The Stroz Friedberg Cyber Brief

  FEATURED STORY           

MONDAY, MARCH 20, 2017


The U.S. government has charged Russian spies with cyber crimes for the first time. Last Wednesday, a federal grand jury in California indicted two officers of the Russian Federal Security Service (FSB) and two co-conspirators on charges of hacking, economic espionage, and other crimes in connection with a scheme to access more than half a billion Yahoo accounts beginning in early 2014.


The FSB officers allegedly involved, Dmitry Dokuchaev and Igor Sushchin, and a third man, Alexsey Belan, a Russian national and one of the FBI’s most wanted hackers, are believed to be in Russia. The fourth suspect, a Canadian resident and Kazakh native by the name of Karim Baratov, was arrested in Toronto on Tuesday. U.S. authorities allege that the FSB officers paid the hackers to break into the accounts of diplomats, journalists, and company officials to steal information seen as useful to Moscow. The Kremlin has denied that FSB employees could have been involved in the hack.

Legal analysts note that U.S. federal prosecutors have been seeking cases against foreign hackers but have only brought a handful that directly name foreign governments. Last December, the Obama administration imposed sanctions on the FSB and Alexsey Belan in connection with Russia’s alleged interference in the 2016 presidential election. Earlier this year, Dokuchaev was arrested in Russia and accused of treason, according to media reports. (Reuters, NYT, WSJ, AP, CNN)


Banks: Researchers at Symantec say a North Korean hacking group known as Lazarus was likely behind a recent cyber campaign targeting organizations in more than 30 countries. The group has already been blamed for a string of hacks dating back to at least 2009, including last year's $81 million heist from Bangladesh's central bank. (Reuters)


Meanwhile, hacking collective Anonymous is specifically targeting central banks, according to two people with knowledge of the group’s activities. Last year, the group reportedly attacked at least eight monetary authorities, including the Dutch Central Bank, the Bank of Greece, and the Bank of Mexico. (Bloomberg)


Zero Days: A new report from the RAND Corporation provides insights about the zero-day vulnerability industry, giving information on the proportion of zero-day vulnerabilities that are alive (undisclosed), dead (known), or somewhere in between. (RAND)

SAP: Europe's top software maker said it patched vulnerabilities in its latest HANA application, which had a potentially high risk of allowing hackers control over databases used to run big multinational firms. SAP software acts as the corporate plumbing for many multinationals, and the company claims 87 percent of the top 2,000 global companies as customers. (Reuters)


Travel Ban: Some of the largest U.S. tech firms have not yet supported one of the latest legal challenges to President Trump’s executive order on immigration. Google, Microsoft, and Facebook are among the more than 60 tech companies that signed onto an earlier challenge but did not file documents last week in support of a legal brief filed in Hawaii federal court. It was not immediately clear why. (Reuters)


  ON THE HILL                                    

Trump Wiretap Claims: The Republican chairman and ranking Democrat on the House Intelligence Committee said that new documents provided to Congress by the Justice Department provided no proof to support President Trump’s allegation that his predecessor ordered wiretaps of Trump Tower. (WaPo)


Meanwhile, the British intelligence agency GCHQ issued a rare statement dismissing as “utterly ridiculous” White House claims that it was involved in the alleged wiretapping. President Trump reiterated his claim during a joint press conference with German leader Angela Merkel on Friday. (WSJ)


U.S.-UK: Officials in both countries are reportedly worried that President Trump may try to weaken bilateral security ties as British intelligence agencies have become increasingly involved in the inquiry into Russian interference in the 2016 U.S. election. (FT)


Cyber Report: The Office of Management and Budget’s annual report to Congress says that federal agencies reported more than 30,000 “cyber incidents” in fiscal 2016. Of those, 16 were “major” -- considered likely to result in harm to national security, public confidence, civil liberties, foreign relations, or the economy. Ten of the major breaches occurred at the Federal Deposit Insurance Corporation. (Bloomberg)

Budget: The Trump administration’s budget blueprint proposes $1.5 billion for the Department of Homeland Security to protect federal networks and critical infrastructure from cyberattacks. Specific funding for the military’s cyber operations was not mentioned. (The Hill)

  PRIVATE SECTOR                             

Intel: The world’s largest chipmaker agreed to buy Israeli autonomous vehicle technology firm Mobileye for $15.3 billion. The acquisition could propel Intel into the front ranks of automotive suppliers, analysts say. (Reuters)


Facebook: The company now explicitly prohibits companies and organizations from using its services for surveillance. The policy change followed investigations from the ACLU that found social media monitoring companies sold their services to law enforcement. The spy tools often disproportionately targeted communities of color. (CNN)


Booz Allen: The management and technology consulting firm has reportedly been tapped by an auto industry trade group to set up a system for companies to share potential cybersecurity vulnerabilities. Booz Allen said that nearly all major car manufacturers are working with the Automotive Information Sharing and Analysis Center, known as Auto-ISAC. (WaPo)

Apple: The company has announced two additional research-and-development centers in China. The new centers, to be built in Shanghai and Suzhou, bring Apple’s total commitment to R&D facilities in China to more than 3.5 billion yuan, or about $500 million, the company said. (WSJ)


Why Our Nuclear Weapons Can Be Hacked: “It is tempting for the United States to exploit its superiority in cyberwarfare to hobble the nuclear forces of North Korea or other opponents. As a new form of missile defense, cyberwarfare seems to offer the possibility of preventing nuclear strikes without the firing of a single nuclear warhead. But as with many things involving nuclear weaponry, escalation of this strategy has a downside: United States forces are also vulnerable to such attacks,” writes Bruce G. Blair in the New York Times.


Manipulating U.S. Elections Is a National Security Issue: “If the Russian government did interfere in the United States’ electoral processes last year, then it has the capacity to do so in every election going forward. This is a powerful and dangerous weapon, more than warships or tanks or bombers. Neither Russia nor any potential adversary has the power to damage the U.S. political system with weapons of war. But by creating doubts about the validity, integrity and reliability of U.S. elections, it can shake that system to its foundations,” writes Robert Kagan for the Brookings Institution.

How Chip Designers Are Breaking Moore’s Law: “Making faster chips is now primarily dependent on the cleverness of the chip designer, as opposed to the ability of manufacturers to etch ever more minuscule circuits into silicon, Prof. [Daniel] Reed [chair of computational science and bioinformatics at the University of Iowa] says. As a result, microchips more than ever illustrate Steve Jobs’s famous quote paraphrasing computer scientist Alan Kay: ‘People who are really serious about software should make their own hardware,’” writes Christopher Mims in the Wall Street Journal.


Center on National Security
Fordham University School of Law