Cyberstability Update – April 2019

April 29, 2019 Monthly update

European Union Embeds Protection of the Public Core of the Internet in New EU Cybersecurity Act

This article was published on the GCSC website, 11 April 2019

The Council of the European Union adopted the EU Cybersecurity Act, including a clear commitment to protect the Public Core of the open Internet. The protection of the public core of the Internet is a principal norm developed by the Global Commission on the Stability of Cyberspace (GCSC).

UN Secretary-General Report Highlights Norms of the Global Commission on the Stability of Cyberspace

This article was published on the GCSC website, 5 April 2019

In response to the UN General Assembly Economic and Social Council resolution 2006/46, the report of the United Nations Secretary-General, on the “Progress made in the implementation of and follow-up to the outcomes of the World Summit on the Information Society at the regional and international levels,” highlights the work of the Global Commission on the Stability of Cyberspace (GCSC) on norms of responsible behavior to reduce the risks to cyber stability. Furthermore, the UN Secretary-General repeatedly reiterated the pivotal importance of multi-stakeholder cooperation in cyberspace. The Report of the UN Secretary-General was requested in order to inform the UN Commission on Science and Technology for Development about the implementation of outcomes of the World Summit on the Information Society. The report highlights major activities undertaken by stakeholders in 2018. It was prepared by the secretariat of the United Nations Conference on Trade and Development, based on information provided by United Nations system entities, international organizations and other stakeholders.

More information about the norm to protect the Public Core of the Internet, Electoral Infrastructure, and the Singapore Norm Package is available via the hyperlinks or on the GCSC website www.cyberstability.org.

HCSS Hosts Second GCSC The Hague Dialogue

This article was published on the GCSC website, 5 April 2019

As the initiator and Secretariat for the Global Commission on the Stability of Cyberspace (GCSC), the Hague Center for Strategic Studies (HCSS) hosted the Second Hague Dialogue of the GCSC at its offices today after the Working Group Meetings of the Global Forum on Cyber Expertise. The dialogue convened senior Dutch cybersecurity stakeholders from all branches of government, civil society and the private sector as part of its dedicated outreach efforts. The objective of the roundtable session was for the GCSC to receive as much input as possible on its past work on norms, its current work on a cyber stability framework and principles, and the Commission’s current thinking on taking its work forward. Speakers of the GCSC included Commissioners Christopher Painter, Marietje Schaake, Abdul-Hakeem Ajijola and Olaf Kolkman. The participants were welcomed by Paul Sinning, Executive Director of HCSS, and introduced by Carmen Gonsalves, Head of International Cyber Policy at the Netherlands Ministry of Foreign Affairs, and Alexander Klimburg, Director of the GCSC Secretariat and Director of the HCSS Cyber Resilience and Policy Program. The GCSC is continuously looking to engage with stakeholders and solicit input on the direction of the Commission’s work on norms and future deliberations on a working definition and principles for stability in cyberspace.

Sign up to the weekly newsletter!

This Cyberstability Update is an overview of all articles included in our Weekly Newsletters for the month. Want to receive these updates on a weekly basis? Sign up here to receive our weekly newsletter on the work of the Global Commission on the Stability of Cyberspace (GCSC), its members and developments in the field of international cyber policy.

National Policy

Responsible Release Principles for Cyber Security Vulnerabilities

This press release was published by the Australian Signals Directorate, 18 March 2019

We are proud that our Australian Cyber Security Centre is the nation’s premier cyber security authority. Its advice to governments, businesses and families is informed by ASD’s other roles, which include gathering foreign intelligence and conducting offensive cyber operations in support of the Australian military. As part of our work, we sometimes discover security weaknesses or vulnerabilities in technology that are unknown to the vendor and may pose a threat to Australians and Australian systems. For many years, we have made these vulnerabilities known to vendors so they can patch or otherwise mitigate the threat to their systems and customers. Our starting position is simple: when we find a weakness, we disclose it. Occasionally, however, a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians. In these circumstances, the national interest might be better served by not disclosing the vulnerability. The decision to retain a vulnerability is never taken lightly. It is only made after careful multi-stage expert analysis, and is subject to rigorous review and oversight. Our decision-making framework is based on a single objective: ensuring the safety and security of Australia and Australians. See also statements by the NSA and GCHQ.

This article by Sean Parnell was published in The Australian, 19 April 2019

A major review of electoral cyber security has raised concern hackers might find a weak jurisdiction, with weak systems, and use it to “sow doubt in the security and integrity” of Australian democratic processes. The Deloitte review, commissioned by the Department of Home Affairs and obtained under Freedom of Information laws, called for a national approach to safeguarding all electoral systems. In the United States in 2016, Russian hackers targeted electoral systems in 50 states, it emerged last week, more than twice as many as initially suspected. The following year, the US Department of Homeland Security declared ‘elections infrastructure’ to be critical infrastructure warranting additional national protection. However, the Australian government’s Security of Critical Infrastructure Act 2018 focuses on electricity, port, water and gas assets. While the government would be expected to protect the Australian Electoral Commission (AEC), it has no authority over other jurisdictions’ systems under the Act. Yet the review found every jurisdiction and every system “can be seen as critical to our ‘social and economic wellbeing’ and therefore consideration should be given to designating Australia’s electoral systems as ‘critical infrastructure’.”

This article by Evelyn Douek was published in Lawfare, 10 April 2019

When Facebook CEO Mark Zuckerberg wrote on March 30 that the internet could use more regulation of “harmful content,” maybe he should have been more specific. Less than a week after Zuckerberg’s statement, Australia’s Parliament passed the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019, with no public or expert consultation. Passed in response to the horrific terrorist attack in Christchurch, New Zealand, that occurred on March 15, Australia’s attorney-general said the act “will send a clear message that the Australian government expects the providers of online content and hosting services to take responsibility for the use of their platforms to share abhorrent violent material.” The message is indeed clear: The law creates new offenses and liability, including imprisonment and huge fines for failing to take down violent content, such as the video of the Christchurch attack that was broadcast live on Facebook, quickly enough from online platforms. However, it has received widespread condemnation from internet rights organizations, the tech industry (both within Australia and abroad) and academics who study freedom of expression online. And the critics have a point. The legislation is riddled with ambiguities that make its legal effect and effectiveness uncertain. One concerning element is the fact that the law applies not only to platforms or content services but also to internet service providers (ISPs). One Australian professor has commented that the law potentially creates “an expectation for ISPs to apply deep packet inspection monitoring of everything that is said.” The Electronic Frontier Foundation has called indirect hosts of content such as ISPs “free speech’s weakest links” because they are often unable to remove individual posts and so, if facing liability, will remove entire websites or domains.

This article by Agence France-Presse in Moscow was published in The Guardian, 11 April 2019

Russian politicians have approved a controversial bill that would allow Moscow to cut off the country’s internet traffic from foreign servers, in a key second reading that paves the way for the bill to become law on 1 November. Lawmakers in the State Duma, parliament’s lower house, voted 320 to 15 to pass the proposed bill. The proposed measures would create technology to monitor internet routing and steer Russian internet traffic away from foreign servers, ostensibly to prevent a foreign country from shutting it down. The legislation has been dubbed a “sovereign internet” bill by Russian media. Critics say implementing the measures would be expensive and give vast censorship powers to the government’s new traffic monitoring centre. The bill’s authors insist however that the measures only outline a plan to make Russian internet “more secure and reliable”.

This article was published in Telecompaper, 11 April 2019

Opposition to allowing Huawei to build 5G networks in the Netherlands is growing among Dutch MPs following a report that ASML, the Dutch supplier of lithography machines to produce semiconductors, was a victim of corporate espionage that may have been driven by the Chinese state. An investigation by the Dutch paper FD found that ASML employees had been passing information to rival XTAL, a company with allegedly indirect backing by the Chinese science and technology ministry. ASML said it did not recognize the version of events as reported by FD, noting that it initiated and won the trade secrets case against XTAL. While some of the employees involved were of Chinese nationality, other nationalities were involved as well. “We resent any suggestion that this event should have any implication for ASML conducting business in China,” the company said in a statement.

This article by Briang Fung and Ellen Nakashima was published in The Washington Post, 25 April 2019

Top British officials apparently have decided to let the Chinese technology giant Huawei help develop an ultra-fast 5G wireless network in the United Kingdom, according to reports, in spite of pressure by U.S. officials to freeze out the company on security grounds. The leak of the apparent decision by Britain’s National Security Council — a panel led by Prime Minister Theresa May — risks inflaming tensions between the U.K. and the Trump administration as Huawei flexes its muscles as the world’s dominant supplier of telecom equipment. And it instantly created a political firestorm among members of Parliament determined to hunt down the source of the leak. Some analysts said the such a decision would set a precedent that other countries would be likely to follow. Countries would be “less likely to do a complete ban,” said James Lewis, a cyber policy expert at the Center for Strategic and International Studies who has followed the international 5G debate closely. Lewis said it was still possible that the British decision, when it is announced, could reduce risk to a manageable level. “If the British implement their restrictions in a tough way, it’s not a big deal. If they implement them in a soft way, then Huawei will be all over the network,” he said.

Tags: GCSC Commissioner James Lewis.

This article by Jack Corrigan was published in Nextgov and Defense One, 23 April 2019

The U.S. could do a better job deterring cyberattacks if international allies were on board to punish the perpetrators, the nation’s top cyber diplomat said Tuesday. In recent years, the U.S. and its allies have gotten less afraid of attributing cyberattacks to adversaries like Russia, Iran and North Korea, but their attempts to punish those online aggressions are far less united, according to Rob Strayer, the State Department’s deputy assistant secretary for cyber and international communications and information policy. To prevent those countries from launching attacks in the first place, the international community needs to make it clear that the costs of such actions outweigh the benefits. According to Strayer, that calculation is a lot easier when multiple countries are threatening retaliation. However, unifying countries’ responses to cyberattacks won’t be an easy task, said Chris Painter, a fellow at Stanford University’s Center for International Security and Cooperation who previously held the State Department’s top cyber position before it was eliminated by a reorganization. During his tenure, it was hard enough to get U.S. government agencies to agree on sanctions, and building consensus on an international level will be a much heavier lift, Painter said during the panel.

Tags: GCSC Commissioner Christopher Painter.

This article by Theresa Hitchens was published in Breaking Defense, 24 April 2019

The Trump administration is wooing a broad coalition of “like-minded” nations to join a US-led “deterrence initiative” that includes collective response to malicious cyber activities by China, Russia, Iran and North Korea, says Robert Strayer, deputy assistant secretary of state for cyber and international communications and information policy. “If we don’t stand together to defend our vision and values online, they will continue to be undermined,” he told the Atlantic Council’s annual cyber engagement conference yesterday. This may be harder to do than Washington thinks, however. While most of the so-called Five Eyes allies (those with which the US shares high-level intelligence) express support for the idea of cooperation on “norms enforcement,” other countries are more skeptical. Christopher Painter, cyber czar at the State Department under Obama, agrees on the need for states to respond to norms violations. “I agree we need to do it, or we embolden (bad actors) to do more — creating a norm, if you will, of inaction,” he told me. “I also think it is better to do this collectively with other countries. It’s more powerful and has more legitimacy despite the difficulties getting coalitions of countries to act.”

Tags: GCSC Commissioner Christopher Painter.

This article by Joseph Marks was published in The Washington Post, 8 April 2019

Kirstjen Nielsen’s resignation as secretary of homeland security could deal a blow to the Trump administration’s cybersecurity efforts — as she was one of the last civilians in its top ranks with extensive cybersecurity expertise. That’s a dangerous position, experts say, as the nation barrels toward a 2020 election that will likely be targeted by Russian hackers and the Homeland Security Department launches a major campaign to get government and industry to stop buying technology from China’s Huawei and other companies deemed national security threats. “Hopefully whoever runs DHS will prioritize its vital cybersecurity mission, but it makes a difference if the person at the top has a background in cyber and knows from experience how important it is rather than just being told,” former State Department cyber coordinator Chris Painter told me. “DHS is spread thin among multiple priorities as it is, and without a clear mandate from department leadership that cybersecurity is a prime mission, their efforts risk being sidelined.”

This article by John Bowers was published in Just Security, 8 April 2019

In June of 2018, the White House announced that the government’s security clearance program would be consolidated under the Department of Defense. This reorganization, largely motivated by an enormous backlog of clearance investigations, is aimed at streamlining the clearance process, and in particular the “reinvestigation” of individuals with clearances that require periodic review. At the core of these new efficiencies, the DoD claims, will be a “continuous evaluation” system which autonomously analyzes applicants’ behavior – using telemetry such as court records, purchase histories, and credit profiles – to proactively identify security risks. The rollout is already underway – the DoD had enrolled upwards of 1.2 million people in continuous evaluation as of November 2018. But the program is far from uncontroversial, raising credible privacy concerns and the hackles of advocacy groups including the Consumer Financial Protection Bureau. As the DoD takes over millions of new civilian clearances, these worries will find a broader audience. The attractiveness of an autonomous system capable of identifying security risks before they become security failures is obvious. But pinning individuals’ clearance statuses – upon which many rely for their livelihoods, and to work effectively in service of national security – to automated inference-making raises a range of troubling questions. Jonathan Zittrain of the Berkman Klein Center is fond of dividing challenges in machine learning into two broad categories – those that arise when machine learning goes off the rails, and those that arise when it works as intended.

European Affairs

European Commission recommends common EU approach to the security of 5G networks

This press release was published by the European Commission, 26 March 2019

Following the support from Heads of State or Government expressed at the European Council on 22 March for a concerted approach to the security of 5G networks, the European Commission is today recommending a set of concrete actions to assess cybersecurity risks of 5G networks and to strengthen preventive measures. The recommendations are a combination of legislative and policy instruments meant to protect our economies, societies and democratic systems. With worldwide 5G revenues estimated at €225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union. Any vulnerability in 5G networks or a cyber-attack targeting the future networks in one Member State would affect the Union as a whole. This is why concerted measures taken both at national and European levels must ensure a high level of cybersecurity.

This article by Ryan Heath was published in POLITICO, 11 April 2019

#17 Marietje Schaake ran the first successful digital-first campaign to get elected to Parliament in 2009, and went on to became one of the savviest legislators on digital issues, leaving her mark on export control rules governing dual-use technologies (those that often end up being used for spying or illegal activities). An outspoken advocate for free trade, Schaake has some of the EU’s strongest transatlantic links. Schaake is retiring from Parliament at 40 and switching to a new tech-focused career.

Global Governance

Why global collaboration is needed to protect against a new generation of cyber threats

This article by Amy Jordan was published in World Economic Forum, 25 April 2019

The internet is a vastly complicated patchwork of protocols, data and codes, which only a limited number of true tech geeks really understand. And yet it pervades our day-to-day lives on a scale no one could have envisaged when the world wide web was created only 30 years ago. New technologies and applications are arising at a dizzying speed, and it’s not only consumers who are trying to keep pace with the array of new offerings at their disposal. Security professionals are also trying to keep up with the implications of new devices and their uses, and to ensure that they cannot be turned against their users or put to use for malicious purposes. At the same time as defending against the misuse of new technologies, the fundamental technical architecture of the internet itself appears to be increasingly under threat from those who wish to seek new ways to attack and undermine it.
Tags: GCSC Call to Protect the Public Core of the Internet.

Setting Global Rules in Cyberspace

This article was published in The Cipher Brief, 19 April 2019

Chris Painter has been on the vanguard of U.S. and international cyber issues for over twenty-five years and serves as a current Commissioner on the Global Commission for the Stability of Cyberspace. He is also a Perry Fellow at the Center for International Security and Cooperation at Stanford University. Painter created the Office of the Coordinator for Cyber Issues at the Department of State and will be moderating a discussion on global cyber norms next week at the International Cyber Conference on Engagement in Washington D.C., produced by Dr. Catherine Lotrionte and The Atlantic Council. The Cipher Brief caught up with Painter ahead of the conference to talk about the progress, or lack of, when it comes to the development of international cyber norms, how important they are, and what the latest thinking is on just how they would be enforced.

This article by Theresa Hitchens and Nancy W. Gallagher was published in the Journal of Cyber Policy, 9 April 2019

As use of the internet has become critical to global economic development and international security, there is near-unanimous agreement on the need for more international cooperation to increase stability and security in cyberspace. This paper compares what the United Nations’ (UN) Group of Governmental Experts (GGE) and the Organization for Security and Co-operation in Europe’s (OSCE) norm-building processes have achieved so far and what disagreements have impeded these efforts. It identifies several priorities for cooperation identified by participants in both forums. It also proposes three practical projects related to these priorities that members of regional or global organisations might be able to work on together, despite political tensions and philosophical disputes. The first would help state and non-state actors share information and communicate about various types of cybersecurity threats using a flexible and intuitive effects-based taxonomy to categorise cyber activity. The second would develop a more sophisticated way for state and non-state actors to assess the risks of different types of cyber incidents and the potential benefits of cooperation. The third would identify aspects of the internet that might be considered the core of a public utility, worthy of special protection in their own right and for their support of trans-border critical infrastructure.

This declaration by the G7 Foreign Ministers was published in France Diplomatie, 6 April 2019

The G7 Foreign Ministers met in Dinard and Saint Malo on 5 and 6 April 2019. One of the outcomes of this meeting is the Dinard Declaration on the Cyber Norm Initiative. In the Declaration, the Foreign Ministers state the following: “We affirm our willingness to establish a Cyber Norm Initiative (CNI) dedicated to sharing best practices and lessons learned on the implementation of previously recognized voluntary, nonbinding norms of responsible State behavior. We encourage, where possible, other interested partners to join us in this endeavor or to complete a similar exercise. This would contribute to the work by the UN Open-ended Working Group and Group of Governmental Experts, and by regional organizations, and would aim to demonstrate strong examples of adherence to these norms.”

This article by Robert K. Ackerman was published in The Cyber Edge, 1 April 2019

NATO is taking a comprehensive approach to building a cyber policy that would deter adversaries, defend its member nations and provide key capabilities in multidomain operations. This approach to the alliance’s cyberspace strategy takes into account resilience, counter-cyber activities and operational capabilities in both civilian and military elements. Yet when it comes to NATO cyber policy, much remains to be established. With 29 member nations all having different needs and different approaches to cyber operations, the alliance has not yet arrived at a fully functional policy. It continues to seek input from its nations while incorporating necessary capabilities amid continuing changes in the cyber domain.

This opinion article by David Ignatius was published in The Washington Post, 27 March 2019

Russian claims this week that they’ve been exonerated by special counsel Robert S. Mueller III’s final report make my skin crawl. But they highlight the critical question of how the United States and Russia can begin to move back toward a saner relationship. Frankly speaking (as Russians like to say), the first step is for Russia to stop pretending it didn’t interfere in the 2016 presidential election. The Kremlin got caught red-handed, one could say, and if it keeps claiming otherwise, it obstructs the dialogue it says it wants. Chris Painter, who was the Obama administration’s top cyber diplomat, told me Wednesday that a resumption of working-level contacts about cyber would be fine. But he cautioned against any top-rank contacts about cyber issues now, because they might allow Russia to pretend the 2016 cyberattacks didn’t happen. “If you resume high-level dialogue, that says everything’s okay — no harm, no foul,” explains Painter. This would be a mistake, he argues, because it would allow Moscow “to whitewash what has happened.” A policymakers’ discussion about cyber and other issues “has to have clearly defined goals and outcomes that advance our interests.”

Threats and Risk Mitigation

DNS Hijacking Abuses Trust In Core Internet Service

This article by Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres was published in Talos Blog, 17 April 2019.

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.

This article by Shannon Vavra was published in CyberScoop, 24 April 2019

Any nation-state behind recent hijackings of Domain Name System (DNS) records should, in theory, be held responsible under the latest cyberwarfare norms agreement made by 20 countries at the UN in 2015, says America’s top cyber diplomat. “One of the norms is disrupting physical infrastructure providing services to the public, and I think that fully encapsulates the internet’s DNS function,” Amb. Robert Strayer told CyberScoop Tuesday on the sidelines of the Atlantic Council’s International Conference on Cyber Engagement. Former Homeland Security Secretary Michael Chertoff, who also spoke at the Atlantic Council conference, said nation-states are still divided over the principles underpinning when to escalate responsibility for cyberattacks to the nation-state level in cyber norms accords. “This really is kind of a fundamental divide in the global attitude to the internet,” Chertoff told CyberScoop. “Most Western countries want to have essentially an international regime that’ll leave international … reciprocity in treaties. The Russian and Chinese are very focused on their sovereignty.”

Tags: GCSC Co-Chair Michael Chertoff, GCSC Call to Protect the Public Core of the Internet.

This article by Thomas Brewster was published in Forbes, 17 April 2019

A group of government-backed hackers have taken over chunks of the Domain Name System (DNS). That’s according to researchers who say the brazen attacks aren’t just damaging for the targeted companies, but for the trust in the internet as a whole. During the first stage in this latest spate of attacks, in late December and early January, the targets included domains managed by two major DNS providers, Packet Clearing House (PCH) and Netnod. PCH and Netnod both disclosed breaches earlier this year, though in its online statement the latter said “no customers who used the services during this time were affected,” but admitted that it had suffered from three attacks in January, two of which involved changes in DNS which affected a small number of customers. The third attack tried to redirect users heading to a web portal at Netnod to a hacker-controlled computer. “In this attack, we concluded that no customers that were users of that web portal were affected,” said Lars Michael Jogbäck, CEO of Netnod. PCH contacted Forbes after publication, also saying none of its customers had been affected by the attacks. It said that a “compromise of a domain name registrar’s security allowed the delegation name servers for the pch.net domain to be changed to servers not controlled by PCH.” But PCH also said it had “direct knowledge” of more than 150 victims, well above the 40 number Cisco’s cybersecurity arm provided. “Given that, I’d be surprised if the actual number were lower than, say, 300,” said Bill Woodcock, executive director of PCH.

This article by Geetha Nandikotkur was published in Bank Info Security Asia, 23 April 2019

Latha Reddy, former deputy national security adviser to India, says the nation should designate election infrastructure as “critical information infrastructure” to help ensure that cybersecurity is a much higher priority. “If we were to do that, giving very high priority to the most sophisticated cybersecurity techniques, it would certainly strengthen the election infrastructure and make it less vulnerable to attacks,” she says in an interview with Information Security Media Group. Although the Computer Emergency Response Team for India is available to help tackle vulnerabilities, Reddy recommends that the Election Commission develop a CERT of its own, going well beyond the recent appointment of a CISO. Reddy, who serves as a co-chair of the Global Commission on the Stability of Cyberspace, also calls for global standards for protecting election infrastructures. Action must be taken to protect voting machines, the voter database, voting software and IT systems, which could be vulnerable to attacks, she says.

Tags: GCSC Co-Chair Latha Reddy, GCSC Call to Protect Electoral Infrastructure.

Cyber hygiene is at an all-time low

This article by Ian Barker was published in Beta News, 15 April 2019

Well-known attacks and attack vectors remained successful because security personnel did not address vulnerabilities and apply patches according to a new report from cybersecurity and visibility business Ixia. IT vendors created code or configurations that led to many successful security breaches in 2018, but IT operations and security personnel shared the blame due to ignorance of the latest patches and challenges in deploying patches in a timely manner. In addition Ixia observed more new devices joining networks than ever before, but also more devices designed and deployed without proper measures to stop or even limit threats. Well-understood SQL injections and cross-site scripting vulnerabilities have been used by bad actors to target web applications. Code sharing poses a risk too, despite efforts by the open source community to standardize controls and measures in web development.

You can find out more about the findings on the Ixia website.

This article by Mathew J. Schwartz was published in Bank Info Security, 24 April 2019

For the first time, members of the secretive “Five Eyes” intelligence-sharing group are set to make a joint public appearance to discuss how they work together. At this week’s CyberUK conference in Glasgow, Scotland, members of intelligence agencies from all five countries are set to appear on stage to discuss common global cyber problems, including election security and retaining qualified personnel. They’re also expected to share details about how they work together, including joint approaches to incident management, data sharing and attack attribution.

This article by Jory Heckman was published in the Federal News Network, 17 April 2019

The intelligence community’s advanced research agency has laid the groundwork for two programs focused on ways to overcome adversarial machine learning and prevent adversaries from using artificial intelligence tools against users. Stacey Dixon, director of the Intelligence Advanced Research Projects Activity (IARPA), said the agency expects both programs to run for about two years. “We appreciate the fact that AI is going to be in a lot more things in our life, and we’re going to be relying on it a lot more, so we would want to be able to take advantage of, or at least mitigate, those vulnerabilities that we know exist,” Dixon said Tuesday at an Intelligence and National Security Alliance (INSA) conference in Arlington, Virginia. The first project, called Trojans in Artificial Intelligence (TrojAI), looks to sound the alarm whenever an adversary has compromised the training data for a machine-learning algorithm. Another program, which Dixon said would have a draft announcement coming later this year, will look to protect the identities of people whose images have served as training data for facial recognition tools.

This article by Rick Weber was published in Inside Cybersecurity, 1 April 2019

Former Homeland Security Secretary Michael Chertoff is urging the makers and developers of connected consumer products, part of an emerging Internet of Things, to take steps to manage their security risks or face the likely consequence of tough new regulatory and legal requirements. “The consumer IoT industry should work hard to support the development of a liability standard and a functioning insurance market.”

Cyber conflict

The Daily 202: How the nature of cyberwar is changing

This article by James Hohmann was published in The Washington Post, 15 April 2019

Lisa Monaco, who served as the homeland security adviser in Barack Obama’s White House, said many countries are changing how they approach the digital battlefield, from focusing primarily on espionage toward “geopolitical one-upmanship.” “The game is getting disrupted,” she said. “If we had this conversation two and a half years ago, I would have described the threat I was seeing at the time as more diffuse, more sophisticated and more dangerous than at any other time in my career in government. Today I have an overwhelming sense that if we look at the threat actors as basically aligned in a drag race – nation states, non-state actors, hacktivists, criminal groups – the nation states have far and away set themselves apart.” Monaco spoke on Friday night during a four-day cybersecurity conference sponsored by the nonpartisan Hewlett Foundation, which convened a few dozen insiders from the national security community along with executives from technology companies to discuss threats facing the United States in the brave new digital world and how to better respond to them.

This article by Frank C. Sanchez, Weilun Lin and Kent Korunka was published in Eurasia Review, 1 April 2019

The cyberspace threat exists in a realm that does not conform to the physical limits of land, sea, air, and space. Unlike these traditional domains, cyberspace fosters an unpredictable threat that can adjust, morph, and reproduce without a national identity or face. The challenge of the military is to posture its approach to cyberspace and cyberspace threats that are initiated by faceless, borderless, and sometimes nationless enemies. These enemies manifest in a domain neither confined nor governed by the traditional norms and rules of war, which the broader military has no experience undertaking. To ensure the United States maintains cyberspace dominance and can foresee, rapidly respond to, and counter cyberspace threats, the U.S. military’s strategy and approach to cyberspace must adapt and incorporate unconventional approaches and hybrid warfare into its operational capability.

This article was published in IT Web, 8 April 2019

The 2019 SonicWall Cyber Threat Report delivers an in-depth look at threat intelligence obtained from its more than 1 million sensors from around the world. Analysed by the SonicWall Capture Labs, an elite team of threat researchers, threat data collected over the course of 2018 indicates an escalation in the volume of cyber attacks and new, targeted threat tactics used by cyber criminals. “The concern over security and privacy is more prevalent than ever before. Industry and government must collaborate to build a more secure environment, mitigate risk, and build citizen trust in government and consumer trust in business,” said Michael Chertoff, Executive Chairman and Co-Founder of The Chertoff Group, and former US Secretary of Homeland Security. “This report provides critical analysis into the evolution of cyber adversaries’ threat tactics and methods. As organizations increasingly rely on metrics to understand and forecast risk, this intelligence will help enterprises and governments make informed decisions on their security investment.”

This article by Barbara Darrow was published in InformationWeek, 11 April 2019

Many people see the black hat/white hat struggle to break into or protect data as never-ending spy vs. spy one-upmanship. In their view, the bad guys and good guys take turns using the same increasingly smarter tools to attack and defend data stores. But others now argue that cloud changes that equation drastically and shifts the power balance in favor of good guys. At a recent Center for Strategic and International Studies event in Washington D.C., Edward Screven, Chief Corporate Architect at Oracle, said the idea that there is rough parity between attackers and defenders is no longer accurate. Companies that handle troves of customer data and traffic have aggregate knowledge of usage patterns that no hackers can replicate, he argued. Nor is it easy for companies that run their own data centers using diverse hardware and software to keep all that gear updated and patched. That means hackers can roam from company to company in search of vulnerabilities to exploit, and all too often, find them. Last year research found that 60% of companies that suffered a breach attributed it to the use of unpatched software. “It is very difficult for most organizations to apply updates and patches as quickly as attackers can turn them around for exploits,” James Lewis, senior vice president of CSIS and director of its technology program said after the event. “It’s a race that large enterprises can almost never win.”

This article by Alistair Bunkall was published in Sky News, 3 April 2019

Iran is being blamed for a wave of cyber attacks that targeted key parts of the UK’s national infrastructure in a major assault just before Christmas. It is understood that private sector companies, including banks, were also compromised in what has been described as an “ongoing” campaign. Sky News has learnt that the Post Office and local government networks were both hit in coordinated attacks on 23 December. The National Cyber Security Centre said it was “aware of a cyber incident affecting some UK organisations in late 2018” and that it was “working with victims and advising on mitigation measures”. Personal details belonging to thousands of employees were stolen, including the email address and mobile phone number of the Post Office chief executive Paula Vennells.

This article by Joseph Marks was published in The Washington Post, 17 April 2019

The Luhansk People’s Republic, a region that has claimed independence from Ukraine with the backing of Russia’s military, isn’t recognized by the United States, the European Union or NATO. But it has a hacking army and it’s targeting the Ukrainian government and military, according to new research from the cybersecurity company FireEye. This is probably the most extreme case to date of an ultra-small group targeting a national government with a sophisticated hacking operation, John Hultquist, FireEye’s director of intelligence analysis who co-wrote the report, told me. And it could usher in a new era of small nations or nonstate actors developing sophisticated hacking operations, he said. That could mean a big headache for the United States and other global powers, which will have to defend themselves against a new slate of digital adversaries.

This article by Lukasz Olejnik was published in Council on Foreign Relations, 1 April 2019

Cyber conflicts involving state actors are quickly becoming a geopolitical reality. Perhaps the most cited example, the alleged Russian interference in the 2016 U.S. election, is a continued source of conflict in U.S.-Russia relations. The story took another turn last October when the U.S. Cyber Command conducted an offensive cyber operation against the Internet Research Agency (IRA), the “Russian troll factory” linked to using disinformation campaigns during the 2016 elections, and onwards. While the operation has yet to be confirmed by the U.S. government, media reports and U.S. officials’ commentary taken together suggest the event occurred. The U.S. action, which took place during the 2018 midterm elections, has been portrayed as a defensive warning against Russia and other U.S. adversaries online. But the result of the offensive operation may, however, in the end benefit Russia and possibly contribute to escalation in the cyber domain globally.

This article by Elizabeth Schulze was published in CNBC, 21 April 2019

The United States and China are racing to build out high-speed 5G networks, and President Donald Trump doesn’t want America to come in second place. Last week, Trump introduced initiatives to speed up the rollout of new wireless networks across the U.S., saying “the race to 5G is a race America must win.” But experts say the U.S. still lacks a clear 5G strategy that goes beyond attacking Huawei, a Chinese tech giant and the world’s biggest supplier of telecommunications equipment. “I think they’ve been rather leaden-footed in the way they’ve responded,” Nigel Inkster, a former British intelligence official and senior advisor at the International Institute for Strategic Studies, told CNBC’s Beyond the Valley. “Firstly by lacking an explicit, government-articulated strategy in relation to 5G which is only now starting to emerge, but also in arguing or shaping the challenge from China and from Huawei solely as an espionage issue.”

Tags: GCSC Commissioner Nigel Inkster.

This article by Motohiro Tsuchiya was published in Nippon, 16 April 2019

Rising trade tensions between the United States and China are just one facet of a high-stakes geopolitical fight for techno-hegemony, writes political scientist and GCSC Commissioner Tsuchiya Motohiro. The 55th Munich Security Conference, held in February 2019, bore witness to the rise of a bitter US-China rivalry as the defining force in twenty-first century geopolitics. The MSC, described by the Japanese Ministry of Defense as “one of the most prestigious privately sponsored international security conferences in the West,” began in 1963, during the Cold War years, as a low-key dialogue between the United States and what was then West Germany. Since then, it has grown into the largest gathering of its kind, drawing heads of state and other officials from around the world, together with representatives of academia, civil society, private industry, and the media. (Among the attendees last February were 52 members of the US Congress.) With its origins as a Cold War security forum, the MSC long focused on tensions between the North Atlantic Treaty Organization on the one hand and the Soviet Union on the other. Even after the collapse of the Soviet Union, the NATO-Russia standoff continued to dominate the conversation. (Indeed, NATO Secretary General Jens Stoltenberg and Russian Foreign Minister Sergey Lavrov were among the featured speakers this year.) But this past February, the emphasis began to shift.

Non-state Actors and Private Stakeholders

Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.

This article by Adam Satariano and Nicole Perlroth was published in The New York Times, 15 April 2019

Mondelez, owner of dozens of well-known food brands like Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the so-called NotPetya cyberstrike in 2017. After the ordeal, executives at the company took some solace in knowing that insurance would help cover the costs. Or so they thought. Mondelez’s insurer, Zurich Insurance, said it would not be sending a reimbursement check. It cited a common, but rarely used, clause in insurance contracts: the “war exclusion,” which protects insurers from being saddled with costs related to damage from war. Mondelez was deemed collateral damage in a cyberwar. In a closely watched legal battle, Mondelez sued Zurich Insurance last year for a breach of contract in an Illinois court, and Merck filed a similar suit in New Jersey in August. In the Mondelez and Merck lawsuits, the central question is whether the government’s attribution of the NotPetya attack to Russia meets the bar for the war exclusion.

This article by Greg Otto was published in CyberScoop, 24 April 2019

The last few years have been an awakening for Election Systems & Software. Before 2016, very few people were publicly pressing the company to change the way it handled its cybersecurity practices. Now, the nation’s leading manufacturer of election technology has become a lightning rod for critics.

Tags: GCSC Call to Protect Electoral Infrastructure.

This article by Scott Ikeda was published in CPO Magazine, 24 April 2019

Supply chain attacks have been in the news recently due to suspicions of nation-state agencies planting surveillance chips at the hardware manufacturing level. While these spy tales are fascinating, they also are not the most immediate threat that the average business faces from their supply chain. As the March attack on major IT outsourcing firm Wipro Ltd. illustrates, vulnerable IT service providers are much more likely to create an entry point into a business network.

Tags: GCSC Norm to Reduce and Mitigate Significant Vulnerabilities.

This article by Andy Greenberg was published in WIRED, 23 April 2019

The Security sector is waking up to the insidious threat posed by software supply chain attacks, where hackers don’t attack individual devices or networks directly, but rather the companies that distribute the code used by their targets. Now researchers at security firms Kaspersky and ESET have uncovered evidence that the same hackers who targeted Asus with that sort of supply chain hack earlier this year have also targeted three different videogame developers—this time aiming even higher upstream, corrupting the programming tools relied on by game developers.

Tags: GCSC Norm to Avoid Tampering, GCSC Norm to Reduce and Mitigate Significant Vulnerabilities.

This article by Eileen Yu was published in ZDNet, 6 April 2019

Dropbox has uncovered 264 vulnerabilities, paying out US$319,300 in bounties, after a one-day bug hunt in Singapore that brought together hackers from 10 nations around the world. Hosted by bug bounty platform HackerOne, the live event saw 45 of its members from countries such as Japan, India, Australia, Hong Kong, and Sweden, and some as young as 19, band together in the city-state in an attempt to infiltrate Dropbox’s targeted systems. Noting that the company already had a mature bug bounty program, the Dropbox spokesperson said it had established a “well-defined process” for reviewing bugs reported from such initiatives as well as determining their severity and necessary remedies.

This article by Lily Hay Newman was published in WIRED, 9 April 2019

In March 2017, the Android security team was feeling pleased with itself. The group had detected, analyzed, and neutralized a sophisticated botnet built on tainted apps that all worked together to power ad and SMS fraud. Dubbed Chamois, the malware family had already cropped up in 2016 and was being distributed both through Google Play and third-party app stores. So the Android team started aggressively flagging and helping to uninstall Chamois until they were sure it was dead. Eight months later, though, in November 2017, Chamois roared back into the Android ecosystem, more ferocious than before. By March 2018, a year after Google thought it had been vanquished, Chamois hit an all-time high, infecting 20.8 million devices. Now, a year after that zenith, the Android team has whittled that number back down to fewer than 2 million infections. And at the Kaspersky Security Analyst Summit in Singapore this week, Android security engineer Maddie Stone is presenting a full post-mortem on how Google fought back against Chamois—again—and how personal the rivalry became.

This article by Lily Hay Newman was published in WIRED, 15 April 2019

On Friday night, Microsoft sent notification emails to an unknown number of its individual email users—across Outlook, MSN, and Hotmail—warning them about a data breach. Between January 1 and March 28 of this year, hackers used a set of stolen credentials for a Microsoft customer support platform to access account data like email addresses in messages, message subject lines, and folder names inside accounts. By Sunday, it acknowledged that the problem was actually much worse. It may seem odd that a single set of customer support credentials could be the keys to such a massive kingdom. But within the security community, customer and internal support mechanisms are increasingly seen as a potential source of exposure. On the one hand, support agents need enough account or device access to be able to actually help people. But as the Microsoft incident shows, too much access in the wrong hands can cascade into a dangerous situation.

This article by Catalin Cimpanu was published in ZDNet, 11 April 2019

Microsoft published today a generic “security configuration framework” that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. “We sat down and asked ourselves this question: if we didn’t know anything at all about your environment, what security policies and security controls would we suggest you implement first?,” said Chris Jackson, Principal Program Manager at Microsoft. The end result was what Microsoft has named the SECCON framework, which organizes Windows 10 devices into one of five distinct security configurations. “Mimicking the DEFCON levels used to determine alert state by the United States Armed Forces, lower numbers indicate a higher degree of security hardening,” Jackson said.

This article by Todd Spangler was published in Variety, 4 April 2019

Facebook chairman and CEO Mark Zuckerberg reiterated his call for governments to step in with new regulations governing internet platforms, saying in an ABC Newsinterview that his company needs laws regulating political speech. “We need new rules,” Zuckerberg said. He was interviewed by ABC News chief anchor George Stephanopoulos at Facebook’s Menlo Park, Calif., headquarters. The interview, recorded Wednesday, aired on “Good Morning America” Thursday morning. “The current laws around what is political advertising don’t consider discussion issues to be political,” Zuckerberg said, referring to attempts by Russia and others to disrupt elections with misinformation campaigns on social media. “It’s not clear to me that we want a private company to be making that kind of a fundamental decision about what is political speech and how should that be regulated. That seems like something there should be a more democratic process around.”

This article by Quinta Jurecic was published in Lawfare, 15 April 2019

Julian Assange’s arrest was a long time coming. After seven years hiding in Ecuador’s London embassy and a number of false alarms, the WikiLeaks founder was finally evicted from the building and passed to British law enforcement on April 11. Though journalists and commentators have long speculated that U.S. charges against Assange might stem from Assange’s role in coordinating the release of Democratic Party information hacked by the Russian government, the truth turned out to be very different: The United States unsealed an indictment charging Assange with conspiracy, dating back to his 2010 exchanges with Chelsea Manning that led to the release of 250,000 classified U.S. diplomatic cables. The indictment and arrest created a natural opportunity to look back over the controversies that have long swirled around Assange. In the days after his arrest, I sat down to watch two documentaries on the WikiLeaks founder: “We Steal Secrets,” a 2013 film by Alex Gibney, and Laura Poitras’s 2017 “Risk.” Though the documentaries are very different, both are accounts of the filmmakers’ darkening view of Assange, who goes from a maverick hero to a much more difficult and complicated figure over both features’ running time. Poitras, in fact, recut her entire movie to show Assange in a harsher light following the 2016 election.

Others

Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity

This report was published by ENISA, 16 April 2019

There is a growing recognition that technical cyber security measures do not exist in a vacuum, and need to operate in harmony with people. This has led to a plethora of academic research that seeks to address the role of the human in cybersecurity. It is against this backdrop that ENISA has conducted four evidence-based reviews of human aspects of cybersecurity: two based on the use (and effectiveness) of models from social science; one on qualitative studies; and one on current practise within organisations.

This article by Steve Olshansky and Robin Wilton was published in Internet Society, 11 April 2019

As adoption of Internet of Things devices increases, so does the number of insecure IoT devices on the network. These devices represent an ever-increasing pool of computing and communications capacity open to misuse. They can be hijacked to spread malware, recruited to form botnets to attack other Internet users, and even used to attack critical national infrastructure, or the structural functions of the Internet itself. The problem this poses is what to do about IoT as a source of risk. This blog post includes reflections on events that came to light in recent weeks, sets out some thoughts about technical mitigations, and sketches out the boundaries of what we think can be done technically.

Breaking Down Modern Botnets

This article by Geraldine Hunt was published in TitanHQ, 17 April 2019

“Botnets” is the term given to a group of computers infected with malware and used in collaborated attacks against publicly accessible servers. An attacker controls all malware-infected computers from a central location. Once the attacker determines a target, the central location sends commands to botnet computers to flood traffic to the target. The result can be an overwhelming amount of traffic sent to a server that is unable to handle these traffic volumes and services are taken offline. Botnets are responsible for DDoS attacks on Internet resources.

This article by Andy Greenberg was published in WIRED, 11 April 2019

For the first time since 2012, WikiLeaks founder Julian Assange no longer has the legal protections of the Ecuadorean Embassy in London. He now faces the criminal charges he’s always suspected and feared—although it’s now clear that he’s accused of criminal behavior not as a journalist, or even a spy, but a hacker. The indictment centers on an incident nine years ago, when Assange allegedly told his source, then Army private Chelsea Manning, that he would help crack a password that would have given her deeper access to the military computers from which she was leaking classified material to WikiLeaks. It’s not clear if Assange ever successfully cracked the password. Furthermore, the Justice Department is charging Assange under a statute that labels his alleged hacking an “act of terrorism.” But prosecutors have at least skirted a potentially bigger source of controversy: the First Amendment.

This article by J.M. Porup was published in CSO, 8 April 2019

An attacker claiming to be ISIS took control of the official email account of the Saudi Embassy in the Netherlands in August, 2014 and sent emails to more than a dozen embassies at The Hague demanding $50 million for ISIS, or they would blow up a major diplomatic reception, documents seen by CSO reveal. The attack compromised the Saudi embassy’s non-classified computer network. They deployed a garden-variety rootkit on the workstation of the ambassador’s secretary and took over the embassy’s official email account. No one was ever formally held accountable, despite an internal investigation. Given the low sophistication of the attack, experts tell CSO it’s impossible to say whether the attacker really was part of an organized effort by ISIS, a random supporter, or a nation-state intelligence agency masquerading as ISIS for motives unknown.

This article by Ashish Kumar Sen was published in the Atlantic Council, 23 April 2019

A tweet can reveal your location, an Apple Watch monitors your health, a grocery chain loyalty card allows the supermarket to track your purchases. All of this constitutes what Michael Chertoff describes as “digital exhaust”—data that we constantly and unconsciously emit. The challenge this poses is how to protect that data in an increasingly interconnected world. Even as governments grapple with this challenge, “we also should consider the next generation of technology that is going to support the Internet—and that is 5G,” said Chertoff.

Tags: GCSC Co-Chair Michael Chertoff.

This article by Meaghan Tobin was published in the South China Morning Post, 20 April 2019

The region is shaping up as a key battleground in a war between the US and China to influence the roll-out of superfast 5G internet services, billed by experts as an era-defining technological shift that could pave the way for breakthroughs in everything from artificial intelligence to the creation of smart cities. In the West, the battles are going Washington’s way. Its claims that Huawei is a front for Chinese espionage have prompted every single one of its fellow members in the Five Eyes intelligence sharing community – Canada, the United Kingdom, Australia and New Zealand – to question the wisdom of dealing with the company. But in Southeast Asia, where Huawei estimates there will be 80 million customers within the next year and US$1.2 trillion of business opportunities over the next five years, Washington’s fears have had little impact. For James Andrew Lewis, director of the technology policy programme at Washington think tank the Centre for Strategic and International Studies (CSIS), the fundamental problem is “no one trusts China, not even its friends”. “The lack of trust is the result of China’s coercive policies and from its massive global espionage campaign. Huawei offers good equipment at heavily subsidised prices, and this is tempting for most governments – many countries will choose cheap but not secure. If Huawei was a Brazilian company, most of its problems would go away, but because it is seen as a tool of the Chinese state, people are nervous about buying from them,” said Lewis, who previously worked for the US government as a foreign service officer.

Tags: GCSC Commissioner James Lewis.

This article by Joseph Marks was published in The Washington Post, 18 April 2019

Want to know the most effective ways businesses defend themselves against hacking? Good luck. There’s a mountain of marketing material about that and other cybersecurity topics, but a dearth of high-quality, vetted data that researchers can use to draw their own conclusions, cybersecurity academic Tyler Moore tells me. That’s because most cybersecurity research relies on data from companies about hacking attempts against their clients — and the companies are wary of sharing that data too broadly because of privacy concerns. But without more public raw data, researchers are only seeing a slice of the pie. And that makes it difficult to draw big-picture conclusions or to give definitive answers to even basic questions — such as where our greatest digital vulnerabilities are and which defensive measures are most effective at combating them, said Moore, an associate professor of cybersecurity and information assurance at the University of Tulsa.

This article by Anri van der Spuy was published in Research ICT Africa, 16 April 2019

UNESCO published its Internet Universality Indicators: A Framework for Assessing Internet Development. As a member of the consortium responsible for undertaking project for UNESCO, Research ICT Africa undertook pre-testing and pilots of the indicators in Senegal and Nigeria, and GCSC Research Advisory Group member Anri van der Spuy is one of the co-authors of the report with Dr David Souter. The final framework contains 303 indicators, including 109 core indicators, distributed under six categories, 25 themes, and 124 questions. Besides the four ROAM categories, 79 cross-cutting indicators address issues related to gender equality and the needs of children and young people, sustainable development, trust and security, as well as legal and ethical aspects of the Internet. The framework was developed through a global, open, and inclusive multistakeholder consultation both online and offline.

A full-text version of the framework is available here: https://unesdoc.unesco.org/ark:/48223/ pf0000367617.

This video was published in Bloomberg, 9 April 2019

Former U.S. State Department Cybersecurity Coordinator Chris Painter discusses the breach of security at President Donald Trump’s Mar-a-Lago resort, and the departure of U.S. Homeland Security Secretary Kirstjen Nielsen from her position. He speaks with Bloomberg’s Emily Chang on “Bloomberg Technology.”

Events

Chatham House Cyber 2019: Securing the future: governance, protection and accountability

This article was published in Chatham House

Cyberspace is growing at a faster rate than industries and governments have been able to keep pace. It has become a global imperative to build a policy infrastructure and governance framework that can hold nation states and corporations accountable and keep citizens safe. Building on UN efforts, French President Emmanuel Macron announced the Paris Call for Trust and Security in Cyberspace in November 2018, and the Global Commission on Cyberspace has released its Norm Package to promote stability in cyberspace. However, the US, Russia and China have all refused to support the former and their competing resolutions continue to obstruct progress. State-to-state threats remain a complex issue, and with little consensus legislation and policy-making are struggling to keep up. Cyber attacks and cybercrime have also blurred the lines on accountability and attribution between governments, industry, and individuals. As cyber risks proliferate, it is critical that collaborative strategies and coherent policies are developed that facilitate responsible information sharing and protect critical infrastructure, business assets, and consumer data. The increased cyber risk environment is also an opportunity to assess how new technologies – artificial intelligence (AI), quantum computing – are shaping the threat landscape, and ways to future-proof cyberspace and retroactively address Internet of Things (IoT) vulnerabilities. There is little precedent for many of the issues raised, and society, governments and businesses are also now forced to consider the ethical implications of accelerated innovation. Securing cyberspace has turned philosophical problems into practical political concerns, with fundamental questions that need to be resolved on issues of governance, regulation and security.

TEISS Amsterdam 2019

This article was published in Qwoted, 21 April 2019

TEISS Amsterdam will feature parallel Streams, focusing on Culture & Education and Threats & Risks – giving you two conferences in one. In addition, TEISS Amsterdam will feature dedicated workshop sessions and in-depth Roundtable discussions. Join over 200 Cyber Security and Information Technology professionals to stay up-to-date on the latest threats and best-practice in leading organisational change. Speakers will include GCSC Commissioner Uri Rosenthal.

This article was published in the Atlantic Council, 23 April 2019

The eighth annual International Conference on Cyber Engagement (ICCE) was held on April 23, 2019, at the Lisner Auditorium in Washington, DC. The International Conference on Cyber Engagement has been organized since 2011 by Dr. Catherine Lotrionte, founder of the International Conference on Cyber Engagement and Brent Scowcroft Scholar at the Atlantic Council. This year, it was hosted for the first time by the Atlantic Council’s Scowcroft Center for Strategy and Security, in partnership with Dentons, PKO Bank Polski, and Texas A&M University. The International Conference on Cyber Engagement draws on the experience of government practitioners, industry representatives, and academic scholars to bring a multidisciplinary and global approach to challenges in cyberspace. Click here to view the full agenda with speakers in PDF form. Speakers included GCSC Co-Chair Michael Chertoff, GCSC Commissioner Christopher Painter, and ambassador Timo Koster of the GCSC Management Board.

Recordings of this conference are available on YouTube.

This article was published in Internet Governance Forum, 14 April 2019

The 2019 edition of the Best Practice Forum on Cybersecurity will focus on exploring best practices in relation to recent International Cybersecurity Initiatives. The BPF will analyse existing initiatives such as the Paris Call, the GCSC’s Six Critical Norms Towards Cyber Stability, the UN OEWG and GGE, and collect and share best practices around the implementation of suggested measures. Complete BPF proposal for 2019 work is available here.

This article by Mirko Zorz was published in Help Net Security, 17 April 2019

Cyber Week is a large international cybersecurity event, hosted each year at Tel Aviv University in Israel. Over the past eight years, Cyber Week has become internationally acclaimed as one of the top cybersecurity events in the world. In this interview with Help Net Security, Major Gen. (Ret.) Prof. Isaac Ben-Israel, Director of the ICRC – Blavatnik Interdisciplinary Cyber Research Center, talks about this unique gathering of cybersecurity experts, industry leaders, startups, investors, academics, diplomats, and government officials.

This article was published in the Atlantic Council, 16 April 2019

The Atlantic Council’s Scowcroft Center for Strategy and Security has announced its keynote speakers for the International Conference on Cyber Engagement (ICCE) 2019: Building Commonality in a Dynamic Global Domain. This will be the eighth annual ICCE, hosted on April 23, 2019, in Washington, DC, in partnership with Dentons, PKO Bank Polski, Texas A&M University and media partner The Cipher Brief. Speakers include GCSC Co-Chair Michael Chertoff.

This article was published by Leiden University, 16 April 2019

Former NATO Assistant Secretary General for Emerging Security Challenges, new director of the EU Satellite Centre and GCSC special advisor, Ambassador Sorin Ducaru, will give a guest lecture for students on the “Challenges for the Security and Stability of Cyberspace and their Impact upon Global Stability”.

Discussant: Prof. Joachim Koops, Scientific Director of the Institute of Security and Global Affairs.

Moderator: Dr. Vlad Niculescu-Dinca

Please register for this lecture via this form.

This article by Tan Tam Mei was published in The Straits Times, 4 April 2019

Singapore is discussing the right issues when it comes to laws against fake news but there are no easy answers, said former United States secretary for homeland security Michael Chertoff. Rather than debate aspects of misinformation that are outright deceptive – such as impersonation, artificial amplification of content and intervention by foreign entities – the harder question to answer is what constitutes fake news, said Mr Chertoff in his keynote speech on the second day of regional security conference Milipol Asia-Pacific 2019. “What’s fake or false? Sometimes it gets into the area of exaggeration or taking things out of context. Who decides what is false? And what is the remedy – do you shut it down completely or give a warning that the info is not true?”

This article was published in Market Watch, 4 April 2019

Unisys Corporation Chairman and CEO Peter Altabef will participate in a panel discussion on “Technological Transformations and Threats” on April 11 as part of the George W. Bush Presidential Center’s Forum on Leadership, a landmark annual gathering to develop, recognize and celebrate leadership. Altabef will appear on the panel along with Michael Chertoff, former secretary of the U.S. Department of Homeland Security and founder and executive chairman of The Chertoff Group. To be moderated by Eva Chiang, director of research and evaluation for the George W. Bush Presidential Center, the session is scheduled to begin at 1:15 pm on April 11 and will be live-streamed for media who cannot attend.

The Best of RSA Conference 2019

This article was published in Bank Info Security, 8 April 2019

At RSA Conference 2019 in San Francisco, Information Security Media Group’s editorial team conducted more than 150 video interviews with industry thought leaders. ISMG’s editorial team leveraged the power of two video studios – a closed studio within the confines of the nearby Marriott Marquis and an open studio along the new Broadcast Alley at the Moscone West main venue. Editors conducted more than 150 exclusive video interviews with some of the top thought leaders in the industry. These include CEOs, CISOs, analysts, researchers, law enforcement agents and educators. The topics included DevSecOps, GDPR compliance, security orchestration and automation, supply chain risk and how to improve cybersecurity education. Among those interviewed was GCSC Commissioner Christopher Painter.

Cyberstability Update – April 2019

Related

Video: Protecting the Public Core of the Internet: from Formulation to Implementation

Video: GCSC Cyberstability Stocktaking of Norms and Institutional Dialogues

GCSC at the Internet Governance Forum 2020