The Stroz Friedberg Cyber Brief

FEATURED STORY



Yahoo was reportedly slower to make cybersecurity improvements than other large tech companies, including Google, which after a major breach by Chinese hackers in 2010 began investing heavily in recruiting and infrastructure. Several current and former Yahoo employees told the New York Times that Marissa Mayer, who took over as CEO in 2012, prioritized product development over cybersecurity. Among other things, she regularly denied Yahoo’s security team funding and put off proactive defenses, including intrusion-detection systems, they said.

In related news, cybersecurity firm InfoArmor said that an Eastern European criminal gang, likely motivated by money, may have been behind the attack on Yahoo, not a nation-state actor as initially claimed by the company. The hackers, dubbed Group E, have a history of selling personal data on the so-called dark web, and have been previously linked to breaches at LinkedIn, Tumblr, and MySpace, a spokesperson for InfoArmor said. (NYT, FT)


Internet of Things: Several recent distributed denial-of-service attacks in which hackers commandeered a massive web of internet-connected devices have raised new concerns about the cybersecurity risks of the so-called internet of things. (WSJ)


Banking: Bankers at SWIFT's annual conference in Geneva said they were adopting new cybersecurity tools, reviewing procedures, and considering alternative technologies for transferring money, like blockchain-type systems. (Reuters)

Russia: U.S. officials reportedly believe that at least two hacking groups with ties to the Kremlin, known as Fancy Bear and Cozy Bear, are involved in escalating cyber breaches, including the theft of thousands of Democratic Party documents. Some analysts say Russia is perfecting “hybrid warfare” that includes military tactics, disinformation, covert operations, and cyberattacks. (WSJ)  


Syrian Electronic Army: Peter Romar, a hacker sympathetic to Syrian President Bashar al-Assad's government, pleaded guilty in the U.S. District Court for the Eastern District of Virginia for his role as a middleman in an extortion scheme targeting U.S. media outlets and governments. He faces up to five years in prison. (Reuters)

Celeb Hacker: Illinois man Edward Majerczyk pleaded guilty in a Chicago federal court to hacking the emails of high-profile female celebrities. Prosecutors agreed to seek a nine-month prison sentence for Majerczyk. (Reuters)


ON THE HILL

OPM Hack Fallout: The Office of Personnel Management is relinquishing its background check duties this week. A new National Background Investigations Bureau will be headed up by Charles Phelan, formerly vice president of corporate security for Northrop Grumman. (NextGov)


2016 Election: Homeland Security Secretary Jeh Johnson said in a statement that hackers have probed the voting systems of many U.S. states but that there is no sign they have manipulated any information. (Reuters)

Drones: Industry analysts say that widespread flights of delivery drones are likely several years away. U.S. aviation authorities have only recently begun the process of defining the types of collision-avoidance systems considered essential for these operations. (WSJ)

PRIVATE SECTOR

AI Non-Profit: Google, Facebook, Amazon, IBM and Microsoft are joining forces to create a new artificial intelligence partnership dedicated to advancing public understanding of the sector and developing standards. (Guardian)


Blockchain: IBM said that global financial institutions are adopting blockchain technology "dramatically faster" than initially expected, with 15 percent of top banks intending to roll out full-scale, commercial blockchain products next year. The technology functions as an electronic transaction-processing and record-keeping system that allows all parties to track information through a secure network. (Reuters)

Moore’s Law: A breakthrough at a little-known Dutch company called ASML Holding may help ensure that the semiconductor industry can continue to double the number of transistors in a typical microprocessor every two years. (WSJ)

THE WORLD

EU: U.S. tech giants Amazon, Google, and Microsoft are investing billions in new data centers in Europe in what analysts say is a recognition of the region’s privacy and sovereignty concerns. The European market is one of the largest for American cloud providers. Meanwhile, the European Commission proposed measures last week to tighten controls on exports of cyber-surveillance equipment and technologies that could be used to violate human rights or threaten international security. (NYT, Reuters)


The Hacking Law That Can’t Hack It: “The Morris and Drew cases epitomize, in many ways, the central conflicting ideas about what the CFAA means: One camp broadly interprets the CFAA to include computer-based behavior that violates any rule, whether that rule has been written in English (like the Terms of Service agreement in the Drew case) or built into the technical architecture of the computer system (like the email and directory programs in the Morris case). This camp believes we should be defining computer crimes broadly and punishing violators severely to send a clear message. The other camp believes that the crimes covered by the CFAA should be more narrowly defined and punished less harshly,” writes Josephine Wolff on Slate.  


Time to Kill Security Questions: “From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo’s, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They’re meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won’t forget your mother’s maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet’s name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach,” writes Lily Hay Newman on Wired.

Should We Give Up Oversight of Internet Addresses? In this New York Times “Room for Debate”, four experts discuss the merits of the Obama administration’s decision to transfer oversight of the Internet’s directory of website addresses to a multinational nonprofit organization called the Internet Corporation for Assigned Names and Numbers, or ICANN.  


Center on National Security
Fordham University School of Law
150 W. 62nd St. 7th Floor
New York, NY 10023 US
Copyright © 2016 Center on National Security, All rights reserved.