) in the basement, as the former would seek info for their own and larger nefarious purposes vice short-term financial gain. As this article "goes to press," the US Government shutdown is showing signs of resolution in the coming weeks (back to that empathy re: politicians!) so the State Department might be able to replace your compromised passport and the TSA security contingent at your local airport may be working in full, paid force, along with air traffic controllers. And the Secret Service? (oops, not furloughed).

Cyber Alchemy: Data into Ads

The implementation of the GDPR is, however, taking hold. Ask Google, just fined on 20 January by the French a whopping $57 million (Euros 50 million) for not properly disclosing the collection of user data on search engines, Google Maps and YouTube. This is the fourth and largest GDPR fine so far, and certainly not the last. Google did receive a larger fine prior to GDPR: Euros 4.3 billion for mobile phone market abuse. The GDPR is now being cast as "Europe's Aggressive Watchdog."

Apple's CEO Tim Cook, however, asked for US rules that would mirror the GDPR. As Cyber Scene has discussed in the past, US legislators are struggling with how to proceed on this issue. Regulation surfaced repeatedly in the Google CEO's mid-December testimony before the House Judiciary Committee, discussed in the most recent Cyber Scene.

Voters Bought a New House

Now that the new, post-mid-term Members of Congress are taking their seats (save one, it seems), there may well be more regulatory bipartisan action on the issue of GDPR-like regulation. Readers may be interested to see the breakdown of the 116th Congress Standing, Select and Joint Committees in the House and Senate.

As observant readers have noticed, the Senate and House do not standardize their web pages, just as they distinguish party affiliation online in different manners. They do agree on this: Chairs (#1) are always from the majority party, and Ranking Members (#2) hail from the minority party. If you missed it, the chambers split in the Nov. 2018 midterms: the Senate remains Republican but the House flipped Democratic, so leadership changes have taken place on all House committees, whereas retirements, defeats or personal preference changes among Members of the Senate result in far fewer committee assignment changes this round.

Is Free Trade Really Free?

The following scientific research national breach is not exactly "trade" and not free for the victim: Robert Pear (NYT 1/7/19) looks at NIH-funded scientists and researchers who now need to better protect US universities' biomedical research which may be on a fast cyber boat to China. In a scientific panel out-brief on "foreign influences on research integrity," NIH Director Dr. Francis S. Collins and FBI Director Christopher Wray referred to nontraditional collectors of information whereby data thieves in "shadow laboratories" share data with the Chinese government.

Bloomberg Business also launched a huge 14 January edition focused on globalized trade from multiple cyber-related perspectives. From the individual to the global, let us begin with Fortnite. Bloomberg's Shawn Donnan looks both at its US-Sino child, Epic Games Inc. in North Carolina, and includes it among the dual citizen status of "new agents of globalization." The author tracks Fortnite's ascent last year from nascent "popular video game" status to "full-fledged worldwide cultural phenomenon," allowing everyone (including a certain 8-year-old whose Fortnite playing with American, Australian, and Chinese probable teenagers was witnessed over hours by your author) to engage with most corners of the earth. Donnan raises the issue of whether the likes of Fortnite should also be included in global trade. The unified economic growth is good for both the US and China. Cyber unites us, as our tech leaders remind us, and this "trade" is better than free: it is profitable.

But Bloomberg's Prasso and company play devil's advocate regarding China, citing its increasingly stronger near monopoly on digital activity in regions such as sub-Saharan Africa where China has a virtual lock on the sub-continent's telecommunications. This is part of China's strategic plan regarding particularly broadcasting and surveillance technology in line with its "Digital Silk Road" subset of its "Belt and Road" initiative. Marco Polo need not apply to implement this plan, which pumps $79 billion into worldwide projects, according to RWR Advisory Group, a D.C. think tank that tracks Chinese investments. The authors cast this as a "Digital Iron Curtain." The article also includes jaw-dropping charts indicating China's footprint regarding fiber cables, "smart city" initiatives and surveillance, telecom equipment, and internet-connected appliances. China's cyber corollary to its physical belt and road, as well as construction of parliamentary buildings abroad, and airports, etc., calls to mind the repurposed adage: "If they build it, they will come, and come again" or perhaps, digitally stay.

Thirdly, Joshua Brustein continues the Bloomberg analysis looking at "how fraught a trade war could be for Huawei, Apple and every other big tech company." He cites Tim Cook (see para 8 above if you forgot him) who in May 2018 told his Apple investors he wasn't worried about the US President's trade war with China, as they were intertwined (like Fortnite). However, on 2 January 2019, he admitted that the trade war had cut Apple's market by 10% and for the first time in 15 years, Apple's revenue projections. Brustein digs into the ZTE "death penalty" inflicted by POTUS, and the reverberating impact on Big Tech companies such as Apple.

Separately, the 24 January Economist cover casts the future of global commerce as "Slowbalisation", but the Fortnite fans are not abdicating, nor can the interwoven fabric of digital global life be undone.

Relatedly, NYT's tech reporter Jack Nicas projected on 5 January that Apple's Cook may be in for a hot kitchen (not Nicas' expression) in the coming "tougher times." This is due to several issues, but Nicas underscores the CEO's bet on China possibly backfiring (and POTUS knowing where iPhones are made) as well as the challenge for a tech company to innovate again and again. Nicas does close with the possibility of Apple pioneering marketable augmented reality devices--digital interface with what people see. This would be quite an innovation.

And let's not overlook FANG #1, as promised last Cyber Scene. Yes, Facebook is facing opting out among users on a broad level given increasing revelations in December 2018 of its exposure of 6.8 million users' photos. Wired's Brian Barrett provides a mid-December wrap-up for Facebook users of exactly what was compromised, and when it was discovered (25 September 2018). He notes that the GDPR (see how it crops up!), effective since May 2018, requires companies to notify authorities within 72 hours of a breach. In this case, it was months. This follows on the heels of the Wall Street Journal's 5 December "Facebook Emails Shed Light on Tactics" which followed the UK's Parliament's release of internal Facebook emails discussing ways to monetize the data they collect. There is no international exit from Facebook problems but many individuals have unfriended Facebook even if their passwords are still weak.

The international impact of Facebook is also captured by NYT's Max Fisher who examines Facebook's "Secret Rulebook for Global Political Speech." He traces how moderators implement 1,400 pages of rules and regs to enforce community standards. These of course may vary from country to country. Fisher in fact cites cyber experts from several corners of the world regarding this impact, but notes that the fear of misreading or misinterpreting, in a given country/political context, all these byzantine rules without a yes/no easy answer weighs heavily on the moderators who deal with billions of posts per day. Such is the heavy crown which lies on Facebook's head as its role becomes, per Balkans expert Jasmin Mujanovic, "...so hegemonic, so monopolistic, that it has become a force unto itself."

Is the Future Looking Up? Godel, Escher, Einstein

As we terrestrials struggle with digital globalization constrained by GDPR and its offshoots, trade wars or compromise, and technological challenges of continued innovation, celestial thoughts on quantum computing error-correcting code provide a glimmer of a black hole version of Lester Holt's NBC "Inspiring America" finish. Natalie Wolchover, writing for Quanta Magazine on 3 January, looks at what appears (to this novice) to be an exciting correlation between error correction in quantum computing and space-time and gravity. Ahmed Almheiri, who is at Princeton's Institute for Advanced Study, has calculated a bend in the space-time fabric and believes that "everything traces back to black holes." Over to you, gentle readers, to give it your professional consideration for the future of our digital life. Congress will be hard-pressed to regulate this anytime soon!

Cyber Scene #30 - Cyber Takes First

Kilobytes on the Starboard Bow?

The 29 January Worldwide Threat Assessment briefing by the Directors of National Intelligence (DNI), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Central Intelligence Agency (CIA) and the National Geospatial-Intelligence Agency (NGA) before our old friend, the Senate Select Committee on Intelligence (SSCI), underscores the significance of defining "threat." Chairman Richard Burr (R-NC) described the weaponization of cyber platforms regarding Russia's attempts at US destabilization. DNI Coats also addressed this in his opening statement, during which he noted the "valued relationship" with the SSCI, differing slightly in a more relaxed tone from his more formal statement for the record, and echoed concern about the 2020 elections. The unclassified version of the assessment in its written form (hyperlinked above) begins threat discussion with cyber, and even as the quartet of "most usual suspects" is once again China, Russia, Iran and North Korea, the weapon of choice is neither sword nor nuke. As was much reported in the press (e.g., see David Sanger's "New Kind of Intelligence Test" NYT 2/12 for the "story behind the story"), cyber threats are placed No. 1 on the (literal) hit parade.

Lawfare also offers a balanced, pre-digested version of the 2 1/2 hr testimony for "executive summary" readers. While the Harvard voice may have a Bostonian/judicial accent, the message is consistent with the delivery by the IC chiefs, the understanding of the SSCI members, and the New York Times team perspective.

Swords to Kilobytes (Plowshares Need Not Apply)

There remains a high cost regarding the cyber threat. Data as the "coin of the realm," to cite NSA's Gen. Nakasone's SSCI testimony captured by CSPAN (see above), has a tactile side well beyond the application of electrical grid take-downs, denial of service, financial disruption, and a litany of other attacks. Ranking Member Mark Warner (D-VA) implied that underestimating the cyber threat is perilous in expressing the Senate's condolences for the loss of two cyber-related victims from NSA and DIA respectively, killed in an attack in Syria on 16 January.

World War 5 (G): Going Out for Chinese or "China as the Unifier"

Assuming a devilish pose, David Brooks in his op-ed (NYT 2/14) looks at China from the bright side: "I've always thought Americans would come together when we realized that we faced a dangerous foreign foe. And lo and behold, now we have one: China." He outlined trade violations, repressive internal regime crackdowns, intellectual property theft ($225-$600M/yr per former DNI Adm. Dennis Blair and former Amb. Jon Huntsman for 2017) and seizing control of the world economy, inter alia. Most of the above is done courtesy of cyber, as China attempts to implement "Made in China 2025" and "dominate high-tech industries like aerospace, robotics and biotech." He cites hacking, "espionage, and thuggery" as some of the options in the Chinese tool box. He also cites Sen. Marco Rubio's (R-FL) compelling report on the inescapable need to take decisions on US industrial policy.

Toward a World-Wide Ring Road?

Cyber Scene has discussed before, through Richard Engel's eyes in Patagonia (December 2018 Cyber Scene), the resurrection of the cyberspace view of the "Road," but with China playing Marco Polo. The New York Times Magazine now looks intensely at the Kazakhstan piece of the "Son of Silk" Belt and Road implementation. The Belt and Road undertaking, however, differs philosophically from its ancient origins. The author explains: "The ancient Silk Road was equal parts trade route and social network. The routes themselves were in constant flux and administered by no one, and they succeeded through incremental growth and local knowledge in response to changing needs--the exact opposite of the Ozymandian ambitions and sweeping autocratic statecraft that characterize the Belt and Road." (Ozymandias is Greek for Ramesses II and for you poets, a sonnet by P.B. Shelley.) Note that the Belt and Road initiative is global. Think kilobytes, not camels. To cite an earlier Cyber Scene, the esteemed David Lampton, Professor Emeritus of China Studies at the Johns Hopkins Nitze School of Advanced International Studies (SAIS), stated that China says it has had a few bad centuries, but is making a comeback...a very understated aspiration.

US National Security Strategy: in Peace and in War

So how is the US doing in response to, if not ideally ahead of the game? Most discussion is behind classified doors such as the above-referenced SSCI closed hearing following the open one by the Intelligence Community chiefs. The National War College (NWC), however, has recently engaged outside academics to present an unclassified discussion of this subject entitled "Bytes, Bombs and Spies"--also the book title of two of the guest authors. It is uncharacteristically viewable by all Cyber Scene readers courtesy of CSPAN's very first coverage of a National War College presentation on 30 January at NWC. The school was founded out of the lack of communication and understanding not only across the WWII services, but between the military and diplomats, thanks to George C. Marshall, Dwight D. Eisenhower, and George "Mr. X" Kennan in 1946. (Alums include John McCain, James Mattis, Martin Dempsey, scores of ambassadors and four-star general officers as well as some IC directors.) The two authors who hail from Stanford's Hoover Institution were accompanied by two cyber academics from George Washington University, one having been a member of President Obama's Cyber Commission. Together they examined offensive cyber operations as an instrument of national power, just as military, economic, diplomatic and informational (to include intelligence) tools are used separately and together. The speakers delved into issues including the need for persistent, ubiquitous, and tailored coverage in a global age. Next step: over to the policy community.

Progress?

So as the New York Times speaks of the US "scramble to outrun China in the new arms race" in the struggle with Huawei's role in the 5G future, the US is not only working with Canada (see the prior Cyber Scene discussion) but also the UK, Poland, Germany, and yes, NATO (rhetoric does not equal reality). The stakes are high. David Sanger and colleagues go on to quote Agence France-Presse Fred Dufour saying "Both the United States and China believe that whichever country dominates 5G will gain an economic, intelligence and military edge for much of this century."

Ship USS Cyber has reasonably lost some wind in its sail for that starboard bow volley according to Wired, given the US Government shutdown which has kept some of the workforce in greater catch-up mode despite the compliments from the SSCI Senators in applauding the workforce of the Intelligence Community for working without pay for five weeks (see CSPAN coverage in first paragraph). The cyber threat has indeed been assessed by not only the IC chiefs, but by the tens of thousands of their workforce. A more recent New York Times article by Nicole Perlroth indicates that additional hacking of US networks has been traced to China and Iran. Catching up is a moving target.

Meanwhile, Time magazine has some suggestions on "how to restore dignity to technology and design tools to set right what has gone wrong online" on a personal level.

And Bill Gates (TIME February 18) writes in "What this Legendary Artist Can Teach Us About Innovation" that he works daily with people who are brilliant and passionate, like Leonardo da Vinci, and capable of "turning their knowledge into big breakthroughs that make our lives better."

On that optimistic note, over to you, readers!

Cyber Scene #31 - We're Number One!

The award-of-the-year, as chosen by the Department of Homeland Security (DHS) Secretary Kirstjen Nielsen, goes to cyberwarfare as the nation's leading threat, as reported in the New York Times. She went on to say that "on top of my list of threats...the word 'cyber' is circled, highlighted and underlined. The cyberdomain is a target, a weapon and a threat vector all at the same time." Secretary Nielsen "assailed" Putin "...for a concerted effort to undermine our elections and our democratic process using cyberenabled means." She did praise her department for defending the integrity of the 2018 midterm elections, but noted that an individual American was no match for Russia, China, North Korea and Iran who threaten US infrastructure, finances, secrets and even democracy itself.

It is no surprise that the budget follows the greatest threat. DNI Dan Coats' proposed budget, on the rise since 2016, is up to $86 billion. The budget details are classified. However, given the administration's emphasis on cyber, it is most probable that both the IC (NIP, or National Intelligence Program) of $62.8 billion and the MIP (you guessed it: the Military Intelligence Program) of $22.95 billion all "...reflect the increased costs of focusing less on counterterrorism and more on espionage and cyberthreats from other nations."

Of course, terrorists also use cyber (think New Zealand), so just as there is serious interface across NIP and MIP programs, so too are cyberwarfare and terrorism joined at the hip (as in the MIP and NIP).

Also Number One: Our Old Friend, Russia (konechno)

Russia, in a class by itself like Mozart (sort of), wins the "cyber-hacker-of-the-year" award. Reported in the Economist, a US company, CrowdStrike, published its annual cybersecurity report with a first-ever ranking of the West's cyber enemies. With such a wide selection of criteria, the company chose not sophistication but "breakout time." Russia finished 2018 head and shoulders above the also-rans--Iran, North Korea and China in order of their "time to target." The race does not address the scope or damage of the attacks, but rather how fast the hackers have been: "Russian spies ...were blisteringly fast at breaking out into their enemies' networks, taking an average of just 18 minutes to do so." As for the competition, North Korea took 2 hrs, China 4 hrs. and Iran 5 hrs. Criminal groups were last with 10 hrs. However, China won in quantity with 100 serious cyberattacks since 2006, as reported by the US Center for Strategic and International Studies think tank. Don't be surprised if Russia vies for another category next year, and China is certainly here for the long term.

Why is Huawei an Ever-Present Big Deal?

The Huawei debate continues across continents. The Chinese company has recently been seen as regenerating support from European nations who had earlier seemed to side with the US in keeping Huawei out of North America. The Economist editorialist Chaguan addresses this in "When giants battle," citing both China and the US as bullies, with China being the more dangerous. But the reason the stakes are so high is the following: "This is a fight bigger than Huawei. The West is really debating whether China can be trusted as a pillar of high-tech globalisation." (sic) It is this that has spawned global trade conflict. The stakes are enormous.

A particularly strategic inflection point in the Sino-US trade and cyber debate occurred when Canada placed Huawei's Meng Wanzhou under a manner of house arrest at the US's behest. Fur began to fly, and Canada is now dealing with a variation of tit for tat with three tricky detainments of quasi-diplomatic "hostages" waylaid in China.

An earlier Economist article, "Crossed wires" spells out the nature of the dissent among and between Western nations. It first looks at the "Five Eyes" community--the US, UK, Canada, Australia and New Zealand--and notes that there is concern among some about Chinese "back doors" as well as the 2017 Chinese legislation that requires firms to operate with Chinese intelligence services.

The UK disagrees with the US back door claim. It notes that GCHQ, speaking in Brussels, sees no back doors but does acknowledge a weak "spaghettified mess" of codes which is full of holes and weak security, ergo, breachable. Germany and Italy have apparently also stalled in banning Huawei. New Zealand has blocked an application but has not blacklisted Huawei outright. Poland is asking for "Western unity."

New York Times journalists Julian E. Barnes and Adam Satariano report that China is keeping its foot in Europe and India's door. All of this is related to the proliferation of 5G by Huawei ultimately "...allowing Beijing to spy on companies, individuals and governments"--an accusation Huawei has vehemently denied. Barnes and Satariano report that the UK, Germany, India and the UAE are unlikely to back off from Huawei installing their 5G network. Former HPSCI Chair Mike Rogers notes that "...we are running out of runway." Well, the Chinese are good with building airports too. With the stakes huge, the tech war continues with its corollary trade war.

Regulation Redux

The leitmotiv, regulation, makes a return performance as both Europeans and Americans--legislators and former directors--clamor for more oversight and restrictions for Big Tech.

Enter the new Federal Trade Commission Chairman Joseph J. Simons, a Republican lawyer in a deregulatory administration who is "...a rare voice for strengthening the government's hand," per NYT reporter Cecilia Kang. He is an antitrust expert, dealing with Facebook, Google, Uber and other tech leaders on the issue of privacy. NYT journalist Katie Robertson writes, as part of an entire special report on A.I., that the FTC announced the creation of a task force to "scrutinize tech giants...and is considering a multi-billion dollar fine for Facebook over privacy issues." And this against the backdrop of one of the biggest trade wars spinning off of the US-Chinese cyber issue.

As for Facebook, while Huawei has learned how to monetize by "being there," Facebook is stepping back from some missteps and dealing with old complaints regarding privacy issues and ads. It seeks to monetize privacy.

A former Chair of the Federal Communications Commission (2013-2017), Tom Wheeler, also weighs in on regulation in an interview in Wired with Klint Finley. The Chairman oversaw the drafting of net neutrality rules (ignoring John Oliver's quip about having a dingo babysit your children) and penned a work, From Gutenberg to Google: The History of Our Future, reflecting his own extensive experience as the CEO of a tech startup and of a wireless industry group and national cable company looking to the future of the internet. So he echoes the calls for internet regulation.

In the UK, the British Chancellor of the Exchequer, equivalent to the US Treasury Secretary, ordered a 150-page report released mid-March 2019 that calls for stricter regulations in Big Tech. The country believes that Big Tech has harmed innovation and reduced consumer choice, per New York Times reporter Adam Satariano.

On the US home front, two US Democratic presidential candidates are on the same wavelength as the Brits: Senators Elizabeth Warren and Amy Klobuchar, per the Economist, are both calling for antitrust legislation to break up the largest tech companies. Their statements occurred on the one-year anniversary of the New York Times and Observer exposes regarding Facebook's Cambridge Analytica leak. Senator Ted Cruz (R-TX) says this is the first time he has ever agreed with Senator Warren "about anything."

This scenario harkens back to a century-old liberal Republican trust buster from New York who made two successful bids for president. Regulation may just draw other political enemies together.

Meanwhile, Barron's Reshma Kapadia writes in "Cold War in Tech" that, as the US-Chinese engagement heats up, investments can take a big hit. The article looks at the impact on US companies that this tech war and its trade war partner are making, and how the US stock market is reacting to the US-Chinese volleys. The author does not expect this to end anytime soon, citing that US officials have been concerned for years about Chinese infiltration of US networks regarding both espionage and intellectual property theft. For inventors and investors among this readership, the article goes on to look particularly at chip manufacturing, micron technology semiconductors, China's "BATs" (like US FAANGS)--Baidu, Alibaba, and Tencent--as well as Huawei's competition.

For Congressional curiosity seekers, the SSCI has had no open hearings in March but four closed ones. The HPSCI will hold only one open hearing, on March 28, but it may be a blockbuster: "Putin's Playbook: The Kremlin's Use of Oligarchs, Money and Intelligence in 2016 and Beyond." Tune in at 9:00.

And Wired says "Happy Birthday, World Wide Web!" 30 years young.

Cyber Scene #32 - Globalized Tech: Tightropes Everywhere

Various Big Tech giants are grappling with technical and quite thorny privacy issues, ethical decisions regarding expansion in international markets, and how future tech developers can solve these issues.

The ubiquitous two-edged tech sword challenge of Google applications, for better and for worse, continues to crop up. This time, the New York Times' Jennifer Valentino-DeVries addresses the downside of law enforcement using Google-provided information "... on all devices it recorded" near a murder scene in Phoenix. This led to the arrest of an innocent man whose car had been used in the murder. But Google's massive "Sensorvault" database, used to create a dragnet of cellphone users for law enforcement, raised privacy concerns among all the nearby individuals whose movements were also tracked. The new use of warrants expands this investigative option, but one warrant can potentially pull in locational information on up to hundreds of devices.

Similarly, Wired's Andy Greenberg notes that Cisco's Talos security division reported 74 Facebook groups devoted to the sale of stolen credit card data, identity information, and miscellaneous other cybercrime tools. The marketing was open, and Cisco's director of outreach added that the user group was "basically the size of Tampa." Although he noted that it was rather simple to find these cybercriminals, he added, "If you see 10 cockroaches and you kill them, is that the end of your problem?" Facebook noted that the groups clearly violated Facebook policies, but how far out of the lamp is this genie? This conundrum echoes across the Big Tech world.

The Economist in "Careful what you wish for" (back to that genie) explored comments by Facebook CEO Mark Zuckerberg, who stated that he wants to protect against harmful content and election tampering and to protect privacy. But the article believes this might look like an attempt to ward off new rules of engagement. The article goes on to criticize allowing advertisers to use racial discrimination to target buyers, but a subsequent study noted that this particular algorithm might have inadvertently done so. Ads are bread and butter to Facebook, which makes fixing this an economic issue as well.

Google also faces an ethical challenge. The same Economist issue, but this time through editorialist "Schumpeter," likens Google's challenge to undergoing Chinese burn treatment torture as it is caught between a US human rights Scylla and a Chinese national security ("I spy with my AI") Charybdis. Google has had quite an odyssey, but Schumpeter notes that this predicament is unprecedented. He/she adds that "the growing importance of technology makes the minefield trickier to negotiate." Indeed, particularly as there is nothing stagnant about US-Chinese relations, and these dilemmas play across all tech giants dealing with the national interests of their "home ports" while negotiating with countries around the world and across all three of these "worlds."

To this last point, the Wall Street Journal's Drew FitzGerald reports that Facebook is working to develop an underwater fiber optic cable that will encircle Africa (all of it!). Huawei is working on subsea cable links to Africa via the Indian Ocean. China already has a lock on the continent's 54-country terrestrial telecommunications.

The Outside Legal View

Lawfare Blog provides a synopsis of a fascinating discussion of very recent cyberlaw developments for those looking for an engaging discussion covering a swath of cyber issues. For aural learners and those seeking "the rest of the story," listen to the podcast itself.

Hosted by Stewart Baker of foreign policy cornucopia Steptoe and Johnson, LLC, who is also NSA's former General Counsel and DHS's first Assistant Secretary for Policy, an intelligent group of worthies discuss current developments regarding (your author's synopsis):

  1. Why President Macron is more understanding of China's policy and ambitions and ready to thwart them in accordance with longstanding French diplomatic concerns;
  2. Why reporting regarding China being on the cusp of using OPM-breach data might be in fact an "oops" disclosure as reported in the press, but why the breach itself is likely the work of a nation state and not criminals with China as the prime suspect;
  3. Assange and the legal case for applying the Computer Fraud and Abuse Act against him;
  4. The application of US Treasury's Committee on Foreign Investment in the US (CFIUS) restrictions against a Russian who was trying to buy into a US tech firm that has expertise in phishing, inter alia. Read more about CFIUS (pronounced cif ee oos), whose impact may be ascendant. Moreover, China may also be impacted: the Pentagon is considering the blacklisting of Chinese companies re: foreign ownership in the US. Doing business in China is very difficult now; security issues endure but market decisions may not make the same economic sense with new trade tariffs. The discussants are predicting real change in supply chain, with Mexico, Vietnam and India to benefit in rearrangements to come, reducing China's role.

Happy Belated Birthday, NATO! Is "Centenarian" in Your Future?

The Economist's "Special Report: NATO at 70" necessarily outlines the birth of the Alliance with 12 member states, the departure (de Gaulle's break in late '60's re: nuclear issues) and reentry of France in 2009, and expansion to 29 with the coming addition of "North" Macedonia, yet another success in burying the Greece-Turkey hatchet at least on one issue to make for an even 30 countries. Of course, not all countries are created equal. One is huge but less reliable than at NATO's birth despite Sec State Pompeo's laudatory comments about the Alliance. Some are tiny (e.g., the Baltics). One has no Defense Department or standing military (Iceland), several have very small budgets and another also lacks military prowess (Luxembourg). All the post-mortem Warsaw Pact countries have joined except one (ask Vlad about that, although he has throngs of reps at NATO HQ and SHAPE (Supreme HQ Allied Powers Europe military facility) -- go figure). They all, except the last non-member mentioned, contribute, often in their own individual ways, beyond the dollar figures that have been highlighted again and again, particularly over the last two years.

The Article 5 involvement of NATO to support the US in Afghanistan, triggering engagement of nearly 50 countries in ISAF (International Security Afghanistan Forces) from 2001 to December 2014 when command was turned over to Afghanistan, seems like a distant memory. Fast-forwarding to the cyber portion of the report, the article parodies the strategist Clausewitz's "On War" reference to war being the continuation of politics by other means in its title "Preparing for conflict by cyber means." The now French four-star led ACT (Allied Command Transformation) in Norfolk, VA, is in discussion of Article 5 (the one-for-all-and-all-for-one defense pact invoked for the first and only time following 9/11). This time it is projecting the possibility of a cyber-based Article 5. This NATO option was approved in 2016, and ACT is the logical implementation site and expected to have a cyber-doctrine approved by 29 or 30 nations by 2020. (N.B. For any NATO naysayers among the readership, think about your country's interagency process or lack thereof and multiply by 29 or 30. Any Brexiters or Remainers reading this?) A cyber operations centre co-located with SHAPE, the military operations HQ in Casteau, Belgium, US-led since its first Supreme Allied Commander Europe -- someone known as Ike -- is now a year old. The two sections of the Special Report examine 1) the weaponization of social media, using as an example the NATO Strategic Communications Centre of Excellence report on a NATO exercise in Latvia involving 10,000 people from NATO nations, 10% of whom were identified in open source and thus vulnerable. The other two small Baltic countries each have their own cyber centres -- Estonia for cyber defense and Lithuania for energy security. These three Baltic countries were formerly part of the Soviet Union and are anxious to be secure and retain their "former" title. NATO currently has 25 "centres of excellence" spread across the 29 nations and NATO commands.

As noted above, some of the nations are militarily or economically under-resourced; the centres allow for "... one way in which small countries can make an outsized contribution to the alliance." So NATO has survived 70 years whereas the 63 alliances over this period that the Brookings Institution studied averaged a lifetime of 15 years.

The Economist notes that the Alliance has:

and (not listed by the Economist) fought side-by-side with the US for 13 years in ISAF, helped secure peaceful passage of the Indian Ocean (counter-piracy), and many other issues. It is also noteworthy that the UK Brexit has not/not discussed leaving NATO. In fact, the Economist cites a former UK ambassador to NATO: "We are incredibly complacent about the continuous delivery of peace and stability in our lives, and a hell of a lot of that depends on NATO; We tend to take it for granted."

Cyber Scene #33 - Huawei, Encore et Toujours

As the 5G digital Chinese belt expands, some countries (including the US and its executive branch leadership) rather see a tightening noose. In the ongoing US-China trade war volley, the latest shot across the bow, "a straight shot at Huawei's Business" per the New York Times' Raymond Zhong, is the filing of criminal charges of technology theft. Beyond 5G restrictions, this move responding to economic and technological espionage threats now restricts Huawei's access to US technology overseen by the Department of Commerce. Tech transfer has always been part of Commerce's remit, but the growth of Huawei and its worldwide "Bigfoot" print tinged with reported criminal subversion has upped the ante. Commerce has now placed Huawei on its "entity list" of firms that need a "mother may I" request from Commerce to buy American components and technology. This is a huge issue, given the outsized role of US technology in Huawei's business plan. One former Commerce official likens it to "the trade equivalent of a nuclear bomb." Mr. Zhong underscores how this action speaks to how China's "...growing technological prowess ... built on American know-how."

Barron's Jon Swartz (May 15 "Trump Executive Order Could Lead to Huawei Ban in US") also weighed in, noting that the executive order from the White House that bars US firms from using telecom equipment from manufacturers risky to national security adds more teeth to the restrictions imposed on the Huawei side. Needless to say, this dicey plot thickens.

Globalization linked to supply chain issues--in this case of tightly interwoven technology and trade--reminds us that no man/country/land mass is an island, not even one as big as Eurasia.

Across the Bow but not the Pond

European leaders are splintered in handling these Chinese-origin threats in response to the vibrant execution of "Made in China 2025" strategy. As various countries try to adopt political and economic measures to deal with this, the UK has reconfirmed its strategy to "trust but verify" in dealing with the issue. The 27 April Economist across its Technology and security editorial "The right call on Huawei", "Chinese companies abroad: Dragons, disrupted" and "Briefing Huawei: Communication breakdown" devotes a full eight pages to analysis of the decision to allow Huawei to build next-generation infrastructure in the UK under scrutiny. Also explored are the relationship of this policy to the American view and what other European countries should be doing. Unlike the UK's now former Defence Secretary who was fired after a reported 24 April leak (The Economist, 4 May "A cabinet sacking: Leak, plugged") of the decision to the UK press, the Economist editorial hails Prime Minister Theresa May's decision as "The right call on Huawei" for the UK provided that it and other countries adhere to three principles:

  1. Continuous monitoring for backdoors and bugs
  2. Limiting the scope of Huawei's activities including the exclusion of access to the UK's network "core," and
  3. Allowing for a U-turn in policy as an always possible future option.

"Dragons, disrupted" (Economist 27 April) discusses what is known as "the Huawei effect" regarding three Chinese companies known as BATS (Baidu, Alibaba and Tencent), which hold stakes in 150 companies abroad. These tech behemoths are not flying blind, but using clout to expand, in keeping with "Made in China 2025." The article calls to our minds the two-year-old Chinese security law that requires its companies to execute intelligence gathering when asked. Perhaps BATS investments in Snap and Spotify are far less nefarious than Huawei's supply chain, but the scope of investment is chilling. Six years ago many Americans did not foresee where the digital world would be. China had, and has, a vision.

"Communications breakdown" (same Economist) explores across four dense pages the view from abroad on how Huawei's "back doors" led to the US decision. It cites cybersecurity firm CrowdStrike as ranking China ahead of Russia as master of cyberattacks against the West. It also notes that Secretary of State Mike Pence said that the US is willing to withhold intelligence sharing from anyone using Huawei's gear for critical networks, including Five Eyes (UK, Canada, Australia and New Zealand) partners. Center for Strategic and International Studies' James Lewis points out that sloppy back door coding can impact both China and its customers. But bugs, as viewed by a Cambridge scientist, can be more useful to hackers. GCHQ's National Cyber Security Centre Chief Ciaran Martin said they dealt with 1,200 "significant cybersecurity incidents" since the Centre's creation in 2016. Russia is credited with being particularly gifted in this art.

To enlighten the readership on why the US finds the UK policy wanting regarding restraints on Huawei, see Sean Gallagher's Ars Technica article of 28 March, "UK cyber security officials report Huawei's security practices are a mess". The verdict was issued by an oversight board, the Huawei Cyber Security Evaluation Centre (HCSEC), including the above-mentioned National Cyber Security Centre participants as well as (I am not making this up, to quote Dave Barry) a senior executive from Huawei. The board warned that "Huawei had failed to make long-promised changes to its software development and engineering practices needed to improve security." It also was charged with not managing component usage or lifecycle sustainment of products--not exactly a passing grade in American English.

French and Kiwi Calls for Tech Regulation

So how does the world attack this seemingly intractable issue? France joined ranks with Facebook, terming this "unprecedented collaboration with a private operator," to explore a framework for social network regulation as reported in Lawfareblog. The interim report is in; the final is due 30 June. It focuses on content moderation on social media platforms and, instead of blasting the platforms, looks at how to regulate and prevent either lone wolf individuals or organized groups from abusing social media. (For the record, Australia has "criminalized hosting abhorrent violent material," according to Lawfareblog and Australian Harvard Law student Evelyn Douek, responsible for this non-US/UK perspective.) The interim French report protects both individual and platform entrepreneurial freedom while creating an independent body to implement the new prescriptive regulation regarding social network accountability related to: algorithmic transparency obligations, Terms of Service transparency obligations, and the obligation to defend user integrity. (Note from your non-Australian-speaking author: it is likely "obligation" should be translated as "requirement" from the French to read: "required to..."). Among other issues, the French government's report calls for European cooperation. Its emphasis is on incentivizing cooperation, rather than a "punitive approach" illustrated by the UK having reportedly called Facebook a "digital gangster."

The Christchurch Call led by New Zealand PM Jacinda Ardern in cooperation with French President Emmanuel Macron, while a quick and less nuanced response to the horrific attack, calls on countries to consider regulations or policy to prevent online dissemination of terrorist and violent extremist content while conserving the importance of "free, open and secure internet and respect for freedom of expression." (The US did not sign the Call due to First Amendment concerns.) While not a panacea by any measure, the Call is a beginning and is on the agenda for the upcoming G-7 and G-20 meetings. Microsoft, Twitter, Facebook, Google and Amazon are all signatories. You will recall Facebook's unsuccessful and frustrated attempts to immediately remove the horrific Christchurch footage. Among other possible implementation tools, the industry-driven and Call-supported Global Internet Forum to Counter Terrorism (GIFCT) will be used to explore a way forward.

Ms. Douek sums up by contrasting the approaches of these two initiatives: while both move toward regulation of online space, the first is bottom up while the second is leadership down. In either direction, there remains a great gap to conquer.

An Exception or the New Rule?

Even as the Call and the French report bring together the public and private sectors, other voices are not as sanguine about the progress made in collaboration on cybersecurity. David Kris, former Assistant Attorney General for National Security at the US National Security Council, writes on Lawfareblog that a robust private-public partnership must evolve even as the thrust of the US Intelligence Community (IC) focuses less on counterterrorism--"a mainly kinetic threat"--and more on cyber. In addition to citing emerging technologies as did the Call, he underscores cyber sabotage, theft of secrets and socio-political disruption with particular emphasis on election interference. He notes that much of the cyber battle space is owned by the private sector, which has much better access in certain circumstances than the IC. The "tremendous innovation" of the private sector was noted by former NSA and CIA Director Mike Hayden in 2005, whom Mr. Kris quotes as saying that "... there was no other element out there in American society that is dealing with volumes of data in this dimension."

Mr. Kris opines that this partnership is fundamental to the IC increasing its analytic superiority. But the first move, he says, must come from the US Government at the highest level. The task, since Snowden, is daunting, and the author says that private-public relations are at a low ebb. He wraps up by noting that only a partnership will work; "A unilateralist approach is doomed to fail."

Congressional Voices

As Mr. Kris calls for US leadership, Congress gears up on two fronts where kinetic and digital threats are intertwined. The House Homeland Security Committee met on 16 May to discuss the rise in domestic terrorism and its link to cybersecurity and the House Homeland Security Subcommittee on Cybersecurity, Infrastructure, and Science and Technology to address funding for the recent National Cyber Security Strategy published in September 2018. The House Homeland Security Subcommittee rolled up its sleeves in a 30 April hearing to work on FY2020 (i.e., beginning 1 October 2019) funding against the backdrop of the increase in election security issues. There was strong bipartisan support at both this subcommittee and the parent Homeland Security committee level. Several Members spoke of the need to coordinate a federal approach since, per subcommittee Chairman Cedric Richmond (D-LA) and Member John Katko (R-NY), there had been no coordination. More importantly, the offered White House budget for cybersecurity and S & T, as noted by both the Members and those testifying, was a cut from the prior year whereas the general consensus called for an increase. The cut was opposed by subcommittee Members and the Chairman of the House Homeland Security Committee, Bennie Thompson (D-MS). The latter said that even level funding for these cybersecurity and related issues is very dangerous. Testifiers included DHS Undersecretary for Cybersecurity and Infrastructure Christopher Krebs and S & T Director William Bryan, who called for a "whole of government" styled collaboration. Director Krebs also testified on 13 February 2019 on this subject before this committee in a hearing entitled "Defending Our Democracy: Building Partnerships to Protect America's Elections".

Homing In

In another instance of bipartisan mirroring, Republican Florida Governor Ron DeSantis announced on 14 May (NYT 15 May "Russians Hacked Voter Systems in 2 Florida Counties. But Which Ones?") that Russians had hacked into voter systems in two Florida counties during the 2016 elections. When grilled on which two, he steadfastly said he was not allowed to reveal that information per the rules of his nondisclosure agreement. Former Senator Bill Nelson (D-FL) had said the same thing, gleaned from his service on the Senate Select Committee on Intelligence, during his unsuccessful run for reelection in the mid-terms, but when challenged by his opponent to substantiate the information, declined to reveal anything as Governor DeSantis had done. Even as the British Defense Secretary is sacked for a reported leak, it is encouraging that some US leaders from both sides of the aisle know when silence is golden, even at a cost. Now to fund cyber!

Cyber Scene #34 - Grid Lock, Here and There

Before discussing somewhat somber cyber-related issues developing or breaking over the prior month, let's look at the June "celebration of cyber" edition of "Wired," in a sense a counterpoint to Roger McNamee's dour "Time Magazine" technology review, all of which is linked directly or indirectly to cybersecurity. "Wired's" Paul Ford launches "Why I (still) Love Tech: In defense of a difficult industry" to remind us why he is "proudshamed" (sic) of the growth of technology. His journey begins with the annual Davos global conference themes of 1996 "Sustaining Globalization" and 1997 "Building the Network Society" and their logical linkage. On a personal level, he envisions someone in his youth, unimaginably at that time predicting that he could carry "a few thousand Cray supercomputers in my pocket." He goes on to ask how one can change an industry that "just won't stop" and morphs in incredible ways, like U2's worldwide success leading to "Bono hanging out with Paul Wolfowitz." Surrealist, indeed. He reviews a day in his contemporary life and closes with "Proudshamed, yes, but I still love it ... down to the pixels and processors, and up to the buses and bridges ... but the miracle is over, and there is an unbelievable amount of work left for us to do."

And as to that work ...

Grid Lock, Here and There

In a dystopian world, things fall apart. Digital cyberattacks on infrastructure, e.g., the systems directing the buses and toll booths for the NYC bridges Paul Ford discussed above, cripple an individual's daily life. Baltimore, MD, and Riviera Beach, FL, know this life. Beyond the press discussions of who has the digital "smoking gun" and who created it, Baltimore has been subjected to extortion costing $18M to repair the computer shutdowns impacting health alerts, real estate sales, water bills and other services, according to a series of articles by NYT's Scott Shane and Nicole Perlroth (NYT 25 May, 31 May). While portions of this group of attacks, so far on Baltimore, Allentown PA and San Antonio TX, may have been related to a lack of Microsoft patches (updates, updates!!), the attacks occurred. Riviera Beach, as reported by Patricia Mazzei (NYT 20 June), simply sent a Bitcoin "check" equivalent to $592,000 to cancel the ransomware attack which closed down the entire city computer system, starting with the policeman who opened an infected email.

Sanger and Perlroth go on to report separately (NYT 15 June) that National Security Advisor John Bolton on 11 June warned "...Russia, or anybody else that's engaged in cyberoperations against us, 'You will pay a price.'" The article goes on to discuss digital land mines reportedly laid in Russia's power grid to return the favor. CYBERCOM Commander General Paul Nakasone is quoted as advocating the need to "defend forward." The return volley arrived on 17 June, when the Kremlin spokesman warned of an escalation of tension that may lead to a cyberwar, despite his confidence in Russia's capability to defend itself, per NYT's Ivan Nechepurenko (NYT 17 June).

"...the Terrible SWIFT Sword?"

In a discussion of an intermingling of trade and cyberwar, the "Economist" (6 June) addresses the vulnerability of interdependent tech supply chains. It opens in "Pinch Point" with a description of the mayhem in the literal wake of the earthquake that knocked out Japan. It points out that cataclysmic events--floods, fires, tsunamis, earthquakes (and more of them)--provide rude tests of the supply chain in a digital world. It transposes these events to a "geopolitical shock" linked to Cyber Scene's earlier discussions of Huawei and its 5G blacklisting by the US. Citing two US academics, Henry Farrell of George Washington University and Abraham Newman of Georgetown University, the "Economist" refers to the temptation of weaponizing interdependence. One option the US is reportedly considering is blacklisting countries who deal with Huawei from the SWIFT international banking/clearing network hosted in the US.

The "Economist" article also includes an informative chart entitled "Interdependence days" laying out a smartphone example of digital supply chain interdependence in a globalized world.

An aside from your author: "weaponizing trade" is becoming a ubiquitous term, but the use of economics as a tool of statecraft is not a new arrival to the strategic toolkit. The National War College (motto: "Strategy in war and peace") teaches the "DIME" approach (chapter IV page 13): diplomacy, information (to include intelligence), military might, and economic power. Note that several prominent military leaders --Generals Jim Mattis, Colin Powell, Dwight D. Eisenhower, and George C. Marshall himself, inter alia-- have underscored starting with the "diplomatic dime" instead of the "military dollar" to avoid General Powell's Pottery Barn rebranding: "you break it, you own it." General Marshall also invested in a version of "E." Japan and Germany remember; Afghanistan and Iraq not so much.

Back to the Future

Elections, Also Here and There

The European Union Commission's foreign policy and security arm determined that Russia and other, non-state, actors undermined the EU elections through disinformation to "suppress turnout and influence voter preferences," in the EU May 2019 elections, as reported by the NYT's Adam Satariano (14 June). Satariano continues, noting that many investigators, academics and advocacy groups had warned of this. They feared the Kremlin's spread of divisive content online "to inflame and stoke electorates all over the world."

Just days earlier (NYT 6 June), Nicole Perlroth and Matthew Rosenberg analyzed how the legal roadblocks are impeding US 2020 presidential candidates from accessing a wide range of cybersecurity assistance, some of it offered free of charge or discounted to all candidates, as this cybersecurity support is considered an "in-kind donation." The issue was addressed in early June when lawyers at the Federal Election Commission advised the Commission to deny a request from a Silicon Valley tech firm asking to provide services to all candidates at a discount. A US Senate bill to allow political parties to provide greater cybersecurity assistance to candidates stalled in the Senate when the majority leader declined to bring it to the floor for a vote. On the other hand, FBI Director Christopher Wray is cited as warning in April 2019 that Russian election interference continued to pose a significant counterintelligence threat and that 2016 and 2018 efforts were "a dress rehearsal for the big show in 2020." The article cites JPMorgan Chase's Jamie Dimon as saying that the bank spends nearly $600M a year on security; Bank of America's CEO says his bank has a "blank check" for cybersecurity. Several additional cybersecurity experts reinforce this looming crisis and point out that the 2020 campaigns have neither the expertise nor the finances to deal with this nation state threat.

On the academic front, Matthew Lepinski, MIT PhD and cybersecurity expert teaching at the New College (Florida's honors college), gave a public presentation on 11 June, sadly not on video, entitled "A Cybersecurity Perspective on Elections." (Recall last month's Cyber Scene reference to two Florida county 2018 elections being hacked.) Dr. Lepinski had been engaged in the 2000 Cal Tech-MIT Voting Technology Project studying malicious cyber adversaries, so concerns about election tampering are nearly a decade old and no longer involve Chicagoans voting from the grave. He mapped out three areas of direct election interference: registration, polling operations, and counting/aggregation. He discussed and rated the danger-level of each of these from the perspective of availability/denial of service, integrity/falsifying data, and confidentiality/theft of data. He then arrived at the "quo vadis" portion, noting that election legitimacy matters because it validates democracy through institutionalizing the peaceful transfer of power. Discussing the broad picture, he also made specific suggestions to standardize the cyber side of the election process and also to ensure a backup process to legitimize the voting such as a paper ballot in addition to voting machines for the purpose of auditing and transparency, and empowering the states to regulate and standardize this across their electorate.

In Tech We Trust?

"Barron's" (10 June) Eric Savitz leads off with options for thinking differently about regulating the tech world. Savitz references the early June announcement that the FTC and Department of Justice (DOJ) would be launching investigations of sorts regarding Facebook and Amazon (FTC) and Apple and Alphabet's Google. To date there is no open source information about these DOJ and FTC activities. However, NYT's Cecilia Kang, David Streitfeld and Annie Karni wrote on 3 June about the "tough scrutiny from all sides" the tech giants would face on the subject of competition and new antitrust considerations. Two days later, Cecilia Kang and Kenneth P. Vogel (NYT) wrote of the "army of lobbyists" these four tech leaders are deploying, at the combined cost of $55M for 2019, and the interface they have with particular political figures. The registered lobbyists--238 of them as of the first calendar year quarter--come largely (75%) from earlier government employment.

Antitrust and Verify

The Chairman of the House Judiciary Subcommittee on Antitrust, Commercial and Administrative Law announced, as reported by the NYT on 3 June, that the subcommittee planned to hold a set of hearings over the next 18 months to focus on digital platforms. True to his word, the subcommittee held the first of these on 11 June on "the impact of digital media on the news industry." Incredibly, this is the first hearing on media antitrust issues since the Ma Bell breakup. Chairman Cicilline (D-RI) opened with a reference to the importance of the free press as the backbone of our democracy. David Pitofsky, the General Counsel for News Corp, which includes publications such as the Wall Street Journal, said that the media industry is in economic freefall with massive workforce reductions. He included the example of the Cleveland Plain Dealer, the city's only remaining daily, which just announced an 80% layoff. This decline for both on-line and traditional media, according to the testimony, is due to the "erosion of advertising revenue." There was much discussion around how to "reset" and how to regulate the monetization of data. The definition of antitrust had been traditionally very narrow, but in the digital age several Members and guests agreed on the need for a careful and different approach. The hearing is available for your viewing.

Elsewhere on the Hill, the House Permanent Select Committee on Intelligence (HPSCI) also engaged media experts in exploring the problem of deepfake videos. Chairman Adam Schiff (D-CA) discussed the issue of what appropriate response should be taken for the election, while Ranking Member Devin Nunes (R-CA) confirmed that media manipulation was a real problem, and sought information regarding details of deepfake issues themselves. Those testifying included a former DARPA project manager, David Doermann, who considered the taking down of such videos a "cat and mouse game which is a new major concern." Danielle Citron, a law professor at the University of Maryland, argued that immunity law protected the guilty and needs to be updated. She also pointed out that when the media withhold an item that they believe might be fake, and err, they themselves can "get burned." This hearing was particularly edifying. The Members were genuinely concerned, and those testifying came with brilliant credentials in both the public and private sectors.

The Senate Select Committee on Intelligence (SSCI) held five hearings in June on "intelligence matters" but all were closed. Their last open hearing was on 1 May. "Holding one's tongue in public" matters too.

Though only indirectly related to cybersecurity, if you need a Senate fix, watch the Senate Foreign Relations Subcommittee on Europe and Regional Security Cooperation look at Russia's activities in Ukraine. This aired, presciently, just before the Netherlands released the names of the Russians under indictment for the shootdown in Ukraine of Malaysia Airlines Flight 17. The Senate subcommittee hearing, chaired by Ron Johnson (R-WI) was very balanced: current State Dept Special Rep for Ukraine negotiations, a former US Ambassador to Ukraine, and experts from the Heritage Foundation and Brookings Institution provided rational and highly experienced discussions with these Senatorial inquiring minds. Cyber did play a role in detection and indictment, but not to (at least public) knowledge in the attack itself.

Cyber Scene #35 - $5 Billion here, $5 Billion there...Facebook is Fine (d)


On 24 July, the Federal Trade Commission (FTC) delivered its 50-page plan to take Facebook to task for transgressions regarding improper use of personal identifying information (PII) of its users. This record fine had been anticipated at least since a July 12 article by Cecilia Kang as the FTC was awaiting a green light from the Department of Justice (DOJ). The DOJ usually approves FTC settlements. The core of this settlement on privacy was related to whether Facebook violated its agreement in 2011 with the FTC to refrain from deceiving users over how their PII was used and shared. The settlement is exponentially greater than the next largest one: $22M with Google in 2012, but a criticism Mark Zuckerberg seems to be taking to heart without significant danger to his company, as reported by NYT reporters Mike Isaac and Natasha Singer. A second settlement with the Securities and Exchange Commission (SEC) of $100M was also announced on 24 July - this from the perspective of misleading investors. This leaves a third potential settlement, with the FTC, still outstanding related to anti-trust actions creating an unlevel playing field. The FTC vote of 3-2 on the $5B settlement was not unanimous because the two "nay" votes believed that the reprimand was not strong enough.

Regarding mitigation plans, Wired on 24 July reports in "The FTC wants more privacy, less Zuckerberg at Facebook", that the CEO must certify annually and personally that the company is in compliance with the changes to Facebook's structure and privacy protection.

Facing the Nation

As for the view from across the Pond, The Economist in "Volte-Face" notes on 18 July that the series of testimonies from this social network to "...behave better from now on" has a familiar ring. However, in the margins of testimony regarding the launch of cryptocurrency Libra, US Members of Congress and David Marcus from Facebook, who heads up Libra, all appeared to be better prepared, per the Economist, with Mr. Marcus now "asking for permission rather than forgiveness." It also notes that this points to a change in which "Facebook works with governments rather than around them," which appeals to its investors. The article includes a handy chart of US and EU tech companies' operating profits entitled "Fine and Dandy." Facebook is highly unlikely to risk debt prison.

This, however, leads to more regulation in the US and Europe, which spills over into other cyber- and facial-recognition issues. The Economist of 13 July addresses Congressional and Supreme Court views on facial recognition aspects of privacy. Two US towns banned the use of facial recognition by their local police, whereas one Congressman on the House Homeland Security Committee believes that someone in the public domain should have no expectation of privacy.

The Supreme Court disagreed, with Chief Justice Roberts holding that the Court's view of the Fourth Amendment indicates that "individuals have a reasonable expectation of privacy in the whole of their physical movements." Ergo, no non-consensual GPS tracking.

Can You See Yourself?

Wired's Brian Barrett penned an article on 17 July entitled "Think Faceapp is Scary? Wait Till You Hear About Facebook" in which he looks at the Faceapp ability to let you see what you will look like when you are old and grey. He reminds the reader that the product is of Russian descent and retains the right to use photos forever. But "...at least Faceapp didn't access your GPS or SIM card." And it stated that it doesn't upload all your photos to the cloud. Barrett casts this as good news in comparison to transgressions of Facebook, Life360, TikTok (a Chinese app) and other apps that are worse. However, he undercuts his own argument a bit by ending with a note that Faceapp does send data to DoubleClick (the Google ad company) and Facebook. He adds as a final caution for users to focus on broader awareness, recognize the value of one's personal data, and think twice about who, with your consent, gets your data.

For graphic learners, the NYT's Cade Metz on 13 July analyzes the "quiet hoarding" of millions of faces drawn from the web with a stunning photo of the Microsoft MS Celeb database with over 10 million photos of 100,000 (mostly famous) people. Facebook and Google are credited with not distributing their massive photo databases, and Microsoft and Stanford University's Brainwash have removed theirs as Duke and other innovators also struggle to conduct research while respecting privacy. We are back to the beginning regarding police being denied facial recognition access by two US towns: the FBI is mentioned by the author as having used this data for years.

Congress United, Microscopes in Hand

This ever-growing challenge of balance continues to drive regulators. It particularly draws politicians of opposite polarities together with respect to the Big Tech FAANGs. NYT's Steve Lohr, Mike Isaac and Nathaniel Popper in the 17 July "Reprimands of Big Tech Cross Aisle" look at senators and congressmen of considerable status such as Senators Ted Cruz (R-TX) and Sherrod Brown (D-OH) who join forces, if only on cyber security or anti-trust issues related to regulating Big Tech.

Who's Watching? Mueller Time

For those returning from an isolated African jungle safari, on 24 July former FBI Director Robert Mueller testified before the House Judiciary Committee on obstruction of justice and the House Permanent Select Committee on Intelligence (HPSCI) on Russian election interference. The former hearing did not directly address cyber issues; Mr. Mueller was "by the book" with no surprises, and the Members of both parties expressed their admiration for the witness's service and then launched into somewhat politicized blasts, despite Chairman Jerrold Nadler's (D-NY) attempts to rein them in and direct them to complete their comments within the allotted time. Some "questions" gave Mr. Mueller no time to respond. This behavior is not unusual on the Hill. In contrast, the HPSCI was markedly civil, in part likely due to Mr. Mueller as a former FBI director having appeared before the HPSCI many of his nearly 90 times before Congress. Chairman Adam Schiff (D-CA) had a less contentious three hours, with Ranking Member Devin Nunes (R-CA) being a slight exception. What was also, conversely, exceptional was the questioning of Member Will Hurd (R-TX) who commended Mr. Mueller and his work, and did so with no "howevers." More expectedly, Member Eric Swalwell (D-CA) asked about cyber attacks and countermeasures used against the US during the 2016 elections. He also queried whether encryption and other technologies deployed against the elections hampered US defenses. Mr. Mueller acknowledged that they did, and that they continue "as we sit here." He added that these attacks were also involving additional actors beyond Russia. When asked about who should be in charge of this now, Mr. Mueller asked Congress to do its part to strengthen the connectivity across the Intelligence Community (IC), as was initiated post-9/11.

Interestingly, NYT intelligence reporter Julian Barnes wrote on 20 July of a new post of IC Election Threats Executive to be held by IC professional Shelby Pierson who had served as crisis manager on interference in the 2018 midterms. The Director of National Intelligence Dan Coats has directed that all IC agencies name a senior executive to her ODNI leadership board to defend against 2020 election interference.

Does Crime Pay? It Depends

Although criminals benefitting from the 2017 Equifax breach have undoubtedly reaped financial benefits, the company itself is poorer, responsible for payouts that may exceed $650M for many of the 147 million individuals whose data was stolen, per NYT reporter Stacy Cowley. A federal judge issued that minimum settlement on 22 July, pending finalization. The complexity derives from the involvement of two US government agencies and 48 of the 50 states. There may also be compensation for the time it took for victims to secure their accounts. Stay tuned.

NYT journalist Frances Robles reported on 7 July that Lake City FL, whose municipal IT system holding 100 years of data was held for ransom on 6 June, is still dealing with data now encrypted that is not yet accessible. Sixteen terabytes of data were locked. Despite a ransom payment, some remain unlocked. The triple-threat Ryuk attack, executed through spearphishing, is the culprit. Negotiators for this and other ransom events in Baltimore, Atlanta, Riviera Beach FL, Dallas, Key Biscayne FL, and Jackson County GA are loath to disclose details to the public. This would just drive prices up as well as publicly disclose vulnerabilities and regret. Officials and insurer negotiators often do not expose how many Bitcoins the ransom demands total, despite FBI's official position on not dealing with the criminals. So cities are paying for crime--that inflicted against them. And Bitcoin traders...? Well, money certainly makes the netherworld go 'round.

Cyber Scene #36 - Cybersecurity's Changing Face


From the Encryption Dilemma to War

US Attorney General (AG) William Barr presents his view of cybersecurity as the largest game changer in his nearly 30-year bookend tenures as AG (Bush 41 and Trump) at a Fordham University conference sponsored by the NY FBI Field Office. He poignantly notes that in the "vast and expanding digital infrastructure" that we depend on, we are challenged by "...making our virtual world more secure...but not at the expense of making us more vulnerable in the real world." One particular example is encryption to defend against cyber attacks while still retaining the ability to lawfully respond to criminal activity. He boils it down to balancing a citizen's and the general public's interests, as intended by the Fourth Amendment. He lays forth Supreme Court case history, the issue of "going dark," and suggestions from the UK's GCHQ for mitigating encryption challenges as well as examples of other nations which are moving on to establish statutory frameworks to better create a balanced way forward.

Another lead attorney, NSA General Counsel (GC) Glenn Gerstell in his 10 September NYT op-ed, underscores concern about technology "upending our entire national security infrastructure." He writes of the US Intelligence Community in its entirety and expands to include partners such as the Five Eyes community (US, UK, Australia, Canada and New Zealand) and other like-minded countries as warfare morphs increasingly into digitized expressions. The GC had earlier served on the president's National Infrastructure Advisory Council, where infrastructure includes digital bridges derived from the imperative to embrace the future and plan for a "whole of government" + partners solution.

Moving from the (attorney) general to the specific--Army General, NSA Director and Cyber Command Commander Paul Nakasone--NYT intelligence experts David Sanger and Julian E. Barnes look on 23 September at the context of possible cyber attacks against Iran. The Pentagon has held for several years that a cyberattack may be viewed as an act of war. The possibility of spiraling retaliations, digital and tactile, could ensue. General Nakasone has reportedly informed the White House that a "cyberscenario is no magic bullet" for deterring Iranian aggression. As noted above by GC Gerstell, such a scenario would not only engage the whole of government but would have broad-reaching international implications.

For those curious as to how inching into a cyberwar without a magic bullet, or perhaps a clear end state and means to get there, could play out in an era of denial of service (hospitals, electricity, water supply), captured ships (recent history), or boots on the ground, aural learners might appreciate Episode 84 of the "Dead Prussian Podcast" military strategy series, the Prussian being the revered military strategist Carl von Clausewitz. In this broadcast aired on 20 September, the host discusses a recently published book on "The Day After" the cessation of combat. The author, Lieutenant Colonel Brendan R. Gallagher, a serving US Army battalion commander ("Princeton Ranger" on Twitter), analyzes the last 20 years of US military engagement regarding success or failure. This is viewed from the existence or absence of clearly articulated goals paired with a strategy, working backwards, to get there. An inconsistent tension underlines these wars: choosing "enduring democracy" or "bring the troops home now," but not both. He argues that the decision to go to war needs to be reached after this strategy is determined, the means to execute it to the desired end state with obstacles identified and mitigated, and teed up by the National Security Council apparatus for whole of government engagement. This approach may be applied to cyberwarfare as well as 21st Century sea/land/air combat.

Cybermetrics, Anyone?

Former DHS Deputy Assistant Secretary for Policy and Senior Chertoff Group Advisor Paul Rosenzweig writes in Lawfare that cybersecurity is similar to (well, you know...): "we know it when we see it" but struggle to define or measure it. This impacts on our ability to judiciously make "tradeoffs, cost-benefit assessments, and (address) issues of practicality and scalability." He opines that measuring cybersecurity is foundational for policy, law, and business decision-making. He notes that "trust us" is no longer a rational response, particularly in the current environment of "tech-lash." Granted, there have certainly been improvements but how much, how fast, how effective are they? Some are considered "secret sauce" not openly disclosed, so transparency and accountability are left wanting. Or is the "quest for good cybersecurity metrics a phantasm?" The answers to cost, value and benefit are unknown if this exceedingly elusive quest for metrics remains unresolved. Science and art seem to be inextricably linked for those seeking a solution.

Up Hill Toward Intelligent Decisions

In the wake of Director Mueller's headline-monopolizing Congressional testimony in late July, a reflection of extremely encouraging bipartisan unity also occurred at that time: the move forward in Congress of the Intelligence Authorization Act for FY 2018, 2019 and 2020. This provides a means of resolving some of the challenges noted by AG Barr, GC Gerstell, and lawyer Rosenzweig above. The HPSCI approved the bill and moved it forward. The House added a few amendments, "overwhelmingly passed" in a bipartisan show of strength: 397-31 (92% yea, 7% nay, 1% not voting).

The SSCI had approved it unanimously on 14 May, but recommended a full Senate vote. With strong votes in the full Senate. For cyber practitioners reading this Cyber Scene, the act not only specifically calls out Russian cyber threats relating to election interference and creating a task force within the ODNI to protect the US tech supply chain, but also, notably, "...enhancing career path flexibility and benefits for cybersecurity experts working within the Intelligence Community."

Distrust and Verify

In the US

With attempts to measure, balance, and fund the future cyber developments as noted above, interaction between the tech giants and the Hill continues to accelerate. This includes discussion about regulation. The US Department of Justice (DOJ) decided to open an antitrust review regarding tech giant competition and market power, which ups the game. On the one hand, the 10 August Economist posits that the big tech firms are solidly ensconced. The article notes that not only are these firms exceedingly successful, they also pour vast bullish proceeds into innovation and advertising for their customers. These customers, however, are more concerned than in the past about big tech's negative impact on society. DOJ is not alone. Kevin Roose, in the 12 August NYT, criticizes the tech leadership for swapping hoodies for flag pins to woo Congress by "conspicuous patriotism." This approach from tech leadership may not yet be successful: on 9 Sep the NYT published charts on "16 Ways that Facebook, Google, Apple and Amazon are in Government Cross Hairs." The leading, detailed offenses across the board, as denoted by tech company and the particular agency or committee that was in the mix, were privacy and antitrust infractions.

Foreign Relations Trick or Treat: Cybersecurity Month and Leif Erikson Day

In the shadow of this year's DHS designated Cybersecurity Month, NYT Adam Satariano reports from Copenhagen on 3 September that Big Tech is so powerful and so global as to merit collective superpower status there. He notes that in 2017, Denmark acknowledged that such a superpower required diplomatic treatment and named a career diplomat, Casper Klynge, as Ambassador to the Tech Industry. His war experience involves Kosovo and Afghanistan (two of the wars discussed in the above-cited podcast) and also harkens to the classic Clausewitzian definition of war as "the continuation of politics by other means." A case could be made relying on the diplomatic tool of statecraft to avert cyberwarfare or tech-bashing. The future may offer the readership an opportunity to weigh whether diplomacy or Congressional regulation is more effective. On a lighter note, there have been unconfirmed rumors that this Viking nation, whose early explorer discovered the new world, may be considering a "Make Denmark Great Again" agenda by repossessing New England. (N.B. This is unrelated to the self-designated "Great Dane," the prescient and late Victor Borge.) Minnesota may also be in the mix. The Danes appear to be disinclined to sell Greenland. The 9 October traditional US presidential proclamation on Leif Erikson Day, should it occur this year, may shed some light on the future of US-Danish partnership.

Near and Far

As facial recognition improves by leaps and bounds, its applications and countermeasures do so as well. The Economist 15 August "Face off" scans across San Francisco, CA, through the UK and Hong Kong tech developers and academics who are moving full-frame ahead, so to speak, in perfecting AI-based techniques and expanding face-recognition applications. Some US cities disallow their use as an affront to privacy. Protesters in Hong Kong have hidden their faces or pointed hand-held lasers at cameras. Although face recognition is broadly used in UK surveillance, some members of parliament have called for a ban on police use. How good is it? The US National Institute of Standards and Technology (NIST) says that as of 2018, face-recognition technology was over 99% accurate. The article goes on to analyze academic research across the globe, summing up that there are still loopholes. Sunglasses, anyone?

For those who deem these countermeasures insufficient, Consumer Reports is running an October Guide to Digital Privacy entitled "Who is Watching You" and how to help individuals implement privacy controls.

Farther: The Great Wall

China is reloading to thwart damage to Huawei's market share by unveiling a new mobile operating system, Harmony, as reported by the NYT's Raymond Zhong on 9 August. Although some of the impact on Huawei's ban is slightly mitigated now, it remains the world's second greatest smartphone provider, behind Samsung but ahead of Apple, per Mr. Zhong.

The overarching issue for Huawei, however, is creating a means to verify what they can deliver in an atmosphere of distrust, as captured by the Economist's Chaguan in Distrust and Verify on 8 Aug. Customers expect a tech life commitment based on trust. Even more challenging, the present globalized marketplace has created an international supply chain based, in some markets, on "ABC: Assume nothing. Believe nobody. Check everything." This is basic caveat emptor. The Chinese dismiss queries into national intelligence requirements of tech companies to share with the national government by saying that these laws only apply within China. The article concludes by suggesting that China's tech companies retool their marketing approach to argue for acceptance of low- or non-existent trust. But the reporter does not expect that to be acceptable to the Chinese government. More recent developments in mid-September include the eviction of the Chinese telecom company by an international cybersecurity group in order to comply with US sanctions. The reported downside, per Wired, is the increased vulnerability of customer systems to malware attacks.

Forecast: Cloudy Weather for Capital One

As customers are checking to see what is in their wallets (and bank statements and social security cards), the Washington Post's Rachel Siegel reported that Capital One's reliance on cloud security was misplaced as, per the article, cloud services themselves were compromised. The Economist's Schumpeter dubs this breach the "Exxon Valdez of cyberspace." Like the single-hulled Exxon Valdez, Capital One's "security web application firewall" was penetrated by the hacker. With the oil spill serving as a "watershed" (? oil shed?) moment for Exxon, the cyber world should, Schumpeter argues, learn from Exxon's 30 years of course correction.

Black Hat Snippets from Wired

For those not attending the Black Hat conference this August, Wired has highlighted cybersecurity threats for you. Two examples of likely broad concern are the following.

Dreamliner or Nightmare?

Cyber experts have discovered a flaw "in the gut" of the Dreamliner Boeing 787, adding to Boeing's 737 MAX and stock price woes. The discovery of a security glitch in the aircraft's code, while dismissed by Boeing, is viewed by its discoverer as a serious concern.

I Phone, They Text

A second eye (I)-catching Black Hat summary, courtesy of Wired, is a discussion of how hackers can access iPhones via a text without the iPhone user ever clicking on the text. The interaction-less iOS attack is an offshoot of the WhatsApp flaw that allowed phone calls to attack phones without being answered.

Cyber Scene #37 - Letting Justice Prevail Another 230 Years


Lawyering Up: Supreme Justice(s)

Congress continues to be vectored on issues regarding checks and balances--the impeachment process, White House Syrian withdrawal and cancellation or withholding of funding allocated by Congress, and the sudden death of Rep. Elijah Cummings (D-MD) who chaired the House Oversight Committee in the middle of this mix. Congress will restart hearings with Facebook CEO Mark Zuckerberg, a familiar thread Cyber Scene will address in November.

Meanwhile, the Supreme Court of the US (SCOTUS) kicked off its new fiscal year 2020 term on 7 October (always the first Monday of October). SCOTUS has 47 cases on its docket from a variety of appeals courts and states. Seven cases are pointedly on cyber, whereas others may be tangentially connected, given the ubiquitous nature of cyber underpinning our daily lives. As checks and balance issues are addressed by Congress, a few words regarding SCOTUS members and their mandate to uphold the Constitution of the US, as the third leg of US democracy, might be of use to this readership. This is not to predict where the Court may end up on the issue of cyber, nor report (not yet) what they decide, but rather to explain the process.

Order in the Court

The Justices themselves, appointed by the sitting President and confirmed by the Senate, feel no obligation to be pigeonholed on any projected plot on a political spectrum. They call 'em as they see 'em. This spectrum includes liberals, conservatives and centrists; strict versus broad interpretations; "originalists" and "living interpreters;" and national origin, racial, gender and religious diversity since the Bush 41 administration. There have historically been some surprises as "conservatives" (Chief Justice Roberts seems to be a current example) and "liberals" move toward the middle, or even selectively, in the opposite direction. The driver is each Justice's interpretation of the Constitution and the intent of its framers relevant to the case before her/him. Unlike the acrimonious partisanship in the other two branches of government, the Justices are respectful of and collaborative with each other, even when their own interpretations of the Constitution, as viewed in their decisions (majority or dissenting), are polar opposites. There are droves of examples of them reaching across the so-called aisle, and not only during confirmation hearings. For example, Justices Scalia and Ruth Bader Ginsburg were friends despite their distant "place on the spectrum." Justices' positions have been charted, but note the frequent variations in "liberal" versus "conservative." The black lines indicate the Chief Justices' opinions and the courts under them are referred to as "the Warren/Rehnquist/Roberts, etc., courts."

Traditionally, the Justices prefer to stay out of the limelight, unlike the members of the other two branches of US government who run for election, and rather hunker down thoughtfully on the huge docket before them. There have been some exceptions. To illustrate, look at the Justices noted above. The late Justice Antonin Scalia is the subject of several books and of a play, "The Originalist," referring to his belief that the framers--mostly Hamilton, with Madison and Jay, in their 1787 Federalist Papers and the Constitutional Convention of 1787 these papers led to--said what they meant. Justice Scalia held that "distorting" the Constitution by revisionism is ill-advised. It took two years for the Constitution to be ratified in 1789; even or particularly then, Congress could get bogged down. John Jay also served as the first Chief Justice--an early framer called upon to practice what his five papers, which focused on foreign policy, proposed. Hamilton wrote 51, and Madison, who drafted the Constitution itself, wrote 29.

Another exception is Justice Ruth Bader Ginsburg (RBG), about whom two recent movies ("RBG," a documentary, and "On the Basis of Sex", a Hollywood take) were released over the last two years. Other Justices attempt with greater success to step away from the lights. Justice Clarence Thomas was recently asked by a former SCOTUS clerk (as recounted to your author by this clerk), whether he is publicly identifiable as he and his wife RV across the US during Court recess. The Justice replied that recently, when approached at a gas pump by someone saying, "You look a lot like Clarence Thomas," he replied, "Yeah, I get that a lot." However, with the publication of two new books about him over the last 6 months, he may sacrifice his anonymity. SCOTUS itself will likely draw greater public attention as new challenges, including cyber, are addressed on the 2020 docket. You can witness this yourself: the sessions where arguments are presented are open to the public while the decisions from the Justices' opinions, decidedly not/not TV-spontaneous, are written. They serve as the Court's historical precedent--the basis for what lies ahead into the next 230+ years. Stay tuned for the Court's activity this 2020 term related to cyber, cybersecurity, and its entangling alliances.


Sizing Up Cyber's Future

On the same track of supremacy, the "Economist's" (28 Sep) accolades to Google's quantum computing power in "Supreme Achievement" underscore the global impact of this cyber-linked achievement. Starting with Feynman's predictions in 1981 with "blackboard squiggles," the article celebrates the fact that Google's new quantum computing power can perform in 3 minutes a task that would take the world's greatest computers 10,000 years to execute. That is one giant step for man delivering the future today. Of course, the cautious British-based "Economist" curbs its enthusiasm by returning to its theme of who is going to "seize the Holy Grail of computing." Visions of "Raiders of the Lost Ark" come to mind. Moreover, such powerful, state-of-tomorrow's-art computing requires "clever" (British English for brilliant) mathematicians and programmers. The "Economist" clearly states: "A world with powerful quantum computers, in other words, is one in which much of today's cyber-security (sic) unravels." Moreover, it likens this power to the Sputnik launch, which proved a concept. In this case, the journal believes that sceptics about the power and future of quantum computing should be won over, and the practical applications of this achievement will arrive much sooner than had been anticipated.

This harkens back to an earlier discussion by the "Economist" related to who grabs the "grail," in its series on AI and War (7 Sep). Specifically looking at warfare with the US and China as the lead comparison, both countries are concerned about the other's misuse of AI-enabled weapons and the general dangers to us humans that could devolve. The overview, "Mind Control," cites long-standing arms control expert Henry Kissinger as saying that "adversaries' ignorance of AI-developed configurations will become a strategic advantage." Meanwhile, in "Battle Algorithm" the issue of AI transforming warfare is explored in considerable detail. What good is theory without action, it wonders. It analyses various AI applications for warfare purposes, and charts the success rates of AI image, per detection and object segmentation, and language processing, per sentence parsing and translation. It concludes, however, that human intervention or direction, as in China, will make a difference.

Not Child's Play

As if to counter this influence, its "Masters of the Universe" edition (5 Oct) takes the position that the world capital market is increasingly driven by computers. Its flippant "Hey Siri, can you invest my life savings?" resonates with a Bluetooth quiver. The focus is largely on New York City as the hub of world financial activity, and graphs both institutional trading and the rise of assets in indexes, cleverly labeled "passive aggressive." Needless to say, the backbone is cyber.

As the US 2020 presidential election heats up, cybersecurity issues are now impacting the White House incumbent as well as the Democrats, but seemingly from different vectors. The latest breaking story from "Wired" delves into Iranian hacking targeting President Trump. The attacks were focused on 241 individuals, but only 4 were successful. The perpetrator is known by Microsoft, which identified and thwarted the attacks through its Outlook, as Phosphorus, aka APT 35 and Charming Kitten. The hackers attempted to take over the accounts of these individuals by using certain personal information, but were unsuccessful. They had been involved in US Treasury attacks in 2018 per "Wired" and Reuters, which was responsible for publishing the story picked up by Wired.

For hackers, 2018 was a very good year. On 10 October 2019, "Wired" reports on "The Untold Story of the 2018 Olympics Destroyer Cyberattack" in Seoul. The events are painstakingly chronicled, beginning with the Olympic countdown when the technology chief of the Pyeongchang Olympics organizing committee discovered that "...something was shutting down every domain controller in the Seoul data centers, the servers that formed the backbone of the Olympics' IT infrastructure." Although the attack was thwarted, "the incident immediately became an international 'whodunit.'" Attribution has been increasingly challenged by sophisticated "false flags" and this article addresses several significant ones, including Russia's attempt to hoist such a false flag when it hacked the Democratic National Committee and Hillary Clinton's 2016 campaign. Some disbelievers persist, particularly as there was plenty of evidence to implicate other perpetrators as well as the Russians. However, two cyber experts working completely separately, and two Intelligence Community agencies, NSA and CIA, working together came up with the same solution. In fact, one of the experts was able to connect the Olympic Destroyer attack to a specific GRU unit. The protocol of historic seafaring false flag usage to confuse the enemy was resolved by the user "coming clean," but in cyberwarfare, the onus is on the cybersecurity experts to properly attribute the attack.

Cyber Scene #38 - Back to the Future



Are Cybersecurity Politics Also Local?

The House Permanent Special Committee on Intelligence (HPSCI) is of course vectored of late on dawn 'til dusk (really) subpoenaed testimony, but outstanding and pressing docket issues remain for this committee and others on the Hill. One is the never final division of federal, state and local authorities and responsibilities. The Federalist papers presciently noted that division of federal and state (and subsequently local) political issues is a thorny and enduring problem. Are we picking our poison re: hanging separately or together? Are ransomware attacks hatched in a tweener's basement in State A or from a Vlad the Hacker's global cyber megaplex? Cities including Atlanta, Baltimore, and two in Florida which have been victims of "cyber hostage situations" might, in the final analysis, also start keeping the HPSCI literally up at night as the present mega hearings are doing. As reported by Wired on 28 October, U.S. states including Alabama, Virginia, Oklahoma, Texas, Arizona and New York, in addition to several major cities, are being attacked in hospitals, city internet systems, and voter registration networks. Although a bill to require the Department of Homeland Security to move forward to create "cyber hunt" and "cyber response" units was in play to defend against future ransomware shutdowns, the complexities in sorting out the centuries-old federal or state/local responsibilities endure. Funding is a major roadblock.

Even when the constituency is the same, the parties the same, and the state the same, divisions in how to fix the problem remain. According to the Wired article, although HPSCI Member Jim Himes (D-CT) "...is concerned about the rise in these brazen attacks, he also sees fundamental limitations in the federal government's ability to help stop hyper-local attacks." On the other hand, Senator Richard Blumenthal (also D-CT) believes that "Ransomware is one of the growing threats to cybersecurity, and the federal government ought to be doing everything possible to assist towns and cities. There's an urgency and an immediacy." Indeed. House Member Dutch Ruppersberger (D-MD) offers a compromise of having the federal government train and assist (sound familiar to the military?) local entities to defend against the attacks, which will also give state and local authorities time to finance this very costly cyber shield. Once an attack occurs, FBI steps in to track it. But this does not meet Senator Blumenthal's "urgency and immediacy" standard. For those individuals turned away from a hospital, certainly not.

It's APT33 To Take Control

To "pylon," as it were, Wired's Andy Greenberg on 20 November reports that Iran's APT33 hackers are likely exploring "disruptive cyber attacks" on critical infrastructure. Iranian attacks are historic, but the perpetrators anticipated this time are looking at physical control systems used in electric utilities, manufacturing and oil refineries. The CyberwarCon conference in Arlington, VA, held on 21 November, was scheduled to include Microsoft security expert Ned Moran discussing Microsoft's recent findings over the last two months of a shift in Iranian activity from APT33 (aka Holmium, Refined Kitten and Elfin). Moran and Microsoft posit that APT33 is shifting to "...going beyond wiping computers...and may hope to influence physical infrastructure." The article goes on to document that such attacks on ICS (Industrial Control Systems) are rare, but powerful: the US and Israel's Stuxnet (2009 and 2010) reportedly destroyed Iranian nuke centrifuges; in 2016 Russia is said to have caused a blackout of the Ukrainian capital of Kyiv; and unknown hackers attempted to inflict physical mayhem and threaten the safety of personnel at a Saudi oil refinery (2017). CrowdStrike vice president Adam Meyers disagrees and thinks the Iranians will focus on espionage and will likely install software from APT33. Moran documents recent Iranian-US escalation devolving from political issues in attacks and counterattacks since June 2019, upping the ante.

For a look at how the U.S. Government is positioned to meet and anticipate these and other cybersecurity issues, Wired's Garrett Graff interviews on video NSA's Anne Neuberger, the Director of the newly established Cybersecurity Directorate. She articulately outlines the role of the Directorate, how she directs outreach to the public with the example of three alerts made public since the establishment of the Directorate in October 2019, and an overview of the problems and challenges now and projected into the future as new technologies take hold, and even newer ones are created. The video is a refreshing overview of how moving forward in a positive way plays out, despite the gloom and doom of the targets and victims.

Looks Familiar

For readership with a U.S. Global Entry access card, you may have been recently surprised at the "cleared in seconds" facial recognition system in place in certain US ports of entry. China's system is, per the 9 November "Economist" in "Data Privacy: The First Face-off" even more expansive...too much so, per one of its citizens who has brought a suit against his very large and powerful country. Guo Bing objected to the pervasive facial recognition requirement for entry, now specifically, into China's 300 site safari park system. There has been little privacy debate in China about this technology, but Mr. Guo is now cast as a hero of the "netizens" championing consumer rights. This has led to much social media discussion and support for Mr. Guo, as the article cites examples of those who are terrified due to "...a feeling that everything you say and do is being monitored...1984." Mr. Guo's case, requesting a modest refund for his season park pass, has not yet been concluded. The request is infinitesimal but the implications may be global.

Tech-tonic Impact

Is it, as Barron's journalist Leslie P. Norton opines on 25 October, "...the end of the world as we know it?" She interviews Ian Bremmer, founder of the highly respected Eurasia Group consultancy which provides geopolitical analyses and regional risk assessments to contemplative folk/agencies/countries who/which seek expert advice. In the context of the shift of political, economic and even military clout away from the trans-Atlantic region, Bremmer notes:

"...technology increasingly doesn't serve the purposes of liberal democracies. It has moved from undermining authoritarian states to supporting them, as the data revolution (enables) surveillance data and social media. These things make the U.S. weaker and more divided, and make China and other authoritarian states stronger. That's exactly the opposite from what technological advances achieved 10 years ago."

As one steps back to digest this and the other subjects, Bremmer addresses issues such as the incubator role of the U.S. in the development of technology, and awaits the publication of Eurasia Group's Top 10 Risks list. He closes by saying that the biggest short-term risk for global investors is that "You don't think of the U.S. driving global political risk. That's changing."

Which Way Do We Go?

How do tech giants deal with the increasing desire of countries to censor speech online? In "The Splinternet: Net Loss" of 9 November, the "Economist" examines how authoritarian countries are restricting on-line postings, whereas until lately the internet has functioned according to "techno-libertarian assumptions." Britain's health minister believes that tech giants like Facebook and Google share a "duty of care" as do lawyers and doctors. The article probes this attitude vis-a-vis U.S. First Amendment freedom of speech issues. Where should the line be drawn, and how can tech giants do both?

Two theoretically unrelated articles in the same issue explore different examples of these seemingly insoluble issues. One, entitled "Sexual Disinformation: Naked Untruth," looks at how European women--a Finnish journalist, Russian critics regarding the Skripal case in Britain, and others across six European countries--are disproportionately "singled out for vile abuse for political ends." Facebook and WhatsApp were noted as platforms.

With regard to political ends, a second article entitled "Lie-posting" takes to task both Facebook and its U.S. critics for not thinking clearly. It takes a brief historical look at America's political history, noting that no politician after George Washington has "...felt the compunction to never tell a lie." It calls to the stand two American heroes: John Adams and Alexander Hamilton. Both have well-deserved reputations as visionary founding fathers, but they are also known for their testy personalities and flippant accusations. First comes John Adams, whose campaign slandered Thomas Jefferson: the two, early friends, did not work well together in mid-life and only reconciled in their final decades and near simultaneous deaths (4 July 1826). As for Hamilton himself, this Federalist writer-in-chief and creator of today's enduring U.S. treasury and banking system took easily to dueling verbally with rivals as a result of sometimes inaccurate slanders. Predating the instantaneous high-tech delivery systems of the 21st century now evolving at warp speed, the issue of "lie-posting" has existed in earlier expressions since the birth of America, and certainly beforehand. It has just become far more challenging to handle equitably and honestly as volume and velocity flourish worldwide.

Regrets, He Has a Few

The New York Times devotes its entire 17 November Magazine to some internet regrets which Bill Wasik in the NYT lead article terms "both dreams and nightmares" and a future viewed from "as many angles as possible." He opens with Mark Zuckerberg's presentation at Georgetown University on 17 October entitled "Standing for Voice and Free Expression," the reception of which might cast him as unpopular. Wasik interpreted the speech as hinting that the status quo might no longer be possible. He discussed China's exportation of an internet bearing different values and holding six of top ten internet platforms.

The magazine goes on to explore the promised many angles of the internet, past and future, across many articles. Looping back to managing lies, slander and fake news generally, another article explores the role of censorship in conveying truth. Other articles cover China's super apps, the impact of YouTube on teens, and how tech giants are now at an "uneasy stalemate" regarding global domination. The article includes projections for the status quo model of revenues per capita ($616) in 2022 and the AI-driven accelerator model ($21,522) in 2030; the staggering total revenues are $198 billion in 2022 and $7.1 trillion in 2030.

Cyber Scene #39 - The Future is Looking Up


Launching the Next Decade--Times Two

New York Times tech analyst Brian X. Chen leads off on 1 January in "The Tech that will Invade our Lives in 2020" with New Year projections of how "tech everywhere in life" is evolving quickly. He comments that many of the details of "high tech at our door" will be showcased at the CES 2020 consumer electronics trade show in Las Vegas, ongoing as this Cyber Scene is published. The arrival of 5G, he posits, will be at the center of the near future--yes, the same hotly contested 5G that has a face that has launched a thousand digital ships (Trojan horses included??) with China. Mr. Chen goes on to point out that the steady rise of 5G has spawned a panoply of related devices, such as vehicle additions that allow two 5G-supplied drivers to signal lane changes or braking, contributing to the forward march of autonomous cars. Digital ear "fitbits," which are a step up from Siri-controlled earbuds, increase the sophistication of applied technology. And your home will become smarter as it becomes more digitally connected.

Across the pond, the London Times examines the intelligence "counterpoint" to the race pace of advancing technology in the ten years to come. The UK government is in the process of preparing to conduct its defense and security review pledged by newly-elected Boris Johnson to be the most profound review since the Cold War, per PM Johnson. Much of this is cyber-related, and has "sparked intense preliminary discussions in Whitehall departments, MI6, MI5, and GCHQ as they try to win resources and pitch desired modernisation reforms" to prepare it to defend against Russia's and China's quickly evolving technology-driven attacks. Likely to be included would be wider surveillance powers for the intelligence services, a broader remit for surveillance warrants, a move to take advantage of technological advances relating to data, and an upgrade to the security systems to make them more agile and effective. The British continue to be concerned about government vs. civil liberty surveillance issues and worry about Russian military intelligence operatives gaining a "first move" advantage regarding British intelligence officers.

The review will also include decisions regarding police and intelligence use of "equipment interference" (hacking of computers, phones, servers and networks) and more effort for analysis via artificial intelligence and algorithms of bulk data acquired by surveillance. The UK also plans to develop new models for government-tech industry partnerships. Last, but not least, is the expansion of the UK's Defence Intelligence (DI) service which will "play a big role in the national cyberforce being set up to preside over offensive cyberactivity." According to the article, interagency disagreements are problematic, as the DI does not have the standing of the other more robust intelligence players. On a positive note, Dominic Cummings, the chief strategist for the Prime Minister, seeks to use the US DARPA (Defense Advanced Research Projects Agency) as a model which would also benefit UK universities and research labs.

From Stars to Groundlings

"Beam Us Up!"

The future of cyber is literally not beyond, but above us, according to both the recent US decision to create and fund a Space Force, as well as the Economist's peek at the next decade. Although emissions from the White House have not yet done so in a detailed manner, Space Force proponent Admiral (ret) James Stavridis predicts that the nascent US Space Force will evolve into a Space and Cyber Force. Following his Bloomberg op-ed picked up by many mainstream dailies briefly mapping out the logic for a Space Force whose time has come, he then engaged in a follow-up military-focused 8 minute podcast (far more informative than tv sound bites) laying out the rationale, in a global context, for its creation. He then goes on to discuss the initial reconfiguring and centralization of space-related endeavors, ongoing and funded; the scaling and future growth of the Space Force; and its cyber connection. While his op-ed ends on a light note, embedding navy-speak into the Space Force initiative, the podcast is a wholly serious discussion of the blueprint for a Space Force capable of standing up to existing Russian and Chinese space forces and future bad actors.

The Economist's five-part Holiday Essay "Beware the Borg," which predates by a few days (published 18 December) Admiral Stavridis' Starship Enterprise op-ed, delves into space not so much as the next frontier, but one with historic ties back to the 1960's and Chile (!). Subtitled "A future of command economies and cybernetic dictatorship needs to be feared, but not expected," the essay fast-forwards, warp-speed, to cite Jack Ma, the recent CEO of China's Alibaba, who predicts: "Over the last 100 years, we have come to believe that the market economy is the best system, but in the next three decades, because of access to all kinds of data, we may be able to find the invisible hand of the market." One can extract from this that money as we know it, may not fuel the global economy--not even as a credit card, Paypal, Bitcoin or Libra. And then what does one do, the essay asks: help, anticipate, or disable the invisible hand? It then wonders that "if technology could outperform the invisible hand in the economy, might it be able to do the same at the ballot box?"

After discussing costs, the intoxication of technology, and other developments, the essay proclaims: "Let a thousand satellites bloom, a trillion sensors sense" which recalls our recent Space Force discussions. The conjoined nature of economies and high-tech hierarchies is discussed in the context of Soviet-styled planned economies, as in "The People's Republic of Walmart" a book published in 2008 looking at the history and possible future of planning. (N.B. China's White Paper plans to the year 2050.) In the fifth segment entitled "Welcome to Planet Platform," the essay posits that this future might lead to new ways of making decisions that will be entirely dependent on cyber.

Champagne taste but a taxed budget

As the satellite space expands above us, earthlings from liberal democracies throw down gloves over taxing tech. The 5 December Economist's "Bottle Shock" looks at the US and France sparring over corporate taxes on US-based FAANGs such as Google and Facebook whose tax rates across European countries "look suspiciously low." How low? The International Monetary Fund (IMF) assesses that the shortfall of taxes globally per year is, well, rounded off, $500 billion from "multinationals shifting profits to tax havens." France is adding a 3% tax, backdated to 1 January 2019, and the UK 2% while the US is retaliating with a threat of a 100% tax on French exports ranging from cheese to champagne. One might wonder whether Wensleydale and Pimm's may be next. The Organization of Economic Cooperation and Development (OECD) which includes these three and 33 other countries, has been working on a solution for nearly 6 years. China and other countries are working on a "unitary" approach lumping companies' worldwide operations together. Since there is no near-term solution, the Economist recommends that Americans keep their champagne on ice.

The Here and Now

As the uptick of space operations adds to the constellations above, here below the very near issue of protection against 2020 election tampering has upgraded US defenders to a war status.

A War by Other Means

The concern around Russian election interference, past and particularly future, has solidified into a new age of warfare--one emphasized by the Associated Press article on 26 December entitled "States are on the front lines" by Christina A. Cassidy. She reports on a US military presentation to 120 state and local election officials from 24 states gathered together in Washington D.C. under the rubric of a Harvard-affiliated democracy project. It emphasizes training for election security officials--increasingly worried--to be able to thwart interference. The article compares the past election security to a wedding planner who merely needs to see who shows up on election day and ensure that the wedding is properly stocked with equipment and supplies, as compared with the notion of the system itself being at risk. It is worth noting that this Defending Digital Democracy Project falls under the Belfer Center for Science and International Affairs at Harvard's Kennedy School. Its programs and fellowships run the gamut from technology and policy on water to China's cyber capabilities.

On the governmental side, the Washington Post's intelligence correspondent Ellen Nakashima writes on 25 December of the US military's development of warfare tactics to avert Moscow-sourced interference by hacking 2020 election systems. US Cyber Command, now 10 years old, is at the vortex of this effort, according to the article. University of Texas, Austin, law professor Bobby Chesney notes that Russia has shown that integrating traditional information warfare with cyber-operations is now an inseparable practice, which Cybercom and the National Security Agency are trying to weave together in military operations as cyber-offensive capabilities. Ms. Nakashima goes on to say that while other military organizations such as the Joint Special Operations Command (JSOC) have combined these before, they have not done so with reference to election security. She also delineates several cyber operations that were used against attacks during the 2018 mid-term US elections--counterattacks which proved very successful. Interagency coordination for 2020 operations has also been worked out. Former senior defense policy official Michael Carpenter points out, however, that cyber operations alone are most effective when also aligned with other tools and backed by allies.

Cyber Scene #40 - Nations (Not Totally) United On Cybersecurity


The United Nations--Not Cyber Scene's Usual Suspect

The United Nations (UN) has spoken loudly, twice in the last few weeks, on cybersecurity. Both the UN Secretary-General (UNSG) himself as well as the UN Human Rights Council representing the voice of world authority have addressed the future impact of cybersecurity as well as monumental past transgressions just confirmed by the UNCHR.

Cyberspace: The Not-So-Cold War

UN Secretary-General Antonio Guterres spoke at great length and detail on US-China's tech divisiveness related to cyberspace and its worse-than-cold-war status in a discussion with Wired's Editor in Chief Nicholas Thompson recently, with the full interview and video published on 15 January. The UNSG covered a wide swath of global issues, including the high-level panel the UN created for digital cooperation. The panel's objective is to bring nations at loggerheads together under UN auspices. The UNSG believes that technology can promote democracy but also addresses dangerous aspects--unintended or sometimes intended consequences. He believes that access to the internet should be a right, but that technologies should not be used as instruments of political control.

WhatsApp if Money Can't Buy You...Privacy?

Crown Prince versus Google King

Business Insider's Isobel Asher Hamilton reported on 22 January that US human rights investigators "...just backed bombshell claims that Saudi Crown Prince Mohammed bin Salman (MBS) most likely hacked Jeff Bezos' phone." The UN Council on Human Rights (UNCHR) Office of the Commissioner formally stated that UNCHR was gravely concerned about the hack. In the words of the UN itself: "The two experts - who were appointed by the Human Rights Council - recently became aware of a 2019 forensic analysis of Mr. Bezos' iPhone that assessed with 'medium to high confidence' that his phone was infiltrated on 1 May 2018 via an MP4 video file sent from a WhatsApp account utilized personally by Mohammed bin Salman, the Crown Prince of the Kingdom of Saudi Arabia." The UN statement goes on to argue for increased and immediate investigation and control by the US and other "relevant authorities" regarding MBS's efforts to target perceived opponents.

California is setting off its own state-wide privacy scramble while awaiting national or international support. Fortune's Jeff John Roberts reports that a new 2020 law, the California Consumer Privacy Act (CCPA), requires businesses to reveal to consumers what they have collected on them, and to delete it all upon the request of the consumer. Mr. Roberts notes that advertisements by behemoths such as Walmart would no longer be able to be tailored for a particular consumer. Google also would lose income from advertisers who are charged more for ads specific to individual consumers. A nonpartisan report projected upfront costs of $55 billion to the advertisers with this law taking hold; nearly two dozen other states are considering implementing similar laws. Meanwhile, Mr. Roberts notes that "unusual bipartisan agreement to pass such a law" at the national level may not be stalled until after the November 2020 elections because, as Brookings Institution expert Cameron Kerry notes, the lack of privacy for the children and grandchildren of US legislators is making this issue personal.

Blame Game, Revisited

The issue of Russia generously ascribing to Ukraine credit for the Burisma hack continues to play front and center. The New York Times reported on 13 January new evidence of a Kremlin hand in the attack of a Burisma subsidiary in Ukraine which keeps the issue linked not only to cybersecurity concerns generally but to major political ones, particularly the one before the Senate this week and through November elections.

Getting a Grip/Grid: Iran and Your Daily Life

As many Americans worry about retaliatory moves by Iran, two learned voices, General (Ret.) Keith B. Alexander, former CyberCommand and NSA Director, and Jamil N. Jaffer, Esq., the former chief counsel of the Senate Foreign Relations Committee, co-authored a threat warning and call to action published in Barron's on 10 January. It specifically pertains to Iran's build up; use of disruptive and destructive cyberattacks on US banks, a US dam, and a Las Vegas casino; and the US "sotto voce" response. This has changed since the strike on Iranian commander Suleimani. Now the expectation should be, per the authors, cyberattacks on the U.S. government, U.S. companies in key sectors, allies in the region, or all three. General Alexander and Mr. Jaffer point out that, in this war, Walmart and Target won't "...have surface-to-air missiles" as a defense. The speed of cyber attacks does not allow the US Government sufficient warning time to alert intended victims, as one would in a missile attack. They point out that in order to "provide for the common defense" as the US Founding Fathers demanded, a collective defense capability across multiple sectors, at increased speed and scale, needs to be developed now.

Wired's Andy Greenberg picks up on the issue, citing a RAND think tank expert on Iran, Ariane Tabatabai, who notes that Iranian military strength cannot match that of the west, but a cyber match up will give Iran a more equal shot. Another think tank expert, Chris Meserole at Brookings Institution, expects that cyberattacks will allow for immediate attacks, but that Iran would not necessarily exclude bombs and bullets.

Microsoft: One Big Step for Public-Private Partnership

The National Security Agency (NSA) and Microsoft are recent exemplars of the defense capacity of which General Alexander and Mr. Jaffer wrote. In a discussion with NSA's Director of Cybersecurity Anne Neuberger on 14 January, Wired reported that in a call with reporters she spoke about the public release of a Microsoft vulnerability which NSA shared with Microsoft. She notes, "When we identified a broad cryptographic vulnerability like this we quickly turned to work with the company to ensure that they could mitigate it." This is consistent with Ms. Neuberger's face-to-face video discussion with Wired's Garrett Graff of a new approach to public-private partnership. The video, published in Cyber Scene in the November R&O, was aired on the heels of Ms. Neuberger's October 2019 appointment to her new role as Directorate Chief.

East by South East

"Headwinds for Huawei"

The Economist's annual projection of technology in "The World in 2020" holds that, over and above the global tussling over Huawei's 5G, many additional Chinese tech firms, which are multiplying due to easy start-up access to the world market, will collide with geopolitics abroad. Asia technology correspondent Hal Hodson, writing in the Science and Technology section of "The World in 2020," goes on to note that startups can quickly scale up due to China's wealth and support from the Chinese state itself, which loops back to the US issues with Huawei's 5G.

Mr. Hodson followed up in The Economist's Technology Quarterly (4 Jan 2020) in a special issue entitled "Poles apart: China, America and the planet's biggest break-up." He explores the "new revolution" from "the people who brought you fireworks..." regarding big data, reactors, microprocessors and countless other technologies. He concludes with the fact that these developments could rekindle fireworks on at least the tech, economic and diplomatic levels, if not the military.

Back in Europe's 5G battlespace, the UK's new Prime Minister Boris Johnson continues to push back on US insistence that the UK ban Huawei. With considerable insight into the UK's national security decision-making, The (London) Times reports on 15 January that some of the UK's internal discussion centers on whether intelligence sharing would be at risk among the Five Eyes (UK, US, Canada, Australia and New Zealand) communities. Certain members of the UK's inner circle say "no problem," but former Australian Prime Minister Malcolm Turnbull felt the UK would be "very vulnerable." One of the UK National Security Council members has left the "opposed to Huawei" side to support Huawei's 5G in the UK, and the head of MI5 is not convinced that UK-US intelligence sharing would be at risk; a US delegation said accepting Huawei would be "nothing short of madness."

"Trying Times" for Huawei Get P

The Economist noted on 23 January that the day marked the beginning of a likely lengthy extradition hearing and legal case in Canada for Meng Wanzhou, Huawei's Chief Financial Officer and daughter of its founder. Her lawyers in Vancouver argue that "... the alleged crime for which the United States wants to extradite her, i.e., violating American sanctions on Iran, was not a crime in Canada at the time of her arrest in December 2018." The prosecutors contend that misrepresenting banking connections, however, is illegal in both the US and Canada.

Africa Dishing it Up

Wired's Laura Mallonee reports that 8.8 terabytes will be heading to Africa where the first of up to 3,000 dishes across 9 African countries and eventually Australia are to be erected. They will connect with a telescope--"...a Square Kilometre Array (SKA)--at 1,800 miles wide the largest scientific structure on the planet with 50 times the detail of the Hubble Space Craft and the ability to gather 10.8 million square feet of radio waves." Germany and China have both had a hand in the design. The timeline for completion is expected to be "next generation" in the human, vice technical, sense.

Cyber Scene #41 - Cybersecurity Yesterday, Today, and the Great Beyond

This issue of Cyber Scene will provide a study of the US process from the cybersecurity perspective of the executive, legislative and judicial branches of US government, anchored by strategic inflection points to highlight cybersecurity challenges. Cybersecurity voices will be heard from Europe and Australia as well to widen the aperture of this readership.

The electoral process established by US Founding Fathers has given birth to chaos of late. The Electoral College at the time of its creation 200+ years ago was controversial. That is still true today, as some worry that it is no longer representational of the masses, and some electors could in fact vote against the will of their party. The 26 January New York Times editorial discussed below explores this in depth. The electors are not necessarily impacted by cybersecurity any more than the rest of the population, but the issue of election interference is front and center.

We will look first at the federal court system and state judiciaries. The Supreme Court of the United States (SCOTUS) justices (9), circuit judges (13), and district judges (94) are appointed by the executive branch and serve for life unless they retire first or are impeached.

There has lately been a significant turnover in judges at the federal level, and much interest in SCOTUS Justice Ruth Bader Ginsburg's health. In the state judiciary system each state elects its judges for a term, not life. This division of effort would mean that non-criminal cases at the state level could be appealed and heard by federal judges or even by SCOTUS, in keeping with the Federalist structure. This division of legal authority supports SCOTUS dealing with constitutional issues or appealed cases (i.e., Is the Constitution at risk from federal election interference?), whereas the states have authority over, for example, how to protect the electoral process from cyber threats within their state and local purview. The Judicial Learning Center provides a handy chart that diagrams this as well as a reminder that the Federalist Papers' second-most prolific contributor, James Madison, nailed the distinction between the two court systems in his contribution. It has endured since then. So states are struggling to develop serious plans to be funded and implemented to ensure elections are "free and fair" even as the primaries are already occurring.

The 3 February 2020 Iowa caucuses--an atypical approach to selecting a presidential candidate--were rather chaotic. Election interference is unlikely in such a system, which is technically party driven and not an "election," but humans moving physically from place to place to be counted again can be messy. New Hampshire (11 February 2020) has a more traditional system. Las Vegas (22 February) has caucuses. South Carolina (29 February) has a complex open primary delegate system and voters do not need to publicly declare their party; one party can be asked to vote in the opposite party's primary to influence the final choice. In Florida, one's voter registration is publicly available online with name and address; one must vote along party lines in the primary (17 March). Most states use electronic systems vice physical caucuses to choose candidates. Whether paper ballots back up the bits and bytes or not varies from state to state. The federalist system believes that this is the state's purview. So there is not one way of protecting all states from election interference, as those responsibilities devolve to the state. Some are funded and forward-leaning, and others are less so.

The US House of Representatives and the US Senate are concerned about cybersecurity election issues. The House Permanent Select Committee on Intelligence (HPSCI) and the Senate Select Committee on Intelligence (SSCI) have held many committee and subcommittee hearings--sometimes open but often closed--on this issue, particularly in the wake of 2016 issues regarding foreign interference and the run up to the 2020 presidential elections. The Mueller Report also investigated this.

Most recently (13 February), the HPSCI was reportedly provided a briefing on 2020 Russian interference even in the Democratic primaries, according to a New York Times intelligence beat reporting team. The briefer was Acting DNI Joseph Maguire's aide Shelby Pierson, the first election interference czar--a position created by the latest DNI, Dan Coats. Mr. Maguire had stepped up as Acting DNI from his post as the DNI's Director of the Intelligence Community's (IC) National Counter Terrorism Center when DNI Coats, selected by the incumbent president, resigned in July 2019. According to the article penned by the New York Times team, the White House was unhappy with the briefing, which was conveyed as well to the President by Mr. Maguire. On 18 February the White House announced that Mr. Maguire would be replaced by the relatively new US Ambassador to Germany Richard Grenell as acting DNI. All previous DNIs, including Mr. Coats, have, to some extent at least, had an IC background. His resignation was reportedly linked to Russian interference issues. The present principal executive serving as Acting Principal Deputy DNI, Andrew Hallman, who is also a career IC professional, is leaving to give Ambassador Grenell an opportunity to establish his own leadership team. Ambassador Grenell is also acting, so does not need Senate confirmation. The President announced to the press on 19 February that he was considering the permanent nomination of Georgia Representative Doug Collins, but Representative Collins, who serves on the House Judiciary Committee, told Fox News on 20 February that he was very honored to be asked, but that he was focused on promoting his party's Georgia 2020 races. Russian election interference, even in the 2020 primaries, appears to continue to be a serious divide as these primaries progress.

The Hack's Afoot

In a follow-up to January 2020's Cyber Scene discussion of the Saudi Prince hack of Jeff Bezos's WhatsApp account, the Economist in "Alexa, define chutzpah" offers a more detailed analysis, based on the 22 January UN investigation, of the economic and political implications of the event, which occurred when the CEO of Amazon and Prince Mohammed bin Salman (MBS) exchanged WhatsApp numbers in Los Angeles. In addressing the reaction of the market to the hack, the Economist opines that big investors might be reluctant to work with Saudi firms that may be bugging them.

The article continues: "The same goes for foreign leaders. Intelligence officials in America and elsewhere will no doubt wonder if Mr. Bezos was the only target. The president's son-in-law, Jared Kushner, is known to chat often with Prince Muhammad (sic) on WhatsApp." Beyond Mr. Bezos's status--he is the wealthiest person in the world and controls some giants in both the tech (Amazon) and news (The Washington Post) worlds--Mr. Kushner would be an attractive political target.

In another continuing saga from last month's Cyber Scene discussion of UN Secretary General Guterres, Associated Press correspondents Jamey Keaten and Frank Bajak report on 29 Jan that the UN offices in Geneva and Vienna had been hacked. The extent of the damage and the level of sophistication varied depending on which UN office commented. Those assessing the hack also noted that the intruders "didn't cover their tracks" like the pros. However, the UN's Office of Information and Technology reported that 42 servers were compromised and 24 were "suspicious." It determined that the hack was due to a vulnerability in Microsoft's SharePoint software.

And thirdly, Barron's Jason Sadowski noted on 17 February that indictments of Chinese military members responsible for the 2017 hack of Equifax are contributing to the "data bubble that is now bursting." He likens the hack of 150 million Americans to the Exxon Valdez oil spill. Mr. Sadowski is a research fellow in the Emerging Technologies Research Lab at Australia's Monash University and is wary of the power data companies now have. The Exxon Valdez was also bordering the Pacific. That data bubble is worldwide.

ARPA with British Characteristics: Looking Forward

Britain has launched a technology and research effort to draw insight from the US ARPA/DARPA and create a 21st Century ARPA for the UK. The Economist in "Aping ARPA: How to invent the future" examines how Downing Street, spirited by the prime minister's adviser Dominic Cummings, seeks to "make Britain the best place in the world...for those who can invent the future." This would be a civilian organization, vice a DARPA military clone. The plan is to allow high-risk, high-reward creative thinking of a math and pure physical sciences nature to flourish, unfettered by micromanagement. Mr. Cummings is quite lavish in his praise of ARPA, and notes that ARPA's budget was "trivial compared to the trillions of dollars of value" it created.

Strategic Planning Indeed: Digital Life after Death

As for the next world, in "Creating a digital estate plan," Kiplinger's Kaitlin Pitsker cautions us humans who do not believe in reincarnation to understand that our own inevitable (like taxes) death does not mean that our digital life has ended for our beneficiaries. One must, in fact, allow access to one's accounts for those who come after. Google, for example, will allow up to 10 "trusted contacts who can access your Gmail, photos or more." So choose your Facebook photo wisely! It will outlive us all.

Cyber Scene #42 - Cyber Surge

Regardless of what corner of the world you may be sheltering in, COVID-19 has touched you. "Ubiquitous" understates the reaches of a pandemic. But cyber is by your side, for better or worse, per the New York Times/Reuters as you are working at home. Your internet may slow down as much of the world's billions of residents are driven (figuratively, of course) to "face time" options--WhatsApp, Skype, Instagram and the like--in the absence of tactile human contact. Rather than a run on the bank for cash to stash under the mattress, touching bank notes is abhorrent to many of you and telebanking seems to work very well, thank you very much. Touching snail mail, like touching groceries, calls for caution. A sanitized keyboard does not.

Briefly, COVID-19 has, if anything, accelerated our reliance on cyber connectivity as most of the world locks down.

The pandemic generates reactions, such as the $2 trillion stimulus signed into law on 27 March. An analysis of the most salient tectonic changes is articulated by Anne-Marie Slaughter, CEO of "New America," former head of State Department's Policy Planning, and former professor at Princeton, Harvard and University of Chicago. She believes that America is capable of saving itself. She examines how governors and city leaders across the US are taking charge and how Facebook, Cisco, Amazon, Google and Twitter were among the first to establish cyber work-at-home policies in early March. Education--from PhD programs to pre-K classes--is all online now.

Ms. Slaughter goes on to say that COVID-19, "...with its economic and social fallout...is a time machine to the future." It has not only led to online education, imposing this move to the future on foot-draggers, but has also resulted in unimagined progress, as cited in her description of the founding by Governor Newsom (D-CA) in 2019 of a Future of Work Commission. The Commission has brought together, in early March 2020, 300 engineers, doctors, nurses, and designers to launch a Facebook-based Open Source Ventilator project.

Barron's Eric J. Savitz notes on 20 March that Big Tech is well positioned to support this future: the combined "in the black" profit of Alphabet, Amazon, Apple, Microsoft and Facebook is $380 billion. Their cyber lifelines are indeed saving lives...and perhaps mental health as well via Facebook, YouTube, Netflix, etc.

In the world of cybersecurity, however, the flip side is dark. Since mid March 2020, life and death pandemic concerns have inadvertently given rise to a resurgence of cyber attacks. The earliest 2020 case reported by Reuters and published by the New York Times of a suspected Chinese hacking group "APT41" was believed to have started up in late January when the pandemic was just beginning to ramp up outside China. According to FireEye, Chinese hacking groups have reportedly been active in "one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years" in the last few weeks. Three additional companies--Cisco, Citrix, and Secureworks/Dell Technologies--also believe that this represents a new thrust, with Dell indicating a new digital attack infrastructure related to government contractors.

Over the 13-15 March weekend, the Wall Street Journal reported that US Health and Human Services (HHS) suffered an unidentified "cyber incident" that, a White House spokesperson noted, did not penetrate HHS networks nor remote work. US officials and cybersecurity experts expected cyber disruptions to increase during crises, with several hackers reportedly trying to "leverage the coronavirus to spread malware." This threat has been exacerbated by the increase in the US workforce working from home. Moreover, hospitals were noted as being a historically attractive target for ransomware attacks.

In the wake of the cyberattack on HHS, the New York Times/Associated Press reported that Attorney General (AG) William Barr threatened "swift and severe action if a foreign government is behind misinformation campaigns" related to the pandemic or denial of service at HHS. He also directed attorneys across the US to place any criminality connected to the pandemic at the top of their prosecution list. Some fraudulent pandemic activity has reportedly included fake cures, phishing (fake CDC and WHO notices) and malware inserted into virus tracking apps.

WHO Chief Information Security Officer Flavio Aggio stated that earlier in March, elite hackers attempted to break into WHO's systems by impersonating WHO users. He said attacks have more than doubled. According to a New York-based Blackstone Law Group cybersecurity expert Alexander Urbelis, the hackers were caught around 13 March mimicking the WHO's internal email system. Although Mr. Urbelis didn't know who the perpetrators were, two other sources suspected an advanced group of hackers known as DarkHotel, which has been involved since at least 2007 in cyber-espionage.

The Wall Street Journal's Dustin Volz first reported on 10 March that the bicameral-led Cyberspace Solarium Commission was about to release its report the following day after many months of work indicating that the US lacked key abilities to avert cyberattacks. Among other recommendations from the report in its entirety, Chairmen Senator Angus King (I-ME) and Congressman Mike Gallagher (R-WI) called for speed and agility, the addition of a Senate-confirmed National Cyber Director, the creation of an Assistant Secretary of State and a new Bureau of Cyberspace Security and Emerging Technologies at State Department as well as nearly 75 additional recommendations, some requiring Congressional approval and funding. The White House had had a National Security Council (NSC) cybersecurity coordinator position, but it was not a Senate confirmation post, and was eliminated by White House National Security Advisor John Bolton in May 2018 with a view to "streamlining the NSC."

At the time, cybersecurity experts and Members did not agree with National Security Advisor Bolton's decision. Ranking Member of the Senate Select Committee on Intelligence Mark Warner (D-VA) said he couldn't understand how cutting the top cyber official would make the country safer. The Senate and House apparently still agree on this. The White House's last incumbent, cyber expert Rob Joyce, who also held a senior Homeland Security position, remains active and spoke on 28 February 2020 at CyberTalks in Washington D.C. on disrupting and deterring foreign hacking with a view to the future as well as the present.

On 25 March, Reuters/New York Times reported that nearly 400 cybersecurity volunteers digitally gathered together across more than 40 countries to counter coronavirus-related hacking. The organization, christened the "COVID-19 CTI League"--CTI for Cyber Threat Intelligence--is run by three group coordinators from the UK, US, and Israel. Private sector companies like Microsoft and Amazon are in the mix. One of the initial managers, Marc Rogers, who is head of security for the established hacking conference DEFCON, said that their top priority is deterring pandemic hacks against medical facilities and frontline responders. Law enforcement, per Mr. Rogers, has been very collaborative. This might be linked to AG Barr's directive to prosecute vigorously.

Not to be outdone by the other two branches of government, SCOTUS has been attacking its brimming docket with an agreement to hear the appeal related to Oracle v Google litigation. While the Court continues its aggressive schedule during the pandemic, it has banned visitors in the courthouse and amended its methodology for discussions as well. However, "Tech's Trial of the Century," according to Fortune's March 2020 edition, may either "safeguard innovation" or "deal a deserved comeuppance to a lawless tech giant." In either event, no decision is expected prior to 27 March, and if SCOTUS upholds Google's case that software has thrived over the decades precisely because a "mother-may-I" approach to asking permission or paying "every time they use a high-tech equivalent of a nut or a bolt" has not been the practice. Either way, it is a big deal and SCOTUS agrees that the case is of sufficient import to hear.

Cyber Scene #43 - Cybersecurity's COVID Cloud 

Present, Future and Past

The role of cybersecurity continues, front and center, in the battle to subdue COVID-19. Both Big Tech and the US federal government are rebalancing their relationship and evolving. The view from across the Atlantic examines this from the outside. Both the 26 March Economist in "Everything's Under Control" and the 4 April Economist "Big Tech's COVID Opportunity" address the necessary growth of big government to combat the rise of the pandemic. Both winning this battle and preparing for the future require support and initiative from Big Tech's cyber warriors. In the latter article, the Economist calls on large digital platforms, such as Alphabet (parent of Google) and Facebook, "...to reset their sometimes testy relations with their users. Otherwise, big government...is likely to do it for them."

This editorial goes on to note that at this time, the fact that Facebook and Google are removing misinformation on COVID-19 is a much welcome control. Moreover, the editors do not foresee new federal privacy laws coming into being at this time. In fact, they posit that big tech has taken up a position similar to "vital utilities." But this latter article goes on to say that water and electricity are regulated, so is this the future for Big Tech? The writers cite Microsoft as an exemplar of "how to build a reputation for being trustworthy" for the rest of the Big Tech lot.

Helping to save lives is certainly a direction in which Big Tech can add to its credibility. Wired and the Wall Street Journal both analyze this direction. Wired notes on 3 April in "Google Reveals Location Data to Help Public Health Officials" that Google's idea in revealing locational data to track individuals' movements for public health improvement is intended, as it is around the world, "...to evaluate how well social distancing measures are working and identify places where new policies might be needed." Google maintains that it uses "differential privacy" adding "noise" to the data to protect privacy rights. Stanford Law's Director of Privacy at the Center for Internet and Society believes that this demonstrates how aggregated locational data can be used in a manner that is sensitive to privacy issues.

The Wall Street Journal's Liza Lin and Timothy W. Martin go further on 15 April in "How Coronavirus Is Eroding Privacy." They are based in Singapore and Seoul, where Asian governments have had an earlier start, and note that investigators use smartphone data to determine within 10 minutes "...who might have caught the coronavirus from someone they met." Israel is using Shin Bet, its intelligence unit, to track down similar data. In the UK, police sometimes use drones to monitor movements. While those who may owe their lives to this brush with privacy are likely most appreciative, privacy advocates on the other hand are worried that, post-pandemic, this surveillance might continue. But in the U.S., Apple and Google are planning to launch an app, with the agreement of the user, "...to reverse-engineer sickened patients' recent whereabouts." Germany is also relaxing its "world's most stringent privacy laws" to "very quickly investigate infection chains."

Meanwhile, the Economist reports on 26 March in "Taking People's Temperatures Can Help Fight the Coronavirus" that a San Francisco firm, Kinsa Health, has digitized phone use to track the spread of the pandemic through temperature data. The company has sold or donated 1 million such smartphone apps that transmit this data to base and determine what medical advice, given an individual's age, sex, etc., should be followed. It can also generate data about neighborhood information and school contagion.

So how could this play out in the US at the state and local level? New York Times' Ellen Barry reports on 16 April in "An Army of Virus Tracers Takes Shape in Massachusetts" that Governor Charlie Baker has embraced this private-public partnership in contact-tracing the old fashioned way: by person-to-person phone calls. It is certainly a labor-intensive approach, but at the moment there seems to be a surplus of labor if unemployment rates are an indicator. In Massachusetts, the nonprofit Partners in Health, whose doctors have worked on Ebola, Zika, cholera and other diseases, are in charge. They sought 1,000 trainers and had 15,000 applicants. It is also expensive--$44 million, even though some have volunteered to work without pay. Whether this could displace more cyber-based, federally centralized efforts is dubious, but the plus is that the callers report that the discussions last 30-45 minutes as most of the individuals are sheltering-in-place and isolated. It seems an excellent role for social workers and National Association of Mental Illness (NAMI) advocates, that is, those who are not already essential for medical support elsewhere.

As the world continues to be overrun by COVID-19 issues, especially impacting the Big Tech cyber world, US Congressmen and Senators continue to battle through enduring past, present and future responsibilities. On 21 April, the Senate Select Committee on Intelligence (SSCI) released its official report on Russia's "active measures" (interference via a largely cyber hand) against the 2016 US elections. SSCI Chairman Richard Burr and SSCI Vice Chair Mark Warner had begun this bipartisan work in the run-up to, not after, the 2016 elections and continued to date. The 364 page "Committee Sensitive" report is broken down into four sections: Russian Active Measures Infrastructure, Social Media, the US Government Response, and Intelligence Community Assessment. All but a dozen pages total are consensus, bipartisan findings. The remaining few pages represent additional comments by a handful of senators relative to each section's issues. For those who seek to understand what the Russian cyber threat was during the 2016 elections, how the most informed Senators view it now, and the implication that it is likely to have another go at us in this coming round, most of the substance of the first three sections are here for your edification. The fourth section--the Intelligence Community Assessment (ICA), serves up a very quick read given the 158 pages as it is largely redacted. While the economy is certainly a top priority in homes and in Washington D.C., election security for November 2020 continues to challenge US legislators, even if their voters are less sensitive at this time to the dangers.

With respect to the Supreme Court of the United States (SCOTUS), COVID-19 has demanded decisions related not to the outcome of arguments but decisions on procedural issues in a now high tech world. In retrospect (quite literally), SCOTUS tech procedures are examined by AP's Mark Sherman and Jessica Gresko in "You've reached the Supreme Court here. Press 1 for arguments." Yes, in deference to the pandemic, the Court is not only going to hear arguments over the telephone, but will make the audio available live for the first time. Even as the world charges ahead to embrace cyber and propel new advances, Chief Justice Roberts noted in 2014, per the authors, that "the Courts will always be cautious when it comes to embracing the 'next big thing' in technology." A SCOTUS official acknowledged that the phone argument plan "is sort of retro" given alternatives abounding.

The critical need for a strategic, future focus that is becoming increasingly urgent is presented by Foreign Affairs' Lauren Rosenberger's "Making Cyberspace Safe for Democracy". She underscores the return in 2020 of Russian election interference and enjoins us not to take our eyes off cyber. Ms. Rosenberger delineates the underlying differences between authoritarian and democratic systems, comparing/contrasting the US on the one hand and Russia and China on the other. She calls to arms cyberwarfare strategists to help the US avoid playing into authoritarian hands. She fears that as the US seeks to move forward, "...it risks falling behind in the development of new technologies." This, she argues, is a growing concern as many countries are gravitating toward authoritarianism. As she walks us through China's and Russia's information warfare and the sense that these countries are "two sides of the same coin" in the way they approach cybersecurity and information security, she concludes by citing the biggest barrier of all in contesting information space: "the erosion of democracy at home."

Ms. Rosenberger also points out that the 2020 Cyberspace Solarium Commission recommended "...a more concerted action on developing emerging technologies and countering information operations." Ms. Rosenberger is a civilian, Director of the Alliance for Securing Democracy, Senior Fellow at the German Marshall Fund of the US, and a former National Security Council and State Department official. However, she credits former Secretary of Defense General James Mattis for insisting on this focus in 2017. But she notes that outside the military, there is still a lack of an integrated national strategy.

On 8 April, as if to echo the above Foreign Affairs analysis, the Washington Speakers Bureau hosted a webinar with Admiral William H. McRaven (Ret.), former Commander of Special Operations Command and Chancellor of the University of Texas System; and Admiral James G. Stavridis (Ret.), former NATO Supreme Allied Commander Europe, and Commander, European and Southern Commands as well as, post-retirement, Dean of Tufts University's Fletcher School of Diplomacy. They addressed "Leadership and a New World Order: The Need for Resilience." While ADM McRaven focuses on leadership such as Ms. Rosenberger outlines, ADM Stavridis discusses cybersecurity on the global stage. Related to cybersecurity, he focused, among other issues, on control, power levels, and "positive security." The exchange leads us to ADM McRaven's belief that "the only thing more contagious than a virus is hope."

Cyber Scene #44 - Tracing Tracks: So Near Yet So Far Away

Tracing the tracks of the pandemic before us is a monumental challenge across the globe, calling upon the world's most illustrious cyber and epidemiologic experts to once again work through the tangle of the privacy versus security dilemma to resolve an agonizing and on-going life or death struggle. This Cyber Scene will look at how this is playing out in both the private and public sectors particularly with regard to the development of contact tracing across several non-US countries.

As a backdrop, democratic and authoritarian nation states vary fundamentally in how they address tracking for any purpose. Whereas historically the US has exercised decision-making in a representational democratic manner, China or Russia, on the other hand, assert control through centralization, fueled by millenniums of history--Tatars, dynasties and czars for example. Such governments determine and implement policies from the top down, supporting security over privacy. The "West" does not. Some nation states attempt either a democratic or an authoritarian approach unsuccessfully and become failed states with ungoverned space. A map of UN peacekeeping missions across three continents provides a sense of where neither bookend of governance exists, or exists in only a nascent or nominal stage. The histories of independent nations are very young, but contact tracing may bloom in the Third World's future as a cell phone is the single most ubiquitous item that interconnects the world, regardless of whether "globalization" blossoms in the future or dies. But that is for the future; here we will focus on the current contact tracing mechanisms for dealing with pandemic issues.

While governance differences apply to dealing with pandemic contagion levels, implementation of restrictions, and current knowledge (or at least an approximate sense) of population demographics, this Cyber Scene explores how contact tracing is playing out particularly in China, Russia and Europe.

Authoritarian states, such as Russia and China, do not abide public disgruntlement over the use of cyber for contact tracing, or at least not for long: authoritarianism by definition sets the course, traditionally in 5-year plans in Russia, and up to multi-decade plans in China where the most recent is the year "2050." What might in other countries be a developed private sector tech world is pulled under the government's umbrella, where it may be highly nurtured, as is seen more openly in China. The most accomplished cyber experts and epidemiologists work for or closely with the government. They align with the strategic plan which is not subject to democratic underfunding, disregard, revision, or replacement with every election, as may occur in the US and other Western countries.

In China, this strategic approach to working backward from 2050 to establish interim goals per sector is beyond impressive. For those lacking the patience to read the entire 2050 plan, Google provides a handy graphic analysis of where the Chinese tech sector is heading for readers to grasp at a glance. While the plan may be altered, the approach to technology--and health and census and demographics, to say nothing of economic global impact and military prowess--is unified, funded, and supported politically. The country's "private sector," with full central government support, seeks to extract as much information as possible from global developments to accelerate its own country's progress.

With regard to the pandemic, of course, the Chinese had a plan. At least as early as 2006 there was not only a pandemic plan for China, but for its Asian neighbors as well. Early on, the Chinese not only identified the COVID-19 code, but shared it world-wide as their epidemiologists foresaw the pandemic's spread and impact. They knew where their populace was, given good census data and a general tight hold on demographics. As early as early February 2020, China launched its contact tracing app linked to an on-line bill pay app or WeChat used by the populace, to trace the spread of the virus by cell phone users. Given the travels of the Chinese, to include overseas study, the contact tracing app was a very significant tool. Their census data is strong. Their growth rate had been shrinking in part due to their one-child policy; Chinese officials recognized this and lifted the constraints to align with the country's needs. They mitigated the "unknowns" in their data. As of 14 May, according to the New York Times's Sui-Lee Wee and Vivian Wang, China is executing its program to test 11 million residents of Wuhan, despite the drop in COVID-19 prevalence. And they know where to find them.

Wired's Mara Hvistendahl examines, in "How a Chinese AI Giant Made Chatting--and Surveillance--Easy," tracking evolution in China's cyber technology, noting that its Big Tech voice technology company, iFlytek, has been supporting the country's surveillance of its populace by identifying the sound of cell phone speakers by voice recognition. Wired references the Human Rights Watch August 2017 report with the organization, in turn posting an article by Washington Post Senior China Researcher Maya Wang. Wang maintains that this is "a technology perhaps useful in contact tracing but objectionable" and is "an essential part of the party's plan to build a digital totalitarian state."

In Russia, the Moscow Times reported on 22 May that the COVID-19 prevalence data indicates a likely spike, over and above the country's move to #2 globally, behind the US. The article also alludes to changes in the medical reporting mechanism. There has been no disclosure of a top-down pandemic plan that the country as a whole would sign up to, to include contact tracing, and certainly no public discussion of privacy issues. There is, however, a history of robust surveillance. Chief of State Vladimir Putin had been characterized as withdrawn from early and mid-timeframe concerns about the pandemic, and involved in his re-election issues. He famously delivered pandemic supplies to the US, but as noted by Nathan Hodge in CNN's 15 April broadcast, Russia was reciprocally the beneficiary of US ventilators.

The Russian authoritarian approach illustrates a serious contrast to China's approach: with Russia, decision-making relies on only one leader, whereas China's leadership is executing a longstanding, all-inclusive strategic pandemic plan under the umbrella of its 2050 plan. Science's Kelly Servick's 21 May overview of contact tracing developments around the world notably makes no mention of Russia. However, Australia is described (as would likely be New Zealand) as a democratic country which nonetheless has instituted contact-tracing practices and apparently sidestepped much of the privacy issues that impact other countries.

Western democratic countries do not usually execute either of these authoritarian cyber-related plans. That may sometimes be problematic. The Economist's 16 May "Escaping the lockdown" probes into the pandemic's forcing quick decisions with incomplete data and a move to warp speed research and development to resolve the pandemic's multi-faceted challenges. The article goes on to say that contact tracing apps on smartphones fall into the same category; those countries involved "from Bahrain to Bulgaria to Indonesia and Iceland have developed such apps" but that these governments should "tread carefully." It cautions that unlike pandemic-related medical advances that are still subject to safeguards, contact tracing may lead to misleading information. This includes the complications of coverage, accuracy and calibration of the system. It does note that Google's and Apple's cautiousness is well taken (more to follow here on that) and that "caution is as valuable as it is with pills and potions."

Indeed, in the Herald Tribune, Associated Press's Matt O'Brien on 20 May writes that Apple and Google released technology that would allow smartphone users to be notified if they might have been exposed to COVID-19. This would be accomplished through a voluntary (versus mandated) user app download. Reportedly, companies in 22 countries and several US states are opting to use this technology. Mr. O'Brien notes that many governments (public sector) have not been as successful as their private sector colleagues. However, Apple and Android phones have not been used; their GPS tracking is now banned from the new Apple and Google tool because of privacy and accuracy issues.

It has been the issue of privacy in the COVID context that generated a clash between Apple and Google on the one hand, and certain European governments on the other, according to earlier reporting by the Britain-based Economist editorialist "Charlemagne" in "Privacy in a Pandemic" who stated on 23 April that "If the EU had a religion, it would be privacy." He outlines how the EU has been quick to punish tech sins against "the faith." He cites some German and Austrian leaders as casting the dilemma as "data protection or saved lives." Continuing his profession of faith, Charlemagne sums up this sea change as follows: "It is as if the pope began a sermon by admitting that perhaps Martin Luther had a point." He underscores that the final deliberations will be won or lost not on legalities (existing EU laws, etc.) but by the weight of political considerations.

Almost unbelievably, the converse seems to have come true. By 30 April in "Privacy be damned" the Economist reports that as an outgrowth of Apple and Google working with European governments on a new Bluetooth protocol regarding the location of the data gained from the phone for uses such as contact tracing, the governments wanted to centralize the data, and Apple and Google wanted to keep it decentralized on the users' phones. The governments--Germany, Switzerland, Estonia, and Austria, inter alia--caved and accepted the decentralized approach. France and Britain were holdouts as of early May. The article applauds Apple and Google, and observes that "the pandemic has highlighted the core role that digital systems play in human life."

A possible compromise of these two approaches regarding the need for COVID-19 data AND privacy may be in the making. On 14 May, the Economist's "Health data" presented a new way to use accessible yet protected medical data. A team of data scientists and epidemiologists called the OpenSAFELY Collective led by Dr. Ben Goldacre at the University of Oxford--a university in the news of late for a possible COVID-19 vaccination in the making--created a way to access sensitive patient records for 17 million people from their database without removing the data from its location. This work was occasioned by the need to analyze data of COVID-attributable deaths reported by doctors to the UK's National Health Service (NHS). Normally, accessing such data and publishing about it would have either never occurred or would have taken forever. This time, however, it took only 42 days from concept to publication. This was due in part to the fact that the team was working on behalf of the NHS, that Dr. Goldacre is known as "one of Britain's foremost medical glitterati," that the collaboration of the esteemed London School of Hygiene and Tropical Medicine added academic expertise on electronic health records, and that a private British company, Phoenix Partnership, added data storage expertise.

Meanwhile, the Isle of Wight is serving as a beta tester for the UK's newly developed contact tracing app. This endeavor, launched in early May, is backed by the NHS, endorsed from a security perspective by GCHQ, and moving forward. The London Times casts this effort in a highly optimistic manner, but does not make a direct connection to the OpenSAFELY Collective work. Perhaps applying the OpenSAFELY Collective approach to contact tracing would satisfy both sides of the privacy "religious" schism in Europe and aid the rollout of Apple/Google's app in the US as well.

Cyber Scene #45 - Cyber Offense and Defense: The U.S. Election 3D Chessboard

Coming to terms with the magnitude of cyber's role in the 2020 election and how it will be impacted by the COVID-19 pandemic is daunting. "De-globalizing" as the U.S. and other nations such as the U.K. have tried to do recently is difficult if not unfeasible.

As for a framework to clarify this conundrum, Cyber Scene proposes the analogy of Joseph Nye, the "soft power guy," to provide a visual framework for U.S. election vulnerabilities under the pandemic. Although not a cyber expert, Dr. Nye has experience across U.S. government sectors and academia: head of the National Intelligence Council, Deputy Undersecretary of State for Security Assistance, Deputy Assistant Secretary of Defense for International Security Affairs, and Dean of Harvard's Kennedy School.

In 1994, he posited his theory of the world functioning as a 3D chessboard: the three strata, through which events passed, were foreign policy, economics, and military issues. Building on his model, Cyber Scene offers that a pandemic exceeds the definition of an event. Rather, let us consider it as the black and red chessboard squares; cyber serves as the connections that move decision-making of world leaders--kings, queens, autocrats, presidents and other nation-state and technology leaders; bishops, other religious organizations as well as radicalized quasi-religious entities; knights as military leaders, and the less prestigious pawns--all the rest of us. Cyber permeates all our lives as it enables movement--across the board and across essential segments of everyday life. The global aspect of this board can also be confirmed by Thomas Friedman's dissection and country sourcing of his computer components, as discussed in his initial version of "The World is Flat." So we have Dr. Nye's 3D model with "cyber-pandemic characteristics."

With this graphic image as our framework, let's examine the June 2020 status of U.S. election security threats--direct and indirect, foreign and domestic, intentional and unintended. The intensity and mutation of these threats multiply under the COVID-19 pandemic closing in on us. As we hunker down we are all trying to determine our next move (or vote) on the board, be we kings or pawns. Cyber is the path to the objective and success.

On 7 June, New York Times (NYT) reporters David Sanger, Nicole Perlroth and Matthew Rosenberg opine in "Amid Pandemic and Upheaval, New Cyber Risks to the Presidential Election" that as America attempts to secure the health and safety of U.S. voters by expanding remote voting, largely Vote-By-Mail (VBM), and other measures to protect those working the polls and those going to them, an ugly vulnerability is identified. The authors believe that the pandemic "...could open up new opportunities to hack the vote--for President Vladimir V. Putin of Russia, but also others hoping to disrupt, influence or profit from the election." They dismiss the claim that the problem could be fraud, noting that Stanford and other research concludes that voting by mail might increase voting for both parties, with no advantage to either, and that five U.S. states that have been using and tracking VBM for many years found little fraud.

Rather, the concern regards online voting systems created quickly by many states in light of the pandemic, as well as existing online voter registration systems. The former were considered by the Department of Homeland Security (DHS) as "high risk" and the latter assortment of state registration systems among "chief targets of Russian hackers in 2016." These attacks were viewed by American officials as a dry run for the next opportunity. In 2019, DHS hired the RAND Corporation, a prominent think tank, to re-evaluate election security. RAND's conclusions were grim: "state and local registration databases could be locked by hackers demanding ransomware or manipulated by outside actors." Since then, DHS's Christopher Krebs, who leads the Cybersecurity and Infrastructure Security Agency (CISA), has been working on countering these vulnerabilities. This includes calling for backup systems with paper printouts of poll books for registration purposes in the event that the hacker in the basement or a powerful nation state has another go at it.

Because of the pandemic, states accelerated VBM opportunities even for those not voting absentee, per se, for reasons of health and safety. Many of these issues, per the NYT, have gone to court, with justices across the country rendering differing opinions. The U.S. Supreme Court (SCOTUS) has just, on 26 June, decided a Texas case involving VBM rights, judging that the 26th Amendment does not guarantee everyone the right to vote by mail. Texas will continue to offer VBM to those over 65, those disabled, those in jail, and absentee voters but not to others who wish to avoid physical voting at a polling location.

With this knowledge, the University of Michigan and MIT did identify one platform, called OmniBallot, used by several state jurisdictions (voting procedures are generally not even standardized within a state), that may be vulnerable. So some states are hesitant regarding VBM as the number of polls and those able to work the polls are dwindling due to COVID-19 issues. While VBM has been in existence since Union troops in the Civil War were able to mail their votes, cyber interference is a new concern.

The NYT reporters underscored that foreign threats are real: U.S. officials identified Russia as again meddling in the presidential election: "The National Security Agency (NSA) warned that Russian state hackers had targeted an email program used by dozens of congressional candidates to steal emails, as Russian hackers also did four years ago." Google also observed Chinese hackers targeting email accounts of campaign staff members of presumptive candidate Joseph Biden. Iran had targeted Donald Trump. This was also reported on 6 June by the London Times which observed from abroad that this happens as the U.S.-Chinese trade war, political snipes, and debate over COVID-19 escalate.

The NYT article of 15 June entitled "Made-in-America Conspiracy Launched by Russia" recounts how Russia passed along a conspiracy theory to likely unwitting Americans who were duped by RT, Russia's TV channel aired in the U.S. They propagated the original, malicious information to 20,000 Twitter readers in 2016. Instead of implanting a nefarious intrusion into a system, the "elegant" approach was to implant dangerous lies into RT programs and into a tweet or two, and activate the minds of vulnerable Americans online.

But there is no easy answer. The lack of any standardization of voting registration and/or VBM makes any one solution for 50 states and all their jurisdictions an uphill battle in the near term. However, Congress is trying to mitigate this cyber intrusion so potentially disruptive to the 2020 elections. Among other endeavors, DHS testified "before," in the digital sense, the U.S. House of Representatives Committee on Homeland Security on Coronavirus and Homeland Security.

The video testimony, under the rubric "Election Security and Integrity During a Pandemic, Part II," voices concerns and ways forward to counter the threats noted earlier in this Cyber Scene. The testimony is chaired by Congressman James Langevin (D-RI) who authored a 1999 book entitled "Responding to the Threat of Cyberterrorism Through Information Assurance." In addition to Congress allocating $4B to secure election systems, DHS official Wendy Weiser maintains that as part and parcel of the COVID-19 threat to health and safety of voters, the cyber threats are imminent, real, and three-pronged:

1) that U.S. election systems and procedures under the pandemic are insufficiently secure to provide credible and fair elections, and that not mitigating this would be helping out our foreign enemies;

2) foreign cyber interference has occurred across all 50 states in the past, and there has already been significant activity, as documented, this round;

3) the threat of disinformation regarding fraud would undercut the very fabric of trust at the heart of democracy.

The intent of Congress is to work with all 50 states, fueled by funding, drive and urgency, to secure fraud-free, credible and fair 2020 elections despite the pandemic.

Even as Congress takes action, U.S. efforts to rethink cyberspace defense are addressed by The Economist on 28 May in "Cyber-defence: Policing the Wild West." This too outlines FBI and DHS concerns about election threats from cyber-actors affiliated with China, Russia, Iran and North Korea and various attacks on elections and COVID-19 issues. These are ultimately intertwined. The article lays out why today's cyber attacks are similar to 9/11 and how difficult it is to define the problems in resetting cyber defense. Despite the work to support the Pentagon's Cyberspace Solarium Commission, Senators Angus King (I-ME) and Mike Gallagher (R-WI) presented their recommendations just as the COVID-19 lockdown occurred. The Commission maintains that jurisdictional boundaries "hobble" cyber defense, with responsibilities strewn across several agencies (FBI, NSA, CYBERCOM, DHS, CISA, et al). It again calls for a national cyber director within the White House, working more closely with the private sector, establishing a platform for public-private exchange as the U.K.'s GCHQ has, and moving forward with Cyber Command's 2018 "persistent engagement" and "defend forward" approach. The article continues, noting under "Taking Offence," that defending too far forward looks like attacking and that "punching back by other means" might offer some alternative.

Meanwhile, countries across the globe struggle to contain the virus. Again, cyber plays an essential role in identifying those who are afflicted or not. Unfortunately, contact tracing, which as of May 2020 appeared quite appealing, has suffered in implementation on both sides of the Atlantic. The U.K. has reportedly, per 19 June London Times, scrapped its 3-month attempt to create its own smartphone app for contact-tracing. Instead, Health Secretary Matt Hancock said the U.K. is looking to Apple and Google technology for something better.

The Brits are not alone. According to a 21 June NYT report by Sharon Otterman, New York City's attempt to launch an ambitious contact-tracing program with 3,000 tracers has disappointed. During its first 2-week trial, only 35% of 5,347 who tested positive for COVID-19 gave information about contacts to tracers. Apparently, New York City has actually executed contact-tracing in the past for tuberculosis and measles, but on a much smaller scale compared to the pandemic's challenges. Massachusetts, whose contact-tracing work has been in place for some time, said that only 60% of infected individuals answered their phone when contact tracers called. Privacy is part of the reluctance, whereas the article points out that in other countries, information from businesses, for example, is required. Ms. Otterman notes that China, South Korea and Germany have reaped some success. In South Korea, for example, folks at karaoke bars, weddings or funerals are required to cede their names and phone numbers for contact purposes.

Quarantines across the U.S., facing alternative risks, loop us back to the chessboard: what moves are safe, and how will cybersecurity or lack thereof impact the endgame?

Cyber Scene #46 - Virus Central: Vulnerabilities of Many Colors

The Big Tech industry retains as one of its most imposing "raisons d'etre" the security of our cyber networks. Similarly, the World Health Organization (WHO), the U.S. Center for Disease Control (CDC), the U.K.'s National Health Service (NHS) and like institutions, and particularly their sovereign governments worldwide, strive to protect the physical security of their populations struggling with the pandemic. The era in which we live is indeed extraordinary, particularly because these two threads have converged in the era of COVID-19. This has occurred both globally at the highest foreign affairs level as well as at the very personal level for those concerned about cybersecurity privacy from Alexa or more nefarious intrusions in discussing your personal health issues in your telemedicine session with your physician.

This Cyber Scene will explore the latest developments and the vulnerable cybersecurity aspects that unite them. While the major players on the international stage are Asian, European and American, the fallout necessarily impacts the Third World, dependent on cyber connectivity, as well.

This readership is exceedingly conversant with the history of Huawei and 5G reaching across all oceans. The voices of political protest related to 5G/Chinese cybersecurity have become more strident in recent years. The U.S. administration has recently lashed out at China on the issue of cybersecurity as well as conflated this with the spread of COVID-19. The most recent outbursts have resulted in huge diplomatic movements on both sides. During the week of 19 July, this bilateral divide reached a new apogee: even as China and the U.S. maintain large trade, economic and Big Tech exchange and overlap, the U.S. closed China's consulate in Houston, Texas, and China retaliated by closing the U.S. consulate, opened in 1985 by then Vice-President H.W. Bush, in Chengdu. According to the New York Times (NYT) 24 July, this is clearly a "tit for tat."

This widening fissure is not simply a Sino-American issue. The Economist wrote in late May 2020 in "America is determined to sink Huawei" and the Wall Street Journal (WSJ) by 3 June confirmed in "Huawei Risk Tougher Line From Britain" the U.K.'s progressive cyber change of heart: "New U.S. restrictions imposed on China's Huawei Technologies Co. have prompted British officials to consider steering telecom carriers away from its gear...providing fresh momentum to Washington's anti-Huawei campaign." The Brits, the article continued, were leaning toward possibly dropping Huawei altogether. The U.S., for its part, reportedly threatened to cut off intelligence sharing with any country that subscribed to Huawei technology.

By mid-July, the U.S. and China both escalated. The Economist, following up on 16 July, noted that in Europe (non-UK Europe, per the Brits) there was still some hesitation on the part of the U.K.'s neighbors to join forces in its official 14 July ban on mobile-network operators in Britain buying Huawei 5G equipment. This ban was also covered from the U.S. side on 14 July by NYT cyber experts Adam Satariano, Stephen Castle and David E. Sanger, who also connected the U.K.'s decision to political issues regarding Hong Kong. However, the NYT article, quoting a former British diplomat who worked on Britain's high tech issues with Silicon Valley, opined that "American sanctions left the U.K. with little choice. There was a bit of checkmate by the U.S." At the same time, they noted that on 14 July the U.S. National Security Advisor Robert O'Brien was in Paris meeting with his counterparts from France, Germany and Italy. Finland and Singapore have, per the Economist, opted for Ericsson (Swedish) and Nokia (Finnish) equipment.

The French cybersecurity agency has advised its tech operators to avoid Huawei in the future. France is separately working on its established offensive cybersecurity strategy. Germany has postponed its Huawei decision until the fall, but its decision is more complicated as Deutsche Telekom relies on Huawei equipment. Moreover, they see fallout regarding the impact on their automotive industry. However, China has threatened, as reported by WSJ 20 July, to retaliate against Ericsson and Nokia if Europe follows in the footsteps of the U.S. and U.K. Despite these actions, the U.K. ban does not include smartphones produced by Huawei, or 2G, 3G, and 4G systems in place. As a former U.S. Deputy Director of National Intelligence put it, this still leaves us all "living in a dirty network."

Japan, despite its reputation for "technophilia," per the Economist 18 July in "The other virus: Japan Inc's IT needs a security patch," is struggling with its cybersecurity patches for the now discontinued Windows 7. Microsoft had warned Japan of being "susceptible to cyber-attacks" and it was struck by one against Honda in June 2020. The article points to increased spikes in cyberattacks since the March explosion of COVID-19 and the fact that more companies are victims of cyber criminals. The article goes on to underscore what is a widely held belief: that more individuals are teleworking on unsecured devices and networks.

This may seem mundane, but it can be quite personal as it was to U.S. presumptive Democratic presidential candidate Joe Biden and Tesla CEO Inventor Elon Musk whose Twitter accounts were breached on 14 July. The supply chain may also be at risk, the Economist article notes. Japan is particularly worried, as only 55% of its firms (all sizes) conducted cybersecurity risk assessments compared to 81% in the U.S. and 66% in Europe. By extension, even oximeters or masks or medications may be at risk as the world fights the pandemic.

Companies that have seen huge growth during the pandemic, like Zoom, are also vulnerable. The Economist's Schumpeter, on 20 June's "Can Zoom be trusted with users' secrets?," notes that despite the company's 19% increase in sales due largely to the pandemic, jumping from 10 million users in December 2019 to 300 million in April, Zoom has suffered from its "open exchange of ideas," having closed down the accounts of three critics of China's regime outside of China. This demonstrated how tech firms struggle between China and the U.S.

Western countries are now fighting viruses on two fronts. This is not exclusively a China-U.S. war. Russia has not missed the opportunity to play a perhaps more subtle role: it was accused in mid-July of targeting organizations working on the creation of COVID-19 vaccines in the U.S., U.K., and Canada. According to the 16 July NYT's Julian E. Barnes, the National Security Agency identified hacking associated with Russian SVR intelligence as coming from APT29 and Cozy Bear, responsible for the 2016 hacks into Democratic Party servers. Now they are attempting, as have reportedly China and Iran earlier, to breach health organizations including universities and companies working on vaccines.

The U.K. National Cyber Security Center Director of Operations, Paul Chichester, spoke for Britain: "We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic." The center's director, Ciaran Martin, said that the cyberattacks date back to February. Oxford University and AstraZeneca, a private pharmaceutical firm, were surprised at how similar their research and that of Russia had been. A former director of GCHQ opined that perhaps Russia simply didn't want to depend on the U.S. or U.K. for a vaccine as Russia has not disrupted the production development.

FBI Director Christopher Wray says that "Russia is not alone. A lot of people are in this game...the whole pandemic is absolutely riddled with spies." Another country specifically called out was China on 16 July, according to the 17 July Associated Press (AP) article in the Herald Tribune entitled "Russia is hacking virus vaccine, US, UK and Canada say." This article underscores that "Russian cyberattacks strike a particular nerve in the U.S. given the Kremlin's sophisticated campaign to influence the 2016 presidential election." But Moscow denies its involvement in the vaccine hack.

As noted above, the linkage between hacking vaccine research and elections is not a big leap when history points to a common source. Recent Twitter hacks as well as 2020 election issues seem personal to at least one person: presumptive presidential candidate Joe Biden. In a 20 July MSNBC interview he considers such intervention a violation of sovereignty issue.

He is also accompanied by lawmakers in an AP Herald Tribune article of 22 July following Mr. Biden's 20 July discussion: "I will not hesitate to respond as president to impose substantial and lasting costs" were any foreign power to interfere in U.S. elections. The article cites the MSNBC discussion but provides more background regarding both the White House and the House of Representatives on election intervention.

U.S. lawmakers and external cybersecurity and legal experts are crafting a prevent-defense plan to counter this imminent threat.

The National Defense Appropriations Act 2021, which is an omnibus bill to fund defense including cybersecurity and intelligence needs, was passed separately during the week of 19 July in the House and Senate as reported by the Pentagon. While the military itself focuses on issues impacting troops or the process of base-renaming, the mainstream press zeroes in on the political side of changing base names and, per the 23 July Washington Post, the wide bi-partisan support in both the House and Senate for these bills which would withstand a White House veto.

Although the bills will have to be conjoined in a House-Senate conference into one bill for funding (allocation), the fact that the Senate has passed, 86 to 14, its own version similar to that of the House, 295-125, should ensure a completed joint version. This time, with $740B at stake, there is little light between the two components. More importantly, regarding cybersecurity, in an official Congressional synopsis of the focus addressed in the process, the issues of "...enhanced deterrence against Russia and COVID-19 funding, Pandemic Preparedness, and a Resilience National Security Fund" are highlighted. The last but certainly not least issue is "Strategic programs, cyber, and intelligence matters."

Furthermore, the U.S. Cyberspace Solarium Commission Report is moving forward, as a strategic plan feeding into congressional action. Four legal experts outside Congress who are serving as Chief Legal Counsel and three supporting counsels to the Commission offer a 20 July update in the Lawfareblog:

"To cope with the coronavirus crisis, Americans rely more than ever before on information and communications technology to stay connected, do our jobs, see our families and live fulfilling lives. But this shift has come with a significant increase in cybersecurity and data privacy risk."

We face a two-pronged viral attack--physically and virtually. While the world struggles to move toward a healthy outcome, we continue to live in a dirty network. Cybersecurity serves as this universal connector.

Cyber Scene #47 - Thunderbolts: Cybersecurity-charged Elections

Just as cyber connectivity underpins all academic year 2020-2021 education under the COVID-19 cloud, so too does it flow over, under and through all aspects of the upcoming election. This cybersecurity current runs deep and fast and expands pervasively.

The cybersecurity role in voting has arisen in earlier Cyber Scenes, but its importance and evolution cannot be undervalued nor dismissed given the upcoming 3 November general and presidential election.

Most of one's daily life in First World countries, most Second and many Third, holds cyber as its lifeline. Food deliveries ordered online, Amazon's consolidated shopping options, connectivity to family and friends via Zoom, WhatsApp, WeChat (at least as of this writing), and other cyber-supported developments have built a solid, expansive and dense bedrock for nearly all aspects of our day. Education is one of them. Schools at all levels are choosing online or hybrid options. Some educational institutions which have already started in person are shifting to the former two options as students test positive, along with increasing data regarding children's pandemic vulnerability and contagiousness.

One exception to this transition is the shift to online voting. For better or worse, only a handful of states allow it. "Politico's" Eric Geller points out that the US has not addressed cybersecurity integrity and voter privacy at the national level. He goes on to note that to be secure, technology would need to be developed that "...allows voters' computers and phones to demonstrate that they are malware-free and end-to-end encryption to protect ballots in transit."

US military and expats living overseas historically have been allowed to vote online as have those with disabilities in several states, according to the US National Conference of State Legislatures. As of August 2020, online registration has been in place for dozens of states and the District of Columbia, and obtaining absentee ballots, some for "any reason," is common practice across many states. Each state, as the online registration link denotes, has its own rules. But online voting itself has not been deployed broadly across the US. The most secure option remains in-person voting on a secure system with paper backup.

Choosing a voting option, if you have one, is also imperiled by existing and new nation-state cyber threats. The US Senate Select Committee on Intelligence (SSCI) on 18 August issued its nearly 1,000-page redacted Russian Interference 2016 Election, Volume 5 and final report. Many of the issues have been in the public domain. However, according to New York Times intelligence reporter Mark Mazzetti, the report "shed new light on the interaction between Russian intelligence and WikiLeaks--and between WikiLeaks and the GOP 2016 presidential campaign." The Senate report did not criticize the FBI for anything it did but, on the contrary, said that it "...should have done more to alert higher-level officials at the Democratic National Committee that their servers may have been infiltrated by Russian hackers." Considering how much time and effort the bipartisan SSCI members spent on compiling 5 volumes of countless data following countless interviews and tracking down countless issues on counterintelligence and vulnerabilities, election security and cyber interference, perhaps it does merit an undigested read.

Separately, the NYT Magazine of 16 August features an in-depth study, in print and audio, by Robert Draper, of the issue of projected Russian interference in the 2020 and 2024 elections, as viewed by the US Intelligence Community (IC).

Facebook is prepositioning itself as a cybersecurity "keeper of integrity" to thwart some of these ancillary threats, both already manifested and anticipated. As reported by NYT's Mike Isaac and Sheera Frenkel, Facebook is girding up for November. It has reportedly spent years preparing to avoid tampering on its site, as noted in the article. Facebook executives are reportedly considering a "...'kill switch' to shut off political advertising after Election Day since the ads, which Facebook does not police for truthfulness, could be used to spread misinformation."

Cyber Scene #48 - From Digits to Global Cyber Wars

Despite COVID-19 lockdowns at altitude the world seems to spin at an accelerating pace. The old adage, "for want of a nail, the war was lost" has its contemporary counterpart: "for want of a digit (or control of them) the war has started." In fairness, it seems rather the control of digitization that appears to be fueling, on political, economic and all other levels, the rise of the tech cold war. It continues to warm up on the geopolitical level as cyber permeates life in any climate.

This Cyber Scene will toggle between the cloud above us and the world at our literal fingertips.

In one's personal digitized world, many lives may have felt a cyber impact recently: the New York Times (NYT) reports that Google suffered an hour+ outage which seemed to affect customers of Google's cloud computing service, as well as several other services, on the US East Coast the evening of 24 September. A person who had knowledge of the outage but was not authorized to speak for Google told NYT correspondents that a cyberattack had been ruled out. The services impacted included Gmail, YouTube, Google Drive, Google Meet and Google's search engine. According to NYT reporters Daisuke Wakabayashi and Michael Levenson, the outage "raised anxiety among people already tense about technology's role ahead of the Nov. 3 election and the heavy dependence on online services for education, work and entertainment during the coronavirus pandemic." In the Internet of Things world, your digit does not stand alone in time or space.

Moving into the future of our cyber-based economy, Barron's weekly edition of 21 September was brimming with insight into breaking records and crystal ball projections. The first is "Wall Street snow in late summer." Snowflake is the "biggest Initial Public Offering (IPO) of a software company on record"; Snowflake had a putative value of $88B at the close of its first day. Barron's Randall W. Forsyth goes on to explain that this is a further endorsement of the incredibly hot "megacap" tech world as seen by Wall Street.

Secondly, on 20 September Barron's interviews Ian Bremmer, founder of Eurasia Group (a highly regarded political risk consultancy firm) and also launcher of a digital media firm. Bremmer zeroes in on cyber: "Imagine that instead of a (health) crisis we were hit by a cyberattack of the same scale; that would have hurt most of the digital economy, the virtual economy, our trust in data, all of that." He goes on to say that what we should also worry about "overwhelmingly" is the point of no return the world has reached in the tech cold war.

Thirdly, adding fuel to the cyber fire, on 18 September Barron's Mike Zimmerman interviews Nela Richardson, an Edward Jones investment strategist, who believes the Federal Reserve will launch a digital currency. She subscribes to digitization as a trend "...that has been amplified and accelerated by COVID-19." Federal Reserve Chief Jerome Powell actually hinted at this possibility in a hearing before Congress's Financial Services Committee on 11 February 2020. Since then, Fed Governor Lael Brainard provided an update on the Fed's progress on 13 August. We are already largely "cashless" and tactile with our keyboard to autopay credit cards, permitting no-touch spending.

Returning to space of the cyber variety, Lawfare (a blog associated with the Brookings Institute) discusses two studies released on 31 August treating cloud computing and cybersecurity in two distinctive approaches in interviews published on 21 September.

The first, the Carnegie Endowment for International Peace's Cyber Policy Initiative report entitled "Cloud Security: A Primer for Policymakers," written by Tim Maurer and Garrett Hinck looks at defining the cloud, its evolution and market, and security incidents pointing to key issues. The Atlantic Council's Cyber Statecraft Initiative similarly launched "Four Myths About the Cloud: The Geopolitics of Cloud Computing" by Trey Herr. The Atlantic Council's report dispels "...four myths: a) that all data is created equal, (b) that cloud computing is not a supply-chain risk, (c) that only authoritarian states distort the public cloud, and (d) that cloud providers do not influence the shape of the internet." Lawfare asks all three authors to address five probing issues regarding the cloud and cybersecurity. These cover many areas, including:

Back to earth, the Economist's 1 September article, "The digitization of government: Paper travails," described how governments, again accelerated by COVID-19 experiences, are expanding online services, are trying to do so, or should be doing so. Examples include US and UK problems, such as the former's broken unemployment systems across many states and the latter's National Health Service being the biggest world purchaser of... fax machines. Neither country has a national digitized ID program, as opposed to France which does.

On 19 September, the Economist went further. Its report, "New global ranking of cyber power throws up some surprises," uses a Harvard University Belfer National Cyber Power Index to rank the top ten countries in the world according to overall score, offense, and defense. "That America stands at the top of the list is not surprising. Its cyber-security budget for fiscal year 2020 stood at over $17bn (billion)." The US and UK are #1 and #2 respectively on offense, but #4 and #8 on defense. The study notes that Israel is not on the overall or defense list at all, but most countries "shy away... from acknowledging their capabilities." Closing, the study cites former UK GCHQ Deputy Director Marcus Willett who concludes, with think tank colleagues at the International Institute for Strategic Studies, by saying that "although stealing things and disrupting networks is important, what matters most of the longer term is control of digital infrastructure...On that measure, only China is currently positioned to be able to make the jump to join us in the first rank." China is, indeed, already first in defense and second to the US overall according to the Belfer study.

It should be no surprise that the US and China continue the tech cold war. In recent weeks, the future of TikTok, and sanctions against it and WeChat have captured front business and political pages. As of 20 September, as reported by the NYT team, the White House escalated the tech fight by barring Chinese-owned mobile apps WeChat and TikTok from US app stores. (This does not entail removing one you may already have.) Another phase would occur on 12 November. Meanwhile, as developments change rapidly, TikTok has chosen Oracle instead of Microsoft to be its US partner handling the Chinese firm's US operations. To better grasp the impact of these fast-moving events, Lawfare's Robert Chesney has parsed out a synopsis of the verdicts for TikTok and WeChat. The 12 November boom would be lowered not by the Department of Commerce but by the Committee on Foreign Investment in the United States (CFIUS), which is an interagency US component with oversight authority in estimating the national security risk of foreign investments in the US. Lawfare goes on to note that while some constraints are immediate, there are still others that allow time for negotiation.

While the judicial system writ large has been exceedingly busy, the Supreme Court (SCOTUS) has not been looking at cyber issues recently as its October 2019 docket draws to an end.

As the US 2020 elections approach, Facebook has announced its decision to initiate a new phase of cyber security protection by banning political ads on Facebook and Instagram to avoid voter misinformation. This will begin 27 October and be in place until one week after the 3 November election. Facebook seeks to work against posts dissuading people from voting prior to the election and would also "quash any candidates' attempts at claiming false victories postelection by redirecting users to accurate information on the results," according to NYT's Mike Isaac.

Also bearing on the election, as reported by NYT's Zolan Kanno-Youngs, FBI Director Christopher Wray told the US House of Representatives Homeland Security Committee on 17 September that "We certainly have seen very active--very active(sic)--efforts by the Russians to influence our election in 2020."

On a lighter but conversely darkweb closing note, a massive international law enforcement effort dubbed Operation Disrupter resulted in the arrest of 179 criminals across six countries, including the US, and netted 500kg of drugs and $6.5M in cash and cryptocurrency. FBI Director Wray noted that the takedown was due to a combination of traditional criminal activity and more sophisticated technology: recovering a backend server was key to "...an invaluable trove of evidence" according to Wired on 22 September.

Cyber Scene #49 - Major League Strikes: Election Replays

As October 2020 draws to a close, memories of 2016 may make a return appearance as the U.S. scurries to vote under a pandemic. Despite divisions, present and past, two Republican- and Democrat-appointed DNIs agree that Russia, and likely Iran, tinkered with the cyber stream of information and hacked voting databases in 2016. Mainstream press maintains that these two countries and possibly China are at it again. Examining what cyber delivers, finding truth is at the heart of this contention, which spills into U.S. Congressional hearings for Big Tech firms on how to handle misinformation. All three branches of the U.S. Government are involved.

The U.S. Justice Department has been busy: as reported by New York Times (NYT) reporters Michael S. Schmidt and Nicole Perlroth on 19 October, the Justice Department unsealed charges against six Russian GRU (military intelligence) officers for attacks on the French presidential election, Ukraine's electric grid and the 2018 Winter Olympics in Seoul, South Korea. These six hail from the same unit suspected of the distribution of stolen Democratic emails and other U.S. election meddling in 2016. The current U.S. Assistant Attorney General for National Security, John C. Demers, stated: "No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite."

The present Director of National Intelligence, John Ratcliffe, and FBI Director Christopher Wray went further: they held a press conference on 19 October during which DNI Ratcliffe defended the integrity of the U.S. voting system and cautioned voters to dismiss misinformation that may come their way. The DNI went on to say that the US Intelligence Community has been working on these threats, and that the Department of Homeland Security and the FBI have taken action on them. According to NYT's Julian Barnes, Nicole Perlroth and David Sanger, unnamed intelligence officials who had been briefed on the findings agreed with DNI Ratcliffe's summary, but distinguished Iran as a minor league baseball player while Russians were major leaguers.

The former DNI during the 2016 elections, James Clapper (2010-2016), was joined on CNN by the present administration's former FBI deputy director Andrew McCabe. They agree with DNI Ratcliffe on the threat, but believe Russia is far more worrisome than Iran.

Former DNI Clapper had also discussed at length, on C-SPAN on 17 September 2020, Russia's long history of interfering in elections, but noted that 2016 brought a new Russian aggressiveness, a multi-pronged interference, and an increasingly high technical approach. He feels that social media was the worst exploitation, reaching 132,000 Facebook users alone. He was joined on this latter C-SPAN emission, hosted by the Annenberg Center for Ethics and Rule of Law at the University of Pennsylvania, by Ms. Kathleen Hall Jamieson, U. Penn Public Policy Director and author of "Cyberwar" which examined the 2016 election in depth. She maintains that hacked content particularly had a clear impact, and influenced the 2016 election. The fact that voter registration records in at least 39 states had been hacked in 2016 but appeared unused at that time by Russia raised questions about future use in the 2020 election.

Facebook, Twitter, and Google's YouTube, for their part, are very much at bat; they should not anticipate any softball questioning from Congress. These three arms of Big Tech are together reviewing QAnon postings to "prohibit content that targets an individual or group with conspiracy theories that have been used to justify real-world violence," as reported on 15 October by Elizabeth Dwoskin and Isaac Stanley-Becker. The three companies do not have strictly aligned approaches, however, as YouTube would allow for QAnon postings that do not target individuals or groups protected by hate speech policy.

These calls are difficult at best, and Congress is stepping behind the plate as the umpire. The Senate Judiciary Committee is prepared to enforce the appearance of Facebook and Twitter CEOs to testify regarding the suppression of an inflammatory and undocumented recent press article. The CEO of Google had already been scheduled for other reasons (see the 10 October Economist's "Regulating big tech: Ex-antics" regarding Google's anti-trust testimony and 1 August's Economist's "How to cope with middle age" and "Google grows up" for broader background details).

Now they are all to testify on 28 October regarding tech company control over hate speech and misinformation on their platforms, according to the Associated Press's Marcy Gordon's "Facebook, Twitter CEOs ordered to testify" (23 October Herald Tribune). In fact, the Senate's Commerce, Science and Transportation Committee had already subpoenaed the three CEOs, on a bipartisan vote on another matter, and the CEOs had agreed to testify before the Committee. It should be noted that, rather than a win for Big Tech, it may end up as a shutout loss: both parties believe Big Tech is not doing its proper job regarding the management of misinformation, but they hold opposing views as to how Big Tech should do it.

How to counter these cyberthreats is indeed a challenge. Beyond politics, there is tension in the governmental and private sector interface and between and among nation states.

From the U.S., Marietje Schaake, the President of the Cyber Peace Institute and International Policy Director at the Cyber Policy Center at Stanford University writes in "Foreign Affairs" (November/December 2020) that we now have a "lawless" realm--think of a baseball brawl where the players of both teams duke it out. U.S. policymakers fear a cyber-Pearl Harbor. Some cite North Korea-based WannaCry's attack on Microsoft Windows in 150 countries including the UK's National Health Service as inching close to Pearl Harbor. Countries, even powerful ones, see the strength of the digital leaders increasing. Meanwhile, she points out, attackers see a "legal vacuum: there are few mechanisms that guarantee international cooperation and coordination in discovering and bringing to justice cyberattackers." At this time, covering all bases is all but impossible.

She notes that in democracies, the private and public sector imbalance is already dangerous but "the sale of cyberweapons to authoritarian regimes" is even worse. She argues that domestic rules don't answer, but rather "democratic countries must extend norms and rules to ensure safety in the digital world."

Drawing from U.S. Governmental expertise, two former U.S. diplomats also offer a solution. Jared Cohen, a former member of the Department of State Policy Planning Staff and Adjunct Senior Fellow at the Council on Foreign Relations; and Richard Fontaine, CEO of the Center for a New American Security, former National Security Council official, and Senator John McCain's foreign policy advisor, have co-authored in "Foreign Affairs" (November/December 2020) an article, "Uniting the Techno-Democracies" proposing a G7-like organization dubbed T-12 (technology and 12 member nations) to work out these issues among global leaders. They cite the creation of the World Bank, the International Monetary Fund, NATO, the G-20 and other useful international organizations that survive and serve still, at 50, 60, or 70 years strong and still working. They go on to dispel projected opposition to the concept and close by stating: "For too long, national approaches to technological questions have been ad hoc, poorly coordinated, and left to technology experts to sort out. But in today's competitive global environment, technology is too important to be left to the technologists."

Meanwhile, C4isrnet's Mark Pomerleau reports on progress from the Cyber Solarium Commission, a bi-partisan organization created by Congress in 2019 to develop a multi-pronged U.S. cyber strategy, which may sound familiar to Cyber Scene readers. It just published, on 19 October a whitepaper stating starkly that the U.S. lacks a supply chain strategy regarding China, and proposes that "Congress should direct the U.S. Government to develop and implement a strategy for the information and communications technology industrial base to ensure more trusted supply chains and the availability of critical information and communications technologies." They specify five strategies to build trusted supply chains, strategies drawn from past Chinese cyber activities.

Meanwhile, Wired's Garrett M. Graff reports on Cyber Command's General Paul Nakasone and his success in reining in disparate entities and training the military in cyberattacks. While never having actually interviewed General Nakasone, Mr. Graff compiles an extensive portrait of him, highlighting his quiet reflection, his listening to and considering team inputs, and his excellent relations across the government, particularly with both of this administration's National Security Advisors and staff since being appointed in 2018. The article is extensively documented and underscores the importance of what the Commander calls "persistent engagement."

The advancement of 1) the Cyber Solarium Commission recommendations, 2) the exploration of the T-12 alliance, and 3) the further application of "persistent engagement" may together bridge the distance between nation states, strengthen private and public sector discourse, and even find commonality politically to foster cyber collaboration, both domestically and internationally.

Cyber Scene #50 - The Post-Election Cyber World

Even as last month's Cyber Scene reviewed 2016 follow-up issues regarding cyber-related issues during the US election, this Cyber Scene will seek to inform this readership of the generally successful management of election protection in the US 2020 elections and additional cyber issues still in play.

On 2 November 2020, the eve of the US election, Barron's (Barron's 2 November) guest Glenn S. Gerstell explained why successful cyberattacks capable of calling into question the veracity of the results, whatever they would be, were unlikely to occur. Mr. Gerstell would know: he served five years (up to early 2020) as NSA's General Counsel prior to his move to the Center for Strategic and International Studies (CSIS), a US think tank, as Senior Advisor. His four decades of both private and public sector legal experience provided solid background for his determination that "America's elections are more secure than you think." While other editorialists cited the vast swath of individual, state-directed variations on the theme of election security that indirectly make cyberattacks less effective--Gerstell refers to this as a problem and a partial shield--he went on to explain how the frailty of election security in 2016 led to improvements made by the U.S. Cyber Command in 2018, "keeping the Russians at bay." Across the Intelligence Community, a coordinated approach in preparing for 2020 with major players including FBI and the Department of Homeland Security "...made strides in sharing responsibility for election security, and in tipping off social media to foreign cyber mischief without revealing classified information. Now, well-rehearsed and coordinated efforts across government have positioned us to withstand attacks."

CNN's national security reporter Zachary Cohen concurred, explaining that US Cyber Command expanded its "hunt forward" operations, to which Mr. Gerstell above alluded. Mr. Cohen also reported that then-DHS Cyber Chief Christopher Krebs explained that despite some ransomware attacks by Russia and Iran's "getting in the game" with disinformation activities, the situation remained relatively calm. Mr. Cohen goes on to address the issue of "the lingering concern" of "Black Swan" incidents--unforeseen or unpredictable events that were not considered during the months of coordinated preparation among federal, state and local officials." This preparation also included the option of alerting private industry partners to take action if needed. Mr. Cohen closed the discourse by highlighting the continued US "laser focus" on adversaries, post-election.

Inevitably, Big Tech and election security converged most recently in the US Senate Judiciary hearings on 17 November. The discussion with Twitter's Jack Dorsey and Facebook's Mark Zuckerberg dealt with the two CEOs' action to moderate and label disinformation preceding and directly following the 2020 US election. The full hearing is available on the Senate Judiciary posting above, which includes solidly divided partisanship issues. An "executive" version is available by, inter alia, the Washington Post's Cat Zakrzewski and Rachel Lerman. They underscore how both sides of the aisle were critical, one that the two CEOs went too far, and the other that they didn't go far enough: "Lawmakers from both parties gave blistering assessments of the companies and said greater regulation of Silicon Valley was needed, signaling that could be a greater priority in the next Congress."

What is different, however, is that Twitter and Facebook had never executed this "moderation" process before. The article also notes that Mr. Zuckerberg spent the first 14 years of his tenure as Facebook CEO without testifying before Congress, but this was his third round since summer 2020...more to follow from the Hill, certainly.

Related, however, is a broader issue: how free is free speech? The Economist addresses this in a focused, deep dive under the banner headline: "Who controls the conversation?" (Oct. 24). The discussion includes other Big Tech entities and embraces the world's tech users. Does an individual control his/her addition to a world databank, or do the Big Tech CEOs have a role, or even an obligation, to reduce misinformation that has led to murder, genocide, and/or manipulation? In the follow-on "Great Clean-up" analysis, the Economist (also Oct 24) addresses the question of whether the tech giants are actually making the right decision, and whether it should be their decision in the first place. The article cites quite chilling statistics, e.g., that Facebook counters 17 million fake accounts every day, and that its removal of hate speech has "risen tenfold in two years." The charts accompanying the text of the article are clearly disturbing. This has led Big Tech to try to balance "...trade-offs between free expression and safety."

Attempts at "moderation" to deflate misinformation are not always successful. On 18 November, the New York Times' (NYT) Sheera Frenkel reported that YouTube videos endorsing the claim of widespread election fraud were viewed by 138 million people. As determined by YouTube, 34% supported the false claim and 66% disputed the claims or remained neutral. This is certainly unknown terrain in the cyber world. A spectrum of options has arisen on how to proceed, even to include the suggestion of governments outsourcing "moderation" to non-governmental social-media councils. Facebook had established a new Oversight Board--an internal watchdog--on 22 October, but the Economist cast the board's scope as narrow, noting that it did not include posts algorithmically demoted, unlike those deleted. And then there is how to proceed globally. Much work remains and one can expect democratic governments to engage.

Meanwhile, as the world assesses "What can you trust?" issues, the US Senate and House members, new and old, will continue to engage on Big Tech antitrust issues. So too is the European Union (EU) engaging, most recently on an antitrust charge against Amazon.

Amazon, per the Associated Press's Kelvin Chan (Herald Tribune, 11 Nov), was accused of "using its access to data from companies that sell products on its platform to gain an unfair advantage over them." This follows a 2-year EU study by the EU Commissioner in charge of competition issues. Fines have included $10 billion to Google and recent investigations into Apple. Stay tuned for follow-on activity.

In assessing this global impact, seemingly all roads lead to China. The 19 November Economist calls upon democratic countries to "take on China in the technosphere." The article outlines how wealthy Chinese tech giants can become--one at $2 trillion and two at $1 trillion. The digital giants are savvy AI and cloud-computing powers, and most of the 1.4 billion Chinese, "live online to an extent that Americans--many of whom still have cheque (sic) books--do not."

Unlike Facebook, YouTube and Twitter, China has no problem with censoring false news: its Great Firewall "...keeps undesirable digital content out. Within the wall, tech firms are allowed to fight it out as long as they are happy helpers of China's surveillance state." US Founding Fathers knew that democracy would be messy, but alternative governing choices are less so. The Economist goes on to contrast European views of regulation and notes that bilateral approaches won't work for multinational Big Tech firms with a global reach. In fact, it concludes with a nod to Ian Bremmer, America's Eurasia Group lead whom Cyber Scene cited in September 2020, that even if a grand bilateral bargain might be reached, the global cyberworld needs something like Mr. Bremmer's recommendation or at least a "General Agreement on Data and Digital Infrastructure," a "cybertwin" of the historic General Agreement on Tariffs and Trade (GATT) which gave birth to the current World Trade Organization (WTO).

As we review the digital travel from China to the Western World, Wired's Andy Greenberg reported on 5 November the arrest by the FBI of $1 billion in stolen bitcoins.

These bitcoins were, incidentally, "Silk Road" bitcoins derived from the dark web's drug profits. Technically, the hacker was in San Francisco, so this Silk Road looked eastward, post-Columbus. The perpetrator was nabbed, thanks to law enforcement's modern, blockchain analytic tools, for stealing dirty drug money. The 144,000 bitcoins seized were auctioned for $48 million, so crime does pay, but it is the US government that is richer.

Cyber Scene #51 - The Viral Cyber Pandemic

As most of the U.S. leadership ushers in 2021 with a sigh of relief regarding election security and a hopeful view to containing the COVID-19 pandemic, a hack of increasingly numerous private and public sector networks with SVR's (Russia's Foreign Intelligence Service) fingerprints is casting a dark shadow over the new year. The attack may be seen through the lens of a 21st Century version of a classic diversion and trap door strategy.

While thwarting possible election interference, pandemic vaccine theft, and other nefarious applications of cyberthreats to national, state and local systems, US officials are now beginning to understand the expanding impact of the private sector-generated hackageddon. Media writ large are sizing up the scope of this development, with NBC among others exploring why it is extremely worrisome. Senator Mitt Romney (R-UT) notes: "You can bring a country to its knees if you don't have electricity, don't have water, and can't communicate."

This cyberattack clearly benefitted from surprise. It can be argued that the attack was successful because it targeted, first and foremost, private, domestic networks. The US Intelligence Community, particularly the National Security Agency (NSA) and Cyber Command, is constrained regarding domestic operations. These agencies have no purview over private sector companies, even if these companies feed into and support US missions. And the end users in both private and public sectors were unaware of the former Soviet Union players in the supply chain feeding into the US tech world.

The New York Times intelligence reporters David Sanger, Nicole Perlroth and Julian Barnes summarized on 2 January 2021, in "As Understanding of Russian Hacking Grows, So Does Alarm," the increasing understanding of the breadth and depth of the hack and how 250 federal agencies and businesses may now have been affected.

Senator Mark Warner (D-VA), the ranking (#2) member of the Senate Select Committee on Intelligence (SSCI), notes: "The size of it (the hack) keeps expanding. It's clear that the United States government missed it." The tipoff came from a private sector security firm, FireEye. It learned that the transmission occurred via a Texas company, SolarWinds, which served as the conduit. The latter's security operation was a distant second to profitability; one of its security experts had earlier resigned in protest due to the neglect of cyber protection, per the NYT in-depth summary, and the CEO of SolarWinds has now announced his imminent retirement. The NYT intelligence reporters also noted that the source of much of SolarWinds' cyber support came from the Czech Republic, Poland, and Belarus. The latter has been under heavy Russian influence since its "independence," with authoritarian rule, a controlled economy, and one leader since 1994. Its recent election is disputed. So even when Amazon's front door was closed and Microsoft also closed its "windows," an unobtrusive backdoor access was exploited, or rather a Trojan horse's trap door was introduced and the cyberattack released. History does not quite repeat itself but mutates with technological advances.

The Economist (14 December) notes in "Cyber-security: Bear hunt" that FireEye described the attack as "top-tier operation tradecraft." SolarWinds is quoted as saying that "fewer than 18,000 customers" may have been struck, though most would have had collateral damage.

However, some of those customers are current US Cabinet members. The Treasury Department's "most senior leadership" was targeted, according to a 21 December report by NYT's David Sanger and Alan Rappeport. Senator Ron Wyden (R-OR), a member of the Senate Finance Committee, stated after a briefing for committee staff members that Treasury "suffered a serious breach, beginning in July, the full depth of which isn't known." Microsoft runs the Treasury Department's software. Secretary Mnuchin spoke about the hack, noting that classified systems had not been breached.

Both Attorney General William Barr and Secretary of State Mike Pompeo believe that the attack "appears to be Russian." The current National Security Advisor, Robert O'Brien, convened a Principals' Committee (PC) session on 20 December to "take stock" of the situation. Other attendees included Commerce Secretary Wilbur Ross, acting Homeland Secretary Chad Wolf, and Energy Secretary Dan Brouillette.

At odds with his own senior leaders, President Trump tweeted on 19 December that the attack on "federal networks was under control, was being exaggerated by the news media and might have been carried out by China rather than Russia" according to Ellen Nakashima and Josh Dawsey of the Washington Post.

In addition to earlier cited diversions, distractions, and disagreement between the White House and the Cabinet, Homeland Security's Chief of its Cybersecurity and Infrastructure Security Agency, Chris Krebs, was fired in November 2020 and a federal judge declared the Acting Secretary of Homeland Security's appointment unlawful. Moreover, as reported by NYT's David Sanger and Eric Schmitt on 20 December, the present White House Administration and acting Defense Secretary Christopher Miller (following the firing of Mark Esper in November 2020) have recommended that Cyber Command and NSA be divided. This apparently "...led to a firestorm of protest on Capitol Hill. Democrats and Republicans alike say that the two institutions are too intertwined ...and any unilateral action by the administration to change the current structure would violate legal requirements for extensive assessments before altering it." Chairman of the Joint Staff General Milley was reported to have neither reviewed nor endorsed the recommendation.

These legal requirements, in a bipartisan bill introduced by US House Armed Services Committee Representatives Jim Langevin (D-RI) and Don Bacon (R-NE) and passed into law, require a 6-month strategic assessment of the objectives, and the means to achieve them, for a separation of Cyber Command and NSA to become effective. This subject has been under discussion since the christening of Cyber Command, but is not a likely candidate for instantaneous creation even when the timing is troublesome.

Stepping back from the current cyber crisis, one strategic look at the divide between public and private sector cybersecurity policy across democratic countries worldwide is offered by Marietje Schaake, President of the Cyber Peace Institute and International Policy Center at Stanford University. In Foreign Affairs, November/December 2020, she takes into consideration recent cyberattacks on the Norwegian Parliament, the New Zealand stock exchange, and the Vatican, underscoring the fact that these were not threats of a cyber-Pearl Harbor nature, but of "...attacks from below that threshold--intrusions that can still cause grave damage." She also addresses the Microsoft Windows hack and the UK National Health Service shutdown. She calls upon governments to recognize that "...the private sector wields outsize power in the digital world... and that public authorities are largely at the mercy of private companies." Many options for resolving this imbalance are offered, particularly "...for democracies that should extend norms and rules to ensure safety in the digital world."

In fact, such progress might just be underway. The US Senate and the US House of Representatives have coordinated on the new FY2021 Intelligence Authorization Bill. House Permanent Select Committee on Intelligence (HPSCI) Chair Adam Schiff explains what the new bill contains:

It includes important provisions related to global health and pandemics; the challenge posed by a rising China, emerging technologies like artificial intelligence and 5G; recruitment and retention for the workforce; and other regional priorities, including the Middle East, and Afghanistan. Further - and especially notable in light of the recent cyber breach of government agencies and private sector companies - the bill also includes several provisions designed to strengthen our cyber defenses, protect our supply chains, and provide additional resources and capabilities for responding to cyber-attacks. Many of the most important elements of the bill are contained within the classified annex that governs the necessarily secret elements of the IC's work.

While the references to Russia's cyberattack can only be inferred from Rep. Schiff's oblique reference to the classified annex, the summary does speak to the recent cyber breach crossing public and private sector domains. Likewise, the Senate has worked via its SSCI to hold closed hearings where the hacking is likely to be addressed, two in December 2020 and one on 6 January 2021, in addition to all the stimulus, pandemic, seating new members on Capitol Hill, and other pressing issues.

Cyber Scene #52 - Cyber: Capitol Offense and Counter

Since the last publication of Cyber Scene, a mere 2+ weeks ago, the world has been rocked by two seismic events, both located on Capitol Hill.

Cyber has had, and is playing, a top billing role in both, for worse and better.

The 6 January 2021 insurrectionists' attack on the Capitol, and on the members of Congress within, was fomented and organized principally via social media. Be it friend or foe, or both, cyber as the means of communication has been a world bedrock structure.

From a constitutional perspective, the first wave would largely be construed as having evolved into a "foe." As reported generally by all media sources--from mainstream sources and those historically not--the consensus argues that the incitement, organization, funding across the US, and the assault itself, was cyber-driven.

Kevin Roose reports in "Who's Boss? 2 Tech Giants" that Twitter and Facebook, which served as the dominant communications platforms coming from the White House to those arriving for the rally and attack, implemented their existing anti-hate incitement policy by shutting down the then-President's Twitter and Facebook accounts. In addition to the cries of "censorship" and "death of free speech," both of which have been a recurring subject of Congressional hearings over the last few years, the article underscores the power of Big Tech. Both Jack Dorsey (CEO, Twitter) and Mark Zuckerberg (CEO, Facebook) were reluctant to act and "appear to hate playing the role of speech police." However, they considered this a particularly unique case.

Unsurprisingly, Parler, "a small but rapidly growing social network" associated with right-wing Americans, according to the 16 January Economist ("Said the spider to the fly: Donald Trump's ban from online platforms underlines their power"), nearly quadrupled its downloads by 8 January on its Apple app. Parler lost 12 million accounts when, by the publication date of the Economist article, Amazon's cloud-computing infrastructure arm, AWS, which supports "millions of services and websites," cut the cord.

The article goes on to point out that the legality of this action is founded on Section 230 of the Communications Decency Act that allows for the removal of any "objectionable" content if done in good faith. Even though some legal eagles will object, challenging the definition of "objectionable" considering the constitutionally protected freedom of speech, the article opines that Microsoft, Google, and other giant services will steer clear of supporting either Parler or similar companies.

Donations also played a role in the attack. Cyber again provided the means (literally, in a financial sense) to the end (fortunately, not literally). The 17 January Sunday NYT article ("Before Capitol Riot, Thousands Made Small Donations Online") reminds us that funding tends to underwrite political actions. In addition to wealthy donors, the article cites several sources of many thousands of small donors via GoFundMe or GiveSendGo. It notes that PayPal cut off the latter by 11 January 2021 as this information came to light. Some of the fundraising was even captured at the entrance to the Capitol shortly before the arrival of the crowds on 6 January and recorded via online videos.

The cyber presence of the run-up to the attack, the attack itself, and post-attack online tracking of the event has proven to be very useful to FBI, state, and local law enforcement. It seems that an insurrection selfie, posted in situ, does not likely allow for subsequent "5th" pleas for inadmissible status in a courthouse. This has led to significant, cyber-based roundups of physical, financial, or "spiritual" perpetrators.

The House Oversight and Reform Committee Chair Carolyn B. Maloney (D-NY) has called for a formal investigation into Parler and other sites that "bristled with violent chatter," according to the Washington Post's Tom Hamburger and Craig Timberg of 21 January ("House Oversight Committee chairwoman requests FBI probe of Parler") in the context of the siege of the Capitol. What may propel this investigation, according to the Chair's letter to FBI Director Christopher Wray, is Parler's use of a Russian-owned web services company, DDoS-Guard, that also has Russian government clients.

As the FBI executes its post-mortem at the federal, state, and local levels, rounding up the unusual suspects, including some veterans, and bringing them to justice, the non-prosecutorial wing of the US Judicial system has been hard at work, looking strategically at the future.

Its point of departure is the National Defense Authorization Act (NDAA) for Fiscal Year 2021 (which began on 1 October 2020). This is noteworthy for being the only (and strongly bipartisan) bill for which Congress (House on 28 December 2020 and Senate on 1 January 2021) overrode the recent President's veto during his entire 4-year administration. On 2 January 2021, Lawfareblog.com's Paul Rosenzweig ("The NDAA Pushes Forward on Cyber Metrics") published an analysis under its "Day Zero: Cybersecurity Law and Policy" of cyber metrics called for by the NDAA. Among the extensive inclusions in the bill, which is "chock full of interesting tidbits," he cites Congress's wisdom in requiring guidelines for establishing a rapid procurement process for software acquisition. Perhaps the confirmation (by the Senate on 22 January 2021) of Secretary of Defense Lloyd Austin will make his past military "time-is-of-the-essence" mark in moving this and other cyber implementations forward quickly.

On 15 January 2021, Andrew J. Grotto wrote on cybersecurity and deterrence, also for Lawfareblog.com ("How to Make the National Cyber Director Position Work"), in a piece also related to the FY2021 NDAA and also chock full of interesting tidbits itself. One of the most prominent is the NDAA's requirement for the President to nominate the first national cyber director for Senate confirmation. This requires a new organization, centralization, and depth, drawing from past "czar" experiences at the National Security Council (NSC), as well as many other complicated issues. He suggests that the Office of the National Cyber Director be integrated into the NSC where, traditionally, inter-agency coordination takes place for advice to the White House. He also referenced the dismantling of cyber centers across the inter-agency during the prior administration. However, Cyber Scene is pleased to have promising, timely news upon which to focus.

Timely, indeed. As of 22 January 2021, according to Reuters' Christopher Bing and Joseph Menn, the new administration will be announcing its new cybersecurity team ("After big hack of US government Biden enlists 'world class' cybersecurity team"). The authors characterize them collectively as "a group of national security veterans with deep cyber experience." While the nominees bring exceedingly deep-bench public sector experience to the all-encompassing inter-agency team, the article cites two anonymous sources (one former official and one analyst) who believe "that the collective group's experience is almost entirely in the public sector." These unnamed sources have not done their homework. Firstly, it is to be expected that those dealing in cybersecurity may not wish to provide extensive security details, public or private sector, blasted across the internet unless required. For those vetted during a Senate confirmation process, the Senators will be properly informed. However, open sources, including Wikipedia, confirm at least the following private sector sampling of experience regarding the qualifications of the team cited for imminent cyber posting. The following open-source additions from Wikipedia and easy Google sites are arranged by new position, name of nominee, and an example of private sector experience. Some projected nominees have many decades spanning both sectors. The intent is to link these individuals through a National Security Council structure.

Cyber Scene #53 - Cybersecurity: Under (Mostly) New Management

One mere month post-US Presidential Inauguration, Washington, D.C., and environs have catapulted into very significant changes in the way cybersecurity is supported and optimized. Military commanders largely remain, to date, providing continuity, to include the Chairman of the Joint Staff, Vice-Secretaries of the Services (the Secretaries themselves are civilians), and the Combatant Commands, to include the Commander of Cyber Command (USCYBERCOM). However, the nomination and quick confirmation of a swath of talented, experienced cyber experts are advancing the success of even near-term efforts to protect and defend not only the Constitution, but its beneficiaries as well.

In addition to the other cybersecurity players noted in the January 2021 Cyber Scene, Gen. Lloyd Austin, who retired in April 2016, received a waiver for less-than-7 years of retirement and then flew through Senate confirmation. This included a detailed discussion on cyber. Prior to SecDef Austin's confirmation by the full Senate on 22 January, the Senate Armed Services Committee (SASC) first addressed the subject of his being a civilian leader, and then elicited the following from the now new SecDef:

"I believe the Department must effectively counter these campaigns by taking proactive action to: generate insights about the adversary's cyber operations and capabilities; enable its interagency, industry, and international partners to create better defenses, and; acting, when necessary, to disrupt adversary cyber actors and halt malicious activities."

SecDef's deputy, Dr. Kathleen Hicks, confirmed on 4 February by a voice vote (an indicator of broad support), also faced the SASC. She too, addressed cyber, stating that she was supportive of the proactive CyberCom approach executed as part of DoD's 2018 Cybersecurity Strategy and wanted more clarification on this strategy. Hicks adds: "China and Russia's malicious cyber campaigns seek to diminish U.S. military advantages and economic security. The department must be proactive to understand an adversary's cyber operations and capabilities...and should work with U.S. interagency, industry and international partners to counter adversary cyber actors."

Examples of the new military cybersecurity's forward thrust abound. Public discussion of these initiatives includes, inter alia, three separate examples to strengthen and implement cybersecurity strategy: Space Command, Special Operations Command (SOCOM), and the National Guard, all provided by C4isrnet's Mark Pomerleau.

First, in early February 2021, the new Space Command began receiving its first cyberwarriors from the U.S. Air Force. According to Chief of Space Operations General Jay Raymond, "Why it's so important...is that they will understand cyber terrain of space...and help us protect this critical domain from that threat." These guardians are intended to build Space Command's mission defense teams, aligned with the Air Force's cyber squadron work. These specialized cyber defense teams will protect Air Force missions and installations.

Second, on 18 February, Pomerleau reported the 1st Special Forces Command's creation of an Information Warfare Center at Fort Bragg. Although some focus is on psychological operations, cyber is the platform--an artillery piece through which "influence rounds" can be delivered, according to 1st Special Forces Commander COL Croot. The objective is to protect the military's digital footprint in tactical operations: "protecting Green Berets from sophisticated snoops." He used as an example an earlier exercise where a commander ordered everyone off social media one month prior to the training; during the training, the commander displayed to the troops all the footprint revelations, including how many people had deployed and from what base, their destination, their mission, and where their families lived, all from their digital footprints--quite a "close to home" lesson calling for increased cyber-based protection.

In the third example, the journalist explores the story of National Guard units from four states continuing the relatively new creation of Cyber Protection Battalions in the Army National Guard in support of USCYBERCOM. When the umbrella organization, Task Force Echo, was created in 2017, it was the largest mobilization of reserve forces in cyberspace. This is the fifth iteration involving a total of 600 guardsmen. It supports the Army's 780th Military Intelligence Brigade, which conducts protective operations against malicious cyber actors. While not brand new, it is highly "renewable."

The co-authors of the landmark Cyber Solarium Commission bill passed in March 2020--the Senate's Angus King and House's Michael Gallagher--discuss progress on cyber in Northrop-Grumman's Weekly Cyber Report audio podcast. This bipartisan, bicameral strategic cyber bill plays out on multiple domestic and international levels. While the audio veers toward the role of cyber in the 6 January attack, it also asks the co-authors about the general progress of the bill's implementation. Sen. King expresses his delight with the pace of implementation, noting that as of 27 January 2021, 26 of the 50 recommendations have already been implemented over 7-8 months. The recommendations call not for centralization, but for "coordination and harmonization." The co-authors are still looking for international expansion and a Department of State individual to take on this international issue of cyber information sharing and greater conferring with partners and allies on China toward an international-norms-based order. Rep. Gallagher closes by recalling his own military service and noting that cyber's weak link is human mistakes that are difficult to eliminate wholly, as human beings are, well, human.

In a completely separate perspective on this issue by Washington Post's Ellen Nakashima, the author underscores a remaining bridge to be crossed between the White House and Congress regarding cyber policy. Congress wants more oversight, while the White House is concerned about lawmakers "exerting influence of a critical area of national security." Part of the dilemma revolves around the White House 60-day review of the role of a national cyber director to advise the president on policy and strategy and to be Senate-confirmed in public hearings. Sen. King refers to this as "one throat to choke." This part of the above-cited Cyber Solarium Commission package was passed in November 2020. It seems that the former administration did not take action on this; it now falls to President Biden.

The National Security Council (NSC) cyber leader position, which had been deleted by former NSC Adviser John Bolton, has been resurrected, and Anne Neuberger has already been named to it. Nakashima describes Neuberger's role as "arguably the most powerful White House cyber position ever." The article also notes her close working relationship with National Security Adviser Jake Sullivan and CyberCom Commander Gen. Nakasone. However, the NSC, from the adviser her/himself down, is not subject to Senate confirmation or Congressional influence. On the one hand, Sen. King believes that if the cyber leader is exclusively in the NSC, the lack of Senate confirmation will give the position neither the continuity nor the stature required. The White House reportedly believes that "...running cyber policy from outside the NSC--creating a sort of "Shadow NSC" for cyber--is not the most effective way to do it."

Even as the dilemma remains with supporters for each of the two possible options, some are looking for a compromise in a division of labor between non-military and military, and private versus foreign ally entities. Sen. King concludes by saying: "These two functions can be complementary and should be. I'm not going to fault the administration for moving to shore up our cyber defenses. I just think they need to take the next step."

On the same day the above Washington Post article was published, Defense One's Mariam Baksh recounted Neuberger's White House press briefing updating the response to SolarWinds and noted the preparation of a multi-part Executive Order (EO) on the hack. She noted that 8-12 items are to be included in the EO. However, since it involves nine federal agencies and 100 companies, there are legal issues in the private sector sharing with the federal government that still need work.

Baksh also reported that the week before, the House Homeland Security Committee heard from former Cybersecurity and Infrastructure Security Agency Director Chris Krebs. He confirmed the issue with the contracts that federal agencies have with vendors, which prohibit them from sharing cyber incident information across the government. Krebs goes on to say that SolarWinds is "...not the only malicious cyber activity of likely Russian origin, either for us or our allies or partners, so as we contemplate future response options, we're considering holistically what those activities were."

As for the judicial view, Lawfareblog's Tasha Jhangiani on 17 February follows up on the U.S. government's insufficient capacity for responding to cyberattacks, Russian or otherwise. After a short synopsis, the issue of a "cyber state of distress" is discussed in the framework of the Cyber Solarium Commission's recommendation. The result of this declaration would trigger a Federal Emergency Management Agency (FEMA)-like mechanism for resources to resolve the crisis. Jhangiani continues that the current Presidential Policy Directive 41 "...fails to give federal agencies the authority, funding or resources needed to assist non-federal entities in the event of a significant cyber incident." It is noted that the Commission would give Homeland Security the authority to trigger the availability of these resources. This does not appear to be included in the 26 initiatives in the bill already implemented.

So is Russia, as malicious as it is, the principal threat to the U.S., its partners, and allies? Likely not. Syndicated New York Times Columnist Thomas Friedman, among many others, believes that Russia has fallen to #2, ceding first place to China. In his somewhat hyperbolic but fundamentally factual "Vladimir Putin Has Become America's Ex-Boyfriend From Hell," he maintains that Russia has been hollowed out, has become far less powerful than in the past, is economically and demographically bereft, and has generally been relegated to "stalking the U.S" through hacks and election-meddling, and that Putin is "...relishing the notion that so many Americans think he installed..." the former U.S. president. Russia is also less lethal due to the February 2021 extension of the NEW START nuclear treaty between Russia and the U.S. The running metaphor is forceful as well as wildly entertaining.

So, as we await a spectrum of breaking cyber news and look next month at China, take a peek at Wired's February edition. Exceptionally, it is completely dedicated to three chapters of one new book entitled "2034: A History of the Next World War." Although the upcoming book on which the issue is based is supposedly fictional, co-authors Elliot Ackerman and Admiral (ret) James Stavridis claim in their discussion with Wired that year 2034 is coming too soon in reality.

Cyber Scene #54 - US-China: Cyber Syndrome or War of the Worlds?

This month's Cyber Scene will exclusively focus, as promised last month, on US-China relations bearing strongly on cyber security. The backdrop to this selection is the jumpstart "diplomacy dime versus military dollar" approach of the new US Administration in its dealings with China. This approach does not exclude other tools of statecraft, to include economics (inextricably linked to the tech world) and information/intelligence (also linked to the tech world). Nor does it underestimate enduring and long-term timelines and cyber-linked military issues, as a podcast referenced later may demonstrate to this readership.

The choice of China versus Russia was simple. True, it was Russia cast as "guilty as charged" in recent disclosures about the 2020 US elections while China was held far less culpable, as they "backed off" per a New York Times (NYT) 17 March article by Julian Barnes, "The Intelligence on Russia was Clear." Three days later, NYT's David Sanger, in his article "That was Fast: Blowups with China and Russia in Biden's First 60 Days," cited former Secretary of Defense and CIA Director Robert Gates as saying to David Ignatius of the Washington Post that if Putin remains, Russia may be the most dangerous challenge. However, Sanger leads with a cyber-based opening volley. He opines, "It may look like the bad old days of the Cold War, but today's bitter superpower competition is about technology, cyberconflict and influence operations." Sanger's discussion of Russia vs China as leading challenger reflects not only the recent intelligence assessment on foreign interference in the 2020 US elections but also the 19 March US-China meeting in Alaska between Secretary of State Antony Blinken and his Chinese counterpart. This follows a 2-hour phone call between President Biden and Chinese leader Xi Jinping.

Secretary Blinken summarized the US strategy with China, as reported succinctly by Barron's on 22 March, as follows: "The U.S. relationship with China will be competitive where it should be, collaborative where it can be, and adversarial where it must be." Blinken had offered an expansion of this approach in an earlier Bloomberg piece on 3 March by Nick Wadhams entitled "Blinken Says Only China Can Truly Challenge Global System." This speech was a preview of U.S. diplomacy to be carried out, per Secretary Blinken, via this "interim strategic guidance" from President Biden. The Secretary concluded by saying: "Diplomacy, not military action, will always come first. We've seen how they've often come at far too high a cost, both to us and to others."

The Associated Press characterized these two-day talks as contentious: "The U.S. accused the Chinese delegation of 'grandstanding' and Beijing fired back, saying there was a 'strong smell of gunpowder and drama' that was entirely the fault of the Americans." Given the tenor of the Alaska discussions, Alaskan ice fields may have receded even more, but then again, climate change is the leading example of a prospect of some collaboration between China and the U.S. as it is an issue the two superpowers share in a positive way. Perhaps this may be the diplomatic toe in the door Secretary Blinken will need.

But Sino-US agreement on cyber? Not so much. In the Sanger article cited above, Robert Gates also notes that US cyber capabilities should be more aggressive. Sanger closes in summary: "The risk, of course, is one familiar from the Cold War: escalation."

That may be inevitable. In the wake of two major hacks into U.S. systems by Russia and China, per NYT 14 March, the White House and Congress are considering a new cybersecurity approach. "When not one but two cyberhacks have gone undetected by the federal government in such a short period of time, it's hard to say we don't have a problem," stated US House Representative Mike Gallagher (R-WI), who sits on the Cyberspace Solarium Commission. The above article, authored by Sanger, Barnes and Nicole Perlroth, explained that intelligence agencies whose mandate is limited to foreign activity, like the CIA and National Security Agency, are prohibited from working on domestic hacks such as these recent ones on Amazon and GoDaddy. However, the FBI, Homeland Security and some others do have a domestic responsibility. Congress and the Administration are looking at how a closer relationship between domestic-focused US agencies and private sector cybersecurity companies (two of whom caught the referenced hacks) could be bolstered. This in turn could result in timely tip-offs to those agencies focused on foreign interference. Per the authors, there is no interest by either the Administration or the Congress in changing the authorities of foreign versus domestic intelligence agencies, but rather in improving communication where possible between public and private sector players.

Stepping back from the here and now, rather harkening back to the Biden/Blinken strategic approach to relations with China as discussed above, China is of course taking steady steps toward its strategic 2050 plan. The Economist's 11 March report on China's strategy, "Five-year plan: The big target," explains that China wants to ratify and implement its plan carefully and completely. Leader Xi quips "It's not like back in the day, when we were still bumpkins." To remind readers of China specialist David Lampton's comment, "China says it has had a few bad centuries but is making a comeback." Classic understatement on both counts. The article goes on to underscore that competing against the US "looms large in China's strategies." It projects research and development increasing 7% over each of the coming five years and reaching an 18% reduction in carbon dioxide emissions by 2025 (again, one, if only one, US-China point of overlap). The article considers these figures also likely to be exceeded. The principal elements of China's existing "Made in China 2025" continue but have not been directly cited. It does call out quantum computing, semiconductors and artificial intelligence as some of seven frontier technologies vital to national security and development. This is all under the umbrella of at least nominal insulation from the rest of the world.

"The fallout from Hong Kong: How to deal with China" goes on to delve into the struggle between autocratic and liberal democratic approaches that reach far and wide of political theories. The article calls out the financial boom in Hong Kong while rife with turbulence. Investors include Morgan Stanley, Goldman Sachs, Apple, Starbucks, Siemens and many others. The Economist then looks at why China has 18% of the world GDP--innovation, great financial returns, consumer trend expertise, etc. And while out of favor now, Jack Ma's empire is still worth over $500B.

It also looks at where America has failed to match China's success. Huawei is one such example that this readership understands has been problematic for the U.S. The Economist observes, "Of the 170 countries that use its products, only a dozen or so have banned it. Meanwhile, the number of Chinese tech firms worth over $50bn has risen from 7 to 15." This is an example of why the Western liberal democracies are called upon to "...start with building up the West's defences. Institutions and supply chains must be buttressed against Chinese state interference, including universities, the cloud and energy systems."

As China focuses increasingly on its domestic work, while nevertheless playing a leading role in economic movement worldwide, the Economist notes that "...isolation tends to strengthen the grip of autocratic governments." And how to avoid appeasement while engaging China is a challenge that faces the West, and particularly the new Biden Administration. The conclusion is an unfiltered warning: "China's rulers believe they have found a way to marry autocracy with technocracy, opacity with openness and brutality with commercial predictability...free societies...now need to muster a response--and to prepare their defences for the long struggle ahead." Secretary Blinken had cautioned to expect a multi-administration approach.

Finally, the Harvard/Brookings Lawfareblog offers a view of the US-China future in a podcast. The interview host is LTC Alexander Vindman (USA, ret.), who is Pritzker's first Military Fellow, completing a dissertation and book at Lawfare following his departure from the National Security Council staff. The guests are the co-authors of "2034: A Novel of the Next World War." ADM. James Stavridis (USN, ret) has served in three 4-star postings prior to retirement to serve for five years as Dean of Tufts University's Fletcher School of Diplomacy. This is his 10th book. His co-author is journalist, award-winning novelist and highly decorated US Marine, Elliot Ackerman. They discuss the impact of hubris, miscalculation and escalation in advancing to a China sea war footing, in part due to not "upping our game in cyber." The use of Twitter plays a role in spreading the battle cry. The overreliance on technology is a major issue against the Chinese--China having a "supreme cyber capability;" the US has shortcomings in quantum computing as well as with cyber and AI, which plays a role as well in this cautionary tale. The authors underscore the importance of crafting a Plan B and the danger of "sleepwalking into a war" without a strategy.

Cyber Scene #55 - Cyber Meteorology - Part One: The Ghost of Cold War Past

This issue of Cyber Scene examines which way(s) the cyber wind is blowing and ultimately, who among Western "meteorologists" are willing, able and armed to fight this war.

Historically, the frigid winds from Siberia fly across Europe every winter, race down the Rhone River valley, and in addition to causing some physical destruction, drive the locals temporarily mad. The cyber world continues to anticipate, weather, and counter threats from Russia, not merely in Europe but particularly in the US and its Five Eyes allies. The KGB or SVR or FSB or "mistral" by any name blows strong. Potential victim nations anticipate attacks, shutter their homes (sanctions), try to redirect (expulsions), and generally armor up with learned advice (cyber experts take the con).

Simultaneously, from the country that created explosives for the world, we detect a global change in climate. Your technology summers get warmer. Under ransomware attacks you are already flooded before you know it. Denial of service creeps in, dries up your communications and parches your cyber landscape. And worse is likely to come. National or global power loss? Algae in your drinking water digitized into contaminated home downloads? Buckle up and call your tech pros who understand the cyber world and wield influence and respect of those who control the tools of statecraft.

First to Russia without love. The aptly named SolarWinds attacks (think Siberian wind) came sweeping down into US public and private systems and, like that mistral, have been sourced to Russia. The US White House under President Biden has fought back openly against a bundle of incursions (election-related interference, SolarWinds, military threats to Ukraine, etc.) in both sanctions and expulsions against Russia. As reported by New York Times (NYT) intelligence experts Julian Barnes, David Sanger and Lara Jakes on 14 April, the new National Security Advisor Jake Sullivan indicated that there are both seen and unseen retaliatory actions. Among the "seens" are sanctions against the Russian financial sector (inter alia, US-dollar denominated bonds and Russian debt) and build-up of US military within threatening reach of the Russian troops deployed to the Ukrainian border. The US had also expelled 10 Russian diplomats and sanctioned 32 others for 2020 presidential election interference as reported separately two days earlier by NYT's Andrew E. Kramer. The "unseens" will not of course be specifically identified which, by definition, would convert them to "seens" but would predictably include cyberoperations and cyberexercises with allies.

As reported above, President Biden did contact President Putin about these actions, which the US considered "proportional." Foreign Minister Sergey Lavrov stated that the US actions were actually "escalatory and regrettable." Mr. Lavrov announced the banning of most senior serving US intelligence/cyber officials and several former ones, implied that the US might recall its ambassador to Russia (a "suggestion" not a "demand") as Russia had done with its ambassador to the US, and went on to note that since Poland had expelled some Russian diplomats in solidarity with the US, Russia retaliated with the expulsion of some Polish diplomats from Russia. George Kennan, who penned the US policy of Cold War containment, must be turning in his grave.

SolarWinds played a pivotal role in putting the proverbial final nail in the US-Russian "all's well" friendship coffin. Associated Press's Frank Bajak looked in detail at the ransomware contribution to the present state of affairs. He reports that damages alone in 2020 include over 100 federal, state and municipal agencies, 500+ hospitals (and this, during the pandemic, no less), 1,680 schools, colleges and universities and hundreds of businesses. He assesses that tens of billions of dollars in losses have accrued. He also cites former British intelligence cyber chief Marcus Willett as calling this "arguably more strategically damaging than state cyber-spying." The looming question is, how does the US go from this catastrophic situation to resolution and safety, and what role might the recent reactions by the US play in the future? How do the US and its allies, and their companies around the world, protect against these attacks?

Many will appreciate Bill Whitaker's CBS 60 Minutes refresher on SolarWinds' guilt in launching this US-Russian volley of threats as well as presenting a view to where US policy could go. He interviews three individuals savvy about the attacks regarding whether these recent ones crossed the line ("yes"), the difference between more traditional cyber spies and these attacks, the downstream impact upon up to 300,000 users, and the folly of avoiding "making Russia mad" when the US "should make it afraid." Watch the video and you will gain a serious appreciation for the direction cyber operations will take under the new Biden Administration, particularly if you read the rest of this Cyber Scene as well.

Remaining on the US front, the Washington Post's Joe Davidson examines the current state of US cybersecurity and opines that its status "is good reason for Americans to be insecure." This is likely to change for the better. Cyber Scene readership is conversant with the role of the bipartisan, bicameral Congressional Cyberspace Solarium Commission. Its four leaders, Sen. Angus King (I-ME), Rep. Mike Gallagher (R-WI), Sen. Ben Sasse (R-NE), and Rep. Jim Langevin (D-RI), had in January called for the creation of a national cyber director post, as a GAO report and the Commission had done previously. The four Solarium leaders explained:

"As our adversaries' attempts to probe our networks become bolder, the need for a leader with statutory authority to coordinate the development and implementation of a national cyber strategy to defend and secure everything from our hospitals to our power grid could not be more clear."

President Biden, on 11 April, nominated former NSA Deputy Director John (Chris) Inglis as the first US National Cyber Director; former NSA senior executive Jen Easterly to replace the fired Chris Krebs as head of the Cybersecurity and Infrastructure Security Agency (CISA); and Robert Silvers as Undersecretary for Strategy, Policy and Plans at DHS per the Washington Post's Ellen Nakashima. As reported by Joe Davidson (above) the Cyberspace Solarium Commission has praised the President's nominations. Rep. Jim Langevin went so far as to say: "I am absolutely thrilled with the appointment of Chris Inglis as the first national cyber director." Inglis, Easterly and Silvers require Senate confirmation, which is expected to be smooth. They, joining the already-in-place Anne Neuberger to serve as Mr. Inglis's deputy, have their work cut out for them, as the 60 Minutes video captures. Politico provides a comprehensive biographical background for Chris Inglis, who served as the second longest ever deputy director of NSA, and Jen Easterly who had, inter alia, assisted General Keith Alexander in establishing Cyber Command as one of his "Four Horsemen." One of the other three is current NSA Director Paul Nakasone. Rob Silvers has served as DHS Assistant Secretary for Cyber Policy during the Obama administration; as Undersecretary (a move of increasing responsibility) Silvers will likely put his cyber background to good use. Chris Krebs, himself, declared the three picks as "brilliant."

To avoid excluding a Cyber Scene peek at the third (judicial) branch of government, it should be noted that the nominee, announced on 17 April, for Deputy Attorney General, is also a cyber expert. Lisa Monaco, who served the Obama Administration on counterterrorism issues, is well prepared for her remit to tackle not only domestic extremism but cyberattacks from abroad. The Senate Judiciary Committee, per the NYT's Katie Benner's report, "voiced unanimous support and a bipartisan coalition of senators is expected to confirm her in the coming days." They did, 98-2, three days later on 20 April, per the Senate's own count.

Near unanimity in the Senate as well as the bipartisan strength of the bicameral Cyberspace Solarium Commission bode well for the advancement of cyber security in the coming years, as does support from alliances.

Deepening the cyber bench is not restricted to political appointments. The US Senate is trying to bolster DoD's cyber security status by expanding quantum computing. As reported by C4ISRNET's Joe Gould, the two bills, one from Sen. Maggie Hassan (D-NH) and one from Sen. John Thune (R-SD), are the Quantum for National Security Act, which would impact the Pentagon, and the Quantum Network Infrastructure and Workforce Development Act. The two bills were introduced to the Senate on 16 April. The two senators are supporting each other's bill--another sign of bipartisanship regarding technology--which would enhance quantum computing research, expand partnerships, and generally place quantum computing on the front lines of DoD technology.

NATO, awaiting President Biden's visit to Belgium, is also fortifying its cyber defenses, as reported, again, by C4ISRNET.

On 15 April NATO convened a virtual NATO Cyber Defence Pledge conference hosted by the government of Estonia to discuss needed improvements in the alliance's cyber posture. Estonia also hosts NATO's Cyber Security Center of Excellence. Among other topics, one theme in the publicly available remarks by top leaders was "a newfound urgency in protecting key infrastructure against cyberattacks as the coronavirus pandemic has forced an even greater reliance on data connectivity across all sectors of society." Estonian Prime Minister Kaja Kallas referred to "malicious cyber activities" near and far, her apparent reference to Russia and China. The two key themes were mandating certain levels of resilience among NATO members, including cyber resilience, and leveraging NATO's capacity for harnessing next-generation technology.

Lastly, as the Economist reported in late March, the UK is placing science and technology "at the heart of a foreign and defence policy shake-up." This derives from Prime Minister Boris Johnson's recent "integrated review of foreign, security, defense and aid policy." However, the review highlights the aspiration of the UK to become a science and technology superpower, as the country anticipates technology becoming the prime metric of national power. The review cites the need to influence "the future frontiers of cyberspace...data and space" among other references to cyber's central role.

And yes, the UK approach does call out China, which will return as a topic, also viewed through meteorology, for the May edition of Cyber Scene.

Cyber Scene #56 - Part Deux: Cyber Climate Change with Chinese Characteristics

As referenced in earlier Cyber Scenes, China's White Paper 2050 strategic plan for having an "influence" is muted and grossly understated. In the U.K., the new Government Communications Headquarters (GCHQ) Director Jeremy Fleming said "Russia is affecting the weather, whilst China is shaping the climate." In the Reuters report entitled "China could rule world's technology, U.K. cyber spy chief says," he casts the global situation as dominated by China's jumbo-sized technological weight having the ability to potentially "control the global operating system." Chilling, indeed.

The Economist picks up the temperature in an entire edition entitled "The brutal reality of dealing with China." Of particular note is "White heat" which discusses an "integrated review" entitled "Global Britain in a Competitive Age" presented by Prime Minister Boris Johnson, of the U.K.'s "radical" foreign, security, defense and aid policy. Technology including cyberspace, data, and space are woven throughout the 114 pages. The near future includes a new National Cyber Force for the U.K. Moreover, the new strategy has been warmly received by partners in the U.S., Asia (including Japan), and Europe (including France, remarkable given Brexit).

The U.S. as well is moving forward. Despite the thrust of E.J. Dionne's Washington Post op-ed on the illusion of bipartisanship in the U.S. Senate, he notes that Senator Schumer's (D-NY) bill entitled the "Endless Frontiers Act" has been merged with the U.S. Innovation and Competition Act of 2021 which has been cleared by an 86-11 vote to advance the bill for full Senate approval. It will legislate $100 billion toward the creation of 10 technology hubs in the U.S. and scientific education to develop cutting edge technologies.

The rise of China brings up several issues that underpin cyber and other technologies, present and future. As has been addressed widely in public discussion, and here, the prior U.S. administration took a decidedly hawkish view toward Chinese technological development, particularly challenging Huawei's expansion world-wide. According to the 8 May Economist's "Assuming the position," the Biden administration is still sorting out its tech trade approach to China. It inherited a redirected Bureau of Industry and Security (BIS), which falls under the usually sotto voce Department of Commerce. The prior administration, per the Economist, made the usually faceless and silent BIS the prime weapon against Chinese technology, cutting off Huawei "from global semiconductor supply chains." As of this writing, the new administration is looking to "outsider" candidates to lead the charge for the U.S. at BIS. The lead contender seems to be James Mulvenon, who last year connected China's chipmaker to its People's Liberation Army. Mulvenon is a defense analyst, neither a lawyer like the Obama administration appointee nor a tech leader like the Bush #43 appointee. The position was largely vacant during the Trump administration. In considering the appointments discussed in the April Cyber Scene, we may see his name rise up in the near future as the current administration develops its approach to China, fills key holes that remain, and names an undersecretary and policy guru for BIS. Meanwhile, the article notes that "Mr. Biden's National Security Council (NSC) contains plenty of expertise on China and technology." Its Director for Technology and National Security, Saif Khan, developed a plan for countering Chinese semiconductor development, but a complete China policy is still in the works. The article believes that the nomination of the undersecretary of Commerce to run BIS will be a strong indicator of whether "Mr. Biden does, indeed, have a plan for redrawing the lines of technological trade with China, and that he intends to use the most experienced people possible to do so."

Internally, China is trying to rein in competition among its own cyber companies. Craig Mellow of Barron's reports in "China's Crackdown on Internet Giants Lingers" that 34 Chinese internet companies were directed by China's State Administration for Market Regulation to fix their anticompetitive practices or "be punished severely." This followed Alibaba's fine of $2.8 billion for "banning merchants from using competing e-commerce platforms, among other infractions." The article discussed investor interests (profits, of course) and went on to address two areas where internet giants are looking for greener pastures: finance and cloud computing. For any investor readers, the article points out that despite the threats from the Chinese government, the internet giants' stock has not folded as investors at least know what to expect.

As these internal Chinese challenges occur, and the U.S. advances its development of a Chinese strategy based largely on technology, Taiwan has successfully moved in as the world's biggest chipmaker "...amid the Sino-American tech war" and is becoming indispensable, per the 1 May Economist in "Living on the edge." Taiwan Semiconductor Manufacturing Company (TSMC) controls 84% of the world's chips from A to Z, rather from Apple to Alibaba. The article is brimming with tech details, investment issues, and how this occurred, for the curious reader.

Meanwhile, China has another domestic 1,000 flowers to bloom. Its internal cybersecurity work includes the "Chinese government's insistence on being able to monitor and control the information that flows through the country's digital networks." The 24 April Economist "Hacking China: Watching them watching you" covers the internal difficulties this global tech power faces. Examples include the popular WeChat, which is not encrypted because it must be filtered and censored; this also makes these transmissions a vulnerable target, writ large across over a billion WeChat accounts. Another aspect is the challenge facing Tencent, which owns WeChat and must keep inspecting messages while denying this option to attackers. Security is widely weak, and means to keep it that way have been developed to make it easier for the Chinese government to monitor its population. As a result, internet users in China have complained about the lack of data protection. The government's response has been to promote programs for companies to protect customer data while enforcing weakness in their devices. The Chinese government has accepted the tradeoff. The populace may think otherwise.

As for hacks, London's 16 May Financial Times broke headlines that French-based "AXA Asian operations hit in ransomware attack." Mainland China was not named, but victims include Thailand, Malaysia, the Philippines, and Hong Kong. The Russian-speaking attackers used a ransomware variant called Avaddon and claim to have stolen 3 terabytes of data including customer IDs and privileged data between customers and doctors/hospitals. AXA is now eliminating coverage of cyber extortion insurance in France as it merely encourages the attacks. France is second worldwide only to the U.S. in ransomware attacks.

Those of you readers who live in the southeastern part of the U.S. may be compassionate, as many have had a short spike in gas prices due to the we-can't-ignore-it Colonial pipeline attack driving the company to shut down operations, as reported on 8 May by New York Times' David Sanger, Clifford Krauss and Nicole Perlroth.

This time it was neither the governments of Russia, China (both guilty as charged in the past), or Iran, nor terrorist groups. It was the DarkSide--a criminal group eager to hold corporate data for ransom. They succeeded with a reported $4.4 million payout. Sanger and Perlroth returned to report on 14 May regarding lessons learned about U.S. cybersecurity, parsing out how the preparations and simulations to avoid such an attack bore little resemblance to the real thing. The former CEO of cybersecurity firm CrowdStrike notes: "Every fragility was exposed. We learned a lot about what could go wrong. Unfortunately, so did our adversaries." President Biden suggested the U.S. would not give in: "We're also going to pursue a measure to disrupt their ability to operate," Mr. Biden said, a line that seemed to hint that United States Cyber Command, the military's cyberwarfare force, was being authorized to kick DarkSide offline, much as it did to another ransomware group in the fall ahead of the presidential election.

Far from this being the end, Washington Post's Ellen Nakashima and Rachel Lerman opine on 15 May that it may be the beginning. Returning to climate issues, they liken the attack to the tip of the iceberg. Colonial Pipeline's dilemma is faced by thousands of companies, schools, governments, and other entities around the world every year. Most incidents go unreported. Anecdotally, according to companies that help victims hit by ransomware attacks, more than half pay some form of ransom. DarkSide has reportedly collected $46 million during the first 3 months of 2021. By 15 May, however, the Administration believed that while the criminals were unlikely to be linked to the Russian government, they may nevertheless be living in Russia.

And the plot thickens. In a 24 May report by ProPublica, co-published with MIT Technology Review ("...Ransomware Hackers...Secret Weapon..."), Renee Dudley and Daniel Golden explain how two researchers, five months earlier, had discovered a countermeasure to this sort of DarkSide ransomware. However, a cybersecurity firm made the mistake on 11 January 2021 of publicly exposing this fix, which gave DarkSide time to develop a counter to the counter. As a result, gas shot up in price, Colonial Pipeline lost millions of dollars, and the DarkSide won. Additional articles available on this ProPublica/MIT link provide more details that make this darkness even darker.

The payment in this case was reportedly made in Bitcoin. The rise of governmental as well as other questionable sourcing leads us to an Economist 8 May Special Report on Banking "GOVCOINS: The digital currencies that will transform finance." Even as money makes the world go 'round, sometimes badly, in this case it loops us back to China. The cover story explains that virtual currencies are before us. They are risky but needed. It touts the transition from an anarchist's obsession to a fund manager portfolio. PayPal is starting to reach China's levels of "govcoins." Technology has had a huge influence on banking and cost-cutting is making such international flows more attractive. The Economist puts the savings of digital currency per year per person at $350. It also allows access to those without bank accounts.

But the other side of the coin is its dangerous appeal in an ungoverned or poorly governed currency. The issue goes on to drill down on organized crime as seen in the Economist's 8 May "A decentralized dark economy makes cyber-crooks more effective and harder to catch." The article continues, sketching out the increase of nefarious cyber-criminal ransomware attacks. Conversely, China's expected digital currency is not expected to be terribly revolutionary as reported in "The new yuan: a lot like the old yuan." But these directions in finance would, in turn, reduce the dominance of the dollar (as noted in "Hege-money").

So the dollar may cool, cybercrime will likely heat up, and China is warming to its cyber future.

Cyber Scene #57 - New Cybersecurity Developments

This month has been overflowing with cybersecurity developments--new hacks, fallout and rebounding from past and recent hacks, assessments of crystal balls past and present, and most importantly, where the U.S. stands regarding the 17 June Biden-Putin meeting. We will start with the latter and flash back.

On 17 June, U.S. President Joe Biden and Russian President Vladimir Putin held their first meeting as presidents under the cloud of the recent Russian-originated cyberattacks. President Putin had already declared "nyet" when questioned just prior to the meeting with President Biden regarding Russian governmental involvement in recent, Russian-traced cyberhacks. The setting was cast by the U.S. as a meeting and not a summit, framing the discussions as expectations being limited but a start. NBC has captured both the essence and the video. The tenor was not friendly, but histrionics were also absent on both sides and the meeting itself was historic. The door to further contact was left open.

As the world cries "Where's the beef?" with the hack of JBS, SA, a global Brazilian-owned meat producer in the U.S., the expansive spread of ransomware likely gives this readership pause. Ditto for your car, if recent gas prices brought you to a halt, particularly if you live east of the Mississippi, in the South, or on the Eastern seaboard. The Midwest may have escaped the shortage of gas but not of McDonald's offerings. And this is just the fallout of attacks in very recent 2021 history that have reached public view.

As for the role of government, on 19 June Wired's Gilad Edelman writes that the U.S. Government is now moving at the speed of tech. He believes that one strong indicator is the appointment of new Federal Trade Commission (FTC) chair Lina Khan. He states: "This week, Khan, at all of 32 years old, was appointed chair of the FTC, one of the two agencies with the most power to enforce competition law. Congress, meanwhile, has introduced a set of bills that represent the most ambitious bipartisan proposals to update antitrust law in decades, with the tech industry as their explicit target."

Lina Khan's ascendance to the top of the FTC, and a set of bipartisan antitrust proposals, show just how much has changed in Washington--and how suddenly. Politics, in other words, may at least be aspiring to finally be moving at the speed of tech.

While Mr. Edelman's report may be more aspirational than foundational, he does provide proof that both corners in the ring have found common ground, for different reasons, in trying to restore a fair playing field (to mix metaphors). Ms. Khan will lead the FTC in looking at Amazon and fellow FAANGs.

Such is the glimmer of bipartisanship that speaks volumes of a functional future. Catching up with tech, however? Well, the future will tell us.

Some have been correct in predicting it in the past. One such clairvoyant is Leon Panetta, former Director of CIA and holder of other positions, who warned of a looming "Cyber Pearl Harbor" a decade ago, per NYT's Nicole Perlroth's "Are We Waiting for Everyone to Get Hacked?" of 6 June. She admits that he didn't call every issue, and some predictions haven't happened yet, but "...the stark vision he described is veering dangerously close to the reality we are living with now." Ms. Perlroth cites 2021 hacks attempting Super Bowl water contamination and attempts at disrupting Martha's Vineyard ferries in addition to the well-known recent hacks, and adds that the list does not include all the businesses that are paying off extortionists quietly. The entire article is well worth a read.

The Colonial Pipeline hack did much to highlight Mr. Panetta's predictions. Although the restart of pipeline operations occurred in early May, NYT Clifford Krause and David Sanger note that many gas stations and refineries were slow to start. The NYT authors describe the attempts to resume fueling for mass transit, truck deliveries, chemical producers and airlines and the reaction of individuals, one of whom categorized this hack as like the beginning of the pandemic where people "just freaked out."

On a macro level, The Economist 15 May "Hacking and Ransoms; Post-Colonial studies," discusses how such a cyberattack underscores growing risks to infrastructure in the U.S. It goes on to cite several energy-specific initiatives that have been in place to counter cyberattacks, including the 2020 Cybersecurity Multi-year Program Plan. But vulnerabilities obviously remain, and hackers have doubled ransom amounts, thereby increasing incentives.

It was Pete Buttigieg's first crisis as Secretary of Transportation, and U.S. Cabinet members "...held a series of briefings to describe efforts to get freight trains, trucks and more ships into what amounted to a complex bucket brigade to bring fuel up the East Coast."

The fallout continues. Details of the Russian-affiliated DarkSide in Ransomware Powerhouse as reported by NYT's Andrew E. Kramer, Michael Schwirtz and Anton Troianovski reveal not only a sweeping, high profile attack, but also that "It casts a spotlight on a rapidly expanding criminal industry based primarily in Russia that has morphed from a specialty demanding highly sophisticated hacking skills into a conveyor belt-like process. Now even small-time criminal syndicates and hackers with mediocre computer capabilities can pose a potential national security threat." And for a mid-crisis assessment of where it all stands, see CNN's Zachary B. Wolf's What Matters regarding ransomware hacks. Even as individuals try to fill the tank and calm down, the U.S. Government is trying to systemically, and in a bipartisan way, counter fallout and repetition.

CNN itself is sensitive: AP's Kelvin Chan reported on 8 June that CNN, as well as the NYT, Britain's government home page, and dozens of other web pages, were victims of an outage at the cloud computing service Fastly. The San Francisco-based service said the problem was technical and not a cyberattack, but it gives one pause.

On 8 June NYT David Sanger and Nicole Perlroth updated their lessons-learned/way forward synopsis of ransomware attacks such as the Colonial Pipeline. Pointedly, they concluded that "The episode underscored the emergence of a new "blended threat," one that may come from cybercriminals, but is often tolerated, and sometimes encouraged, by a nation that sees the attacks as serving its interests. That is why Mr. Biden singled out Russia -- not as the culprit, but as the nation that harbors more ransomware groups than any other country."

FBI Director Christopher Wray confirmed in a broad-based 4 June article by Wall Street Journal's Aruna Viswanatha and Dustin Volz that Colonial had paid approximately $4.4 million in ransom. However, the FBI subsequently recovered the money in both cash and bitcoins. In this article, Director Wray also addresses the role of government in the ransomware world. He took a page from Mr. Panetta, comparing the recent cyberattacks to 9/11. The WSJ goes on to discuss Biden administration officials as characterizing these attacks as an urgent national security threat, and that "they are looking at ways to disrupt the criminal ecosystem that supports the booming industry."

This WSJ tech news briefing continues, describing what is a "whole of government" focus on countering ransomware. From the judicial branch of government, Deputy Attorney General Lisa Monaco urged all ransomware investigations to be coordinated with a task force created in April.

Part of this challenge is public-private coordination. Anne Neuberger, White House Deputy National Security Adviser for Cyber and Emerging Technology, contacted corporate executives and business leaders to "...immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations." Ms. Neuberger added that the Biden administration was working with other countries to counter ransomware gang attacks. She concluded: "We cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility. The federal government stands ready to help you implement these best practices."

Days later, on 8 June, the Associated Press' Mike Corder, Nick Perry and Elliot Spagat reported that the FBI dealt a major, "unprecedented blow" to organized crime in Trojan Shield. In conjunction with 15 other nations, the FBI rolled up 800 suspects, 32 tons of drugs, 250 firearms, 55 luxury cars, and over $148 million in cash and cryptocurrencies. How? In 2018, the FBI took down an IT company, Phantom Secure, that provided end-to-end encrypted devices and replaced it with a secure messaging system of its own, ANOM. Business was herded to ANOM. The FBI worked with USDA as well as the EU's Europol with world-wide impact, according to Dutch National Police Chief Constable Jannine van den Berg. Beneficiaries reached as far as Australia.

As Ms. Neuberger asserted, this is not only a private-public matter, but also a global one. NATO's Secretary General Jens Stoltenberg reminded the Atlantic Council that NATO treats cyber-attacks as demanding an Alliance "Article 5" military response--"all for one and one for all." This means that all NATO members will support the country or countries that are attacked in a cyber environment. The only time so far that NATO has declared an Article 5 was for 9/11. And this resulted in 47 countries (NATO and others) joining the U.S. in a military-on-the-ground response.

Capitol Hill has been incredibly supportive of this direction. Indeed, the Senate has just confirmed the appointment of Chris Inglis as National Security Advisor for Cyber via a voice vote, indicative of the strong expectation of few if any nays. This bipartisanship was matched with multiple accolades from Senators on both sides of the aisle. While the Senate is responsible for confirmations, it also plays a role in funding as Congressional purse keepers. However, the Senate has not funded Mr. Inglis' office yet nor sorted out various directives regarding his execution of duties.

So perhaps the U.S. Government is not quite moving at the speed of tech, but it appears to be approaching a broader domestic and international, public-private, and comprehensive most-if-not-whole of government acceleration.

Cyber Scene #58 - China's Cyber Belt and Road: Strategic Measures and Countermeasures

This edition of Cyber Scene is all about cybersecurity, stretching from the U.S. across Europe to China and back.

Cyber Scene readers may be familiar with China's Belt and Road infrastructure projects. The expanding hubs serve as the belts and the spokes extending from them are the roads--global roads. Presented as an infrastructure project, "One Belt One Road" (the official Chinese translation) is officially aimed at 65 countries, half of the world's population (4.4 billion at the time it was released), and one third of the world's economy. The infrastructure requires towers and cyber connectivity for all those parliamentary buildings, road construction, supply chains, etc.

US White House leadership over the last 5 years has talked about infrastructure, but only recently has a tangible strategy been developed by the White House and funded by Congress. It is not exclusively physical either. Rather, it advances simultaneously and compatibly with an embedded cyber strategy.

Chinese leadership has been heading in this direction for many decades. In the Western World, the White House is both developing cyber strategy and naming proven, experienced cyber experts. And this too is impacting NATO, non-NATO Europeans and other constitutional democracies world-wide. The jury is still out as to how the new US cybersecurity strategy will play out in a global widening cyberattack environment. But the following discussion indicates that at least there is a strategy in the game.

The White House has its challenges. It is working on multiple fronts. China is not the only problem, although the recent Biden-Putin face-to-face keeps those doors open. On the tech front, the White House is also dealing with how to enhance cyber defense while working with Big Tech to comply with strategic initiatives. And while juggling these issues, it is also rejuvenating relationships with foreign partners who share an interest in dealing proactively with these threats. Moreover, the White House needs to fully man its cyber staff and fund its cyber initiatives. This is also subject to politicized dispute.

For starters, New York Times' (NYT) Nicole Perlroth addresses this in "How China Transformed Into a Prime Cyber Threat to the U.S." She notes that unlike a decade ago, current Chinese cyber-attacks are highly aggressive, sophisticated and mature--far more advanced than in the past: "China is now perpetrating stealthy, decentralized digital assaults of American companies and interests around the world." Sloppy PLA hacking has been replaced by "elite satellite network contractors at front companies and universities working with China's State Security," reportedly as of 2018. They work through software like Microsoft's Exchange email service and Pulse VPN devices which are harder to defend. The analysis goes on to point out that the US Justice Department indicted four Chinese nationals for hacking commercial aviation, defense, biopharmaceutical and other industrial commercial secrets in July 2021. In late July, the U.S. also indicted China's Ministry of State Security itself. Secretary of State Antony Blinken believes that the State Security Ministry "...has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain."

NYT cyber experts Zolan Kanno-Youngs and David E. Sanger reported the following day that for the first time the Biden administration accused the Chinese government of "...breaching Microsoft email systems used by many of the world's largest companies, governments and military contractors." As White House Press spokesperson Jen Psaki states, "We are not holding back." The article goes on to explain that the US diplomatic goal is to bring countries like China and Russia to agree to "a set of guardrails for behavior--not arms control, which would be impossible to verify in a world of invisible, reproducible cyberweapons." The cyber experts go on to say that dealing with digital espionage is nothing new, but that the Biden administration has been "aggressive in calling out both countries and organizing a coordinated response." As a result, a joint statement from the U.S., NATO, Australia, the U.K., Canada, the EU, Japan and New Zealand that criticized China for the cyberattacks was issued and publicized.

With a view from across the pond, the Economist followed up on 20 July in "After failing to dissuade cyber-attacks, America looks to its friends for help." This article added that "...unusually, America recruited those allies to admonish China by name, something they had been loth (sic) to do. NATO joined America for the first time in condemning China for state-sponsored hacking." The expectation is that the US will convince its allies to take some form of collective action against China.

A big question is to what extent NATO might take Article 5 action against a cyber-attack on one of its members. In the Pentagon's Early Bird Brief, Defense One addresses this issue. It notes the possibility of a cyber-attack leading to Article 5 implementation. Article 5 has been used only once: NATO joining the US in Afghanistan following 9/11. At the NATO Summit in June 2021 attended by the US President, the alliance on 14 June officially "re-conceptualized how and what kind of adversarial activities can lead to cross the threshold of an armed attack. The most important change: the insertion of the word 'cumulative.'" Asked about the choice of the word "cumulative," the NATO press response is significant:

"The term was indeed used deliberately, and the reason for using it is because the alliance has recognized that the cyber threat landscape is evolving, and that several low impact cyber incidents by the same threat actor have the same impact as a single destructive cyberattack."

By early July, the NYT's Kellen Browning reported that hundreds of businesses around the world had suffered from elite cyberattacks. The issue of an Article 5 declaration would impact non-NATO nations as well. Sweden, not a NATO nation but one joining the US in Afghanistan, was hit hard when Sweden's largest grocery was forced to close 800 stores due to a cyber-attack; Sweden's railway system and a major pharmacy chain were also affected. While President Biden opined that the attacker was not specifically identified, a European response would be similar. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stepped in to identify this attack as a "supply-chain ransomware attack" and added that CISA was helping with the investigation.

Such is not the exception but the rule of late. As the US struggled in May with its own ransom attacks (Colonial Pipeline and JBS meat factory were the lead headliners), per the Economist 19 June "Ransomware highlights the challenges and subtleties of cybersecurity," Ireland lost control of its healthcare system, Health Service Executive (HSE). HSE declined to pay the $20M ransom demand. The article goes on to address the surprisingly permissive attitude that had existed toward "...a regime led by an old spook like Mr. Putin." But as was seen in the 2014 OPM hack of 21.5M records of US persons, cybercrime is experiencing a growth spurt.

So, the tenor has changed. Catch-up isn't working well at cyber speed. In addition to global alliances to counter cybersecurity breaches, large and small, preemptively, Wired calls out the importance of President Biden's playing "Hardball with Internet Platforms." It believes the White House needs to prioritize Americans' wellbeing over Big Tech's "whims" to begin a path to restoring democracy, privacy, and competition. As an example, Wired reporter Roger McNamee points out on 24 July that the Surgeon General cited disinformation as a public health menace, with 65% of Covid disinformation coming from 12 Facebook accounts. He singles out YouTube, Instagram, Google and Twitter as "also guilty" of having a decidedly negative impact. He opines that many Americans know this but find the use of these platforms so convenient that they are disinclined to bring this to litigation.

Mr. McNamee does point out that "...appointments of former FTC advisor Tim Wu to the National Economic Council, antitrust scholar Lina Khan as chair to the FTC, former FTC commissioner Rohit Chopra to lead the Consumer Finance Protection Bureau, former CFTC head Gary Gensler and [Jonathan] Kanter at the SEC are brilliant moves because those leaders understand the issues and will make the most of the limited tools at their disposal." But, as he summarizes, clipping the wings of these tech giants will cause profits to drop a bit, and the economic impact will be a difficult issue to deal with.

On the subject of forward progress, Wired's Garret Graff also discusses strong team appointments from the Biden White House. He praises the selections, most of which Cyber Scene has highlighted in past issues, but states "It's a lot of talent, but the US now has five overlapping roles jockeying for limited budgets, authorities, and bureaucratic victories." One of the selections is Jen Easterly, the new CISA chief, and Graff also notes the challenge of sorting out the roles of just-sworn-in Chris Inglis as top cyber adviser and coordinator to the White House and that of Anne Neuberger as the Deputy National Security Adviser for Cyber and Emerging Technology. But he does underscore the fact that except for Lisa Monaco, who is going to the Department of Justice, the other senior cyber experts all have common "DNA" from their earlier work at the National Security Agency (NSA) and have all worked successfully and closely together in the past. As an aside, he points out that NSA was the principal agency responsible for creating this cyber expertise, continued by its current Director and Cyber Command Commander Paul Nakasone. As another aside, Lisa Monaco, during her work from 2012-2016, would have worked with at least two of the cyber experts Mr. Graff cites. The US cyber strategy would appear to combine reining in the increasing number of cyberattacks and expanding the ability to defend against them both nationally and globally.

Cyber Scene #59 - Cyber Around the World

Ill-gotten cyber gains continue to extend their reach. This month's Cyber Scene starts in Asia but moves around the world. Brand new to Cyber Scene is the inclusion of the Taliban, which is also playing a cyber role in making Southeast Asian history today.

As there is not yet any confirmation on alleged hacks to the US Department of State (DoS), we shall focus on confirmed disturbances to the cyber universe. As customary for Cyber Scene, we will weave in what the White House, Congress, and parts of the U.S. judicial system are doing about these cybersecurity issues. We will end with "how to handle your T-Mobile hack" as a grand finale: from the big global picture to what's in your pocket.

Afghanistan has now reached headlines not only for the Taliban's rapid terrestrial dominance, but also for the significant role it is playing regarding cyber. The Taliban has exhibited a skillful use of cyber for winning hearts and minds. A sometimes-graphic overview of this development spanning the last decade is captured in the Atlantic article by Ian Fritz, a then-U.S. airman who listened in on 600 hours of Taliban discussions on means of attacks, proselytism, and use of media to win.

Recently, Washington Post reporter Craig Timberg presented a description of how the Taliban had been promoting its policies on websites spanning five languages: Pashto, Dari, Arabic, Urdu and English. These websites "went dark" as of 19 August. Who or why was left unexpressed, but Mr. Timberg noted that previously a San Francisco-based cyber company, Cloudflare, that helps websites defend against cyberattacks, had been protecting Taliban sites; however, US companies must abide by US sanctions laws. Mr. Timberg said that Taliban groups on WhatsApp, which belongs to Facebook, were also shut down. Facebook has officially banned Taliban accounts--its spokesperson stated: "We're obligated to adhere to U.S. sanctions laws. This includes banning accounts that appear to represent themselves as official accounts of the Taliban." Twitter has not yet banned the Taliban. The Taliban's Twitter spokesperson said it has told its over 375,000 followers that the Taliban will "...respect the rule of law, property rights, and the rights of women." DoS has designated the Taliban as a foreign terrorist organization, and Rita Katz, the executive director of the SITE Intelligence Group, which monitors online extremism, noted that the Taliban has been significantly contributing to "the empowerment of global violent extremism."

New York Times (NYT) reporters Paul Mozur and Zia ur-Rehman provide a short history of how the Taliban turned to social media to control the populace. They point out that initially, in 1990, the Taliban banned the internet. Now it plays a significant role as a "powerful tool to tame opposition and broadcast their messages." In particular, the Taliban are using thousands of Twitter accounts, official or anonymous, to address their readership. The social media campaign may have influenced the surrender of the country over the last few weeks. Whether the Taliban wins hearts and minds and cements power, or whether, as the reporters discuss, an "Arab Spring-like" counterinsurgency rises, remains to be seen.

On the flip side, Paul Mozur writes the same day that Facebook has added security features to help Afghans control their accounts as they fear retaliation. This includes disabling temporarily the possibility of searching and viewing friends' lists on Facebook inside Afghanistan and the ability to close their own account instantly if they feel targeted. Apparently, the Taliban is still overriding some Facebook banning. Facebook's security chief Nathaniel Gleicher acknowledged indirectly that there are risks of having personal information online. Afghans have apparently taken note of this, as many "...have shuttered their social media accounts and deleted messages out of fear that their digital footprints could make them targets." He also cited the history of Taliban reprisals. Mr. Gleicher advised people whose Afghan friends are in contact with them to consider security measures regarding their own settings. Meanwhile, migration to Twitter continues, increasing the hard decisions the company must make.

On another front, Congress continues to wrestle with national security risks sourced to China. Following the Chinese hack of Microsoft discussed in last month's (July 2021) Cyber Scene, Defense News reporter Andrew Eversden conveys that a bipartisan group of Congressional lawmakers want to amend the Pentagon's upcoming defense policy bill to better map supply chain issue risks and to cut those connected to Chinese products.

Of particular concern is sole-source material in the Defense Industrial Base coming from China. This was codified in a 22 July House Armed Services Committee's (HASC) Defense Critical Supply Chain Task Force report published by Defense News and the Pentagon's Early Bird. The final task force report provided six recommendations, forcing the Pentagon to address the Chinese use of backdoor spying or sabotage of weapons systems related particularly to semiconductors, rare earth elements for defense systems, pharmaceutical ingredients and energetic propellant for bullets or missiles.

The HASC report also calls for a DoD risk assessment strategy and a process for continuous monitoring of supply chain risks. Not explicit, but perhaps understood in the article, was the sidebar issue of withholding access to sole-source material.

The HASC forward movement, led by Rep. Mike Gallagher (R-WI) and Rep. Elissa Slotkin (D-MI), alluded to this. While Rep. Slotkin's hypothetical example of a vulnerability is an ammo propellant shortage due to political disagreements with China, such a vulnerability applies directly to cyber-related issues as well.

Sadly, these vulnerabilities are nothing new. In April 2021, Wired reporter Lily Hay Newman presented a synopsis of specific cybersecurity blindspots cited in a 2021 Government Accountability Office (GAO) report on cybersecurity hygiene, which criticized DoD for such vulnerabilities. The study underscored the need for an implementation of a 2015 attempt to plug them. Ms. Newman noted that the new report finds that DoD had abandoned or lost track of most of its dozens of security hygiene goals. Peter Singer, a cybersecurity-focused strategist at the New America Foundation stated simply: "If you can't track it, you can't measure it. If you can't measure it, you can't manage it. And if you can't manage it, you're not going to succeed."

DoD has gone over the GAO report and agrees with some of the criticism, but finds other issues overtaken by events. Drawn from two DoD Cybersecurity Initiatives in 2015, of the 28 initiatives, 10 were completed, four were determined by DoD in 2021 to be outdated as circumstances and technology have changed, and the status of the others is unknown as they have not been tracked. Much has changed in the last five years, but cybersecurity blind spots or vulnerabilities are with us still.

While the U.S. deals with these issues, Russia has been active. The White House has been working to constrain ransomware attacks while Russia has been working in a considerably opposite direction. The Atlantic Council's Cyber Statecraft Initiative fellow Justin Sherman has provided a comprehensive synopsis, via the Early Bird's Military Times, of the state of the Russian cyber landscape vis-a-vis cybersecurity. Although the two chiefs of state committed to future cybersecurity dialogues, albeit at a lower level, following their meeting in Geneva, a Russian-based ransomware attack on a U.S. company addressed last month in Cyber Scene occurred. Putin has been arguing for an "isolatable domestic internet" which pundits have often considered as separate from Russia's "cyber ecosystem." But Mr. Sherman argues that the more an internal internet is developed, the less transparency the world would have regarding ransomware. He outlines what measures have already been taken by Russia and believes that "The regime's coercion of domestic tech companies--meshed with its overall coercion and control of regime-threatening forces--underscores that Putin could crack down on cybercrime if he so desires." He concludes that the U.S. and its NATO and EU allies must move jointly and counter this Russian cyber direction "head-on."

From another perspective in early August, Mr. Sherman presents (in Wired's eye-catching "Putin is Crushing Biden's Room to Negotiate on Ransomware") the UN angle on the issue of an isolatable internet. Mr. Sherman maintains that this attempt to introduce a new international cyber treaty to the UN reconfirms Putin's unwillingness to cooperate with Biden on cybercrook threats. The proposed treaty is intended to replace the Budapest Convention on cybercrime that Russia does not support. The article goes on to analyze Putin's understanding of the terminology, concluding that "...the new cyber treaty ...conveys a sense of commitment to the same old lack of cooperation." He adds that even the definition of "cybersecurity" is not agreed upon.

One agreement that has grown some, if uneven, teeth is the EU's General Data Protection Regulation (GDPR). Regular readers will remember that EU countries seeking to end the tax-free ride that several giant Big Tech multinationals have enjoyed moved to enforce their new law. Attempts to do so had been inconsistent. However, Wired's Matt Burgess reports (first through Wired UK) that Luxembourg, which happens to be a serious European financial center, has gone to the courts. Amazon was declared "guilty" and fined $883 million. The figure is, according to Mr. Burgess, twice the total number of GDPR fines. He opines that the decision is extremely noteworthy because it displays the power of GDPR while exposing "...cracks in how inconsistently such regulations are applied across the EU." A French civil liberties group had initiated the court case. The article notes that Luxembourg and the Republic of Ireland are the most important data protection authorities, small as they are. For those not familiar with the process, Mr. Burgess explains: "Under GDPR law, companies that operate across multiple countries in Europe can select one country--where their main office is based--to act as the nation where complaints are funneled through. This process is called the one-stop-shop mechanism. Before a decision--which can include a fine or enforcement action that can make companies change their behavior--is issued, all the European nations that are interested in the case are given a right to reply." While the GDPR system is still in its infancy, it seems to have shed its baby teeth. Big Tech is a big target.

The legal boom is also being lowered on Google regarding several of its products made in China that the wireless speaker-tech company Sonos maintains infringe their copyright, per NYT reporter Daisuke Wakabayashi. He reports that US federal court was first engaged in 2020, but the US International Trade Commission--a quasi-judicial body that decides trade cases and can block importation of goods--is now engaged as well. Google and Sonos are now suing each other, claiming infringement on U.S. or Chinese patents, trademarks or copyrights. At risk are Google Home smart speakers, Chromecast systems and its Pixel phones and computers.

Yet another Big Tech legal issue might also touch you. The Economist reports on 14 August that the US and China have agreed on a big trade issue that includes some big cyber players. As grievances in America developed due to transgressions of large foreign companies, the Holding Foreign Companies Accountable Act was passed, requiring audits for companies traded on American exchanges. Skipping submissions of audits triggers automatic delisting from the exchanges (as in the New York Stock Exchange, the NASDAQ, or even the Chicago Exchange, etc.) within three years. Surprisingly, China and the US agree on this. The article notes that "Rare as this moment of Sino-American agreement is, it hardly spells good news for investors." It goes on to say that China has $1.5 trillion of market value in US exchanges.

Just in case you feel that you have sidestepped a political, technical, and monetary crevasse, if you use T-Mobile you might want to think again. The Washington Post of 20 August, as reported by Chris Velazco, has provided you with what could be called a "disaster relief" program, as T-Mobile has confirmed reports of a major data breach. Hackers have snared personal information including full names, dates of birth, social security numbers, drivers' licenses and customer phone identification of 40 million past, present and potential customers...some 45.3 million people. You should hear from T-Mobile, but you can also follow the Post's suggestions.

Cyber Scene #60 - From All Foreign and Domestic Cyber Enemies and Their Minions


This Cyber Scene looks domestically as well as internationally at the last four weeks of brisk developments in the cyber world. Following an August recess of Capitol Hill denizens, the return to a jam-packed agenda/docket has Cyber Scene issues overflowing as well. Afghanistan, Haiti, the recall of the French Ambassador to the U.S. and the annual United Nations General Assembly kickoff in New York, ending on 27 September, provide the demanding backdrop to cyber life here and abroad.

Apple makes the Cyber Scene due to issues surfaced by multiple sources. The Wall Street Journal reports that Apple has been procrastinating on its scanning for illegal content. Journalists Joanna Stern and Tim Higgins take Apple to task for claiming that the newly minted system for identifying child pornography for removal, which was "vigorously defended," was privacy-friendly in its iCloud. But the reporters maintain that privacy experts were concerned that data protection via encryption was "softening." And Apple put off implementation until "the coming months," for the second time.

Abroad, Apple has been joined by Google in removing a voting app at Russia's request, setting a new precedent, according to Wired's Lily Hay Newman. The takedown of the voting app, which was cast as anti-Russian establishment, was the "latest in a series of concessions that Apple in particular has made to the Kremlin." This takedown was fed by threatening fines and accusations of illegal election interference.

Curiously, Germany made the same last claim against Russia. Per the New York Times' (NYT) Melissa Eddy, Germany's federal prosecutor's office accused Russia of attempts to disrupt the 26 Sep national election by hacking lawmakers and members of the federal Parliament through phishing emails and attempts to steal passwords and other personal information. An investigation of this originally nameless "foreign power" ensued. The cyber sleuths now point to the G.R.U. and its Ghostwriter campaign as the perpetrators.

Russia may be disappointed in the German election: Chancellor Angela Merkel, who initiated several sanctions against Russia at least as early as 2014, will be succeeded by two power-sharing leaders who are of like mind as Ms. Merkel regarding Russia. The third possible power-sharer is even tougher.

Russia continues to protect its own cyber soil. According to Ars Technica via Wired's Dan Goodin, Russia has initiated a new way to silence Twitter: slow rolling it to an unusable speed. This mechanism, dubbed "intentional throttling," renders sites basically useless for Russian internet users. A byproduct was consuming memory and CPU resources. Roskomnadzor, the country's body that regulates mass communications, said that throttling Twitter was needed to remove content of child pornography, drugs and suicide.

China has also tightened the grip on its domestic tech world. The 11 September Economist in "Codified crackdown" delves into China's progressive regulation of digital technology. But now that Facebook and Google have been blocked, it is domestic tech giants that are impacted. China has not only silenced its domestic businesses, but also reaches out overseas, such as when Didi, a Chinese "Uber," had its apps removed and was told to stop adding clients two days after it opened in New York City. New laws are in effect to control China's tech leaders, including ones that require code "for their platforms so that they provide content that the government likes, and inhibit what it does not." Four of the new laws to be implemented over the next three months are said to reshape China's internet. Although Europe's General Data Protection Regulation (GDPR) accomplishes this to a very limited extent, China's rules are broader and stricter. Included is a Personal Information Protection Law which starts 1 November. Also new to the streets is, so far, a draft of 27 August from the Cyberspace Administration of China (CAC), which will set rules for algorithms. Alibaba and Amazon and Didi are subject to them, as are many other companies with global reach. One advantage of this restriction is fewer spam messages and phone calls. This leads to massive amounts of software being rewritten, and, well, time will tell.

Wired's interpretation of "China vs. Big Tech" re-published by Jennifer Conrad in late September looks at this sea change from another angle. She reports that the six-month campaign of China's Ministry of Industry and Information Technology intends to "regulate the country's internet companies, to rein in practices that 'disrupt market order, damage consumer rights or threaten data security.'" They are already aligned, according to Scott Kennedy from the U.S. think tank the Center for Strategic and International Studies (CSIS), as a sort of "whole of government" thrust. But this has not sat well with some of the tech giants, including Jack Ma's Alibaba: his financial arm, ANT, had to suspend a planned IPO and is now facing a $2.8 billion antitrust fine. Ms. Conrad summarizes that "the party is over--for the good of the Party."

International economic, diplomatic, and political relations are also subject to fallout. In a phone call in early September, President Biden expressed to President Xi Jinping his concern about cyber activities while also addressing the importance of the two largest economies in the world working together, despite their differences, on common ground issues such as global warming.

Continuing with White House measures, the Washington Post's Ellen Nakashima on 17 September reported on the new U.S. sanctions targeting financial entities that empower ransomware payments. The Department of the Treasury is preparing these sanctions against financial exchanges that facilitate illicit digital payments to hackers. Implementation of these new sanctions is cast as imminent. The overview the Post describes, familiar to most, points out that cybercriminals extract exorbitant fees from victims whose computers are held hostage until these victims pay, generally in cryptocurrency, "...a digital form of money traded through a series of private wallets and public exchanges that can be difficult to track." The pay to hackers in 2020 is estimated at $412 M. Treasury had attempted in October 2020 to identify companies facilitating ransomware payments for being in violation of Treasury's Office of Foreign Assets Control (OFAC) rules but it did not advance to full implementation. Now it has teeth. China, on the other hand, declared all cryptocurrency transactions illegal on 24 September.

Reuters's Alexandra Alper on 21 September expands on the information, identifying an exchange, Suex, whose sanctioning is, per Treasury Deputy Secretary Wally Adeyemo, "a signal of our intention to expose and disrupt the illicit infrastructure using these attacks." She also notes that President Biden spoke with President Putin on this subject in a meeting in July 2021.

The Washington Post's Joseph Marks, who writes under his "Cybersecurity 202" newsletter, adds on 20 September that although progress is swift, "disrupting the current ecosystem" is exceedingly difficult. He points out that the flip side entails making institutions more resilient and urging international cooperation. He also referred to the Biden-Putin meeting in sterner terms: "President Biden demanded that Russian President Vladimir Putin rein in Russian ransomware gangs and threatened retaliation if they hit 16 vital U.S. sectors." He continues, discussing drawbacks and possible implementation challenges.

As for action, the Hill is back in business. While much focus has been targeted on getting the House to pass the behemoth National Defense Authorization Act (NDAA)--achieved on 23 September--the House is also working on cyber workforce legislation to further strengthen USG response to, or strategizing against, cyber concerns. The Senate has resumed work but was out on 24 Sep.

Cyber Scene #61 - Ghosts of Cyber Past


As the season falls into place, the ramp up to a cornucopia of cyber delights is looking more like spewing hack-laced Halloween tricks. Even as we deal with new October 2021 cyber crises, this Cyber Scene draws from the distant past including the 1st Amendment (freedom of speech) and the legal mind--now a century ago--of Supreme Court Justice Louis Brandeis and his critical arguments on regulation.

As of this writing, there is breaking news regarding SolarWinds' renewal of activity in the U.S. On 25 October, New York Times' (NYT) David Sanger's "Ignoring Sanctions, Russia Renews Broad Cybersurveillance Operation," sums up how Russia's S.V.R.--a new-ish labeling of the old KGB--launched a new campaign shortly after President Biden issued sanctions in response to a trail of Russian spy global operations. This step backward was announced by Microsoft top security officials and cybersecurity experts on 24 October. The impact of the SolarWinds attack is aimed at piercing "...thousands of U.S. government, corporate and think-tank computer networks." There is a particular diplomatic fly in this cyber ointment: following a discussion between Presidents Biden and Putin, Biden "pared back the penalties" and imposed milder sanctions against financial institutions and tech companies in April 2021 saying to Putin, "Now is the time to de-escalate." Microsoft stated that six hundred organizations were victims of 23,000 attempted hacks, but it did not specify how many attempts were successful. This led to a discussion of responsibility resting on the shoulders of the intended victims. An unidentified official stated: "We can do a lot of things, but the responsibility to implement simple cybersecurity practices to lock their--and by extension, our--digital doors rests with the private sector." However, on the federal level, officials say that they are "aggressively using new authorities from Mr. Biden to protect the country from cyberthreats, particularly noting a broad new international effort to disrupt ransomware gangs, many of which are based in Russia."

More specifically, Drew Harwell of the Washington Post reported on what the author termed "a guerrilla war on tech companies" particularly devastating as it exposes "fiercely guarded secrets" of the internet. Amazon's streaming site Twitch, to include its entire source code, seems to have been the leading target. Cyber experts are concerned, according to the Post article, because the hackers are not well known. Anonymous is blamed for this last hack. Hackers boasted: "Bezos paid $970 million for this. We're giving it away FOR FREE." They portray themselves not as cybercriminals or ransomware gangs but as serving the public, since their booty ends up on the public internet. The Post article also notes that, perhaps relatedly, Facebook, Instagram, and WhatsApp suffered an hours-long outage 3 days earlier on 4 October.

Facebook, however, has recently been in the throes of several attacks-gone-public. Some have of late spilled over onto Capitol Hill as well as the British Parliament, and into four distinct media sources, cited as follows.

One unusual discussion of Facebook (or "Facebookland") comes from The Atlantic's Executive Editor Adrienne LaFrance. In her "opening argument" she posits that "The social giant isn't just acting like an authoritarian power. It is one." She is extremely critical of CEO Mark Zuckerberg. In contrast to Einstein who attempted to save the world from the atomic bomb, she describes the creator of Facebook as the image of a hostile foreign power, focused on its own expansion and "indifferent" to the endurance of American democracy. Facebook's "population" is 2.9 billion, equal to those of China and India combined. She notes that as a "nation state," Facebook calls for "...a civil defense strategy as much as regulation from the Securities and Exchange Commission." She continues, describing organizational structure in terms of a judicial branch as well as a legislative one. With 58% of his company's stock, the CEO is the undisputed authoritarian leader of the executive branch.

As strident as this article is, follow-ons across the media spectrum in October are stronger still. Former Facebook employee Frances Haugen appeared before the US Senate subcommittee for nearly 3 hours on 5 October to testify, based on internal Facebook documents she was privy to, about Facebook's influence and role as a social media giant. As a whistle-blower, she believed that Facebook was morally bankrupt and downplayed its own role of influence across a wide spectrum--from ethnic violence to teenage depression.

Following Ms. Haugen's Senate subcommittee testimony, The Economist underscored the importance of Ms. Haugen's information tersely: "The public has long suspected Facebook of two-faced toxicity but lacked fresh internal communiques to prove it. That changed when Ms. Haugen released a trove of corporate documents to regulators and the Wall Street Journal." It also applauded her success in bringing both Senatorial aisles together: "Senators, who cannot agree on such uncontroversial things as paying for the government's expenses, united against a common enemy and promised Ms. Haugen that they would hold Facebook to account."

The Wall Street Journal (WSJ), which as noted above was the first to publish Ms. Haugen's revelations regarding internal Facebook documentation, also covered the session Ms. Haugen had with a U.K. parliamentary committee on 25 October. The UK has been at the forefront in calling for more regulation regarding Facebook and other international cyber players.

It is no surprise that the U.S. Senate is moving toward more regulation. The Post reports on 14 October--following Ms. Haugen's discussion with the Senate subcommittee--that the Senate Judiciary Committee is introducing a bill to restrict the tech giants' practice of favoring their own services and products over their rivals.

The Senate is particularly looking at Amazon, Facebook, Apple, and Google. In other words, it would make "self-preferencing" illegal and reduce anticompetitive behavior. Senator Klobuchar, chair of the Senate Judiciary Committee, cites the Sherman Act of 1890 which prohibits anticompetitive agreements as well as attempts to monopolize. Of course, John Sherman wasn't thinking of digitized competition or lack thereof 130 years ago, so digital updates are needed. Supreme Court Justice Louis Brandeis wasn't thinking digital either, but he did however foresee the need for regulation in the early 1920's, which is the lead into the subject of the Supreme Court itself.

The US Supreme Court (SCOTUS) is back in session with the new 2021-2022 term having begun on 4 October. According to the docket they intend to hear 32 cases. Ten of these may indirectly relate to cyber but as the Economist synopsis "SCOTUS Term Time" (October 2) notes, the docket is more likely to focus broadly on states' rights v dominant federalism as well as a dozen dicey health-life-death issues. Derivatives from these issues might however impact cyber and the role of privilege and FISA (the Foreign Intelligence Surveillance Act).

Cyber Scene #62 - From Cyber Week Back to the Future


This Cyber Scene will look at what some prescient futurists see in the coming years—regular human years and not cyber "years" which accelerate progressively. Then we will explore what is going on now with respect to the impact of cyber on lives worldwide and on countries, First World and Third.

The first perspective for your consideration is Foreign Affairs' (Nov/Dec 2021) "The Technopolar Movement: How Digital Powers Will Reshape the Global Order." The strategist, political scientist Ian Bremmer, comes with a strong history of political risk analysis, TED talks, Stanford University, and its Hoover Institution, and is the founder and president of the Eurasia Group as well as the author of 10 books on geopolitical issues. This particular article posits that a sea change in global affairs is in process, and the tech world, not that of domestic political clout, is rising. He asserts:

"States have been the primary actors in global affairs for nearly 400 years. That is starting to change, as a handful of large technology companies rival them for geopolitical influence. The aftermath of the January 6 riot serves as the latest proof that Amazon, Apple, Facebook, Google, and Twitter are no longer merely large companies; they have taken control of aspects of society, the economy and national security that were long the exclusive preserve of the state."

He goes on to say that the US is not alone: China, as well, has Alibaba, ByteDance and Tencent as nonstate tech actors who are reshaping their country but with Chinese characteristics. European companies are in a totally different, distant, class behind. Big Tech companies are not instruments, or as he puts it, "foot soldiers" of the state. In the January 6 example, the tech world acted on its own initiative, not at the behest of the state. Bremmer suggests that a new category of classifying geopolitical leaders is needed. He stakes out three geopolitical postures and worldviews: globalism, nationalism, and techno-utopianism. They are not dependent on physical space, but rather digital space, which is far more powerful and agile. They are also well funded. He concludes this very pithy analysis with a call to understand better the geopolitical power of the digital tech world.

This strength and agility are also highlighted by the Economist (6 Nov) in "Reinvention as a service." The article highlights the relative ease with which Big Tech evolves in the digital world. The CEO of Qualcomm is cited as saying that "We are a different company now. We are no longer focused just on mobile. And we have the numbers to back it up." Other historic big tech companies such as Cisco, Dell, Hewlett Packard, and IBM are moving into cloud computing and artificial intelligence.

A new, vice reinvented, entity on the (Wall) street is discussed by former Treasury Deputy Secretary under the Trump administration Justin Muzinich in Foreign Affairs (Nov/Dec 2021) "America's Crypto Conundrum: Protecting Security Without Crushing Innovation." Digital currency, he notes, often derives from a belief that government should have less control over money. But again, the dual-edged sword appears: "Digital currencies are driving tremendous innovation that has the potential to make whole economic sectors more efficient. But they also pose various national security and financial threats and could even diminish US influence abroad." He observes that the upside is that digital currency allows the private market to call the shots, whereas the downside is that some view cryptocurrencies as nefarious tools for illicit finance.

The issue of authority over digital currency is huge: there is no gold or guarantee backing Bitcoins. In fact, with offshore activity beyond the reach of the US, the G-7, the G-20 and other institutions (e.g., the US Federal Reserve or the European Central Bank), the wizard behind the curtain is unknown. However, despite the increased risks, it is faster and cheaper than financial alternatives. He concludes that it is important that some control, "…not only by software developers but also by elected representatives who are accountable to the American people" be created.

Digital financial transmission in non-Bitcoin wrappers is rampant. From your online holiday shopping of Black Friday deals to ever-increasing variations on PayPal financial transfers, the world of digital finance is in revolutionary mode, even on Wall Street, at the US Federal Reserve, and in the Third World. The Economist (6 Nov), in "Turf Wars: Africa's fintech firms vie for domination," observes that "The payments frenzy is going global, and Africa is catching the bug." Several of Africa's financial tech firms surpassed billion-dollar valuations. On the subject of billions, most of the next 2 billion human beings are expected to be Africans—by 2025 there will be 1.5bn Africans--so the clientele will expand. The investors in Africa's fintech unicorns are international. Among some of the newest successes are Soft Bank (Japan), Chipper Cash (Jeff Bezos), OPay, Wave, and Flutterwave. The agility of digital fintechs is called out: "Africa is an obvious choice for fintech investors. They are betting that young African talent can innovate its way out of the region's most pressing financial problems faster than legacy firms can." The relatively new African Continental Free Trade Area now includes 38 of the 54 countries on the continent. Moreover, the Pan-African Payment and Settlement System was launched in September 2021 which supports these systems. Returns on investment are already strong; some investors believe Africa resembles China in the 1970s. Digital currency is expanding on "turf" that is enormous and otherwise often inaccessible, which harkens back to earlier discussion in this Cyber Scene of the role of the digital world's attributes regarding agility rather than physical ground.

Returning to Black Friday, CBS reports (17 Nov, online and on video) that cyberattack concerns are increasing across the timespan from Thanksgiving to the New Year. With the pandemic and many security staff being out of the office, "…businesses say they're worried about the possibility they'll face cyber intrusions this holiday season, a time when many of their cybersecurity operations rely on skeleton staff."

Relatedly, and as if in a parallel universe with the Covid pandemic, the title "digital pandemic" is applied to 2021 in the Economist's magnum opus (8 Nov) "The World Ahead 2022: The digital pandemic of ransomware attacks will continue." Economist Defence editor Shashank Joshi predicts: "Until firms get the basics right, the digital pandemic will rage on." Joshi points out that ransoms paid in cryptocurrency and held anonymously, are hard to unmask. Although the US has recovered a surprising amount of ransom payments in Bitcoin, this is exceptional and in no way usual. The editor goes on to underscore that free-flowing ransom Bitcoin by a lone wolf classified as cyber-crime is different from cyber-war, but the distinctions are still blurry. Moreover, even seeking newly created ransom insurance is, well, no insurance. The industry, valued at $7bn in 2020, is expected to reach $20bn in premiums by 2025. At least two of the three parties seem to be making a profit.

Another weakness in a digital big tech world, relayed by the Wall Street Journal's "Chinese Tech Giants, Under Pressure From Regulation, Now Face Economic Drag," is China's macroeconomic slowdown, particularly impacting Tencent, Meituan, Baidu and Alibaba. Some of this may be attributed to new Chinese government policies that increase control over several cyber areas. This of course harkens back to the relationship between the freer-wheeling Big Tech companies and the State. As of Yang's report of 26 November, Chinese Big Techs are taking a hit which may be related to their having had their agile wings clipped.

A reminder to the readership: while volcanic cyber events occur worldwide, US officials inside the beltway in Washington, D.C. are hard at work. Work continues as the White House connects with passage and implementation of trillions of projected infrastructure and other bills.

Capitol Hill itself is also working hard. The National Defense Authorization Act for FY2022 (NDAA 2022), having passed the House, may be approved by the Senate by the time you read this. The Hill's Jordain Carney (16 Nov) in "Democrats mull cutting into Thanksgiving break amid pile up…" captured the urgency to pass this mega bill as soon as possible, as Senator Schumer (D-NY) tried unsuccessfully to have the Senate work through the Thanksgiving holiday to wrap up and ideally vote on NDAA 2022. The Senate usually breaks on the Thursday the week before Thanksgiving and has worked through much of Thanksgiving week this year. As it stands, they reconvened on 29 Nov. and may have closed in on the vote by this publication. It was previously passed by the House, and usually receives strong bipartisan support. But fiscal year 2022 began on 1 October 2021. Some years the NDAA delays have caused serious problems for multiyear funding projects and impeded government work when continuing resolution funding dried up. Cyber is a central component of NDAA 2022 with dozens of bills under the NDAA 2022 umbrella.
 

Cyber Scene #63 - Cyber Flight Plan: Heavy Cloud Cover; Clipped Wings Alert


Cyber is reaching new heights, with polar-to-polar, tropospheric, unfettered success executed at Mach 4 speed. This Cyber Scene will focus principally on some of the newest orbiters and what restrictions, or countermeasures are playing against them.

Related to the theatrical creation of metaverse, we will "take it from the top" and begin with the Economist's Schumpeter's (a "nom de plume" weekly editorialist) discussion on 18 December entitled, fittingly, "The billionaire battle for the metaverse." He compares Amazon's Jeff Bezos and Tesla's Elon Musk space race as kids' play compared to Mark Zuckerberg's "billionaire battle ...to take people beyond reality." He notes that other tech giants are heading for this alternative reality but that the most "ardent evangelists" are the big firms still controlled by their founders. He names tech leaders from the US to China. He cites Epic's Tim Sweeney speaking with Bloomberg characterizing metaverse as a multitrillion dollar opportunity. Schumpeter goes on to say that the billionaire battle will rely not on rocket science but will be fought "with reality-bending headsets, blockchains, cryptocurrencies and mind-frazzling amounts of computing power." The markets have already reacted, placing their monetary stamp on this development. He describes the disciples' differences: technology bases, designs, political issues (free market vice China's Communist Party "techlash") but they are poised to adjust and jump in. He closes by saying that although these big firm players are "in" to promise a future of an internet which is more open and less controlled, they all want to arrive first in order to "...set the rules to their advantage."

The future may be closer than we think. The 29 December reprint of Wired's Cecilia D'Anastasio's "The Metaverse is Simply Big Tech, Only Bigger," takes a religious tack, proclaiming that "...tomorrow's cyberspace will be empyrean, transcendent, immersive, 3D, and...we will live, and die gathered under one love." She continues, analyzing the consolidation of Big Tech under the metaverse tent. She views, dismissively, one "polite" vision of metaverse collaboration as a quilt with contributions from opposite sides, where metaverse enjoys one open-source standard from which no one reaps billions. She asks: "Why would three or four tech giants partner to make a metaverse when they already spent decades and billions constructing their own?" She pokes holes in other aspects of the metaverse undertaking concluding that the future of metaverse would resemble a world similar to the 1992 dystopian novel, Snow Crash, by Neal Stephenson, where Amazon would be the landlord, and own all the homes too.

And now to the present issue of the cloud itself. The Economist's 18 December "Cloud atlas" picks up on the current computing (and competing) cloud battles. Like the metaverse of Tomorrowland, this battlefield is growing as well. The bonanza of cloud computing is likened to the discovery of electricity. Startups, per the article, invest 80% of their revenues in cloud computing and drop down to an estimated (2021) 10% of spending on public-cloud services. Spending for 2021 services is pegged at $400bn. For readers who may have attended the Amazon Web Services (AWS)-sponsored Re-Invent, the world's reportedly largest cloud-computing conference, in Las Vegas in December 2021, you may move on to the next discussion. For those who didn't attend, the article includes a graph sketching out spending in billions by type from 2017 to forecasts for 2021 and 2022 and the public cloud percentage of total IT spending. A suggestion was made to recommend that firms might want to build their own private clouds to keep costs down, but this might cap scalability, one of the founding tenets in the creation of cloud computing, according to the article. Meanwhile, AWS is offering detailed, complex services which it views as its competitive advantage. Don't get too excited: the closing paragraph discussing these services is subtitled: "Costly, with a chance of discounts."

Who knew that the cloud atlas would include Africa? (Answer: The Economist, naturally.) On 4 December, "Seeding the cloud" outlines the cyber upheaval much overdue for African communications. Microsoft and Amazon have opened data centers in South Africa and are bringing their cloud services to "the region." Africa is three times the size of the US and the article notes that due to heat the continent is a victim of frequent power cuts. The article does not delve into the many isolated areas, but there are few legacy communication systems to deal with, and investors are pouring in funding. Huawei has a data center of its own, and a large cyber footprint in Africa. Despite the lofty presence of this cloud-based "revolution," it will land through fiber, on steel, and under concrete.

Closer to the 1st world, Bloomberg's Brad Stone's "How Shopify Outfoxed Amazon..." reports that a Canadian upstart directed by Tobi Lutke called Shopify outpaced Amazon in a big way: "What Zoom was to corporate America during the early days of the pandemic, Shopify was to small-business owners, many of whom had never sold a single product online until it became the only way they might stay alive." The CEO wasn't merely the new kid on the block; he was on every block. Shopify expanded with 100% remote work, included companies such as Staples and Chipotle and luminaries such as Taylor Swift and Lady Gaga, and reached out to all the mom-and-pop businesses to achieve tremendous success--$177 bn as of late December 2021. Headquartered in Ottawa, the CEO now uses "Internet, Everywhere" as his dateline. The written article (with photos) is decidedly "in depth" even for speed readers, but the "readership" can access a 29-minute audio synopsis of this David beating Goliath little-guy-wins story as well.

Now the flip side of the coin lands up, and cyber expansion is under a very large microscope.

The White House has been trying to rein in Big Tech, and the horseman in the saddle is President Biden. In the Economist's "In tech we don't trust" (27 Nov), the change in the President's relationship with Big Tech players is explained as being heavily influenced by Senator Elizabeth Warren. She has been outspoken about the power and, in her opinion, the unregulated nature of technology in the US. Some of her candidates became nominees for the President's selection of members of the National Economic Council and the Federal Trade Commission, inter alia. Senator Warren explains: "He has put people in positions of power who understand tech at a whole new level and are deeply skeptical about many of the current practices." The public policy director of Yelp, Luther Lowe, says that it is a good time for complainants who hope for government enforcement of tech regulations, and that this political state is 180 degrees from where the then-Vice-President was in 2016. Now he has a chance of a "do-over." The current White House policy work on Big Tech is determining what battles the White House can win in passing regulatory bills pertaining to tech. Antimonopoly and antitrust legislation is in the mix, but the stage is cluttered with many complicated political issues.

Advancement of tech regulatory legislation has been slow. The New York Times' (NYT) "Congress ... Is Still Nowhere Near Reining In Tech" by Cecilia Kang reported on 11 Dec. that these political issues related to Big Tech have shifted from "theater" to gridlock. She reports that in earlier years, Congress didn't necessarily understand Big Tech issues in need of regulation. Now that is not the problem. CEOs fly frequently for hearings before Congress, and staff are much savvier than in the past in background work for the Members. In fact, the article chronicles years of "belly flops" from the Committee Members themselves. Moreover, it wasn't until April 2018 that Mark Zuckerberg testified before Congress. No, the issue has devolved into complex political issues not handily resolved, particularly not now.

However, Congress is not in a complete stalemate. The NDAA legislation that was discussed in the previous Cyber Scene was passed by Congress and signed by the President, although on 27 December vice just after Thanksgiving. The passage avoided shutdowns, multi-year contractual issues, and many, many additional and weighty problems.

Cyber Scene #64 - Cyber: Expanding and Constricting

This edition of Cyber Scene will focus on the role of cyber regarding its expansion, in the hands of both Big Tech visionaries and a teen in a garage, as well as attempts to constrict its impacts, at home and abroad. Underlying this discussion is a cobbled mix of strategic developments as well as tactical attempts to resolve cyber issues. The near-term terrain this month stretches from Silicon Valley to Donetsk, Ukraine, with reverberations reaching well beyond these 10 time zones and nearly four dozen countries, for starters. The strategic impact is worldwide. We will begin by sweeping out and move on to the US heartland before visiting Russia and Ukraine.

It is no surprise to this readership that Big Tech is powerful and ambitious. The Wall Street Journal's (WSJ) Christopher Mims explores the groundwork, or rather more technically, Big Tech's undersea fiber-optic capacity that supports the titans' dominance. He singles out Microsoft, Google's parent Alphabet, Meta (formerly Facebook), and Amazon as now controlling two-thirds of world capacity. They consider this to be only the beginning with a goal to connect all continents except Antarctica via over 30 long-distance undersea cables. Mims notes that they had only one such cable in 2010, and that was between Japan and the U.S.

Expansion is not restricted to undersea operations. On 18 January, Microsoft "paid cash" of $69 billion to acquire Activision Blizzard, a video game developer--twice the cost of LinkedIn (2016), as documented by The Economist on 22 January. This will place Microsoft #3 in gaming revenue behind Tencent and Sony. Microsoft is banking (this is literal) on its Azure cloud-computing support for videos. The Economist believes that this will trigger such acquisitions by other Big Tech firms. If Microsoft is successful, it will be a tribute to its own "gaming" talent.

This assumption tracks with another Economist companion piece entitled "Big tech's supersized ambitions," which provides a new acronym for Alphabet, Amazon, Apple, Meta and Microsoft: MAAMA. The article goes on to discuss the fact that failed big tech companies did not have regulatory problems, but rather did not anticipate the future. "The problem is that nobody knows what it will be." Indeed. But at least the forward-looking MAAMAs have studied the past to enhance their predictions of future successes by studying those that tanked. As the MAAMAs grow "...governments, rivals and billions of customers, who already fear these firms are too powerful, may be alarmed by all this."

The WSJ's Mims returns to this issue in "The Nanotechnology Revolution is Here--We Just Haven't Noticed Yet." The key to tech revolution, per Mims, is nanotechnology: "You can thank the microchip." He outlines a score of nanotechnology's developed winners--computer printers, cellphones, sensors to detect air pollution, and even the present 5G issue regarding air traffic safety. But he continues to project how this will expand to applications such as self-driving car cameras that can detect black ice, phone cameras that can detect skin cancer, and many other visions of which Jules Verne would be proud.

With respect to the current chip shortage, Intel has a plan: it is investing $20 billion in a chip-manufacturing facility outside of Columbus, Ohio. WSJ's Meghan Bobrowsky reports on 21 January that Intel intends to alleviate the world chip shortage and may expand to eight factories at the cost of another $100 billion. The first two facilities are due to begin construction immediately, and have on-line production by 2025. The near-term bonus? The company also pledged $100 million toward partnerships with educational institutions to build a pipeline of talent and foster research programs in the region.

This initiative tracks with President Biden's Build Back Better regarding infrastructure and the Senate's $52 billion to support semiconductor research and production. (N.B. Bobrowsky notes that the House has not passed the Senate bill yet.) It also addresses issues of some Rust Belt steelworkers and former auto factory workers.

As these issues are felt in Pittsburgh, Pennsylvania, as well, it would behoove Intel to extend a job offer to an inventive young undergrad, Sam Zeloof, at Carnegie Mellon University (CMU) in Pittsburgh, 3 hours east on I-70 from Columbus, who at 17 started making chips in his parents' garage, per Wired's Tom Simonite. Wired reports that the parents' garage that served as Zeloof's "low tech" lab is located only 30 miles from Bell Labs in New Jersey where the first transistor was made in 1947.

Within the context of "for better AND for worse," we will examine a few examples of cyber's seedier side as well as the advocates of constriction to include antitrust legislation, and reluctantly as it may be required, cyber warfare.

Cyber Scene readers are conversant with a panoply of suggestions for and attempts to temper the global and unregulated expansionism of Big Tech. It is reportedly bracing for this "wave of regulation" that spans the Western world, from the U.S. to the U.K., the E.U. (now chaired, rotationally, by France), and Asia. WSJ's Sam Schechner reports that Big Tech firms worry that this is impacting their bottom line. To date, Silicon Valley has not suffered much. Schechner notes that in the last five years, five of the biggest of the Big Tech quadrupled their market value, cranking it up to $9.31 trillion. However, internationally, various laws being enacted impact them. Facebook has had to sell one of its companies under a U.K. November 2021 mandate and now has to shut down its facial recognition system. Google has had to remove online-tracking cookies. Twitter is dealing with new legislative directives in over six countries. Google believes that in complying with EU decisions, they have lost market share to competitors.

In the U.S., the Senate Judiciary Committee cleared a bill on 20 January to proceed, in a bi-partisan vote, to advance antitrust legislation which intends to restrain anti-competitive influence of the "titans," according to Cat Zakrzewski and Gerrit De Vynck of the Washington Post. (N.B. Amazon's Jeff Bezos owns the Washington Post.) This debate continues amid intense and well-funded lobbying. California's two senators did not endorse the bill.

A view through legal eyes, courtesy of Lawfare's Stewart Baker, underscores how Facebook and Google seem to be bearing the brunt of the antitrust thrashing. He discusses the accusation that the two Big Tech titans had "cornered the market on antitrust troubles." There seems plenty to go around. Baker goes on to offer an update of current-event cyber issues, to include rampant "...rumors of war on the Russian-Ukrainian border--and in cyberspace."

A week earlier, New York Times' (NYT) Andrew E. Kramer broke the story of the hacking of Ukrainian government websites following a diplomatic impasse in Russian discussions with the U.S. and NATO regarding a possible Russian invasion of Ukraine. Threats to the Ukrainians included "Be afraid and expect the worst." The Ukrainian government believes that it was indeed a reaction to issues regarding Ukraine's relationship with NATO. (N.B. There has been no offer or action to open NATO admission to Ukraine.) The attack did not drive Ukraine further from NATO; the response was the opposite, with NATO and EU countries offering help, as reported in the NYT.

Lawfare's Stephanie Pell provides a pithy analysis of this event on 21 January, including reporting on a follow-up attack. On 15 January, Microsoft noted the appearance of malware on the Ukrainian government's IT firm's system that was dealing with the hack the prior day. However, the appearance of malware hit governmental agencies as well as other organizations providing "critical executive branch or emergency response functions" in Ukraine. Further study surfaced that the malware was disguised as ransomware, where activation would infect and immobilize the targeted computer system. She continues, providing an overview of US Department of Defense definitions of cyberattacks and of updates regarding the malware (that the perpetrators may have originated in Belarus), and presents varying views on the use of cyber operations in this Russo-Ukrainian context.

Regardless of how this is construed in retrospect, the immediate response has not been to estrange NATO from Ukraine. It is quite the opposite, as captured by the Economist in early January, even prior to the cyberattack on Ukraine. The article parses out several possible directions Russia might take, but while trying to size up how Putin's brinkmanship might play out, "Russia's menacing of Ukraine is unlikely to induce NATO to retreat. It may have the opposite effect."

Given military movements since then along Russia's Baltic and south-western borders, and despite diplomatic engagements prior to the departure of many US and foreign diplomats from Kyiv in late January, the Economist's analysis seems accurate. NYT's David Sanger reviews President Biden's 19 January statements regarding Putin "regretting having done it." Sanger recounts the President's reference to US and NATO troop movements to Bulgaria and Romania (both NATO countries) citing this "as a sacred obligation to defend those nations, both of which are NATO nations." The President had spoken as well about non-military measures, such as sanctions, although he did not address this specifically on 19 January. However, the Economist in mid-December (Economic sanctions SWIFT thinking) did discuss the closing down of Russian access to SWIFT, "...the messaging network used by 11,000 banks and 200 countries to make cross-border payments" as it did to Iran in 2018. As this Presidential address pre-dated continued diplomatic discussions between U.S. Secretary of State Antony Blinken and Russian counterpart Sergei Lavrov, some doors which might have been cracked open a few inches seem to be closing as of this writing. As President Biden noted and captured in Sanger's reporting, this is as dangerous as the world has gone since World War II. Whether SWIFT is engaged as a cyber weapon, or other non-boots-on-the-ground options are considered, remains to be seen as of this publication.

Ad interim, the President signed a new cybersecurity memo on 19 January supporting additional steps to be taken to better coordinate the US national security system. This supports the standards of Executive Order 14028 and imposes relatively short-term 7- to 90-day deadlines for most actions and 180-day deadlines for broader interagency cyber coordination for both data-at-rest and data-in-transit, for example.

Cyber Scene #65 - Cyber Front Strategic Update: Not Quiet on Western, or Any Fronts

The Kremlin is whipping up a 21st century Ukrainian requiem for democracy, which is capturing the world's audience. In Ukraine, mortars join state-of-the-art cyberattacks barely obvious while intentionally discernable. Missiles are being "tested" on Ukraine's borders. We have heard other requiems called world wars. This one is decidedly different as it functions with high tech modalities. Vladimir Putin accompanied his multi-pronged military attack on Ukraine with cyber variations.

The Western world continues its attempt to give peace--or at a minimum, diplomacy--a chance, as documented by the Economist, 19 February, in "Russia and Ukraine." Attempts by US President Biden, French and EU President Macron, and NATO's Secretary General Stoltenberg have not quieted the "beating to quarters" Russian drum rolls. This Economist article maps out the threats by land and sea, the latter of which, since the annexation of Ukraine's Crimea, Russia now controls. The most recent edition of this article notes that President Biden is expecting an invasion of Ukraine. On 20 February, the Economist's "Zeros and Ones" addresses another weapon: that Ukraine is bracing for a cyber invasion--a second, but likely simultaneous punch--and notes that its "defences have improved a lot since 2014, but weaknesses remain."

Warmongering is problematic. There may be or may not be 130,000 or 190,000 Russian troops along Ukraine's borders circling Russia's prey. Whether Putin is credible when he maintains that he is pulling back, while Western intelligence services and open-source collectors disagree, is pointedly vague. Whether Russian forces are "testing" or trying to stir up retaliation as a pretext for war may again be intentionally open to debate. As the Economist above points out, the "fog of war" is one issue, but the intentional foggy prelude to war is something entirely different. It smacks of "false flag" prevarication.

On the other hand, there is little cause for misunderstanding regarding a cyber invasion. Cyberattacks that were relaunched in mid-January were undeniable. The warning that ushered them in was likewise indisputable: "Be afraid and expect the worst." Along with invasion, Ukraine stands in line for an onslaught of a different sort, deriving from "the country widely recognized as the world leader in digital warfare."

The Wall Street Journal's (WSJ) Jillian Kay Melchior fittingly sheds light on the state of cyberwar on 19 February in "The Cyberspace Front in the Attacks on Ukraine." She cites her conversation in Kyiv, from whence she writes, with former Ukrainian Prime Minister Yatsenyuk on cyberattack issues. Wedged between two recent attacks, he maintains that cyber is the number 2 issue, second only to military and munitions. The cyberattacks, to date, are "Ukraine's worst wound: the largest denial-of-service attack in history," according to his government. The Defense Ministry, Armed Services, and two state-owned banks were flooded with cyberattacks denying service.

Melchior goes on to repeat the warning cited by the Economist--that the hacks included messages "to be afraid and expect the worst." Former Prime Minister Yatsenyuk cautions: "It's a red alert for Ukraine, red alert." The UK and US have determined that Russia was the perpetrator of the January and February attacks. Russia promptly denied the accusation.

The Ukrainian Government has been reluctant to speak out officially. This reticence bears a resemblance to Belgium in World War II. The Belgians had been overrun most of their historic lives (Belgium was not even a country until 1830) and were subtle in their resistance, attempting not to bite Hitler's hand that might soon be feeding them. Paybacks were, well, threatening. The post-World War I mantra was "Never Again," yet World War II struck. The same approach to threatened invasion by an exceedingly powerful and threatening neighbor might explain Kyiv's reluctance to speak out against it.

As for the thrust of these attacks, Melchior reports that the Ukrainian Government's State Service of Special Communication and Information Protection did release data regarding its Computer Emergency Response Team's discovery of 113 incidents of "critical severity" during the January to 19 February period, compared to five during the same period in 2021. She notes that in 2015, cyberattacks on three Ukrainian energy-distribution companies left 225,000 Ukrainians without power. In 2016, the attack on the Ministry of Finance and State Treasury system left 150,000 Ukrainians without their pension payments. This series of cyberattacks resulted in two US charges in 2020 against Russian military intelligence hackers behind the attacks. Following the 2014 hack, the US poured $80 million into helping Ukraine build up its cyber defenses.

As an aside: European countries also helped, although Ukraine is not, nor is it likely to become, a member of either the EU or NATO anytime soon. This means that, regarding NATO's military role in the European theater, Ukraine is not to be a beneficiary of Article 5 ("one for all and all for one"). The only time Article 5 was invoked was for 9/11 support to the US. But this does not impede nations, individually or collectively, from helping in other measures of engagement.

The WSJ article notes that support from the US and other Western countries resulted in Ukraine bolstering its cyber defense. This includes "...landmark cybersecurity legislation," beefing up cyber staffing to address vulnerabilities, and cyber critical infrastructure improvement with state and key sectors working together. The restoration of services following the most recent cyberattack was said to be much improved by current and former officials, per the WSJ.

The US (but not Ukraine) "...blamed Russian state operatives for the 2017 NotPetya attack that the White House called 'the most destructive and costly cyber-attack in history.'" Melchior adds that the impact affected one third of Ukrainian banks and seriously disrupted its newspapers, transportation, and energy. Globally, NotPetya had a $10 billion impact. Russia denied any involvement of its intelligence officers. Melchior concludes by stating: "Cyber defense is mainly Ukraine's job, but it's up to the Biden administration and Europe to deter Russia's cyber warfare."

As backdrop, Ukraine's Orange Revolution, fueling the country with democratic goals, did not sit well with Putin. Although the "color" of Ukraine changed in 2004, when Putin was the eminence grise behind the official president he selected, the dissolution of the old USSR was painful to him. He viewed the US and NATO as enemies, then and now. Cyber is one of the tools of statecraft he has readily used over his leadership.

The 20 February Washington Post (WP) study on Putin, "Wielding the threat of war, a new, more aggressive Putin steps forward", compiled and analyzed by Paul Sonne and Robyn Dixon, does not address cyber particularly. However, the authors provide both a historic and contemporary understanding of Putin's objectives and the longstanding irritation of the US and NATO particularly in his plans for the restoration of at least a portion of the old USSR of his past. With Moldova, Belarus, Ukraine's former Crimea (annexed by Russia in 2014), and some sympathetic eastern Ukrainians under his control, his next goal is clearly the addition of the rest of Ukraine. Given the Ukraine-wide and indeed global influence offered by cyberattacks and used in the recent past, an understanding of Putin's intent is well worth the read.

As this column closes (21 February), Bloomberg's latest Ukraine Update, "US, Considering Moving Embassy Out of Ukraine," reports that Putin will recognize eastern Ukrainians as separatists, "...a move that would likely torpedo European-mediated peace talks and further escalate tensions with the West." This seems to have happened already.

Moscow also debunks other expectations of a near-term Biden-Putin summit that the White House and France had just announced; Russia says "no concrete plans" are in the works. Biden has called for an immediate National Security Council meeting while France's Defense Minister Le Drian and German Chancellor Scholz (who replaced Angela Merkel) attempt to advance Western-Russo relations regarding Ukraine. They have since received calls from Putin confirming his decree to deploy troops to eastern Ukraine.

The "DIME" option--Diplomacy, Information, Military use, and Economics--was focused in this case, preventively, on diplomacy. US and French Presidents have not made progress, as of this writing, on the diplomatic front.

These efforts now have minimal chance of support, according to breaking news from the BBC, "Putin orders troops into Eastern Ukraine." President Biden has called this decree a clear attack on Ukraine's sovereignty. Earlier, Prime Minister Boris Johnson, as captured in the same dispatch, has addressed the media stating that Putin's decision to recognize two breakaway regions of eastern Ukraine--Donetsk and Luhansk--as independent of Ukraine, was a very dark sign which violates the sovereignty of Ukraine. Putin claims it was never sovereign. NATO's Secretary General Stoltenberg stated: "I condemn Russia's decision to extend recognition to the self-proclaimed 'Donetsk People's Republic' and 'Luhansk People's Republic.' This further undermines Ukraine's sovereignty and territorial integrity, erodes efforts towards a resolution of the conflict, and violates the Minsk Agreements, to which Russia is a party." He went on to accuse Russia of seeking a pretext to invade Ukraine.

As we follow Ukraine Updates changing the substance of the hyperlinks cited above, expect to see Ukrainian lights dimming, figuratively and literally, under new cyberattacks.

Cyber Scene #66 - The Beat(ing) Goes On

The anticipated lowering of the Russian cyber boom on Ukraine does not appear to have occurred as of now, and the loss of thousands of lives on both sides has replaced the expected cyber war correspondence filings on the front page. However, cyber shadows continue to play, if not the leading role, at least a supporting one in this tale of sovereignty attacked as, if not the first act, at a minimum a threat of yet another world war.

This Cyber Scene will first explore the present role of cyber in the Russian invasion of Ukraine, and the sotto voce role of cyber in underpinning various measures and countermeasures taken by the attackers and victims as well as the 140+ UN nations supporting Ukrainian sovereignty, the 5 nations supporting Russia on the other side, and several dozen fence sitters. For background purposes, keep in mind that the UN may be providing policy directions, but NATO, the EU, other combinations of willing countries and organizations, and perhaps even the G20 (which may now exclude Russia) play strategic, operational, and tactical roles in this ongoing war.

While this edition of Cyber Scene is not framed in a more customary inside-the-Beltway mode, this readership is aware of not only a "whole-of-government" but a "whole-of-most-of-the-world" response to the invasion of a sovereign nation. All NATO, EU, and scores of other countries' leadership, parliament, and judiciary are in play. Their participation and commitment have surged since the last Cyber Scene publication. Note that White House policies are similar to those of like-minded European countries; that Congress, which holds the purse, funds military spending in the billions and support for the promised 100,000 Ukrainians to be welcomed to the US endorsed by mirror images in France, Germany, the UK and Poland, inter alia; and the move to impose drastic sanctions against Russia has cleared the judicial bars in the US as well as like institutions abroad.

Given the Moscow-directed misinformation campaign attacking Ukraine and the shutdown of several cyber means of communication within Russia, Putin is reminiscent of KGB days.

Ukrainian tech folk are not surprised. They have been preparing since at least 2014-15. While the Russian populace is struggling with fewer resources to sort cyber wheat from the domestic misinformation chaff as cyber sources are constrained, Ukrainians appear to be communicating amongst themselves and with cyber support external to Ukraine. If Ukrainian President Zelensky's daily phone calls to world leaders, presentations to NATO, the EU and the US Capitol, and communication with his stalwart and brave "soldiers" are in any way exemplary of what cyber is affording them quietly, they are doing rather well. On 25 March, for example, former US Ambassador to Ukraine John Herbst interviewed Zelensky's Head of the Office of the President Andriy Yermak and took on Putin's misinformation campaign: "evacuation of Ukrainians" is "hostage-taking;" attacking a theater with children is not a defensive measure but a war crime; threats of chemical and nuclear attacks are "blackmail." Yermak pointed out that the invasion was not provoked, and it is certainly not a "walkover."

Stepping back to analyze the "Secret Cyberwar Being Waged in Ukraine," NYT's Thomas Rid, a professor at Johns Hopkins' Nitze School of Advanced International Studies, affirms that President Zelensky is understandably not speaking out about cyber activity in Ukraine that makes it successful; no news is better news. Rid notes that many pundits expected a "...cyberapocalypse and waves of pummeling digital strikes" but goes on to say that "Cyberattacks are conspicuous by their absence." Cyber is "...playing out in the shadows, as inconspicuous as it is insidious." He goes on to state that the most destructive cyberoperations are designed to be covert and deniable. No one seems to know who published the names, numbers, and unit affiliations of 120,000 Russian soldiers in Ukraine. That, along with the death of several high-ranking Russian general officers--6 at this writing--would generate quite a psychological wallop. And the counterpart is the bravery of the Ukrainians, civilian or military, man or woman. This is all reminiscent of WWII successes and military psychological operations (psyops), now executed digitally.

Per The Hill's (24 March) synopsis, President Biden launched additional sanctions, during his visit with NATO allies and the G-7 leaders in Brussels before departing for Poland, against "...over 400 Russian elites, lawmakers, and defense companies in response to Putin's war of choice in Ukraine. They personally gain from the Kremlin's policies, and they should share the pain." Cyber contributes to sanctions implementation, and President Biden underscored, in a speech at NATO on 26 March, the fact that sanctions implementation, not "sanctions," is what is effective.

Reverberations of sanctions may reach US soil in an upturn in cyberattacks, per "emerging intelligence" alluded to by President Biden and addressed directly in a White House press briefing. Washington Post's Joseph Marks and Aaron Schaffer (22 March) in their publication "Cybersecurity 202" cite that Deputy National Security Adviser for Cyber and Emerging Technologies, Anne Neuberger, conveyed to the public the alert as a "call to action for companies to raise their cyber defenses." Marks and Schaffer explain that she tied it to a series of US intelligence releases in recent months aimed at "shining light on Russian planning." Neuberger also mentions "...classified briefings for government officials conducted last week for more than 100 companies in sectors at the highest risk of Russian hacks." She said that this was the result of recent "preparatory activity" by Russian hackers, and that lax defensive security measures on the part of some companies make them larger targets than they should be.

Sanction implementation and tracking are grounded in cyber. Long lines of Russian citizens trying to withdraw devalued rubles from ATMs, and the departure of western restaurants, hotels and pleasant amenities largely new since the dissolution of the Soviet Union are painful for Russians who have come to expect access. On the Ukrainian side, of course critical shortages continue. But Wired's Steven Levy offers another perspective in "Crypto goes to war in Ukraine" regarding the fungibility of cryptocurrency. He tells a story of Everstake, a Ukraine-based blockchain company whose CEO tried to convince his employees to leave Ukraine, as he did. However, per Levy, "...the chaos of war often gives rise to alternative economies...one that rests on the unique virtues of crypto." President Zelensky signed legislation in March 2022 that supported crypto sector activities, like currency exchanges and bank integration for crypto firms.

Russia and Ukraine are engaged in a more subtle war--a digital battle per WSJ's Christopher Mims in "The Russia-Ukraine Cyberwar Could Outlast the Shooting War." Ukraine has publicly called up "an international army of vigilante hackers. The country also has hundreds of thousands of tech workers inside and outside the country who are participating in hacks and cyberattacks on targets in Russia, according to Viktor Zhora, deputy chief of Ukraine's government agency responsible for cybersecurity."

Meanwhile, as reported by WSJ's Dustin Volz and Aruna Viswanatha, the US has charged a group of Russian government hackers who have been targeting "...hundreds of companies in 135 countries." Lisa Monaco, Deputy Attorney General, said that although they are being charged for past crimes, the charges "...make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant." The article goes on to discuss the cyberattack plans, naming names of the charged hackers (some FSB) and the various targets in their planned attacks.

Given how the world--well, except perhaps President Zelensky--may not have anticipated what has transpired over the last four weeks regarding cyber, it is difficult to determine whether next month's Cyber Scene will return to more domestic issues. Stay tuned.

Cyber Scene #67 - What in the World Is Going On?

This month, we will step back two paces and look again at the cyber context particularly in the US, the West broadly, and Russia in which the Russo-Ukrainian/global war sits.

As the war is unlikely to come to a halt this month, we will pick up at Foreign Affairs' early 2022 "Digital Disorder: War and Peace in the Cyber Age." Let us begin with "America's Cyber-Reckoning: How to Fix a Failing Strategy" penned by former Principal Deputy Director of National Intelligence Sue Gordon and Eric Rosenbach, Co-Director of Harvard Kennedy School's Belfer Center for Science and International Affairs and Pentagon Chief of Staff.

The authors' march through cyberwar strategy began in 1988 and briefly moved through lessons learned. They believe that the initial approach to cyberconflict was outmoded, the Obama administration too passive, and the Trump administration too inconsistent. Add damage from "...leaks and sloppiness mean that when US President Joe Biden took office earlier this year, he inherited a mess." They give a salutary nod to John Bolton's Security Presidential Memorandum 13, but not to his President whose own relationship with Putin "...undermined the efforts of his own country's law enforcement agencies, intelligence organizations and military to protect US national security." They cite the Snowden leaks (no explanation needed here) and believe that the US must pass laws that track with Europe's General Data Protection Regulation (GDPR). Cyber Command's creation was a big plus, per Gordon and Rosenbach, but its mission was too constrained. Russian General Nikolai Makarov himself said "One uses information to destroy nations, not networks. That's (sic) why we're happy that you Americans are so stupid as to build an entire Cyber Command that doesn't have a mission of information warfare!"

They recommend a focus, with Congressional laws, for the creation of more offensive vice defensive legislation. They felt this could build on the approach that the Cybersecurity and Infrastructure Security Agency (CISA) established in 2018 and develop into a "true center of gravity for domestic cybersecurity operations" but that it be directed not by the Intelligence Community, law enforcement, or the military, but by CISA which has grown stronger. They suggest a CISA budget of $12 billion. They also recommend that Cyber Command take on the agility of a Joint Special Operations Command and not the "...lumbering Strategic Air Command of the 1950's." And lastly, they call for a greater connection to western allies and look at NATO as a potential cyber center of gravity but step back due to its being "...too clunky to foster creative strategies." They conclude that "That lack of clarity in the battle space makes it more important for Washington to be clear about its goals and strategies. The cyber-realm will always be messy. But US cyber-policy does not have to be." Ten other serious cyber-think pieces fill in the rest of this issue.

In addition to CISA, the National Security Council's formal focus on cyber with a senior presence now at the NSC table, and many other developments, the State Department, not historically known for its cyber strength, is moving forward fast. "The Hill's" Sarakshi Rai, 4 April, discusses Secretary Antony Blinken's announcement of the launch of State's new Bureau of Cyberspace and Digital Policy. It will address "the national security challenges, economic opportunities, and implications for US values associated with cyberspace, digital technologies, and digital policy (and) consist of three policy units, including international cyberspace security, international information and communications policy, and digital freedom." He has named talented, cyber-savvy Bureau leaders to serve until the Senate confirms a Bureau chief. The article does note that former Secretary of State Tillerson merged two offices, which critics felt weakened cyber diplomacy efforts. Likewise, former Secretary of State Pompeo had announced the establishment of the Bureau of Cyberspace Security and Emerging Technology in the last few days of the last administration, but Congress felt rushed and believed the office to be poorly planned.

Now, however, Congress is moving out on cyber resilience. Lawfare's Congressional expert, (RADM, ret.) Mark Montgomery, in "Congress Invests in National Cyber Resilience but Misses Important Opportunities in the Consolidated Appropriations Act" on 1 April, assessed that the just-concluded Congressional appropriations bill adds significant funding for critical cybersecurity programs, including CISA's; the National Cyber Director, Chris Inglis; and the Department of Energy. He casts them as very welcome, but notes that "Congress failed to make similar investments in supporting programs at other agencies, like the National Institute for Standards and Technology (NIST), that serve as enablers of better cybersecurity in the federal government and nationwide." Also underfunded for cyber were the Departments of State and Treasury. Following his in-depth analysis of how the funding is broken down, he concludes as follows: "The omnibus bill's significant appropriations' increases for cybersecurity-focused organizations such as CISA are welcome and badly needed. But providing for internal federal cybersecurity addresses only half of the federal government's cybersecurity mandate. National cyber resilience will fall short if Congress and the executive branch continue to overlook the indirect but important impact that other departments and agencies can have on national cybersecurity."

Inevitably, cyber leads us back to Ukraine.

In the above discussion of shortages of cyber funding for State and Treasury, the author cites the following. "Meanwhile, the world is watching in real time as a case study in cybersecurity capacity building unfolds in Ukraine. As National Security Agency Director Paul Nakasone noted before Congress in early March, Ukrainian work on cybersecurity has helped prevent serious Russian cyberattacks amid the invasion of Ukraine."

And Ukraine is brimming with cyber. The 2 April Economist's "Ukraine's president tells The Economist why Vladimir Putin must be defeated" notes that Putin's invasion of Ukraine, although not the first social media war, is the most viral. Alongside its many accolades for the performance, bravery, and courage of the Ukrainians, and particularly their leader, The Economist notes in another article on the same day that they are also the "...most wired country ever to be invaded." The use of cyber to rally the troops and to connect with compassionate supporters within and outside of Ukraine is, in most circles, considered unimaginable. President Zelensky attends to his people as well as "attends" NATO, US, media interviews and other events thanks to cyber.

The article mentions the use of social media as "'...an instrument' for governments to achieve wartime aims" per Ukraine's Minister for Digital Transformation, Mykhailo Fedorov. It is also interesting to note that this connects directly with Russia's General Makarov (see above) and his attribution of "stupid" to US disinformation constraints.

Ukraine's cyber ramping up is extraordinary, and the article goes on to cite how exceptional its speed has been. It cites rather stunning numbers: the share of Ukrainian mobile subscribers who in 2014 had access to networks of 3G speed or faster was 4%; "this year, more than 80% are on high-speed networks, according to Kepios, a research firm. In 2014 just 14% of Ukrainians had smartphones, reckons Kepios; by 2020 more than 70% did, estimates GSMA, a telecommunications industry body." Zelensky's Digital Operations campaign leader, Mr. Fedorov, said it was organic for the president to use technology. "He wants to share, wants to spread the word, wants to convey his emotions--like a normal person." The impact on Americans is also significant. The Economist notes that at the end of 2021, 55% of Americans considered Ukraine "friendly" or "allied." Two weeks after Russian bombs fell on Ukraine, over 80% of Americans considered Ukraine friendly, even more than longtime allies like France or Japan.

Russia's experience is different. The article continues, examining how Russia has "...floundered on the information battlefield." As noted earlier, Russia certainly understands the value of cyber and particularly in the world of disinformation. But it does not seem to make the expected effort to do so consistently. According to Wired's Chris Stokel-Walker in "Russia Inches Toward Its Splinternet Dream," Russia has nothing like China, which has built its own digital "Great Firewall."

However, it has wanted to create its own "sovereign internet" or "splinternet" and has more incentive now to do so. The reason it is hard for Russia to insert barriers for incoming, as well as outgoing digital messaging, is because Russia would have to start from scratch with shutting down a relatively open internet. China didn't start with one, so it was easier to create and patrol.

Yet another problem Russia is wrestling with is more recent: "Russian Tech Industry Faces 'Brain Drain' as Workers Flee" by Cade Metz and Adam Satariano for the New York Times (NYT) on 13 April. A Russian tech industry trade group put the number of tech workers who had departed, as of 22 March, as between 50,000 and 70,000. Another 70,000 to 100,000 were expected to leave soon. They are flying to Armenia, Georgia, Turkey, the United Arab Emirates, and other countries that don't require visas for Russians. Metz and Satariano also point out that they are sometimes supported by people and companies from the outside; one example is a Riga, Latvia-based venture capitalist who chartered two planes to fly out Russian tech experts who gathered in Moscow from other cities. Many global companies that had been working in Russia pulled out and directed their employees to come as well. And some were entrepreneurial and, as the article cast them, workers who were part of the global market and felt more connected globally than domestically. A Russian tech entrepreneur, Stepan Pachikov, said that the smartest techies had been leaving Russia for some time, but that the departures were accelerating: "It's devastating. If you lose too much blood, it is death for the body. Russia has lost a lot of blood."

Cyber Scene #68 - Looking Inward

The world seems to spin, like the widening gyre, in unexpected ways and speeds of late. The rapid expansion of NATO, poised to include Finland and Sweden in short order, was likely not even on pundits' "next decade" list. Russian President Putin has recently been cast as "the great unifier" of the EU, NATO, and their neighbors. Even Moldova is glancing westward.

But democracy and sovereignty begin at home. This Cyber Scene will first turn to what is happening within the Washington Beltway that influences these virtual tectonic movements. Ukrainian President Volodymyr Zelensky said on 22 May that the only way out of the war will be through diplomacy -- in addition to a win for Kyiv on the battlefield. Meanwhile, a delegation of U.S. diplomats was traveling to The Hague on Sunday for talks with allies on "atrocities committed in Ukraine," the State Department stated. Starting with solid strategic planning, we will examine the "D" of "DIME" (Diplomacy, Information, Military, and Economic tools of statecraft).

Geography matters. The Finnish border matters, and so does the restart of the U.S. Embassy in Kyiv. Foreign Affairs' Eliot Cohen, Professor and former Dean of the Johns Hopkins University School of Advanced International Studies and State Department Counselor to Secretary Condoleezza Rice, explores in "The Return of Statecraft" that even before the invasion of Ukraine, "...author after author has called for a new 'X' article akin to the one written by diplomat George Kennan in these (Foreign Affairs) pages in 1947, which laid out the Cold War grand strategy of containment." Dr. Cohen notes that a solid strategy, for both international and domestic consumption, needs to be able to better anticipate as well as respond quicker to developments. He harkens back to Theodore Roosevelt as an exemplar of far-sightedness.

As noted last month, "The Hill" reported the resurrection of State Department's Cyber Office, already staffed. Although Dr. Cohen didn't call out cyber specifically, it underscores diplomacy here and abroad.

The 29 April Economist's "The Zoom where it happens" addresses the changes in how diplomacy is orchestrated with the immediate cause being the pandemic. But technology is advancing at an acceleration even T. Roosevelt might not have imagined.

The UN General Assembly opened in September virtually. U.K. official Jonathan Black says: "For a long time we've been talking about the advent of digital diplomacy. It has, really, now arrived." While the upcoming NATO summit and the G7 (or will it be G6 less Russia, as with Davos?) will be in person, technology has not slowed the process. Ambassador Nicholas Burns (to China) states: "Diplomacy has not stopped; it's accelerated...." The article does note that Russia did slow down UN Security Council operations by insisting on physical presence, but the reduction of world-wide travel, as charted by the first 3 months of travel of the last 21 years of Secretaries of State, provides a sense of how incredibly useful digital connectivity for diplomatic purposes has become. Ultimately, diplomacy is moving toward a digital and physical hybrid.

The U.S. Justice Department, which is usually viewed as charging hackers, has taken the very opposite approach of late. Washington Post's Joseph Menn reported on 19 May that "good faith researchers with authorized access" who are attempting to identify security flaws will no longer be prosecuted according to "long-standing anti-hacking law." These researchers must be working primarily at improving safety on sites, programs, or devices rather than profiting personally from their discoveries. There are some exceptions--companies and even officials could still press charges, but most state prosecutors are likely to follow federal guidelines. Mr. Menn goes on to explore some examples of how the 1986 Computer Fraud and Abuse Act is now reinterpreted. While this is broadly good, some seek "better." Security experts said they would prefer that Congress overhaul the 35-year-old law, since judges apply the existing law as they see fit and another Justice Department could reverse the policy.

On the other hand, some lawmakers want to tighten prosecution of cyber adversaries, according to the Washington Post's Joseph Marks and Aaron Schaffer on 19 May. A bipartisan group is particularly aiming at "...nations far inferior to the United States in military and economic might (which) can nevertheless batter us in the cyber domain."

Taking the lead are Rep. Elissa Slotkin (D-MI), formerly from CIA and the Pentagon, and Rep. Michael McCaul (R-TX), co-founder of the Congressional Cybersecurity Caucus. Their intent is to provide more robust "...rules of the road in cyberspace and the consequences for nations that violate them." This may include restrictions regarding international financial systems and trade.

An interesting note is that this is a bipartisan intervention: many members of the House of Representatives are in the middle of their mid-term primaries, and one third of the Senate is embroiled in mid-terms as well.

Another unusual element of inside-the-beltway activity which came to Rep. Slotkin's attention involves the Department of Homeland Security (DHS), according to the New York Times' Steven Lee Myers on 18 May. DHS has abruptly suspended its 3-week-old Disinformation Governance Board while Homeland Security Secretary Alejandro Mayorkas reviews breaking allegations. Mr. Myers' title captures this as "The Panel to Combat Disinformation Becomes a Victim of It." This is a delicate time, as the mid-term elections referred to earlier are prime targets for disinformation.

Per Politico's Andrew Desiderio as of 19 May, the Senate is ramping up to vote approvingly on Finland and Sweden's accession to NATO. The two countries are both EU members and NATO partners, often cast as more "accessible" than some current NATO members. They have 21st century commands of cyber, strong military, and solid economic standing. They deployed with the U.S. in Afghanistan even though they were not "Article 5-bound" to do so. The expectation is undoubtedly a strong U.S. Senate "yea." All 30 NATO countries must approve new members. Timing is critical, as Finland particularly, being threatened and sharing a border with Russia, would not qualify for "Article 5" coverage by NATO until accession is finalized. In the "olden" days, this could take well over a year, but under these threats, Finland and Sweden are being fast-tracked.

In a very interesting perspective on timing, reported in the Atlantic, National War College Professor Dr. David Auerswald agrees that the Senate will support Finland and Sweden as new NATO members as the Senators have done in the past, voting unanimously for 7 former Soviet Bloc countries in 2003. However, he addresses several reasons why the Senate might be bogged down in bringing a vote to the floor quickly. "It does not bode well," he avers. The Senators could insert provisos into the "advice and consent" to change administrative policy, or pass a "ratification document" replete with "reservations, understandings, and conditions." Any of this foot-dragging could delay a vote until after the August recess. This could lead, he explains, to additional opportunities for Russia to manipulate public opinion through disinformation, increase military threats, or engage in petro-coercion. Dr. Auerswald does not cite cyberattacks, but Thomas Rid does.

With U.S. suits and boots on the ground, tracking cyber developments will likely be faster. And what would those be? Johns Hopkins University, in the 30 March video just released including Professor Thomas Rid at the School for Advanced International Studies, outlines five levels of cyber activity in this conflict. Tune into Dr. Rid's presentation (the second video) at 24:22 minutes. Consider this a pithier update to his New York Times article discussed in the March 2022 Cyber Scene. In priority order, the five levels are 1) digital hacktivism (more of a distraction); 2) a range of wiping attacks, six of which are publicly known; 3) command and control against Ukrainian-used satellites/bricking (disabling) many modems; 4) cyber operations by the Ukrainians this time releasing on 28 March Russian FSO officers' names, addresses, etc; and 5) real-time information regarding frictions between Putin and his Ministry of Defense indicating a failure of Russian counterintelligence.

And as reported by Wired's Andy Greenberg on 18 May, "WasteRussianTime.today" auto-dials enable the user to connect Russian officials to each other and listen in. This is also quite personal, so even hacktivists on both sides, which was Dr. Rid's least worrisome cyber issue, can slide into psychological operations via cyber and have an impact.

All U.S. entities inside the Washington Beltway live in a cyber world, one way or another. And hybrid or not, it becomes personal.

Cyber Scene #69 - Looking Back, and Forward

All three branches of the United States government deal with crises of the day, with a view to creating a better tomorrow or, if budgets are involved, a better next five years. But history reminds us that if one does not look back and appraise the success or failure of earlier decisions, history repeats itself. Earlier Cyber Scenes have noted past decisions made into law by the denizens of the Capitol. Similarly, SCOTUS justices have, at least traditionally, cited past decisions, per stare decisis, as directives for present and future decisions.

This Cyber Scene will limit the "past" to a retrospective of cyber success or failure over the first half of 2022. The frame of course is limited--to Ukraine and legal action against or for cyberattacks, depending on where one sits or stands. This analysis will then add a future mosaic of cyber security issues across both US and international perspectives.

First let us revisit Ukraine and Russia from early 2022 to the present, as seen through the cyber eyes and articles of six experts (four of whom are familiar to this readership) from four respected publications over six months. Three of the four publications were inspired by Microsoft's 21 June report tracking Russian cyberattacks on Ukraine and NATO allies.

"Old cyber hands" David Sanger and Julian Barnes filed a surprising 22 June New York Times (NYT) analysis of Microsoft's revelations: a new look at the first months of war revealed more Russian cyberattacks than originally thought, with a stunning failure rate of two-thirds. Sanger and Barnes cite this as a significant effort to understand "...the interaction of a brutal physical war with a parallel--and often coordinated--struggle in cyberspace." They acknowledge that this is the first "full-scale battle" pairing traditional cyber- and military attacks.

Sizing up the Russian side, National Cyber Director Chris Inglis believed as of April that Russia expected a quick victory in February but "were distracted" when this was unsuccessful. On the other side, Ukraine was ready thanks to cyber defense preparations including a significant early warning system with help from Microsoft and Google and moving most of its important systems to the cloud. Microsoft President Brad Smith, who was certainly in the position of knowing, said that Russia's major cyberattack on 23 February used FoxBlade malware to attempt to wipe out government software. Ukraine, however, despite the ferocity of the attacks, thwarted many of them and had significant enough redundancy to suffer little.

Moreover, according to David Ignatius's 21 June Washington Post op-ed "How Russia's vaunted cyber capabilities were frustrated in Ukraine," US tech companies and Western cyber agencies have "unheralded stories" of close partnerships--well, perhaps heralded now. Ignatius cites that between 23 February and 8 April, according to National Security Agency's (NSA) Cybersecurity Director Rob Joyce, 40 destructive attacks, cast as "an enormous cyber offensive" on Ukraine, were attempted. Ignatius notes that the private-public damage from Snowden in 2013 seems to be healed because of Russia's attacks on the 2016 and 2020 US presidential elections and the invasion of Ukraine.

The timeline of this partnership was in the works before the invasion. Cyber Command chief General Paul Nakasone said that Ukraine's cybersecurity defense had support from the US in early 2021, with Microsoft and Google there even earlier. Microsoft's president adds that it has been connected not only to the US Government, but also to NATO and EU cyber officials. He added that Russia's attacks originated from its three intelligence services: the GRU, SVR, and FSB.

Google also protected Ukraine. Following Russia's 2014 DDOS (distributed denial-of-service) attacks and the seizure of Crimea as well as attacks on eastern Ukraine, Google initiated "Project Shield" for Ukraine which is now used by 200 sites in Ukraine and 2,300 others in 140 countries.

Fortunately, Project Shield was active when attacks were at Ukraine's cyber door. Dustin Volz's 22 June report in the Wall Street Journal (WSJ) underscores the uptick of cyberattacks against countries, including NATO members, supporting Ukraine. The targeting of governments was only part of the attacks, which also included NGOs (nongovernmental organizations), think tanks, and humanitarian groups supporting Ukrainian refugees in addition to info-tech and energy firms. Volz cites intrusion attempts since 24 February against 128 targets in 42 countries as the projected victims.

Of these attacks, 63% were against NATO--Poland being the #1 target. During the last two months activity increased against the Nordics (Denmark, Norway and non-NATO members Finland and Sweden who have since applied to NATO) as well as Turkey.

The Baltics--little neighbors of Russia--were also attacked. Latvia, Estonia, and Lithuania should take some comfort in the expanded support of other NATO members including the US and remind their allies that it isn't paranoia if "they" (Russian attackers) are after you.

As if to serve as the preface to the above analyses, Foreign Affairs writers Erik Lin-Greenberg and Theo Milonopoulos wrote on 30 May of "Boots on the Ground, Eyes in the Sky" highlighting the role of commercial satellites in defending Ukraine during the invasion. They particularly follow up on a 2021 analysis of the status of commercial satellite imagery, where they marked the dramatic advancements of its role in national security. The relationship of commercial satellite imagery has changed in its connection to the public: information governments might have preferred to hide is now broadly available. The authors assess that "Commercial satellite imagery has helped galvanize public support for Ukraine...and countered Russian misinformation."

This, however, is a two-edged sword. The authors go on to discuss President Biden's release of intelligence about Russian deployments on Ukraine's borders, "...all but confirming that Moscow was planning an assault on its neighbor. This was an unusual move: governments are typically loath to share sensitive intelligence about adversaries to better protect the sources and methods used to acquire information." The authors explain that by triangulating commercial imagery with social media posts, the public, amateur sleuths, and the U.S. Intelligence Community could "roughly be on the same page." This also benefited European allies, delivering data to influence the advancement of unification of western nations in support of Ukraine. Moreover, this Foreign Affairs study goes on to note that the US National Geospatial Intelligence Agency (NGA) Director Vice Admiral Robert Sharp underscored the fact that "Publicly available imagery of Ukraine is now providing unprecedented public insight that until recently would've been only available through government agencies and officials. And it's helping a democratic country fight for its survival." The authors go on to project future expansion of commercial satellite imagery, adding that NATO as an institution may move to buy imagery directly from commercial firms, rather than relying on member states to do so. It appears that this is yet one more example of the impact of the Russian invasion of Ukraine on the unification of western nations.

This union, however, includes neither China nor Russia, as Alex Engler reminds us from Lawfare (and Brookings Institution and Georgetown University). He explains that The Declaration of the Future of the Internet, as presented on 28 April by President Biden's new global partnership in setting rules for technology use by nations, is clearly intended for wavering democracies. China and Russia merit exclusion. The partnership was signed by 61 nations including the nations referenced in this Cyber Scene's earlier discussions. Engler adds that, although the document is nonbinding for the signatory nations, its priorities "...are admirable and reflect the diverse interests of the signatories." He notes that some executive rank officials see this as "...an alternative to the model of digital authoritarianism." Cyber Scene could devote an entire article to just this month's examples regarding China and Russia. However, Engler explains how the internet has created serious challenges for wavering democracies. He states: "At best, the expansion and modern shaping of the internet has emerged contemporaneously with this enormous challenge to the democratic world. More likely, it has contributed to it."

A thoughtful, in-depth suggestion of how to approach this challenge is offered by the Atlantic Council's Emma Schroeder, Stewart Scott and Trey Herr in "Victory reimagined: Toward a more cohesive US cyber strategy." The authors underscore the inherently divergent paths of protecting US infrastructure through US cyber superiority versus seeking "...an open cyber ecosystem." The executive summary maintains that policymakers and practitioners looking to implement the new National Cyber Strategy need to learn from the "costly lessons of a generation of counterinsurgency." Policy makers must work to not displace efforts to defeat cyberspace enemies, despite the merits of the Defense Forward being a "compelling and necessary shift in thinking." The authors insist that the latter is not the only implementation tool available. They cite National Cyber Director Chris Inglis and his deputy for strategy and research, Harry Krejsa, and pose three additions:

  1. enhance security against a wider range of threats beyond top adversaries,
  2. coordinate better with allies/partners re: protection and security, and
  3. instead of only reducing harm, refocus on the resilience of the cyber ecosystem.

They go on to say that tensions in several concepts need to be addressed regarding increased partnership with allies and partners, ensuring cyberspace consistency to achieve strategic cohesion across the board, and increasing the resilience of the cyber ecosystem. They close by saying that the US must ensure that it "...doesn't fall into a strategy of tactics, losing the war by winning the battles" as it has in counterinsurgencies, but rather, having addressed "...the dissonance between the stated policy goals of protection and domain security," proactively ensure that offensive cyber operations protect US infrastructure and interests.

Cyber Scene #70 - Fueling Cyber: Capitol, Capital

As we inch across a summer toward, one hopes, a period of lower gas prices, Capitol Hill is blasting through hundreds (433 counted by the Senate) of amendments to the National Defense Appropriations Act 2023 (NDAA 2023), to be implemented by the beginning of the next fiscal year on 1 October 2022. This is a seminal exemplar of bipartisanship, despite some amendments that are less so. Senator Jack Reed (D-RI) who chairs the Senate Armed Services Committee (SASC) delivered a bipartisan approval committee vote of 23-3 announced in late June. Senator Reed announced: "It strengthens our offensive and defensive cyber capabilities and accelerates research and development of advanced technologies like hypersonics and artificial intelligence that will give our forces critical advantages." The bill then moved to the Senate for a full vote. A two-page description of funding for cybersecurity is included in this summary. A fine-tuned description and accompanying dollar allocation is elusive, as many of the itemized allocations are identified as "an increase of X dollars from NDAA 2022." The details of the initiatives are often not for public discussion, but the Senate bottom line for NDAA 2023 is now at $817.3 billion.

Likewise, the House of Representatives is marching through the same terrain. Majority Leader of the House Steny Hoyer (D-MD) announced on 14 July that the House of Representatives was concluding review of the House's large quantity of amendments. On 17 July the House passed its version of NDAA 2023 329-101, for $840 billion reflecting a 7% increase over 2022. It also includes hundreds of amendments.

Yet, both halves of Capitol Hill will need to speak the same language with the same funding before 1 Oct. Despite the general compliance with White House voices, one of many "road bumps" will likely be "...specific restrictions in the bill (that) could complicate future US arms sales and transfers to various US allies and security partners, including Turkey, Saudi Arabia and Egypt," per Defense News above. The fact that there is underlying concurrence within Capitol Hill, and between Capitol Hill and the White House, on NDAA issues is remarkable. But the President was asking for $733.2 billion. And when inflation and even recession threaten, and funding for issues such as Ukraine's war are new to the process, "bean counting" will, well, count.

As for the substance, it so happens that President Biden has just engaged a large swath of Middle East countries as well as recent NATO negotiations with Turkey. This will require more deliberations across the two branches of US Government, once Capitol Hill can speak with one voice.

As reported on 16 July by the New York Times' (NYT) David E. Sanger and Peter Baker, the importance of Gulf alliances, to include Egypt and Saudi Arabia, is part of a greater strategy. Biden's difficult visit to Saudi Arabia, given recent divisions between the countries, seems to exemplify the late Reverend Desmond Tutu's dictum: "If you want peace, you do not talk to your friends. You talk to your enemies." As for Sanger's and Baker's view, they believe that Biden's intent was part of a much greater strategic plan. "Mr. Biden is driven by a new concern: That his forced dance with dictators, while distasteful, is the only choice if his larger goal is to contain Russia and outmaneuver China."

But Saudi gas instead of Russian gas is only part of the equation: "Perhaps the most notable of Mr. Biden's flurry of announcements with the Saudis was an agreement signed Friday night (12 July) to cooperate on a new technology to build next generation 5G and 6G telecommunications networks in the country." Sanger and Baker underscore the fact that this pushes back the Chinese, who have not been truly challenged in competition to date. Biden believes that freedom and innovation "go hand in hand."

How does this track with cyber advances? Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technologies, is quoted in this article as understanding the advantages: "Quickly build up a prototype here in Saudi Arabia, prove that it works at scale, and become a model for the region...a pragmatic, reality-based project."

As to whether this direction is driven by oil issues, the journalists cite Kori Schake, Director of Foreign and Defense Studies at the American Enterprise Institute, a think tank, who states that in addition to other Chinese and Russian issues, "...it's also the result of Biden administration policy setting up the China challenge as democracy vs autocracy which puts Saudi on the Chinese side of the ledger."

An even deeper analysis of this Middle East coalition, to include Israel, is presented by The Atlantic's Daniel B. Shapiro's 12 July report on Biden's new coalition approach. While it does not address cyber specifically, it does discuss the benefit of normalization agreements (the Abraham Accords) including Israel and secondly, the inclusion of Israel in the US Central Command (CENTCOM) which contributes to more open dialogues to include security issues, which leads us to cybersecurity. The US, however, would not necessarily take the lead on all these issues, as, "beyond the security sphere, they (these Middle East countries including Israel) are positioned to work together to seize opportunities in technology, trade agriculture, water and food security." Shapiro projects that "A US presence calibrated to play this role is far more likely to sustain ongoing bipartisan support, enabling the United States to protect its interests and meet its commitments." And thus, we are back to where we started: the need for bipartisan agreement to advance cybersecurity, inter alia.

While all the above may sound promising, consider the other side.

The Washington Post's Joseph Marks sees a more challenging cybersecurity future. In "Cybersecurity's bad and it's getting worse," Marks analyzes the last 8 years on his cybersecurity beat where cyber was a "shadowy topic." It evolved due to the Target credit card breach, which led to significant resonance with a broad swath of US shoppers. He outlines how year by year, "...cyber insecurity became a more fundamental and important aspect of US policy, politics and daily life." He is quite critical of the shortcomings of the US government and other large institutions which have not reined in the perpetrators for a variety of reasons, and projects that with the rise in technology, the future for cybersecurity is looking down, not up.

The Wall Street Journal's James Rundle and Vipal Monga would agree. In "Cyber Funding, Plentiful for Years, Faces a Reckoning" they explore the impact of the financial downturn the marketplace and the populace at large are facing. They opine that venture capital, from which cybersecurity companies benefited in recent years to fight against hacking and for tech startups to counter such cyberattacks, is now fearful of a "...recession and disruption in the wider technology market" which are starting to reduce investments in cyber. The other side of the equation, however, is that the US government needs private sector support as well, and that cybersecurity growth is in large part related to the current threat environment. Most do not expect that to end anytime soon.

Inside the US government, in addition to the cyber experts exerting influence in moving to more "forward" postures, other adjustments are well underway. The US Army is shifting some of its military manpower away from counterinsurgency commitments to doubling the strength of its active duty cyber corps, according to Colin Demarest writing for C4isrnet. Adding the National Guard and reservists, the total will rise from 8,000 to 13,000 by 2030.

From across the pond, the Economist on 2 July discusses "Venture capital: The reckoning" and the current state of investments in the tech world. The bottom line "cheerful" note is that venture capital losses are not as bad as the 2000-2001 dotcom disaster. The article maintains that 67 of 70 top mostly tech world start-ups can survive until 2025. It goes on to note:

"Now the war in Ukraine, China's purging of its tech industry and rising interest rates mean capitalism's moon-shot machine is earthbound. Public markets were the first to be hit. The Nasdaq index, which is weighted towards technology companies, has fallen by nearly 30% so far this year in a gruesome reckoning."

Readers here might assess this bull-to-bear fall as a long-term hibernation, but the Economist attempts to conclude on a high note. It addresses the fact that European and Asian venture capitalists are more self-sustaining and not as dependent on "flighty" American capital but rather have "...enduring links to local financial firms and entrepreneurs." And they are there for the long run. The article continues, noting that "...the opportunity for innovation remains vast."

The NYT's "The Morning" by David Leonhardt July 14 focuses on "the semiconductor problem"--the problem being that the US doesn't make any semiconductors. He notes that 90% of the most advanced ones--used for smartphones, military technology (for those new Army cyber corps folk, for example)--are made in Taiwan. The US does not make any. An attempt to get a bill passed last summer to jump-start domestic production passed in the House in February 2022, but the Senate's bill is stuck, and the two entities that have, as noted at the beginning of this Cyber Scene, worked together in a bipartisan manner regarding the NDAA 2023, have not come to an agreement on this bill. Leonhardt notes that there is a broad consensus of proponents including President Biden, most Democrats in Congress, and a "meaningful number" of Republicans. On Monday, 25 July President Biden met virtually with the CEOs of Lockheed Martin, Medtronic PLC and Cummins Inc., as well as labor leaders, and said the bill, which would provide $52 billion in subsidies to domestic semiconductor manufacturers, was very important to national and economic security. The article continues to suggest ways that this could be addressed before the August recess of Congress.

Cyber Scene #71 - Sizing up the Cloudburst, Above and Below

The 27 July Economist, in "Cloudburst," has a new acronym for the US tech oligopoly comprising Meta, Alphabet, Amazon, Microsoft, and Apple: "MAAMA." It singles out this Big Tech group for bearing the brunt of the NASDAQ gravity crash (cloudburst) and the vanishing of "exceptionalism" which has provided "borderless cyberspace" exclusions, internationally, of financial impositions. This feature article maintains that MAAMA's "tech titans" are now exposed to ills such as supply chain issues, protectionism, competition, shortage of workers, etc. that have been inflicted on "mere mortal" cyber companies for some time. Internet barriers in Europe and India are cropping up to "...become more protective of their citizens' data and to their own digital darlings." Except from China, MAAMA has not faced much constraint from its landlords in the past. The big question is "MAAMA mia, can you grow again?" according to The Economist.

Turning to other cyber concerns, Wall Street Journal's Dustin Volz reports on 20 August that the UK Conservative Party has decided to allow online voting this round for election of the new Prime Minister (PM) following the departure of Boris Johnson. This is the first time such voting options are available for a PM election, although lesser elections have allowed recent leaders, such as opposition party leads, to be elected through online voting. Vote by mail is acceptable for the UK too. Its National Cyber Security Centre (NCSC), part of the UK's General Communications Headquarters (GCHQ), reportedly ok'd the move.

The scale is quite different from general elections in the US, however; the UK's Conservative Party has a possible maximum vote of 160,000 for two candidates while the 2020 US presidential election involved roughly 158 million voters. In the run-up to the US 2020 presidential election, according to Volz's reporting, US federal agencies privately warned states that voting by internet would run a high cybersecurity risk and would be vulnerable to disruption. While some states allow ballots to be sent out electronically, they are returned by mail or in person.

Volz notes that no US state permits all its voters to cast a ballot online, but some allow overseas voters, military voters, or disabled voters to do so. In addition, some states send blank ballots electronically for voters to print and return by mail. The WSJ notes that some other countries including Canada and Switzerland have explored broad online voting but have either halted or curtailed it over security concerns, according to Dan Wallach, a computer science professor at Rice University who has researched the issue. Estonia is the exception, having continued online voting, backed by its status as host to the NATO Cooperative Cyber Defence Center of Excellence, but once again, the scale is quite different from the US.

Vote by mail in the US remains a contentious political issue even as the US works through primary midterm elections as you read this, with midterm elections in November 2022.

The Washington Post's Naomi Nix reports, in "In new election, Big Tech uses old strategies to fight the 'big lie'," that "...social media giants are pushing forward with a familiar playbook to police misinformation this electoral cycle, even as false claims that the last presidential election was fraudulent continue to plague their platforms." Facebook is cited as deciding to not remove election fraud claims but rather to redirect users to accurate election information. Twitter is taking another option: applying misinformation labels or removing posts, such as unverified election-rigging claims about 2020. Twitter didn't explain when it would remove tweets that violate its rules but felt that visibility of erroneous claims would be reduced.

Returning to Europe with special guest spokesperson Sir Jeremy Fleming, the GCHQ Director himself, the 18 August Economist captures Sir Jeremy's views on Russia in the process of losing the cyber info war in Ukraine. His perspective expands on what Cyber Scene has reported about earlier on the duality of a cyber and physical war. The GCHQ chief notes that it is "...a very modern digital and cyber war, as much as it is a brutal and destructive physical one." He emphasizes the development of an excellent private-public partnership supported by the NCSC: "There is now much greater co-operation between big tech companies and governments on security than before the war, a polarisation of positions on the use of cyber in war and a renewed effort to redefine cyber norms." He attributes this support and coordination in part to Ukraine's own success as an extremely effective cyber defender which, "...painstakingly, developed a digital fortress..." since Russia's annexation of the Crimea in 2014. The GCHQ Director casts this digital fortress as, "...arguably, the most effective defensive cyber activity in history. Operating under sustained pressure against a very capable adversary, this team of industry, intelligence, security agencies and in some cases, citizens, has worked side by side to warn, respond and remediate."

Referring to the importance of stealth and ambiguity as key attributes of cyber operations, Sir Jeremy simply adds that the UK's National Cyber Force (NCF) combines the strengths of GCHQ and the Ministry of Defence to build upon its "...world class cyber defence and resilience to deliver offensive cyber capabilities."

As for the US, The Hill (see below) reports that the Pentagon has just announced on 19 August an allocation of another $775 million for Ukraine's military to include high speed anti-radiation missiles, howitzers and ammunition, reconnaissance drones, armored vehicles, and ammunition for rocket systems for Ukraine's war with Russia as the conflict enters a near standstill. There was no overt discussion of cyber support, perhaps out of respect for stealth and ambiguity.

On the other hand, on 21 August The Hill's opinion contributor, Anastasios "Tasi" Arima, provides a synopsis and analysis of President Biden's 9 August signing of the CHIPS and Science Act into law. This law is successful on two planes: "Heralded by supporters as a significant investment in U.S. competitiveness and innovation, this legislation has been the cause for recent bipartisan praise -- and rightfully so. The bill injects more than $280 billion into U.S. manufacturing and research of semiconductor chips, but it's only a first step toward solving global chip production issues."

Arima discusses the origins of the supply chain issues hamstringing companies (e.g., tensions with Russia and China, the pandemic, and economic problems). Things could be looking up for those running short on titanium, waiting for your EV or even a new Toyota. She concludes: "The CHIPS and Science Act deserves its place among landmark legislation of the past quarter-century, but the government should act quickly to catalyze targeted investment in U.S. critical metal and mineral production."

The Senate Appropriations Committee (SAC) Chairman Senator Patrick Leahy (D-VT), with apparent bipartisan support from and thanks to his Vice Chair Senator Richard Shelby (R-AL) released the committee's mark on the NDAA FY 2023 bill "consistent with" the House's NDAA version. Chairman Leahy underscored the importance of wrapping this up before the end of this 117th Congressional term (3 January 2023); however, the fiscal year ends on 30 September 2022. No, a finalized version is not completed yet by both the Senate and House. It takes a big wagon to move $850 billion through the Senate, House of Representatives, and the White House. The attitude of these powerhouses appears to be conciliatory, so stay tuned for next month's update. SAC Chairman Leahy has also published a formal synopsis of the SAC's NDAA mark.

So just when things appear promising, your new worldwide 5G is showing vulnerabilities. On 9 August, Wired's Lily Hay Newman examines the "ultrafast speeds and enhanced security protections" that are also accompanied by 5G's "...own raft of potential security exposures." The analysis of these vulnerabilities, focused on Application Programming Interfaces (APIs), was to have been presented on 10 August at the DefCon Black Hat Las Vegas conference. The overriding problem is that the Internet of Things (IoT) service platforms for 5G are not standardized; each carrier, company, and country makes its own choices. A researcher at Technical University of Berlin links this issue to the release of users' data and possible access to their IoT devices. Although they can be fixed, these vulnerabilities were already identified on three continents.

Hay Newman looks at another issue to have been presented three days later: John Deere has upgraded its tractors so that farmers must override tech upgrades to avoid the precious time and trouble of turning to the manufacturer for help. The problem (seemingly always a two-sided sword) is that hackers can do this too. The company has agreed to address this problem. Interestingly, this issue appears to be resonant of the recent, wider "right-to-repair" movement urging appliance manufacturers, inter alia, to provide parts for repair instead of a complete appliance replacement.

Cyber Scene #72 - The Widening Cybersecurity Gyre

This month's Cyber Scene intends to capture a snapshot of cybersecurity past, present, and a glance at the future, stretching from major players like the US and China, to one of NATO's tiniest countries--Albania--and even some examples where participants in four countries were engaged in one big hack. This also involves private sector players.

On 15 September, the New York Times' (NYT or "the Times") Kate Conger and Kevin Roose published an overview of Uber's computer systems breach which is identified as "full access to Uber." The Times notes that the hackers contacted the Times itself as well as cybersecurity researchers and included deliveries of email, cloud storage and code repositories. The success was due to one of the hackers who convinced an Uber worker that he/she was a corporate IT person. This was Uber's second round, following a 2016 hack. And Uber is, well, nearly everywhere.

The Wall Street Journal's (WSJ) Robert McMillan follows up on 20 September by identifying the hacker group: Lapsus$, a teenage hacker group that surfaced from organizations training for youthful cybercrime.

The good news is Lapsus$ does not appear to be cashing in on this hack; it is looking for notoriety. The bad news is that recent other cyberattacks are likely linked to Lapsus$ including Samsung Electronics, Nvidia, Microsoft, and Okta Inc.

BBC News reports on September 1 that BBC News articles were stolen and re-named to be sent to Australian politicians by likely Chinese hackers, who were identified by US cyber "Proofpoint" experts supported by the US Department of Justice (DOJ). The Australian politicians, journalists and others received emails claiming to be from Australian news outlets; the victims were then directed to a malicious website. And how sure is the DOJ that these hackers are connected to the Chinese government? Very. One of the criminals, known as "Leviathan," has already been indicted for past intrusions into the UK's National Cyber Security Centre in 2021. Unlike the teen criminals seeking attention, the UK/AUS/US/CC attack is considered espionage, which dates to 2013.

These are major consumers from longstanding democracies. What about the little nations? Albania has one of the most multi-faceted recent histories of any NATO nation. This country is dominantly Muslim but features Jewish synagogues and Christian churches as well. On 7 September, BBC News' David Gritten reports an astounding headline: "Albania severs diplomatic ties with Iran over cyber-attack." For other readers not focused on Albania, this is likely due to the country accepting thousands of Iranian dissidents which seems to be the linchpin. The hackers "...tried to paralyse (sic) public services, delete and steal government data, and incite chaos." The US National Security Council said experts concluded that Iran "conducted this reckless and irresponsible cyber-attack.(sic)" The US is supportive of Albania as a NATO nation, and plans "...to hold Iran accountable."

The UK's reaction is similar to that of the US. The 14 September Economist's "Iran's cyberwar goes global" proceeds to annotate earlier, simultaneous, and ongoing Iranian cyber offensives. The planned summit/rally in Albania led by the Iranian opposition "movement-cum-cult" was canceled due to hacking by Iran. One of Iran's diplomats in Vienna had been convicted by a Belgian court in 2021 for planning to bomb such a rally.

Iran's simultaneous cyberattacks in Israel are far more forceful. Bilateral "...sparring is often violent and also, increasingly, digital." These attacks, begun in 2020, have continued to the present. The targets include water supplies, steel plants, fuel distribution, and vulnerable and critical systems that remained connected to the internet. The bottom line looks like this: "These campaigns of sabotage, subversion and propaganda represent some of the most aggressive competition conducted over computer networks to date....and is unlikely to abate."

The Times' David Leonhardt on 26 September sums it up with "Iran is aflame with protests." He explores five significant issues that are fueling these fires, including Iranians firing on civilians. He cites the current dissent as the greatest in a decade, exacerbated by the 16 September murder of a 22-year-old Iranian whose head scarf did not completely cover her face. Leonhardt goes on to cite colleague David E. Sanger: "The technology available today makes it easier for Iranians to communicate in secret than ever before. That's why the Iranians are trying to bring down the whole internet inside Iran. That's real desperation."

Both articles focus on Iran, but China also continues to be on the White House agenda in a very serious manner. David E. Sanger reports President Biden signed an executive order to address Sino-US technology investment, limiting access to data on private American citizens. The implementation is managed by the Committee on Foreign Investments in the United States (CFIUS) and expands CFIUS' remit on what it can control; it may now consider "...whether a pending deal involves the purchase of a business with access to Americans' sensitive data, and whether a foreign company or government could exploit that information." The initial thrust concerns inbound investment first, particularly since China orders, by law, its citizens to help intelligence agencies, usually in secret. But Sanger believes "outbound investment by American companies in foreign nations" might be considered as well. Critical technologies in the mix include microelectronics, AI, biotechnology, biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies. All these technologies figure in the "Made in China 2025" strategic plan. And the bottom line? "The order also authorizes the committee to block any deal that erodes United States cybersecurity."

Also in the picture, The Hill, on 21 September, reports a call by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), co-chairs of the Cyberspace Solarium Commission pushing for the entire Cyber Diplomacy Act to be passed by the Senate. It was passed last year by the House. Some of the issues have been implemented at State Department, but the Act itself has been sitting in the Foreign Relations Committee waiting for a vote. On a positive note, the Senate confirmed Nathaniel Fick in mid-September to head up, as the first cyber ambassador-at-large to do so, State's Cyber Bureau. The bipartisan confirmation was unanimous.

Last but not least, on 23 September the Washington Post's Tory Newmyer reports on the Department of Defense's Defense Advanced Research Projects Agency (DARPA) which is taking on a "...sweeping review of cryptocurrencies to assess threats to national security and law enforcement posed by the rise of digital assets." This will be a year-long project. There have been related advances by Treasury Department and the Justice Department. The latter has 150 prosecutors to coordinate crypto-related investigations and prosecutions. Blockchain technology was one example of an early overlap of cryptocurrency issues and vulnerabilities. However, DARPA is devoted to its "R"-Research--but has many partners who can coordinate other related issues.

DARPA should be great at assessments and collaboration; this comes from the research treasure trove that assisted at the birth of the internet.

Cyber Scene #73 - Cyber Armor Up; Chips Down

The world seems to struggle more of late than in happier, global-minded days. The Russo-Ukrainian-NATO-supported war continues to play out--a rousing of international support and NATO strength to Ukraine. But short of this armed combat, the rest of the world is withdrawing.

The U.K. has chosen Rishi Sunak as Prime Minister as reported by Bloomberg on 24 October in "Sunak to Be Next UK Prime Minister." Italy's new leader comes with some leadership issues, and the US is dealing with mid-term elections in early November that could lead the country to turn more inward.

In the cyber world, this inward focus is even greater. Supply chain issues, political divides and other perturbations have resulted in a recalculation of what needs to be done "at home." In addition to a huge hit to "Big Tech International" and its investors, large and small, two countries particularly are sorting out new approaches to the cyber home front, be they digital, political, domestic, financial and/or many other variations. These countries are China and the U.S. Their domestic cyber strategy, nonetheless, impacts their global clout.

China, according to the Washington Post on 23 October in "China's Communist Party hands Xi an endless rule," has just assured the world that things will not change for the better, from a Western perspective, for at least many years to come. Post reporters Lily Kuo and Christian Shepherd state: "Xi was anointed Sunday as China's uncontested leader for five, if not many more years, as he concentrates power to a degree not seen since the days of Mao Zedong and Deng Xiaoping and positions his country defiantly against the West." Xi had terminated presidential term limits in 2018, so the 69-year-old may be with us for many years and terms. The Post goes on to underscore that Xi is a proponent of "self-revolution" and becoming "all-conquering." This is a hardened and seriously upfront approach from China's 2050 White Paper aspiring quietly, stealthily, to "have an influence."

On the other side of the Pacific, much depends on the mid-term elections as to what may happen on Capitol Hill and its influence on the 2024 Presidential election. But the following 2 years in the White House are set in stone, and although Nixon-Kissinger opened China to the West, it is likely that Xi's policies will further estrange these two mega-countries.

(N.B. This Cyber Scene will not capture cyber activity on the Hill, as all candidates for representatives and one-third of the senators are running hard for the looming elections.)

The Economist's 15 October issue is laser focused on the Pacific getting wider in its overarching analysis of "A new order." It casts President Biden in tech geopolitics as "No more Mr. Nice Guy." This article states that: "On 7 October President Joe Biden's administration announced the most sweeping set of export controls in decades. The new rules cut off people and firms in China from advanced technologies of American origin, and from products made using them." Included are chips, software to advance them, and tools to make them. Even American techies cannot circumvent these rules. As an example of the impact this may have on China, the U.S. National Security Advisor Jake Sullivan noted that recent U.S. export controls have forced Russia to "use chips from dishwashers in its military equipment, over time degrading its battlefield capabilities." There may be judicial challenges within the U.S., rigid enforcement may lack necessary funding, and other countries may not concur due to economic pain. The pain would be great in the U.S. as well: "China imports $400bn-worth of chips a year" from the U.S. That is real money by any measure.

But there is more. The global market for computer chips, according to the 8 October commentary from the Economist's Schumpeter "The cloud is the fiercest front in the chip wars," is $600bn. This issue is analyzed in the context of the cloud, the data centers where the data is stored, and the impact of growth and complexity of the market for server processors.

In addressing how the new controls will be enforced, the Times' David McCabe on 20 October in "US Details How it Plans to Police foreign Firms" provides an answer. The Committee on Foreign Investment in the United States (CFIUS), as was discussed recently in Cyber Scene, is positioned to levy more stringent penalties if foreign companies fail to adhere to the new guidelines. This answers, to some extent, the question of how the Commerce Department would have the clout, manning and funding to do so. Another significant player is the Treasury Department, which oversees CFIUS. The Assistant Secretary for Investment Security underscores that compliance with the new regulations is clearly "not optional."

Other Asian chipmakers are impacted by this, but chip and semiconductor champions, such as South Korea's Samsung and Taiwan's TSMC are not equally affected. Filed in Singapore, the Economist's 1 October "Painful memory" distinguishes between "logic" chips processing information, and "memory chips" storing it. South Korea's memory chips have taken a bigger fall than Taiwan's logic chips. Bloomberg's 22 October "TSMC Suspends Work for Chinese Chip Startup Amid US Curbs" reports that TSMC has already had a round with Biren Technology, with halts to ensure that Taiwan does not run amok with new U.S. constraints and push back from the Chinese-based silicon startup.

Post reporters Jeanne Whalen and Aaron Schaffer's "Taiwan ...says it will abide by U.S. rules" assert that Taiwan has officially accepted, as of 21 October, the new U.S. rules governing semiconductors and their minions.

It is noteworthy that the U.S. strategy backs into using supply chain to "throttle China's chip development," according to Wall Street Journal's Karen Hao and Jemal R. Brinson. The text is even stronger, reporting the U.S. aim "...to strangle China's advanced-chip development." The reporters provide the context of recent years seeing various countries that specialize in chip-making. But the U.S., which leads in some of the most critical parts of the chain, is now stepping back. The Commerce Department--with notably Treasury, State, the National Security team, CFIUS and the President--is especially focused on China's semiconductor sector which has had access to critical inputs for making advanced chips. This is a new approach. Hao and Brinson's WSJ article also includes U.S. early chip supply chain charts, which the U.S. dominates regarding chip design; wafer fabrication; and assembly, packaging and testing. The restrictions also encompass "U.S. persons"--any U.S. citizens, permanent residents or people who live in the U.S., and American companies which must no longer allow "remaining avenues for China to obtain chip-making resources." The WSJ notes that it found that 16 Chinese companies had about four dozen American citizens in positions of senior executives. The Journal queries whether they may have to choose between company or country allegiance.

As alluded to earlier, this change is not restricted to the U.S. and China. The spillover is serious. The Economist's 15 October "Special Report: The world China wants" delves into why both the U.S. and the EU are worried. U.S. Secretary of State Blinken is cited as saying that globalization, which is likely being reversed, has been particularly advantageous to China, but that China is now trying to reshape it. The Biden administration calls this direction "asymmetric decoupling," as China seeks to dominate key technologies from electric-car batteries to quantum computing. Blinken believes that China plans to be "...less dependent on the world and the world more dependent on China." The EU is also concerned. Even during the Cold War, the U.S. and the Soviet Union did not trade with each other. China's accession to the World Trade Organization in 2001 was embraced by the West at that time. The article, in depth, explains how that has all changed.

Cyber Scene #74 - Chips Ahoy on Cyber Thursday Horizon

As a follow-up to the previous "chips down" discussion on Cyber Scene, rather timely work now comes to surface with a new "shore" approach. For those of this readership who have enjoyed a "friends-giving" celebration last week, you will discover a cyber security rendition as you read this Cyber Scene.

Big Tech's expansion following the demise of the Cold War propelled a laissez-faire economic world grounded in globalism. Now, things have changed. Relations are heating up...rather, freezing, as the U.S. and China are struggling to speak diplomatically to each other. Although it's still partially "the economy, stupid," the Russian, Chinese and occasionally Iranian reach into Western cybersecurity has changed the game. Protectionism and its sanction minions are moving back to the front page. Cyber climate change is creating icebergs in some seas.

As the Berlin Wall disintegrated during the 1989-1993 presidency of George H. W. Bush, Michael Boskin--the Chair of the Council of Economic Advisors--joked about no big difference between semiconductor and potato chips, as captured by The Economist in "Biden's billions." The article pursues U.S. President Biden's $52 billion Chips and Science Act passed by Congress while Europe and Japan head in the same direction. "Onshoring" is the new terminology for bringing it all back home. The Economist article notes that nearly the same funding for the EU--$49 billion--will be used for cutting-edge chip-fabrication plants, citing both security and job creation as the drivers. Some economists cited in this article are "doubtful" about the success. On the other hand, the May 2021 Economist article entitled "Building a Boom" cited a seminal study by the Chicago Federal Reserve's late David Alan Aschauer on the success of infrastructure trickledown economics supporting job creation.

On the security side of the issue, there is less division. The article states: "More than 90% of advanced chips, many needed for manufacturing weapons, are made in Taiwan--far closer to China than is comfortable for the West." It also adds that as the U.S. becomes more technologically intensive, it is more productive. This "spillover" to innovation from a strong manufacturing base benefits research and development if software is not the only connection. The software connection alone could result in fewer jobs.

The Economist returns to this issue on 27 October in "Adieu, laissez-faire," acknowledging that despite serious economic issues, the White House "...does seem to be having some success in fusing security and economic objectives, especially regarding China." This is principally attributable to China's support for Russia re Ukraine, and its "zero-covid policy." The article does point out that despite the huge economic problems, "That, however, is to overlook the changes he (Biden) has ushered in with three big pieces of legislation: the $1.2 trillion infrastructure law, a $280 billion semiconductor-and-science act, and $390 billion climate-spending package." It goes on to note that these three are cast as "spending bills" due to partisanship issues that make it "...almost impossible to get any other measures through Congress." Given the recent mid-term election returns, it appears that the House and Senate will be split for another two years. What The Economist did not address was the fact that elements on the Hill, to include the Cyberspace Solarium Commission (CSC), are bipartisan. The co-chairs are Independent Senator Angus King (I-ME) and Republican Representative Mike Gallagher (R-WI), with Democratic support from both the Senate and House as well.

Moreover, this approach is not a boomerang to strict protectionism, casting globalization into the dark blue sea. Rather, the administration has adopted "friend-shoring"--a means of strengthening trade with allies and keeping incalculable nautical miles from adversaries, as discussed in the Economist's "The Coming Storm" on 27 October. As was mentioned earlier, high-end semiconductor manufacturing is viewed as "...vital to national security," according to the Center for Strategic and International Studies' Gregory Allen, a former Pentagon AI expert. U.S. and Chinese officials are on speaking terms, but "just."

China is not the only issue. Cybersecurity safe havens exist worldwide, and "friend-shoring" countries continue to be attacked. The following is a brief synopsis of nation-victims reported during the last 4 weeks.

Russia's invasion of Ukraine spills over into all NATO countries and then some. The Economist's "The War in Ukraine: Finding an ending" on 10 November cites "grey" cyber-related threats: sabotaging internet connections to the West, conducting bigger cyberattacks and interfering with communications satellites.

Cyberattacks against Australia's second-biggest telecom company have hit current and former users--about 40% of the country's population. A phone company, a health insurer, an online marketplace, and an online wine marketer have also been breached. Alastair MacGibbon, the country's former national cyber-security adviser, suggests that it is Russian hackers who "cause fear, uncertainty and doubt" toward countries supporting Ukraine, as reported in the 3 November Economist's "Once more unto the breach." The companies themselves are feeling the pain: many of their customers are leaving.

Sometimes the hacks are the result of an individual's bad behavior.

In the first instance, let us look at personal behavior, which the Economist in 1 November's "The home office" avers is the real problem, "...as anyone in an IT team can attest. Powerful folk tend to think that their time outweighs whatever risk the nerds fret about. They are wrong." The UK exemplars of what not to do focus first on the very recent former Prime Minister, whose personal phone hack included a year of her messages, reportedly including Ukrainian arms discussions, and second on her very recent, and now former, Home Secretary, who found it cumbersome to use her work phone and easier to download official documents to her personal device to use them during video calls on her official phone. These behaviors are not news to this readership. But recent very senior examples remind us that dismissiveness of strong anti-hacking procedures remains a serious, but correctable, weakness.

Sometimes the weakness is a result of could-be-better business practices.

In Ireland, where Meta, Google, Twitter and TikTok have set up their EU hubs, the Data Protection Commission has imposed more fines in response to pressure from privacy groups who wish the EU regulators were more aggressive, according to the New York Times' 28 November "Meta Fined $275 Million." Meta now has reached $900 million in fines since last year. TikTok is also under investigation. Ireland is responsible for enforcing EU data protection rules for the entire EU since the 2018 General Data Protection Regulation (GDPR)--a recurrent subject of Cyber Scene.

France has its own problem with Twitter, as reported by the Washington Post's Annabelle Timsit on 22 November on France's regulation of Twitter. France's digital regulator, ARCOM (the Regulatory Authority for Audiovisual and Digital Communication), has asked Twitter to confirm its ability to meet French legal obligations to moderate harmful content and misinformation. France is particularly worried about manipulating information and disseminating online hate speech. If Twitter cannot comply, fines of up to $20.5 million or 6% of global revenue for the previous fiscal year are at risk. The French head of Twitter announced last week that he had left (without clarification of quitting or being laid off).

In addition to the GDPR, the Post article mentions a new "sweeping piece of legislation" from the EU--the Digital Services Act--that imposes transparency restrictions on tech companies. The Post cites a New York Times editorial of 18 November by Yoel Roth, the former Twitter chief of Trust and Safety, confirming that "Regulators have significant tools at their disposal to enforce their will on Twitter and on Mr. Musk," while referencing the new Digital Services Act.

Two ongoing developments show some progress in bolstering U.S. cybersecurity.

Forbes' Councils Member Greg Murphy reminds us in 22 November's "Revisiting the U.S. Cyberspace Solarium Commission Report" that serious work continues on the Hill. He underscores the value of the U.S. Cyberspace Solarium Commission (CSC) work to secure our national supply chains and develop a strong cybersecurity workforce. As discussed in earlier Cyber Scenes, the CSC has succeeded in having had many, but not yet all, of its recommendations acted upon. The Forbes article goes on to call for more support for the nation to confront new threats.

Last, but not least, is Lawfare's Eugenia Lostri's 18 November discussion of the White House's second meeting of the International Counter Ransomware Initiative (CRI), this time, in person, in Washington D.C. Thirty countries joined as of October 2021, with the intent of a whole-of-government leverage of a range of criminal, diplomatic, economic and military capabilities to combat ongoing ransomware threats. Now one year old, CRI has divided into five groups, chaired as follows: Lithuania and India--resilience; Australia--disruption; the U.K. and Singapore--financial mechanisms; Spain--public/private partnerships; and Germany--leveraging diplomacy. Thirteen private companies were also invited. Ms. Lostri discusses the successes and the challenges; she particularly cites as the greatest challenge that the 3 safe haven countries (China, Russia and Iran) are non-members, and concludes that "the CRI's most concrete deliverable seems to be the future establishment of a task force." It is, at a minimum, a foundational direction.

Cyber Scene #75 - Cyber Security: Past, Present and Future

As the New Year begins, many issues about cyber failures or successes in 2022, the status of cybersecurity now, and glimpses of the probable future are well-timed for Cyber Scene consideration. This is a more strategic than tactical view which ideally may inform this readership in reviewing your own role as 2023 arrives.

Capitol Hill has led the way, finally establishing this linkage from past, present and future in passing the $1.7 trillion "spending bill," officially the 2023 Omnibus Appropriations Bill, just under the deadline that would have shut down the U.S. Government. This governmental accomplishment offers a holiday gift of progress in balancing Congressional "pork barrel" issues with national cyber security domestic and international issues with global impact. Cyber was in the shadows of Ukrainian President Zelensky's in-person address to the joint House and Senate audience on the eve of the Senate vote. Capitol Hill found support for both their constituency and more strategic and overarching issues, with the Senate voting 68-29 on 22 December, and the House 212-205 on 23 December.

Cyber security has indirectly influenced the hoisting of a unifying flag. While hackers have occasionally executed politically intended harm, those seeking ill-begotten money are not so discriminating. Everyone is at risk.

Foreign Affairs' Amy Zegart examines "Open Secrets: Ukraine and the Next Intelligence Revolution," which bridges the gap between the past analysis of Russia's failings in the invasion of Ukraine and the future impact of new technology. She notes that there has been a return to Marxism-Leninism, but the tech world is, well, in another world. Digital connectivity, she maintains, is "upending the world," and notes that Artificial Intelligence (AI) is likely to eliminate 40% of jobs globally in 25 years. President Putin himself said: "...whoever leads in AI development will become the ruler of the world." Zegart goes on to note that new technologies are driving renewed war in Europe, terrorist attacks, and cyberattacks and will determine "...who will be able to understand and chart the future."

A corollary of sorts to Zegart's concerns is The Economist's 30 November study of Russia's cyberwar on Ukraine, which assessed the following: "The most important reason for that was Ukraine's defence." Lindy Cameron, head of Britain's National Cyber Security Centre (NCSC) reckons Russia's onslaught was "probably the most sustained and intensive cyber-campaign on record." But as Sir Jeremy Fleming, her boss at Government Communications Headquarters (GCHQ), Britain's signals-intelligence agency observed in an essay for The Economist in August, Ukraine's response was "arguably...the most effective defensive cyber-activity in history." Ukraine was ready and had a contingency plan in place. The report goes on to cite NATO's top intelligence official, David Cattler, comparing Russia's use of malware against Ukraine as more destructive "than the rest of the world's cyber-powers combined typically in a given year." The article concludes by saying that, like the Allied decryption of the Enigma machine, "the ultimate impact of cyber-operations in Ukraine may remain obscure for years."

However, some 2022 success is coming to light now, according to both the Washington Post of 22 December 2022 and The Hill on 12 December 2022.

The Post's Ellen Nakashima reports on routine use of offensive cyber operations very recently by the U.S. Cyber Command (CYBERCOM). Unlike the many years that passed before the decryption of the WWII Enigma was publicly revealed, Nakashima now cites the takedown of a Russian troll farm's digital platform to prevent hacking into U.S. 2018 midterm elections. In 2020, CYBERCOM also engaged in thwarting the Iranian Islamic Revolutionary Guard Corps (IRGC), which projected sending threatening emails to U.S. voters. In 2022, CYBERCOM's Cyber National Mission Force (CNMF) has been involved in addressing infrastructure interference. General Paul Nakasone, Commander of CYBERCOM and the National Security Agency (NSA), noted that they followed a "...'campaign plan' to deprive the hackers of their tools and networks." The Post continues, describing "hunting forward" and international collaboration in exchanging digital warning indicators.

The Hill's journalist, Ines Kagubare, addresses "persistent engagement" from the perspective of international collaboration. Not only Ukraine, but other Eastern European countries as well as close allies such as the U.K. pooled their success in countering destructive cyberattacks from Russia or at least "mitigating their impact." The article cites several occasions where "hunt forward" teams sent operators to countries near Ukraine and Russia to help cyber defenses and networks against threats. Kagubare interviews cyber experts from academia and tech firms who explain why they want to deconstruct malware before it spreads. She also confirms General Nakasone's comments on offensive cyber operations to support Ukraine but does not discuss details. However, she does refer to an interview with the UK's Sky News where Nakasone refers to "...the full spectrum: offensive, offensive and information operations." She closes by including a commentary by James Turgal, Vice President of the cyber company Optiv, who states: "Russia is still waging a very active cyber war against Ukraine and others; we're just collectively defending better."

But beyond Ukraine, the cyberwar continues, sotto voce. The Economist on 12 December considers Sino-American business relations as "frosty" on both sides of the Pacific, well, like an increasingly less-submerged iceberg. Inside the Washington Beltway, U.S. regulators are active in the U.S. Commerce Department: it had added 36 Chinese companies to its "entity list," meaning that business with them is "near-impossible." A Congressional bipartisan group suggested banning TikTok; it has 100 million U.S. clients, and a bipartisan group of U.S. senators introduced a bill to list Huawei and other Chinese telecoms on Treasury's "specially designated nationals" list. Being "special" is not a good thing. It would close these Chinese companies' access to U.S. banks, freezing them "...out of the global financial system." While these initiatives are further evidence of bipartisanship in the U.S., it does not endear the U.S. to China, nor vice versa. Interestingly, President Trump and President Biden, in a retro-bipartisan surprise of sorts, have both been keen to blacklist Huawei. Biden has added China's most advanced memory-chip maker to the list. The article closes by stating "Make no mistake: technological decoupling between the world's two biggest economies is proceeding apace." A version of this article also appeared in The Economist's "The World Ahead 2023"--a 146-page compendium of what one might expect for this new year. Despite the progress across the U.S. cybersecurity world, Andy Greenberg from Wired reports on 18 December that cyberattacks have not ceased: Chinese hackers are still at it.

Lastly, the first-ever National Cyber Security Director, John "Chris" Inglis, has announced his resignation from the position that was newly created upon the arrival of the Biden Administration in 2021. According to the CNN announcement, Inglis has requested that his deputy step in upon his departure, seemingly ad interim, to further develop the 70-strong staff that Inglis has created during his term, as he started with a confirmation and title alone. The exact timing has not been released.

Given the circumstances, it would seem that U.S. cybersecurity operations, defensive, offensive, and forward-looking, have made progress despite issues with tech taking a hit and globalism taking a big step backward. It will be most interesting to take stock of this state of cyber, domestic, and foreign, next year as we look back on 2023.

Cyber Scene #76 - Cybersecurity New Math: Folding, Holding, and Anteing Up

The start of 2023 has been multifaceted. Beyond the unusual issues on Capitol Hill of turnover and leadership changes, and tussling with a debt ceiling of $31 trillion, the cyber world itself has seen considerable action of three sorts in the year's first month: a very recent loss of thousands of Big Tech cyber workers, examples of cyber companies in abeyance and under scrutiny, and instances of more agile endeavors among cyber players that include shifts to new perspectives and approaches. Let us start with the "folding" and save the, well, better, for last.

Several of the greatest cyber institutions have cut back their workforce significantly most recently. The 20 January Washington Post's (the Post) reporters Gerrit De Vynck, Naomi Nix, Julian Mark and Ellen Francis combined to deliver a composite figure of very recent tech layoffs: a stunning 200,000. The reversal, from the beginning of higher tech and the expansion of remote work at the onset of the pandemic in 2020 to the present, is somewhat startling to those who have just been fired.

The Post goes on to report that Alphabet (Google), Meta (Facebook), Amazon, Salesforce, and Microsoft all find themselves in a similar situation. Alphabet CEO Sundar Pichai sums it up: "Over the past two years we've seen periods of dramatic growth. To match and fuel that growth, we hired for a different economic reality than the one we face today." Several tech firms expect additional tightening and have alerted their workforce to the possibility of continued cuts. It is not sitting well with those let go. Instead of pink slips on one's desk, some of the messaging was terse and delivered overnight by email. Alphabet's Worker Union's executive chair, Parul Koul, found this action clearly unacceptable: "Today, 12,000 of our co-workers woke up to devastating news. In one email Sundar Pichai has taken away the livelihoods of thousands of workers. This is egregious and unacceptable behavior by a company that made $17 billion dollars in profit last quarter alone."

Despite inflation, deglobalization, and a huge drop in tech stocks of about 30% in 2022, the layoffs boosted Google's stock 4% upon notice of the firings.

The impact on the workforce is discussed by the 20 January New York Times' (NYT) Tripp Mickle, reflecting the difference between younger and older tech folk in reacting to the layoffs. The massive reduction in the workforce also surfaces in rising issues such as noncompete agreement restrictions for those who leave their companies, willingly or not.

Meanwhile, this drum roll of hackers continues; the breach goes on for T-Mobile, PayPal, and a crypto currency firm. The T-Mobile problem, as reported by 20 January Wired's Lily Hay Newman, cited the latest problem that was not resolved by $150 million spent in attempts to do so. The Securities and Exchange Commission (SEC) filing explains that "... a bad actor manipulated one of the company's Application Programming Interfaces (APIs) to steal customers' names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details." Approximately one third of T-Mobile's U.S. clientele of 100 million was impacted. The breach, which occurred in November 2022 (the 5th such breach since 2018), came to light on 5 January 2023.

Forbes' Davey Winder on 21 January reported that the hack on U.S. accounts was indirect: "The irony here is that it will have been breaches at other services that were behind the large-scale credential stuffing attack, which led to nearly 35,000 PayPal customer accounts being accessed by an unauthorized third-party criminal actor." The example highlights the interlocking nature of large companies that, along with their clientele, may be indirect victims.

The SEC was also involved in singling out two crypto currency businesses, Genesis Global Capital and Gemini Trust (owned by brothers), for dealing with unregistered securities. According to the SEC Chair, Gary Gensler, Genesis and Gemini bypassed "...disclosure requirements designed to protect investors" per 12 January (NYT) as reported by journalist Ephrat Livni. The SEC said that eventually Genesis stopped, and its clients lost $900 million. The SEC oversight is notable because the crypto industry has been, seemingly intentionally, as unregulated as it could be.

The view from across the pond is similarly challenging. As reported by the British-published Economist on 12 January, the U.S. National Security Advisor, Jake Sullivan, reflected a much tougher approach to global technology. Sullivan is cited as saying that being the tech leader was not enough. Rather, the U.S. "... had to pursue 'as large of a lead as possible' in chipmaking, quantum computing, artificial intelligence, biotechnology and clean energy. To that end, America needed not only to welcome clever people and foster innovation, but also to impede technological advances in countries like China and Russia." It appears that not only the Tech Titans, but countries as well have reset their strategic planning.

On a marginally happier note, TikTok, trying to hold its own, is in the throes of attempting to win over U.S. support for a continuing presence in the U.S., according to the 16 January Wall Street Journal's Georgia Wells and Stu Woo. The Chinese-owned company is proposing more transparency, and particularly sharing its algorithms with U.S. regulators. It has also shared with the U.S. its $1.5 billion plan to reorganize its work in the U.S. The many issues before TikTok are still under negotiation with the Committee on Foreign Investment in the U.S. (CFIUS). There has been recent talk about TikTok's reach on Capitol Hill: Congress has proposed a bill to ban TikTok in the U.S. altogether. Representative Mike Gallagher (R-WI), the House of Representatives representative to the Cyberspace Solarium Commission (CSC), is worried about Chinese influence on videos on the platform. Along with his co-chair Angus King (I-ME), he has welcomed the omnibus spending bill passage in the last 2 days of 2022 for funding to implement many of CSC's programs.

This is followed by a holding pattern on the European Union side with their examination of the proposed Broadcom acquisition of VMware for $61B. The European Commission, the EU's antitrust watchdog, is launching an investigation to assess whether the merger would hinder competition in the EU server market. The U.K.'s Competition and Markets Authority is also interested. The U.S. Federal Trade Commission (FTC) is also looking into this, so regulatory eyes are fixed on this deal from both sides of the Atlantic.

The third group is the "moving up" category. Despite the belt tightening of Big Tech generally, there are optimistic examples of stepping back and exploring another approach. As reported by Defense One, the omnibus spending bill, which was passed in late December 2022 and signed by the President on 30 December, totals almost $1.7 trillion. Here is a thumbnail sketch of what is included in the bill as captured by 21 December Defense One's Edward Graham and Kristen Errick. The bill includes "... funding for a wide range of technology, cybersecurity and space initiatives across the federal government, from enhanced efforts to counter cyber threats, to additional funding to accelerate the domestic production of new technologies and spur on the adoption of innovative next-generation solutions." The details, like the elevation of the Cyber National Mission Force in late December 2022, as reported 20 December by C4ISRNET's Colin Demarest, are broadly not available to the general public. But the Pentagon and Cyber Command are well versed, and now have a subordinate unified command comprising 39 joint cyber teams with CYBERCOM as its parent. C4ISRNET reports that the Pentagon asked for $11.2 billion for cyber.

The U.S. is not alone in anteing up regarding cyber. BBC's Paul Kirby reports on 19 January that French President and current EU chief Emmanuel Macron is also planning to increase military funding from EU 295 billion to EU 413 billion. Macron mentions that with the Russian invasion of Ukraine, there are no more post-Cold War "peace dividends." Of particular interest is the 60% increase in military intelligence, "...adapting to 'high-intensity' conflict with investment in drones, cyber-defence and improved air defences." He added that "We must not do the same with more; we have to do better and differently. We need to be one war ahead."

Closer to home, let us return to our own cyber leaders. Microsoft, which is among the Big Tech players noted at the beginning of this Cyber Scene, was laying off thousands of its workforce. One door now open to creativity is ChatGPT, which Microsoft believes can reach the masses thanks to AI. Will Oremus, from the 21 January Post reports that CEO Satya Nadella is "...making a big bet that they can be something much more than: the future of knowledge work." Big Tech does think big. The CEO forecasts that eventually, all Microsoft products will include some of the same AI capabilities used for ChatGPT and other search engine applications. The analysis goes on to point out that "...a new crop of risk-taking upstarts has stolen (Big Tech's) thunder; Now that they've caught on." Big Tech is playing catch-up. Few are playing it harder than Microsoft.

Cyber Scene #77 - Take 2: The Red Balloon Around the World in X Days

The world is amused and threatened of late by the new elephant in the room (or flying Dumbo): the red balloon, discovered above in commanding digital heights. The future is yesterday, and the U.S. has many compassionate continents worrying about Chinese overhead access as well. It is likely that China did not intend, in fact, for any discovery of their "oversight" and certainly not on the cusp of U.S. Secretary of State Antony Blinken's now postponed trip to China. It also seems that China was not in control of the exact flight path, and certainly not its descent. But here it is, shot down along South Carolina's coast and sending countries around the world examining their own skies.

On 14 February, an analysis of China's "balloon blunder" by the Atlantic Council's Mark Parker Young underscores horrid timing which "...stemmed from both operational miscalculations and bureaucratic shortfalls." While the article notes that the country's internal decision-making is "opaque," he believes that "...the composition of China's national security apparatus highlights factors that probably contributed to the misjudgment." He dismisses as not/not credible China's denial of any PLA intelligence collection and its claim that the balloon had been blown off course to North and South America.

Internally, China's stove-piped structure led the PLA to not collaborate with its leader Xi, who had been working with the Biden administration on this "carefully choreographed series of exchanges." Young blames the PLA for not coordinating and cites their lack of posting senior military overseas, as the U.S. does, to understand the global picture. The "embarrassing exposure," Speaker of the House Kevin McCarthy's reported plans to visit Taiwan, and China's dismissing the U.S. warnings of Russia's invasion of Ukraine may raise Xi's concern about the "uncertainties of aggressive military actions."

As reported on 12 February in the Economist's "What Tencent's rebound says about prospects for China's big tech," China's mega cyber company dropped in value from $900 billion to $250 billion over the last two years. The initial success was due to the company increasing video games--exceedingly lucrative--and decreasing semiconductor work. Leader Xi wants to reverse this. The downside now is that "...closeness with the state could hurt foreign earnings, for example from Tencent's international gaming business. At home, cyberspace, media and antitrust agencies have gained new powers--and are willing to wield them. Censorship, always part of Chinese life, is intensifying as leader Xi entrenches his strongman rule."

On the other side of the Pacific, the U.S. is increasing its warnings about Chinese threats. The Hill on 16 February reported the statement of the FBI's Cyber Division Deputy Assistant Director, Cynthia Kaiser, at a Secretaries of State conference that Chinese hackers are a "growing threat" and that given their activity in the 2022 midterm elections, "significant Chinese cyber activity" is to be expected in 2024.

In the same 16 February edition of The Hill, an overview by the Departments of Justice (DOJ) and Commerce (DOC) addresses technology threats from both Russia and China. The DOJ has the lead for the Disruptive Technology Strike Force, which includes experts from the FBI (see above), the Department of Homeland Security (DHS) Investigations, and 14 U.S. attorneys' offices from 12 metro areas, to attack cyber actors, prevent U.S. technologies from acquisition by adversaries, and strengthen U.S. supply chains.

On the home front, the Washington Post on 9 February published an Editorial Board Opinion on how Biden's challenge to Congress to rein in Big Tech might play out successfully. The most interesting angle is the fact that, as in the past, interest in Big Tech was a unifying force in Congress. But now this occurs for the opposite reason: right and left are not admiring Big Tech together, but trying to work, as bipartisans, to reform it. From this point on, there are, of course, expected disagreements. Biden has recently called for reform on three issues: Section 230 of the Communications Decency Act of 1996, antitrust, and privacy. The first, Section 230, appears as a chasm which widens rather than finding common ground and is troubled by political, logistical, and constitutional challenges. The second, antitrust, was discussed by Biden in his State of the Union address, proposing that big online platforms should stop giving their own products an advantage. (There is more to follow shortly re antitrust.) The opinion piece notes that, "...no matter the reason for a lawmaker's animus toward Silicon Valley, limiting the companies' power seems to be an appealing solution." The third issue--privacy--is viewed as the "most likely to succeed." Biden broached the need "...to stymie technology companies in the 'experiment they are running' on kids 'for profit.'" The Editorial Board believes that a new federal privacy law that covers everyone (especially kids) "...should be a slam dunk for this Congress." One issue--data collection--relates to how nearly everyone plies the internet with mounds of personal information. Biden is calling for Congress to impose "stricter limits on the personal data these companies (Big Tech) collect on all of us." The article closes by saying that although there are additional considerations regarding state vs. federal laws on such collection, "...an aggressive assist from the White House...might be the move that wins the game."

The first issue--Section 230--is pursued by The Economist on 16 February in a literary start. It cites author Jorge Luis Borges' 1941 "Library of Babel" whose books full of everything are so overwhelming they become "gibberish." This may apply to the Supreme Court's consideration of Gonzalez v Google and Taamneh v Twitter, which will reach the Court just about when you will be reading this Cyber Scene. The cases involve cracking down on algorithm online platforms for curating purposes. The law of Section 230 provides that providers and users of an interactive computer service are immunized from liability for harmful posts created by other people. It also allows for platforms to remove posts that are "obscene...excessively violent, harassing or otherwise objectionable--even if they are constitutionally protected." This is hugely problematic. Both Presidents Trump and Biden initially called for repeal, but now Biden finds reform vice repeal a better option. Given the violence and death involved in both YouTube-related lawsuits cited above, voices are speaking loudly from many directions--the Anti-Defamation League, Sen. Ted Cruz (R-TX), law professors, Big Tech entities of course, and Thomas Wheeler, the former chair of the Federal Communications Commission who worries about tech companies' freedom where "conduct becomes content; Somebody has to draw a line." The big question is where.

Back to antitrust, the Federal Trade Commission (FTC) has been actively working on an antitrust lawsuit against Amazon as reported by Dana Mattioli and Brent Kendall with the Wall Street Journal on 3 February, four days before the State of the Union address. In fact, the FTC has been scrutinizing Amazon for years. One prominent issue is whether Amazon has been giving advantage to its own products over competitors on its own platforms. If this advances to court, the DOJ, which shares antitrust authority with the FTC, has already advanced lawsuits against Google which are likely to move forward. The House Antitrust Subcommittee had been involved for 16 months ending in 2020 in investigation of Amazon, Apple, Google, and Meta. The article goes on to dig down into considerable conflict in Congress moving forward with the biggest of the Big Techs over the last 2 years.

Cyber Scene will keep a vigilant eye on the future of issue 3--privacy and how this challenge is resolved. Next Cyber Scene we will include the UK in widely global cyber issues. Before closing this Cyber Scene, it is imperative that we celebrate the success since July 2021 of the first U.S. National Cyber Director (John) Chris Inglis, who resigned on 15 February. Although accolades arrive from many corners, starting with CNN in December 2022 with the announcement of Inglis' plans to pass the baton, Tim Starks' Cybersecurity reporting from the Washington Post 15 February seems to relay the history and the future since the Senate approved his appointment unanimously.

This readership is familiar with the Cyberspace Solarium Commission which had advocated for the creation of an Office of the National Cyber Director (ONCD). The creation of the ONCD was vetoed in 2020 by Trump but overturned on 1 Jan. 2021 by Congress. The creation of this 100-staffed organization in record time is for the books. Inglis is succeeded by his deputy, Kemba Walden, at least temporarily, as the Senate will have the last say if she is the candidate up for permanent confirmation. The Biden National Cybersecurity Strategy which Inglis initiated is in the last throes of finalization, and is expected any day now, and perhaps before you read this as a parting gift to us all.

Cyber Scene #78 - U.S. on China’s TikTok: Tempus Fugit

Up against a strong competing background of cybersecurity issues--the Ukrainian-Russo war, global realignments, and tech's ramming speed entrance into new domains--the possible departure of TikTok from U.S. soil took first place in Congress. On 23 March 2023, U.S. lawmakers took TikTok CEO Shou Zi Chew, in his first appearance, to task for over five heated hours of his attempting to answer searing questions before the House Committee on Energy and Commerce hearing.

As the hearing documents, TikTok is used by nearly half of the 320 million Americans and two-thirds of all children: one underlying issue is the safety of the children who have been harmed by TikTok's content.

Of note is the fact that 1) China's TikTok is likely to be a candidate for banning from the U.S. and that 2) there is a very significant U.S. bipartisan element in doing so that transcends both bicameral Congressional organizations, panels, and committees. "TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms" may have surprised CEO Chew, whose first appearance in a U.S. hearing was clearly a baptism by fire. Having both partisan guns blazing, similarly and simultaneously, is uncommon. The Committee has not in recent times been so united, and is the oldest standing legislative committee. The committee is chaired by Cathy McMorris Rodgers (R-WA) with #2 as Ranking Member Frank Pallone (D-NJ). Their opening comments were, unusually in an age of divisiveness, mutually supportive.

As for guns aimed AT the committee members, The Hill reports a TikTok video posted 41 days earlier was viewed during the hearing with the voice of the author of the video saying that he had brought his gun with him to the hearing. Rep. Kat Cammack (R-FL) was infuriated, adding that taking aim at the Chair and Ranking Members of the Committee was the very sort of violence and deadly influence that TikTok had not, and cannot, regulate. This followed the CEO's attempt to explain that offshore TikTok offices, such as the Caymans (a country noted for money laundering) or Project Texas (stay tuned) working with Oracle and ByteDance, TikTok's owner, would prevent these issues. In comments captured by The Hill, Ranking Member Rep. Frank Pallone wasn't convinced since Chinese laws on handing over U.S. user data would likely overrule U.S. laws. One might ask: who do you really work for? Moreover, as reported by The Washington Post, Rep. August Pfluger (R-TX) doesn't want TikTok in his state: "We stand for freedom and transparency and we don't want your project." Another Texan, Randy Weber (R-TX), also reneging on any Texan hospitality, accuses TikTok of "indoctrinating" American kids with pro-CCP propaganda, among other grievances.

There is no shortage of complaints against TikTok. Following the closure of the hearing, the Wall Street Journal's (WSJ) team of Ryan Tracy, John D. McKinnon, and Georgia Wells addressed trade blacklists that "...have swept up China-based telecommunications companies Huawei Technologies Co. and ZTE Corp., as well as U.S. defense contractors Lockheed Martin Corp. and Raytheon Technologies Corp," underscoring past transgressions.

The House Permanent Select Intelligence Committee (HPSCI) Chairman, Mike Turner (R-OH), as reported by CBS on 23 March, confirmed what those watching the hearing expected: that U.S.-based TikTok must be banned or sold. The simple reason that this event reigns as #1 on the cyber hit parade is because of the incredible cyber fallout that may derive from this closure or sale. Control over data is an issue that transcends all aspects of cybersecurity.

Capitol Hill is not alone in this endeavor. The week prior to the hearing, (WSJ's) Sadie Gurman discusses how the Biden administration's somewhat new active role is playing out in the Department of Justice (DOJ). It is directing a federal investigation regarding China's tracking of U.S. journalists through a Texas-based location connected to ByteDance, the parent of TikTok. Federal prosecutors in Virginia and the FBI are also engaged.

This is one aspect of a "...major shift in policy on the part of the Biden administration." The Committee on Foreign Investment in the U.S. (CFIUS), had demanded that TikTok in the U.S. must be sold, according to WSJ sources. TikTok's CEO, to the contrary, has been trying to sell his plan to join partners with Oracle under ByteDance in Texas. The WSJ notes that "TikTok's chief executive Shou Zi Chew has said that divesting the company from its Chinese owners doesn't offer any more protection than a multibillion-dollar plan the company has already proposed." The article also confirmed that the federal probe resulted from the Biden administration demanding that "...TikTok's Chinese owners sell their stakes in the app or face a possible U.S. ban of the social media service."

In addition to contributions from CFIUS, the DOJ itself had initiated the creation of a Disruptive Technology Strike Force, announced on 16 February 2023, in joint collaboration with the Department of Commerce (DOC). Under the tandem leadership of the DOJ's National Security Division (NSD) and the DOC's Bureau of Industry and Security (BIS), the strike force includes the FBI, Homeland Security Investigations and 14 U.S. Attorneys' Offices in 12 U.S. metropolitan regions across the country. Deputy Attorney General Lisa O. Monaco explains that "Using real-time intelligence and 21st century data analytics, the Disruptive Technology Strike Force will bring together the Justice and Commerce Departments' expertise to strike back against adversaries trying to siphon off our most advanced technology, and to attack tomorrow's national security threats today." The leads for DOJ and DOC are, respectively, DOJ/NSD's Assistant Attorney General Matthew G. Olson and DOC/BIS's Assistant Secretary for Export Enforcement Matthew Axelrod. The nearly "whole of government" and at least all three branches of government have been pre-positioned for dealing with China.

Immediately following the hearing, the Post's 6-person team again added that requiring TikTok/ByteDance to be sold would be "strongly opposed" by the Chinese government as well as the U.S. dealing with legal and constitutional issues. The Post also pointed out that of the 1 billion TikTok users globally, 150 million are in the U.S. and spend on average 95 minutes per day on the TikTok app, according to analytics firm Sensor Tower.

The Economist's senior correspondent Alexandra Suich Bass sums up on 24 March that "Of pressing concern are TikTok's risks to national security and democratic interference, as a recent Australian report lays out. But TikTok is also charged with spreading misinformation, addicting children, fueling mental-health issues, violating users' privacy, and profiting from unethically obtained data. In other words, TikTok faces all the toxic charges levied at America's big tech companies, alongside national-security risk." She added that unlike so many hearings she has witnessed before, this one is extraordinary for the likelihood of serious follow-on action taking place.

So how does China deal with the increasingly vitriolic affronts? In a false flag gesture, let us see this from China's perspective in the Economist's "China Inc in the West; Seizing the moment." On 11 March, just prior to the infamous hearing, the Economist sits in China's seat, or CEO Chew's future hot seat, to strategize on the following rules:

First, do not "flaunt Chineseness," such as resorting to English-sounding brands and obscure the country of origin;

Second, "use technology to beat Western rivals on service and price, including use of your own websites and mobile apps to deal directly with your clients; and

Third, "...use technology and supply chains to allow them to limit Chineseness."

This article goes on to explain how TikTok moved its headquarters to Singapore to separate from ByteDance's in Beijing. But now the latter claims to be domiciled in the Caymans. Many Chinese, according to the Economist, were looking to TikTok on 11 March and planning to seal a deal in Europe, as it hoped to do in the U.S., to establish a data center in the U.S. (and Europe) to share access to its algorithms. On 11 March the article projected that the bills moving through Congress would permit President Biden to ban the app. This seems to be spot on at this post-hearing time.

Meanwhile, WSJ's Ian Talley, Asa Fitch, and Clarence Leong reported the day after the hearing that there was a loophole in the DOC's Entity List which bars U.S. companies from exporting to firms on this list. However, this intent can be circumvented by working with subsidiaries that aren't on the Entity List. "That ability to sidestep export controls undermines the primary purpose of the policy, those people say, which is to prevent adversaries such as China, Russia and Iran from empowering their military, intelligence and economic capabilities with advanced Western technology."

This is a story of a tech war that has no end date. As this readership knows, in our world of the Internet of Things, the fallout from the TikTok hearing impacts countless other domestic and international cyber-related technologies with global impact.

Cyber Scene #79 - Tech Driving Geopolitics; Cyber at the Wheel

In the 1990's, Harvard Kennedy School's Dean Joseph Nye described the world as a three-dimensional chess board: the dimensions were political, economic, and military. In 2023, according to the UK's new National Cyber Force (NCF) Commander James Babbage as interviewed by The Economist in "Cyberwarfare: All in the mind" cyber is the "greatest cognitive effect" which derives from "tilting the playing field imperceptibly." Some readers may believe that cyber has turned the world upside down. Unlike diplomacy, economics, and military might, cyber is the invisible hand doing the tilting.

Babbage goes on to explain that this cognitive effect--responsible cyber power--is precise, calibrated, and accountable to a small group of ministers and Parliament. Simply put, in the Ukrainian theater of the Russian invasion, disruptions include "...influencing generals in their headquarters, rather than colonels in the field." Cyberwar is becoming far less bits and bytes and far more sophisticated.

A greater depth of this discussion comes from former Google CEO Eric Schmidt, who also co-authored "The Age of AI: And Our Human Future" with Henry Kissinger. In Foreign Affairs' "Innovation Power: Why Technology Will Define the Future of Geopolitics," Schmidt, like Babbage, maintains that "The ability to innovate faster and better---the foundation on which military, economic, and cultural power now rest..." is business as usual which will no longer prevail. Schmidt cites foresight and out-of-the-box thinking: Ukrainian President Zelensky's versatility in reconfiguring Ukraine's communications infrastructure when Russian attacks hobbled the existing ones; historic examples including Pizarro's defeat of the Incas; and Commodore Perry's steamboats to open Japan. But Schmidt avers, after discussing AI, that given the reliance of economies and the military on digital infrastructure, "...any future great-power war is likely to start with a cyber-strike." He concludes that while the U.S. still retains "pole position" in innovation for the present, he cites Silicon Valley's mantra: "innovate or die." While he focuses on the U.S., China and Russia in a broad perspective, President Zelensky would apply it quite personally in his country.

The Economist again looks at "the virtual front." Russia is bumbling no more and is unfurling its spring cyber-offensive. Dan Black, the former head of NATO's cyber-threat analysis branch, now working for Mandiant (part of Google), explains that since October 2022, Russia has extended its cyberattacks into its former, now NATO, countries and reinvigorated its cyber capacities including leaning on the GRU (Russia's military intelligence agency) to ratchet up. By January 2023, all three main Russian intelligence services were in the mix, attacking the governments and military of 17 European countries.

Black's beliefs are supported by the Washington Post's Craig Timberg, Ellen Nakashima, Hannes Munzinger and Hakan Tanriverdi's unusual disclosure of Russia's "trove of secret cyberwar ambitions." The 5,000 documents were sent by an anonymous contractor working for NTC Vulkan, first to a German reporter and then to a German-led consortium of news organizations. The documents include a wide swath of cyberattack plans as well as specific work by the hacking group Sandworm, which has been named responsible for Ukraine's blackouts, the 2018 Winter Olympics disruption, and launching NotPetya, "the most economically destructive malware in history." The documents cover a period from 2016 through 2021. Vulkan is based in Moscow, but some of the 135 employees have come to work in the U.S. while those in Moscow intended to use U.S. hardware for its Russian security services. Many examples of these treasures follow in this article for those readers who want to dig deeper into the treasure chest.

Even as Ukraine prepared for the worst, criticism regarding the West comes from Adm. James Stavridis (ret.), in a Bloomberg Opinion column whose own positions as both the U.S. European Commander and Supreme Allied Commander Europe (SACEUR) provide an educated perspective. He goes as far as stating that both sides of the Atlantic are guilty of giving Putin "a green light" due to their "digital appeasement" regarding cyber. He cites the invasions of Georgia (2008) and Ukraine (2014), Ukraine's blackout in December 2015, malware galore, and SolarWinds/Colonial Pipeline, inter alia. He offers that the West's diplomatic corps needs to appreciate the "digital dimension of geopolitics." He believes that a red line for cyberattacks should be established and "vague descriptions of cyber-aggression" should be avoided. The reluctance to escalate in response to an attack, according to Stavridis, should be balanced to avoid unchecked cyber-aggression. And lastly, he notes that there has been a false sense of security and that the U.S. needs to work instead on a sense of deterrence in cyber, likely with more aggressive responses.

Two weeks later, the New York Times' (the Times) Steven Erlanger picked up on the issue of deterrence. He discussed the changes in ramping up since the 2014 invasion of the Crimea, first citing Camille Grand, until recently NATO's Assistant Secretary General for Defense Investment, who states: "The debate is no longer about how much is too much (for fear of upsetting Moscow) but how much is enough." As reported by Robert G. Bell, who has served as defense adviser to the U.S. NATO mission (2010-2017), countries can drag their feet or try to opt out, but if one country is heading in the wrong direction, a "consensus minus one" vote can rein that country in. The present SACEUR, General Christopher Cavoli, is dealing with how to maximize the 13 corps of 40,000 to 50,000 troops and how to best benefit from Finland's, and likely this summer Sweden's, accession to NATO. The former U.S. Permanent Representative to NATO, Ivo Daalder, notes that NATO had little fear of defending its own territory. "It did that for 40 years, and even if the muscles have atrophied, the muscle memory is there. The key is to have people and governments who never lived through this, learning how to do it."

Back on the Beltway cyber ranch, the recent release of the White House National Cybersecurity Strategy addresses all and additional issues cited earlier in this Cyber Scene edition. With the approved $65 billion in the Bipartisan Infrastructure Law as a key foundation, the National Cybersecurity Strategy is implementable. Of particular importance is the expressed requirement of close collaboration not just across civil society, State, local tribal and territorial governments, nor only allies and partners--countries to be held accountable--but particular to this readership, the need for close private sector engagement. President Biden states:

"...Our world is at an inflection point. That includes our digital world. The steps we take and choices we make today will determine the direction of our world for decades to come. This is particularly true as we develop and enforce rules and norms for conduct in cyberspace. The United States is prepared to meet this challenge from a position of strength, leading in lockstep with our closest allies and working with partners everywhere who share our vision for a brighter digital future."

The concise Strategy Introduction underscores the importance of robust public-private sector collaboration which "is essential to securing cyberspace." The five pillars that follow in the next 34 pages include defending critical infrastructure; disrupting/dismantling threat actors; shaping market forces to drive security and resilience; investing in a resilient future; and forging international partnerships for shared goals.

Not surprisingly, two discussions surfacing within a few days see the strategy coming to fruition.

The Times' David E. Sanger addresses the Strategy's assignment of responsibility to tech firms. He underscores that the Strategy's good-faith efforts in the private sector are not enough, and that minimum cybersecurity standards need to be defined and required. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Tech, adds "...that a voluntary approach to securing critical infrastructure and networks is inadequate." Sanger points out that while some of the implementation of the Strategy is in place, other issues would need Congressional approval. With the Senate and House split politically, that may be difficult.

A cybersecurity strategy is not new. Sanger notes that one started with George W. Bush, and with every president since. The key difference is that if enacted, new regulations and laws would "...perhaps impose liability on firms that fail to secure their code, much like automakers and their suppliers are held liable for faulty airbags or defective brakes."

Acting National Cyber Director, Kemba Walden, explained that "It just reimagines the American cybersocial contract...in our critical infrastructure." As explained more vividly by the former National Security Agency General Counsel Glenn S. Gerstell, "In the cyberworld, we're finally saying that Ford is responsible for Pintos that burst into flames because they didn't spend money on safety." As noted earlier in this Cyber Scene, Neuberger also used the early days of Russia's invasion of Ukraine as an exemplar of digital success where Ukrainian laws were changed quickly to move databases to the cloud to keep the Ukrainian government up and running.

C4ISR's Colin Demarest and Molly Weisner report that the Pentagon is changing as well: it is assessing how to transition its 225,000 employees in the cyber workforce to and from private industry. The article cites the Department of Defense (DoD) 2023-2027 Cyber Workforce Strategy released in late March including four "human capital pillars" that look to "unprecedented levels of cross-pollination with the tech industry." The DoD strategy supporting the White House strategy reaches beyond tech: it points to "collaboration inside and outside government, academia and allied nations, and...a talent-exchange pilot project."

Given the long reach of the new National Cybersecurity Strategy, many lives of this readership may be touched. Stay tuned!

Cyber Scene #80 - Digitization: Making Money Makes the World Go Round

Even as Americans hope that Congress and the White House will have found a way to manage the debt crisis related to the $31.4 trillion debt-ceiling, impacted by the federal budget, by the time you have read this, cyber will have globally delivered incalculable amounts of money everywhere. This has no ceiling.

The Economist delivers a 15 May "Special Reports: Cashless Talk" analysis including 8 articles ("chapters"), the first of which provides an overview underscoring the rising global tide of digitization, which, this readership understands, is cyber-based. In addition to pithy studies of various aspects of this expansion, Sweden is underscored as the #1 country using digitization. The articles discuss "...a new wave of digitisation (sic), driven by the arrival of smartphones and the internet...making possible near-instant, remote payment."

The study goes on to compare "now" with the "old order"--even, in China, "...having to buy video game points in-person." But there are huge implications when it comes to money and state:

"Some governments may be using digital finance to help police their own people. The West may find that the spread of digital-payment platforms means it loses some financial clout. Frictionless movement of money may make for greater efficiency, but it could foster financial instability by making it easier for customers to withdraw bank deposits, a lesson seen in the failure of Silicon Valley Bank, which was preceded by a bank run."

Traditional banking is taking a hit except for bank card/credit card usage due to acceptable interest rates. The article summarizes that digital finance and new payments platforms have led to: "First, the debate in richer countries over whether crypto or fintech firms will end the reign of banks and card networks has been all but settled. Crypto has shed its go-getting reputation and is struggling to demonstrate its usefulness. Whizzy fintechs will doubtless keep growing."

A small group of Economist journalists recently interviewed an incomparably wise man turning 100 this week on the subject of current events and history.

Henry Kissinger spent 8 hours in discussion, published on 17 May 2023, talking with the journalists about how to avoid World War III. He singled out AI and the nature of alliances, which he views as two issues that are colliding: "...he fears that AI is about to supercharge the Sino-American rivalry."

His recent book on AI was released in November 2022 and he mentions writing more. He also adds that the rapid progress of AI particularly leaves the U.S. and China only 5-10 years to create a solution. On related NATO issues, Kissinger is a proponent for Ukraine's accession to NATO; he believes it would be good for both Ukraine and Russia as well as NATO. "If the war ends like it probably will, with Russia losing many of its gains, but retaining Sevastopol, we may have a dissatisfied Russia, but also a dissatisfied Ukraine--in other words, a balance of dissatisfaction. So, for the safety of Europe, it is better to have Ukraine in NATO, where it cannot make national decisions on territorial claims."

Back inside the D.C. Beltway, Defense One delivers three items of cyber interest. On 15 May, Lauren C. Williams reports the AI-themed testimony by Defense Intelligence Agency (DIA) Director Lt. Gen. Scott Berrier, who had testified before the Senate Select Committee on Intelligence (SSCI) on 8 March 2023 and on 15 May 2023 during an Intelligence and National Security Alliance (INSA) event. Regarding AI, he stated "It definitely can make us better, fast, stronger. We have to go carefully." He goes on to say that while it can do much good, it can't determine intent. The Department of Defense (DoD) is expanding how it uses AI to improve the detection of intrusions on DoD networks. This is directed by the Defense Information Systems Agency (DISA) which has this mandate. The TechnetCyber Conference sponsored by Armed Forces Communications and Electronics Association (AFCEA) was the venue for these discussions. DISA's senior tech strategist Eric Mellot notes that the objective is "...to figure out ways in which we can leverage technology to do autonomous continuous validation...being able to bring in artificial intelligence to be able to think like a hacker." DoD red teams have been working on this. The article also cites ChatGPT as an example of how fast technology is moving, and why DoD needs to continue picking up the pace.

As a follow-up, Defense One's Lauren C. Williams reports on 17 May on the testimony before the Senate Appropriations Committee (SAC) the day before by Secretary of State Antony Blinken, accompanied by Secretary of Defense Austin on the subject of cybersecurity. Secretary Blinken is asking for $750 million in 2024 for cybersecurity to improve networks and communications devices. These improvements particularly focus on both cyber and physical security, upgrades, zero trust architecture, and critical elements in Indo-Pacific missions related to countering China's growing influence.

The New York Times' David E. Sanger also reported on President Biden's concern about World War III, Ukraine in NATO, and Putin's cyber capabilities. While Sanger cites the framework of a White House change of mind regarding the deployment of F-16's to Ukraine, the backstory includes US officials worried that Putin's losses might corner him: "That would leave him with only two viable options: using his formidable cyberweapons to cripple infrastructure, or threatening to use his nuclear arsenal, in hopes of freezing Western aid to Ukraine."

Sanger notes that Putin, to date, "...has been cautious with his cyber-capabilities: He has used them extensively against targets in Ukraine, American and British officials say, but has been reluctant to attack NATO nations and risk bringing them directly into the conflict. And after China's leader, Xi Jinping, explicitly warned late last year against threatening the use of nuclear weapons, Mr. Putin has quieted down."

But that could change, particularly with a trigger. Moreover, "Russian officials have specifically warned against giving Ukraine ATACMS, a long-range precision missile system made by Lockheed Martin" within range of Crimea. And the nuclear option still seems to be on the table.

One concern that has been curtailed, at least for now, is "Russia's Most Ingenious Hacker Group," according to Andy Greenberg from Wired on 20 May. In Wired's polling of cybersecurity experts across Western countries, the worst-ever award would go to the Russian FSB's Turla, also known as Venomous Bear and Waterbug, that, per Greenberg, infected computers in over 50 countries with "snake" malware. The FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Justice (DOJ) confirmed the reporting of German journalists who revealed this in 2022. The length of this success appears to be at least 20 years; one cybersecurity historian, Professor Thomas Rid, of Johns Hopkins University Paul H. Nitze School of Advanced International Studies, maintains it lasted 25 years. Rid points out that "Its tooling is very sophisticated, it's stealthy, and it's persistent...It's adversary number one."

Greenberg provides an exceptional chronology of the intrusion: 1996: Moonlight Maze (an early name and version); 2008: Agent.btz which attacked U.S. Central Command and underscored the importance of the creation of U.S. Cyber Command; 2015: Satellite Command-and-Control which hijacked satellite communications; 2022: Hijacking a Botnet--a combo with Iranian help; 2023: Beheaded by Perseus (US term for Turla's decapitation). But, as one expert notes in conclusion, there isn't one: "This is an infinite game...They're not going away. This is not the end of cyberespionage history. They will definitely, definitely be back."

As for other prolific users of spyware in the world, Steven Feldstein, Program director of Carnegie Endowment's Conflict Governance Program, and Allie Funk, Research Director for Technology and Democracy at Freedom House, write in Lawfare that constraints on limiting U.S. federal agencies of exporting certain commercial spyware have been imposed by President Biden's executive order during the March Summit for Democracy. This reduces the export of U.S. spyware, as implemented by the Department of Commerce's new rule to align with this policy. Additionally, 42 governments also agreed to coordinate export restrictions for dual-use technologies. The authors believe that this is a good first step, but it is quite complicated and engages many U.S. agencies and others abroad. Feldstein and Funk admit that a good start does not mean that an executive order will remain, as a new president could nullify it. Although they applaud this beginning and direction, they are fearful that "...industry will continue to evade restrictions and pursue its harmful trade."

On the flip side, the Washington Post's Cybersecurity 202 with Tim Starks and David DiMolfetta discusses the need to address "Section 702" related to U.S. surveillance authorities. Congress needs to decide whether the surveillance powers that are due to expire at the end of 2023 need to be adjusted, discarded or kept as is. The underlying issue is the forever balance between civil liberties and the need to use surveillance to counter cyberattacks. The Post's Cybersecurity 202 team took a survey of professionals associated with this business who had to choose to 1) scrap Section 702 completely (16%), 2) renew it as is (20%), or 3) renew it with changes (64%). Cyber Scene will follow up as Congress, once past current Congressional/White House fiscal challenges, can address it.

Another issue that will likely not be addressed by Congress imminently is the Supreme Court's (SCOTUS) decision to send back to Congress the deliberation on tech's liability protections related to Section 230. Post journalist Cristiano Lima reports Section 230 refers to the tech industry's protection from liability. According to Lima, lawmakers are less inclined to support the tech industry. Two high-profile legal cases dealing with YouTube, Twitter and Google worked their way up, and slid (or were cast) down, from SCOTUS. The unanimous rulings for Gonzalez v. Google and Twitter v. Taamneh, throwing YouTube in for good measure, were that the Big Tech social media platforms were not immune from liability, either by omission or commission, regarding "taking adequate steps to crack down on terrorist content." The next step would be for Congress to take up the issue, as Capitol Hill has been critical of the law, so it would be up to Congress "...to pare back the legal shield, which protects digital services from lawsuits over user content." The few attempts to legislate on related issues--dozens more bills--didn't move up to a vote in either the Senate or House. In any event, it is unlikely to be settled anytime soon.

Cyber Scene #81 - California Gold Rush: AI, Chips, and the Tech Arms Race

From L.A. (Los Angeles and Los Alamos) to Peoria and D.C. to Beijing, Artificial Intelligence (AI) is ascending to incalculable heights, and at warp speed. Its reach impacts global, national, and "down home" users. This Cyber Scene will briefly discuss some of AI's ubiquitous impacts, how they change war and peace, and how regulators worldwide, both governmental and tech, strive to keep up.

The past few years have reconfirmed the indispensable use of semiconductors and chips, as well as, more recently, "generative" ChatGPT. Chip wars between and among countries, which Cyber Scene has addressed, underscore this importance. The nuclear issue, which has recently resurfaced regarding Russia, Ukraine, NATO, and the U.S., is itself an example of AI regulatory challenges. AI has, in its unique, underpinning way, drawn together this significant and likely long-duration contribution to military and civilian organizations worldwide and merits Cyber Scene's attention. The challenge is how to regulate it.

The expansion of AI worldwide is in exponential overdrive. The 3 June Economist highlights how "waves of innovation," like desktop computers (Microsoft) and smartphones (Apple), created giants. They discuss whether AI might be the next giant for a company such as Nvidia, which makes AI chips accompanied by software developments. The article does challenge Nvidia's long-term standing, given that AI-tailored chips are now being produced by Amazon's and Alphabet's cloud-computing divisions--behemoths that have scale and funding. Governmental regulators, however, have concerns about AI's impact on "society and national security" and how to develop controls for this technology.

Cyber Scene will first look at the worldwide expansion of AI, consider the applications for users, and then address the regulatory issues facing governments and Big Tech.

Big Tech is both creatively and financially inspired. The Economist on 29 May examines why tech giants and wannabes are drawn to joining in the AI "gold rush." The most recent quarterly statistics on Return on Investment for chipmakers particularly, reflecting computing power, are extremely encouraging. ChatGPT has been the talk of the town/world. AI applications appear to be booming in the marketplace, although "...the biggest question-mark hangs over the permanence of the AI boom itself; in Silicon Valley, hype can turn to disappointment on a dime." The article does note that some of the policymakers' concerns around the world focus on the worry about generative AI's impact on job loss or expanding misinformation.

The New York Times' Sarah Kessler on 10 June in "The A.I. Revolution..." cites a 2013 Oxford University study pointing to 47% of U.S. jobs becoming at risk with automation "...over a decade or two." Current concerns seem to treat this as nearing a one-decade event. Goldman Sachs projected in March 2023 that AI tools such as ChatGPT and DALL-E could automate the equivalent of "300 million full-time jobs." (N.B. The U.S. population is presently at 334,233,854 as of 1 January 2023, according to the U.S. Census Bureau.)

Moving to specific technical issues at the opposite end of this AI growth impact, Foreign Affairs' Lauren Kahn on 6 June analyzes ground rules for AI as it impacts warfare. She uses as an example a possible warfare dilemma were AI and not humans to have directed the US Reaper surveillance drone that was attacked by Russia in March 2023 while flying over the Black Sea. She points out that US operators had to ditch the drone into the sea. However, she questions "...what might have happened if a US autonomous drone, enabled by AI systems, attacked a target it was only supposed to surveil." Her overriding concern is the lack of protocols to avoid this type of "warfare trigger." She specifically is concerned about how "...Washington would reassure the other party that the incident was unintentional and would not reoccur." The recent flip side of this possible incident would remind readers of the Chinese balloon. Luckily, the article points out that this might be mitigated by the fact that China still relies seriously on US technology, and its AI developers "...already face a far more stringent and limiting political, regulatory, and economic environment than do their U.S. counterparts." She adds that China, even if US AI developers were constrained by new US regulations, would be unlikely to be "...poised to surge ahead."

If a drone does not grab your attention, think about film director Christopher Nolan's perspective. Mr. Nolan discusses his new film Oppenheimer with Wired's Maria Streshinsky on 20 June on the connection between AI of today and the nuclear bomb of yesteryear, still an issue today. He addresses nuclear history connected to generative AI and regulation:

"People keep saying there needs to be a governing body for this stuff. They say you all need to deal with it. Like you governments. There should be an international agency. But that's the oldest political trick in the book of the tech companies. Right?... Zuckerberg's been asking to be regulated for years... 'Cause they know that our elected officials can't possibly understand these issues. And how could they? I mean, it's very specialist stuff, and it's incumbent on the creators and Oppenheimer."

Another opinion on the impact of AI regulation on the U.S. comes from Foreign Affairs team Helen Toner, Jenny Xiao, and Jeffrey Ding on 2 June. They argue that AI won't constrain the US in a technology race, despite the fact that Congressional regulatory action is now involved. Regarding Cyber Scene's aforementioned "regulatory catch-up," this analysis avers that "The staggering potential of powerful AI systems, such as OpenAI's text-based ChatGPT, has alarmed legislators, who worry about how advances in this fast-moving technology might remake economic and social life." They note that a "flurry" of hearings and "behind-the-scenes negotiations" have worried Congress, while the CEO of OpenAI, Sam Altman, told the Senate that AI regulation would allow China or another country to possibly surpass US technology innovation.

The Government Accountability Office (GAO) has also been involved thanks to two senators, Gary Peters (D-MI) and Ed Markey (D-MA), per The Hill on 23 June. They too are concerned about generative AI tool risks and how to mitigate this. They ask for a "detailed technology assessment" and have asked the GAO, knowing that it is a nonpartisan government agency. They see this as a needed follow-on to the May congressional hearings, including the Senate Judiciary subcommittee, with the CEO of OpenAI. This article references a framework as well for AI regulation, publicized this same week from Senate Majority Leader Chuck Schumer (D-NY), calling on government to move forward on regulation using "...five key pillars: security, accountability, protecting foundations, explainability, and innovations."

As a reminder of how difficult it is to regulate, the flip side of Senate oversight just noted on AI comes from Senator Alex Padilla (D-CA). Wired's Paresh Dave on 31 May recounts that Senator Padilla advocates expanding AI's ChatGPT and states that it is short-shrifting non-English languages. He explains that AI chatbots are not as fluent in non-English languages, which in turn could threaten "...to amplify existing bias in global commerce and innovation." About one in five do not speak English at home, according to Wired. At a Congressional hearing in May 2023, Senator Padilla challenged the CEO of OpenAI about the lack of ChatGPT support. California's language gap is huge: 44% of Californians speak a non-English language. The Senator is skeptical of the current effort, adding that these new technologies should provide education and greater communication, rather than language problems creating "...barriers to these benefits." Skyler Wang, a UC Berkeley sociologist of technology and AI, goes even further: "We want to think about our relationship with Big Tech as collaborative rather than adversarial."

AI is not the only concern with respect to Big Tech. The New York Times' (The Times) Sapna Maheshwari on 7 June discusses how TikTok's recent congressional testimony in March 2023 and an earlier one in October 2021 may have misled Congress. As you likely remember, TikTok is owned by ByteDance, in turn closely aligned to China. The lawmakers drew their insight from reports from Forbes and the Times. A joint letter from Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) underscored the possibility that US data may be stored in China and TikTok employees may have access to such data. Forbes had reported in May that TikTok stored financial information of creators, among them Social Security numbers and tax IDs, on servers in China. They were accessible to TikTok employees in China. In addition, "The Times reported earlier in the month that American user data, including driver's licenses and potentially illegal content such as child sexual abuse materials, was shared at TikTok and ByteDance through an internal messaging and collaboration tool called Lark."

Twitter is also under Congressional scrutiny. The Hill's Ines Kagubare on 8 June adds that lawmakers are increasingly worried about Twitter's data security. She cited a letter sent to Twitter a week earlier by a group of Democratic senators raising concerns over consumer privacy and data security issues given the resignations of two of Twitter's security leaders. In 2022, Twitter paid $150 million to close a privacy lawsuit the US Federal Trade Commission (FTC) and Justice Department (DOJ) brought about. The Senators found this additionally worrisome and have imposed a 14-day notification when Twitter has "a change in structure such as sales, including change of ownership, and mergers." The latter details are likely due to concerns about sleight-of-hand suspicions.

Cyber Scene #82 - Breaking News, Cyber and China

As July heat drives Americans to cool shelter, Washingtonians, particularly those in the three branches of U.S. government, are steaming hot and teaming together on major cyber and tech advances. "Whole-of-Government" is either involved and designated as responsible for cyber security or involved in bipartisan funding and approval of the direction the U.S. Government is taking. The impact extends far beyond the D.C. beltway, reaching out to countless private sector institutions and businesses.

First and most importantly among those involved is the July 2023 publication of the promised (March 2023) National Cyber Security Implementation Plan (NSCIP). A comprehensive, implementable program has been long-awaited by many in and out of U.S. government. Particularly likely pleased is the now-sunsetted, bipartisan, and bicameral Cyberspace Solarium Commission (CSC) co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI). They remain in the Senate and House respectively while CSC continues as a not-for-profit. The link explains how the CSC continues to connect government and the private sector; its 10 commissioners, together with private and public experience, and the 2021 National Defense Appropriations Act (NDAA) which included 25 of CSC's recommendations. One of the top 3, 100-day, must-do issues was the creation of a National Security Director, which began with the Biden Administration. The first director, Chris Inglis, and his acting successor, Kemba Walden, along with White House Cyber Advisor to the President, Anne Neuberger, have played and are playing central roles in the implementation of the plan.

The following discussions address the scope of the implementation plan.

The NSCIP involves 18 agencies, each of which has leadership responsibilities for pieces of the overarching plan. This White House announcement provides both the NSCIP itself (57 pages, but very terse and pointed) and an overview of this monumental move to dealing with cyber and its applications in everyday life.

The five pillars are addressed digestibly as follows. Each covers its Strategic Objectives, including the designated, responsible entities; an Initiative Description; and a National Cyber Security (NCS) Reference, including the responsible agency, contributing entities, and completion dates by quarters. The implementation calls for implementing all objectives by 2026.

The pillars are:

Pillar One: Defend Critical Infrastructure

Pillar Two: Disrupt and Dismantle Threat Actors

Pillar Three: Shape Market Forces to Drive Security and Resilience

Pillar Four: Invest in A Resilient Future

Pillar Five: Forge International Partnerships to Pursue Shared Goals

As an entry to NSCIP implementation, the first pillar, Infrastructure, is perhaps more simply understood across the country. As an example, Cyber Scene will drill down on Infrastructure.

Just prior to the publication of the NSCIP, the issue of Pillar One: Critical Infrastructure, was addressed by CSIS (Center for Strategic and International Studies), a think tank, via Govtech's podcast. The attendees were host Dan Lohrmann with Anne Neuberger, Deputy National Security Advisor for Cyber, and two other governmental leaders (TSA and Homeland Security). Ms. Neuberger begins with the Colonial Pipeline attack as the example of the need for, at a minimum, cyber security measures to protect all U.S. infrastructure. She also displays a three-pronged complex chart of how an infrastructure attack can be avoided across the country. Subsequently, on 16 July after the publication of the NSCIP, Dan Lohrmann also covers Acting NSC Director Kemba Walden's presentation launching the NSCIP. He not only frames her comments, but also adds several additional public coverage sources regarding NSCIP and its impact.

Acting Director Walden notes that the NSCIP's final actions must be achieved by 2026; the Pillars' implementations are paced out 3 months, or quarterly, for deadlines. They note: "The plan encompasses the business sector, besides federal agencies. The 16 sectors designated as critical infrastructure by the U.S. government are largely operated by the private sector in areas such as healthcare, financial services, energy and manufacturing...businesses will be expected to meet new standards set by federal agencies. The Securities and Exchange Commission, for example, is preparing a raft of rules that will impose incident-reporting requirements on listed companies." The Wall Street Journal's James Rundle and Catherine Stupp also provide a longer outlook of NSCIP's impact: "These (NSCIP) rules are also intended to scrutinize board oversight of cyber risk."

In some respects, regulation is working. The White House succeeded in securing voluntary agreements from eight Big Tech companies to comply with strong national constraints, according to The Hill's Julia Mueller. These techs--Amazon, Anthropic, Google, Inflection, Facebook parent company Meta, Microsoft and OpenAI--have made the voluntary commitments "geared at managing the risks posed by artificial intelligence" while also "protecting Americans' rights and safety against risks posed by the uncharted technology."

Foreign Affairs has recently published a think piece on "The Race to Regulate Artificial Intelligence." Columbia Law Professor Anu Bradford explains that regarding content, U.S. Big Tech is racing to advance artificial intelligence capabilities amid intense criticism and scrutiny; "Washington is facing mounting pressure to craft AI regulation without quashing innovation." She believes that digital regulation comes in three flavors: "the United States is following a market-driven approach, China is advancing a state-driven approach, and the EU is pursuing a rights-driven approach." However, from a cybersecurity perspective, a market-driven approach may be the most difficult to apply.

It should be noted that some of those U.S. entities to be impacted by the Infrastructure Pillar are looking forward to it. The American Hospital Association (AHA) seems to have embraced the NSCIP, except regarding funding, as would many of the former victims of infrastructure attacks. AHA's National Advisor for Cybersecurity and Risk, John Riggi, stated "In general, these strategically aligned approaches will help protect our nation from foreign cyberthreats, which continue to accelerate in frequency, complexity, and severity." Considering how so many medical facilities have suffered, this quick AHA announcement is not a surprise. The AHA response is an example of many infrastructure sectors that will be impacted by the implementation.

Hacks can be quite ugly according to The Hill, such as that of U.S. Ambassador to China Nicholas Burns. His email, along with those of State and Commerce Departments, was compromised directly following visits to China by the Secretary of State Antony Blinken and Secretary of the Treasury Janet Yellen who have been trying to build bridges with China.

As reported by the New York Times' David McCabe, American officials are concerned about U.S.-based Chinese data centers and those abroad "...gaining access to sensitive data, echoing concerns about Chinese telecom gear and TikTok." This relates to the power and access of cloud computing, cast as the hidden "... engine of the digital economy, enabling services like video streaming and allowing companies to run artificial intelligence programs." These were the very sorts of issues Secretary of State Blinken was working on. And it was his own State Department that was reportedly hacked.

Chinese data centers are not the only tech issue that is under consideration at the White House. According to the Times' Ana Swanson, David McCabe, and Michael Crowley, the Biden Administration is looking at constraints on AI chips being exported to China. Readers may recall the "Chip Wars" discussions in recent Cyber Scenes. This would involve cutting down or out the delivery to China of U.S. produced chips needed for AI and made by companies like Nvidia and Advanced Micro Devices and Intel. The chips are required for powering AI in data centers. This move, of course, is a financial issue for the U.S. companies involved--another angle on regulation.

The chip war continues. The July 4 Economist, in "Full metal straitjacket," describes the point and counterpoint chip war with China bringing out "the big guns:" the export controls on gallium and germanium used by the U.S. in high-end semiconductors. The article goes on to note that China provides 80% of the world's gallium and germanium, with the U.S. getting 50% of its supply from China. China intends to enforce such new rules by the requirement for exporters to seek Chinese government approval and export licenses.

And this is getting worse. On 23 July, the Economist's "China hits back against western sanctions" reports that retaliations are in place, with the Chinese leader himself saying, "we told you so." Just as the U.S. deals with regulatory safeguards as determined by the NSCIP, so too is China creating new laws, also related to the U.S-Taiwan relationship, that will muddy the international Big Tech water. Stay tuned: more will follow even as NSCIP implementation proceeds.

Cyber Scene #83 - AI Abounding: Worldwide Regulation, Home and Abroad

In the cyber world, ubiquitous AI is expanding in leaps and bounds from Peoria to Beijing. Even as technological developments run up against state, national or regional constraints, we may find that the economic outcome, challenging as it could be to some tech sectors, is likely to survive and thrive. Cybersecurity and particularly the new tech applications of AI are in fact concerning for offense and defense purposes, but not likely because of estrangement from China or a perception of an increase in US protectionism.

This Cyber Scene will focus on regulatory initiatives in the US, the EU and China. Regulatory intervention can impact developments. It can be applied both in new ways and trigger constraints to some extent, ideally, without building inaccessible barriers. To share or not to share--that is the question.

One perspective raises the question of how much more, or less, regulation is needed. The Washington Post's Cristiano Lima on 24 August reported on a legal case presented to, and dismissed, by a federal judge. A Republican National Committee (RNC) lawsuit alleged that "...Google's email spam filters illegally suppressed their missives, dealing the campaign group a crushing blow in a lengthy battle that has riled conservative lawmakers in Washington." This is one of many current judicial perspectives on cyber regulation including the following one.

At the state level, New York City has successfully banned the use of government-owned devices for TikTok, as reported by the New York Times' Sapna Maheshwari. This decision was repeated in a "wave of states and federal agencies banning TikTok from government-owned devices" following US Cyber Command's determination that the app "...posed a security threat to the city's technical networks." The TikTok app is owned by ByteDance, a Chinese company. Montana has also passed a recent bill eliminating TikTok across the entire state. This is being challenged by TikTok before the bill becomes effective on January 1, 2024. These are merely examples of many issues that arise at the local, state, national or international level.

As the world surges in widespread applications of AI, a serious demand for regulation is also arising. The Times' Ian Prasad Philbrick reported on 24 August that those asking for governmental regulation for AI technology include tech experts, lawmakers and even executives of top AI companies. And they want it fast. He points out that demand for quick decisions comes from Microsoft's president, Brad Smith, Senate Majority Leader Chuck Schumer (D-NY), and Senator Mike Rounds (R-SD). However, time is not on their side: "...history suggests that comprehensive federal regulation of advanced AI systems probably won't happen soon. Congress and federal agencies have often taken decades to enact rules governing revolutionary technologies, from electricity to cars." Dewey Murdick, the lead for Georgetown University's Center for Security and Emerging Technology, believes, as relayed by Times' Philbrick, that while many want fast action, it is hard to regulate technology that is evolving as quickly as AI. Murdick admits: "I have no idea where we'll be in two years."

Neither dismissed nor accepted yet, AI regulation is being considered by the Federal Election Commission (FEC) but is in limbo as of this writing, as presented by the Post's Cristiano Lima and David DiMolfetta. One question dividing the FEC is whether it has the authority to make new AI rules. Still working on this, the FEC is now going to listen to an advocacy group, Public Citizen, which proposes banning "...candidates and political parties from intentionally misrepresenting their opponents in ads through the use of AI." This may be resolved shortly but may lead to additional AI regulatory issues.

One significant issue is that of the UK's regulation regarding end-to-end encryption. The Post's Trisha Thadani and David DiMolfetta explain that the bill does not ban end-to-end encryption and also does not require services to weaken encryption. The report captures the conflicts not only between the UK's pursuing end-to-end encryption and Silicon Valley but also among US tech companies. The issues look to this new law as a safety bill that by US tech firms is seen "...to imperil the security of popular messaging apps, jeopardize the privacy of users around the world and drive at least one app to leave the UK all together." The "Online Safety Bill" will be voted on for the third time in September. The requirement would include mandating companies to report illegal activity of their services, but since messaging apps such as WhatsApp are end-to-end encrypted, the companies do not have access to allow for the reporting. Then the companies with so-called "back doors to encryption" could be "...seized by malicious actors and hostile states." Apple considers it "a serious threat to privacy." Elon Musk, owner of Twitter (now known as "X"), thinks that his company should encrypt direct messages on its platform. The UK maintains that the bill does not ban end-to-end encryption nor require services to weaken encryption. These issues are a taste of several additional contentious ones that remain to be resolved.

Meanwhile, on 25 August, the European Union's Digital Services Act (DSA) and the Digital Markets Act will begin a phased-in approach over the coming months to introduce a priori fixes to problems such as the spread of disinformation or antitrust rule violations by setting "...clear rules that online platforms must follow," according to the 24 August Economist. Businesses with more than 45 million users in the EU will have extra rules to follow. These would include "very large online platforms (VLOPS) such as Facebook and Google, but also Wikipedia and an EU encyclopedia (sic)." The article goes on to address additional changes focused on making platforms safer and better, but implementation will be key. The article cites the General Data Protection Regulation (GDPR), which this readership may remember, as having been largely successful, but projects that "...tech giants may resist doing the same with DSA" due to the expense.

Looking to Asia, a historic discussion of "Xi's Age of Stagnation" by Foreign Affairs' Ian Johnson (Senior Fellow at the Council on Foreign Affairs and Pulitzer Prize winner) provides a lengthy and fascinating discussion of how China began "the great walling-off of China" lately. The new version of centralization in China differs from the adaptive authoritarianism from the past. He compares China to the Cold War construction of the Berlin Wall. Those of you in cybersecurity are aware of the progressively autocratic and centralized business environment in China.

Important to many of you, the Wall Street Journal's Chief China correspondent and Pulitzer finalist Lingling Wei and Stella Yifan Xie delve into the end of China's 40-year economic boom. They provide data to support this demise, particularly due to a significant change in nature of Xi's version of authoritarianism and note particularly the failure of achieving ways to buoy up the economy. They devote special mention to the country's semiconductor industry; it was expected to reduce dependence on the West, but now China's production is not as advanced as Taiwan's; the former's chips are not as sophisticated as those of the Taiwan Semiconductor Manufacturing Company, which is moving some production to Arizona. Back in the USA, despite regulation, things are different.

Even if keeping enemies closer worked for Sun Tzu, today China is moving to an expansive cyber and political wall which is enclosing China. Instead of a thousand flowers growing, China is cultivating its own garden within an authoritarian brick and mortar tech wall.

How critical is this for AI, cybersecurity, and downhome economics? According to Economics Nobel Prize winner, Princeton professor and Times columnist Paul Krugman, China's broad technological and financial crisis should not be a problem. He maintains that what China experiences today is akin to the US in 2008, but he maintains that the likely impact on the US is negligible. As a respected economist, he has data to prove it.

As, in part, a reaction to China's withdrawal and North Korea's solidified uncooperativeness, the US is moving forward to connect with Asians of like mind including technology issues. On the Public Broadcasting Service (PBS) on 18 August, President Biden, flanked by South Korea's President Yoon and Japan's Prime Minister Kishida at a rare Camp David Summit, offered a tripartite news conference on how this joining together of disparate Asian countries was a step forward.

On Capitol Hill, there is perhaps a glimpse of bipartisanship. Representative Don Bacon (R-NE) on the House Armed Services Committee was notified by the FBI that the Chinese Communist Party (CCP) hacked into his personal and campaign emails from May 15 to June 16, 2023. The vulnerability was in the Microsoft software. He pointed out that this hack was not due to "user error." Rep. Bacon adds: "There were other victims in this cyber operation. The Communist government in China are not our friends and are very active in conducting cyber espionage. I'll work overtime to ensure Taiwan gets every $ of the $19B in weapons backlog." Meanwhile, given that the hacks included the Departments of Commerce and State, as well as human rights advocates and think tanks, concern on the Hill has increased. These departments and elected officials or staff have no access to security measures unique to Microsoft, which supported them.

The Post's Joseph Menn goes on to say that the breach had alarmed experts because "...it was unclear how the government could have prevented it while relying exclusively on Microsoft for cloud, email and authentication." On the other side of the aisle as well as the other side of Capitol Hill, Sen. Ron Wyden (D-OR) asked the Department of Justice (DOJ) and Federal Trade Commission (FTC) to investigate whether Microsoft was in violation of laws, or of FTC's "...20-year-old decree requiring better security after the breach of what was then its single sign-on tool, Passport, for authentication." Sen. Wyden also urged the Department of Homeland Security (DHS) to have its Cyber Safety Review Board, which is 2 years old, work on the Microsoft cloud breach. It agreed to do so while DHS also deferred to FBI.

Despite the retreat from Western and Chinese cyber cooperation, this direction points to undertones of new alliances at the international level (Japan and South Korea were not good friends) as well as possible domestic bipartisanship and whole-of-government engagement. Cyber Scene will try to help inform this readership, but time, and this readership's cyber talent, will eventually take the lead.