Global Commission Meets Alongside ICANN64 Forum in Japan
The Global Commission on the Stability of Cyberspace (GCSC) conducted its second meeting of 2019 alongside the ICANN64 Community Forum, on March 9-10 in Kobe, Japan. Hosted by the Japanese Ministry of Internal Affairs and Communications and in partnership with ICANN, the meeting offered GCSC members the opportunity to engage with the ICANN community, which lies at the foundation of Internet governance and multistakeholder cooperation. The Commission also met in closed sessions on March 9 and 10, with a focus on developing a definition of “cyber stability” and underlying principles in support of international efforts to advance peace and security in cyberspace. The Commission also continued its work to identify policy recommendations and a governance framework in which to embed norms and anchor stability in cyberspace. During its time in Japan, the Commission participated in several sessions of the ICANN64 program, including holding a public consultation with the ICANN At-Large Advisory Committee. Commissioners also had the opportunity to engage with several ICANN constituencies at the forum, providing briefings to the Generic Names Supporting Organization (GNSO), the Non-Commercial Users Stakeholder’s Group, the Noncommercial Users Constituency, and the Internet Service Providers and Connectivity Providers Constituency. In addition, Commissioners met with members of the ICANN Board and the Security and Stability Advisory Committee (SSAC).
This Cyberstability Update is an overview of all articles included in our Weekly Newsletters for the month. Want to receive these updates on a weekly basis? Sign up here to receive our weekly newsletter on the work of the Global Commission on the Stability of Cyberspace (GCSC), its members and developments in the field of international cyber policy.
National Policy
Going Cyber Nuclear: Is It Time For a Big Red Button?
This article by Stan Lowes was published in Forbes, 8 March 2019
It wouldn’t be an actual button. It’s more likely it would be a series of actionable software-script “launch codes,” jointly executed from multiple locations by designated officials and authorized by national command authority. But the impact would be near-instant: The United States of America’s internet would be cleaved off from the rest of the world, isolating U.S. network traffic from outside bad actors. Yes, it’s extreme. And it may not even be possible. But it’s time to consider such an approach given the current state of state-sponsored cyberterrorism. Bad actors have become more aggressive, and their tools, tactics and procedures have become more destructive.
France’s New Offensive Cyber Doctrine
This article by Arthur P.B. Laudrain was published in Lawfare, 26 February 2019
Since its November 2018 announcement of the Paris Call, a code of conduct for cyber space, France has turned to the offensive. On Jan. 18, French armed forces minister Florence Parly unveiled the country’s first doctrine for offensive cyber operations. This announcement is the latest in a series of deep and fast-paced measures aimed at organizing and clarifying the defense of French interests in cyberspace. The French approach to cybersecurity and defense contrasts with that embraced by the United States or the United Kingdom. Most notably, France assumes a clear separation between military and civilian cyber defense.
UK Cyber Security Watchdog Ramps Up Warnings over Huawei Risks
This article by David Bond and Nic Fildes was published in Financial Times, 28 March 2019
The UK watchdog set up to monitor products supplied by Huawei has issued its harshest warning yet over the cyber security risks posed by the Chinese telecoms company, raising fresh questions over Huawei’s future involvement in critical 5G systems. In a damning report published on Thursday, the Huawei oversight board stopped short of calling for an outright 5G ban on the Chinese company’s equipment in British telecoms networks. But the board, which is chaired by the head of GCHQ’s National Cyber Security Centre, said it will be “difficult to appropriately risk-manage future products in the context of UK deployments, until Huawei’s software engineering and cyber security processes are remediated”.
Russia Wants to Cut Itself Off from the Global Internet. Here’s What That Really Means
This article by Charlotte Jee was published in MIT Technology Review, 21 March 2019
Russia is planning to attempt something no other country has tried before. It’s going to test whether it can disconnect from the rest of the world electronically while keeping the internet running for its citizens. This means it will have to reroute all its data internally, rather than relying on servers abroad. If Russia can successfully set up its own DNS infrastructure across the country and compel its ISPs to use it, then Russian users are likely not to notice, unless they try to access a website that’s censored. The purpose, the Kremlin says, is to make Russia’s internet independent and easier to defend against attacks from abroad. Many observers see the move as part of Russia’s long tradition of trying to control the flow of information between citizens. Pulling an iron curtain down over the internet is a simple idea, but don’t be fooled: it’s a fiendishly difficult technical challenge to get right. It is also going to be very expensive. Not only that, but it has already proved deeply unpopular with the general public. Though it’s still not clear when, if ever, the law will become a reality, the Russian government isn’t known for being flexible or responsive to public pressure. It’s far more likely to be delayed than dead.
Russia’s new military internet to be supported by Arctic cable
This article by Atle Staalesen was published in The Barents Observer, 14 March 2019
A several-thousand-kilometer-long fiber optic cable is to be laid along the Russian Arctic coast as part of the Armed Forces’ building of a new closed internet. The system could ultimately also be used as the basis for a bigger sovereign all-national web, military developers say. The new system for exchange of digital information has been called the Multi-service Transport Network System (MTSS) and is under full development in the country. According to newspaper Izvestia, several fiber optic cables will be built to support the new MTSS. That includes one major cable laid across the country’s Arctic coast from Vladivostok in the east to Murmansk and Severomorsk in the west. The Armed Forces have already started preparing for the laying of the trans-Arctic cable, military officials told the newspaper. The MTSS will be fully isolated from the World Wide Web and all information will be stored on servers controlled by the Ministry of Defense. Data centers are reportedly under development in several places in the country. On 11th March, about 15,000 people rallied in downtown Moscow in protest against the government’s plans to build an autonomous Russian internet.
Russia Internet Freedom: Thousands Protest against Cyber-Security Bill
This article was published in BBC, 10 March 2019
Thousands of people in Russia have protested against plans to introduce tighter restrictions on the internet. A mass rally in Moscow and similar demonstrations in two other cities were called after parliament backed the controversial bill last month. The government says the bill, which allows it to isolate Russia’s internet service from the rest of the world, will improve cyber-security. But campaigners say it is an attempt to increase censorship and stifle dissent. Activists say more than 15,000 people gathered in Moscow on Sunday, which is double the estimate given by the police. The government says the so-called digital sovereignty bill will reduce Russia’s reliance on internet servers in the United States. It seeks to stop the country’s internet traffic being routed through foreign servers. A second vote is expected later this month. If it is passed it will eventually need to be signed by President Vladimir Putin. Russia has introduced a swathe of tougher internet laws in recent years. On Thursday, its parliament passed two bills outlawing “disrespect” of authorities and the spreading of what the government deems to be “fake news”.
Is US Foreign Cyber Policy on Track?
This article by Tom Field was published in Bank Info Security, 27 March 2019
U.S. cyber-policy has faced a significant set of challenges in the past two years. How the country responds to the growing threats will shape its diplomatic, military and economic power. With the stakes this high, is the U.S. getting it right? In a video interview with Information Security Media Group at RSA Conference 2019 in San Francisco, Christopher Painter, commissioner of the Global Commission on the Stability of Cyberspace and former White House cybersecurity czar, discusses challenges to cybersecurity policy.
Bipartisan Bill Aims to Close Gap in Congressional Cybersecurity
This article by Kevin Collier was published in CNN, 27 March 2019
A bipartisan bill set to be introduced on Wednesday aims to close what is regarded as a major gap in congressional cybersecurity and extend the government’s protections to senators and their staffers’ personal phones and computers. The fact that Senate employees, especially those with high security clearance, enjoy federal security on their work devices but not the ones they purchase themselves has long been regarded as a glaring oversight by cybersecurity experts. Called the Senate Cybersecurity Protection Act, the bill would task the Senate sergeant at arms with extending cybersecurity training and prevention services for staffers’ personal use and devices. The sergeant at arms has previously said that it’s only permitted to use its funding for government-issued devices and accounts.
This article by Joseph Marks was published in The Washington Post, 12 March 2019
When President Trump took the oath of office in January 2017, cybersecurity industry officials were anxious — to put it mildly. They fretted about the possibility of whiplash-inducing policy shifts that would scrap years of progress protecting government and industry from cyberattacks. They feared that the outsider president — who’d already called on supporters to boycott Apple when it refused to help the FBI crack into its own encryption — might go to open war with the cyber and tech companies whose help he needed to secure the nation. Most importantly, they lamented how the incoming president refused to accept intelligence agencies’ conclusion that Russia was responsible for a hacking and influence operation that upended the election that brought him to office. They feared Trump, who famously suggested a lone 400-pound hacker could have been responsible, would stop naming and shaming its greatest foes in cyberspace. What a difference two years can make.
This article by Joseph Marks was published in The Washington Post, 5 March 2019
The country’s critical infrastructure is no safer from cyberattacks today than in May 2017 when President Trump signed an executive order pledging to better protect it, according to more than three-fourths of digital security experts surveyed by The Cybersecurity 202. The results of The Network survey are a sharp rebuke to the Trump administration, which has made protecting critical infrastructure such as airports, hospitals and energy plants a cornerstone of its cybersecurity policy — and is touting its accomplishments at the RSA cybersecurity conference in San Francisco this week. “There is some good work being done by DHS and other agencies, but this needs to be a national priority with presidential leadership and it’s not,” said Chris Painter, a former State Department cybersecurity coordinator.
Trump Asks for $9.6 Billion to Bolster Cybersecurity in 2020 Budget
This article by Kris Holt was published in Engadget, 11 March 2019
President Donald Trump has revealed his proposed budget for the 2020 fiscal year, which “supports the creation” of Space Force (USSF) as the sixth branch of the armed forces. The White House also hopes to bolster cybersecurity and NASA exploration missions. The administration wants to increase Department of Defense spending by five percent to $718 billion. It’s earmarking more than $9.6 billion to support three DOD cybersecurity objectives: “safeguarding DOD’s networks, information, and systems; supporting military commander objectives; and defending the nation.” That funding would help expand Cyber Command, the cyberwarfare division that was last year granted more authority to carry out operations against foreign agencies and actors. The proposal might be dead on arrival when it reaches the Democrat-controlled House, however. Trump wants $5 billion for the southern border wall, a hot-button partisan issue that was the root cause of the month-long government shutdown at the start of the year.
Can Cyber Policy Protect the 2020 Elections?
This article by Nick Holland was published in Bank Info Security, 29 March 2019
The latest edition of the ISMG Security Report features Chris Painter, Commissioner of the Global Commission on the Stability of Cyberspace, discussing cybersecurity policy for the 2020 U.S. elections.
Pentagon Hopes to Have New Cybersecurity Standards for Contractors in 2020
This article by Aaron Mehta and Mike Gruss was published in Fifth Domain, 27 March 2019
The Pentagon’s top acquisition official said the department is working with government agencies to develop cybersecurity standards that industry partners would need to follow before they can win a contract. In the past two years, Pentagon officials have become increasingly concerned that one of their greatest cybersecurity risks lies in the second- and third-tier contractors who work with the Defense Department and the largest defense companies. In written testimony dated March 26 to the Senate Armed Services Committee’s cybersecurity subpanel, John Luddy, the vice president for national security at the Aerospace Industries Association, said while he applauded the idea of reporting breaches and applying standards, “the dynamic nature of cyber security today makes it extremely difficult for small to mid-size suppliers to create self-sustaining cyber security programs capable of managing the risk posed by advanced adversaries.” AIA has suggested its own standard for cybersecurity, one that it argues is not a one-size-fits-all checklist for compliance.
Census Bureau Boosts Cybersecurity Efforts Ahead of 2020 Count
This article by Phil Goldstein was published in FedTech, 6 March 2019
The Census Bureau, after coming under scrutiny last year that it was not doing enough or being transparent enough about its cybersecurity efforts ahead of the 2020 decennial census, has disclosed it will conduct a red team analysis of its systems. Atri Kalluri, the chief of the decennial IT division, said last month at the regular Census Program Management Review meeting that the agency recently completed “red team” testing. A red team is an inside group that explicitly challenges an organization’s strategy or ideas and looks at them from the point of view of an adversary to find weaknesses and avoid mistakes. The stepped-up efforts come amid scrutiny of the census. Last summer, 11 former U.S. cybersecurity officials sent a letter to the Commerce Department expressing their concerns about the Census Bureau’s cybersecurity preparations for the count. The letter was signed by several luminaries from the federal cybersecurity world, including J. Michael Daniel, former cybersecurity for the National Security Council; Matthew Olsen, former director of the National Counterterrorism Center; and Christopher Painter, former coordinator for cyber issues at the State Department.
Statement by James A. Lewis, 26 February 2019
James A. Lewis, senior vice president at CSIS, testified before the House Homeland Security Committee’s Subcommittees on Transportation and Maritime Security, and on Cybersecurity, Infrastructure Protection, and Innovation on “Securing U.S. Surface Transportation from Cyber Attacks.”
European Affairs
EU Gathers Momentum in Cyber Security Legislation and Cooperation
This article by Warwick Ashford was published in ComputerWeekly, 25 February 2019
There has been significant progress in cyber security-related legislation in the European Union (EU) in the past two years, according to Carl-Christian Buhr, deputy head of cabinet for Mariya Gabriel, European commissioner for digital economy and society. “Since European Commission president Jean-Claude Juncker set the stage in his state of the union address in 2017, a lot has happened, including the transposition of the directive on security of network and information systems (NIS Directive) into law in member states,” Buhr told the CyberSec Brussels Leaders’ Foresight 2019 event.
MEPs back divisive EU copyright overhaul
This article by Damon Embling was published in EuroNews, 26 March 2019
It’s pitted Europe’s creative industries against tech companies and internet activists. MEPs have thrown their support behind a controversial overhaul of the bloc’s copyright rules, which date back two decades. The changes will force the likes of Google and Facebook to pay publishers for use of news snippets – and filter out protected content. “I’m very relieved that we achieved to announce something and give the signal to all our European creators that the European parliament is on their side,” said German MEP Axel Voss. Greek MEP Maria Spyraki, a former journalist, added: “For all of them, that are protesting in the streets, I would like to say that the liberty of us is finishing, diminishing when it starts the liberty of the others, when the rights of the others has started.” Platforms will have to sign licensing agreements with all sorts of content creators, ranging from musicians to journalists. Critics fear the new rules may be too costly and block too much content. But supporters say it will improve the position of producers. Dutch MEP Marietje Schaake said: “People are promising that publisher rights are going to save the media. If was only that simple, I really think that there is more that needs to happen to protect a pluralist, quality journalism.”
Ten European lawmakers say they voted against pivotal copyright amendment by accident
This article by James Vincent was published in The Verge, 27 March 2019
Ten members of the European Parliament (MEPs) have said they voted against a crucial amendment to yesterday’s controversial Copyright Directive by accident. The legislation was approved by the EU Parliament yesterday, with 348 MEPs voting in favor and 274 against. But a last-minute amendment that would have let MEPs take a further vote on the inclusion of Articles 11 and 13 — the most criticized parts of the law, known as the “link tax” and “upload filter,” respectively — was rejected by just five votes. Official voting records published by the EU show that 13 MEPs have declared they accidentally voted the wrong way on this amendment. According to the record, 10 MEPs say they accidentally rejected the amendment when they meant to approve it, two MEPs accidentally approved the amendment, and one MEP says he intended not to vote at all. If these MEPs had voted as they said they meant to, the amendment would have been approved by a slim majority. Then there would have been further votes on whether the law would include Articles 11 and 13 (renamed articles 15 and 17 in the final draft), though no one can say how those would have gone. These voting records are routinely published by the EU, and they give MEPs the chance to correct the record if they voted the wrong way on legislation accidentally. But those corrections have no effect on the outcome of votes, even if a majority one way or the other is gained or lost. “There is zero recourse,” says Marietje Schaake, a Dutch MEP who brought attention to the mistaken votes on Twitter. Schaake told The Verge: “For the record, you can change [your vote], but as the President calls it, that’s the result. Whatever the President calls is what matters.”
Russia Can No Longer Be Considered a ‘Strategic Partner’, Say MEPs
This article by the European Parliament was published in Press Releases, 12 March 2019
On Tuesday, MEPs agreed that the EU should remain open to imposing further sanctions if Russia continues to violate international law. Parliament adopted on Tuesday a resolution by 402 votes to 163, with 89 abstentions, assessing the current state of EU-Russia political relations. MEPs condemn Russia’s disinformation campaigns and cyber attacks, aimed at increasing tensions within the EU and its member states. They are deeply concerned that the EU’s response to propaganda and disinformation is insufficient and should be further strengthened, in particular before the upcoming European elections in May 2019. In this regard, the funding and human resources for the EU’s East Stratcom Task Force must be substantially increased, they stress.
Global Governance
How to Govern a Digitally Networked World
This article by Fadi Chehadé and Anne-Marie Slaughter was published in Project Syndicate, 25 March 2019
Governments built the current systems and institutions of international cooperation to address nineteenth- and twentieth-century problems. But in today’s complex and fast-paced digital world, these structures cannot operate at “Internet speed.” Recognizing this, United Nations Secretary-General António Guterres last year assembled a high-level panel – co-chaired by Melinda Gates and Alibaba co-founder Jack Ma – to propose ways to strengthen digital governance and cooperation. (Fadi Chehadé, a co-author of this article, is also a member.) It is hoped that the panel’s final report, expected in June, will represent a significant step forward in managing the potential and risks of digital technologies.
Cyberspace and International Law: The Penumbral Mist of Uncertainty
This article by Michael N. Schmitt was published in Harvard Law Review, 29 March 2019
It has become de rigueur to characterize cyberspace as a new dimension of warfare, one devoid of international law and subject to catastrophic abuse. In fact, malevolent states, cyberterrorists, or malicious hackers will likely exploit cyberspace to strike at global critical infrastructure and other essential cyberassets. The ensuing consequences of such operations could range from the disruption of government functions and economic loss to massive physical destruction and widespread death. The prominent place cyberspace occupied in the Director of National Intelligence’s 2013 worldwide threat assessment was therefore neither hype nor hyperbole. History may help place the concerns regarding cyberoperations in perspective.
Are Tech Companies Becoming the Primary Legislators in International Cyberspace?
This article by Ido Kilovaty was published in Lawfare, 28 March 2019
The global regulation of cybersecurity is one of the most contentious topics on the international legal plane. States, the actors primarily responsible for arranging most other international regulatory regimes, have so far been incapable of reaching a consensus on how to govern international cyberspace. For example, in 2017, the United Nations Group of Governmental Experts, arguably the most promising effort to create international norms for cyberspace, collapsed. In this vacuum, private tech companies are seizing the opportunity to create norms and rules for cyber operations, essentially creating a privatized version of cybersecurity law. As Julie Cohen argued recently, the “dominant platforms’ role in the international legal order increasingly resembles that of sovereign states.” This increasing involvement of tech platforms is challenging to the structure, values and future of the international legal system. But tech companies, unlike governments, need not respect values such as accountability, transparency or fairness. This post details the norms that tech companies have articulated or emphasized and highlights the gaps that remain.
How US and Russia Can Lay Down the Rules of the Cyber-Road
This article by Joseph S. Nye was published in Arab News, The Korea Times, The Strategist, and Project Syndicate, 5 March 2019
Deterrence by threat of retaliation remains a crucial but underused tactic for preventing cyberattacks. There has been no attack on US electrical systems, despite the reported presence of Chinese and Russians on the grid. Pentagon doctrine is to respond to damage with any weapon officials choose, and deterrence seems to be working at that level. Presumably, it could also work in the gray zone of hybrid warfare, such as Russia’s disruption of democratic elections. But deterrence will not be enough. The US will also need diplomacy. Negotiating cyber-arms control treaties is problematic, but this does not make diplomacy impossible. If traditional arms control treaties are unworkable, it may still be possible to set limits on certain types of civilian targets, and to negotiate rough rules of the road that minimize conflict.
Cyber Diplomacy or Mr. Robot Dystopia?
This video was published in KCTS9, 12 March 2019
In episode 8 of the 2019 season of The Open Mind, former State Department Advisor Chris Painter discusses digital security, foreign policy, and the international order.
Threats and Risk Mitigation
The 7 Biggest Cybersecurity Threats In An IoT World
This article by Jason Compton was published in Forbes, 26 March 2019
Widely cited estimates put current IoT data output at 2.5 quintillion bytes daily, which will grow as the IoT encompasses up to 30 billion devices within the next two years. “With so many devices coming out and the IoT being so new to everybody, it’s difficult for most organizations, especially smaller ones,” says Troy La Huis, digital risk leader at the accounting, consulting and technology firm Crowe. As the scale grows, so do the risks. Take a look at seven of the most significant cybersecurity threats the IoT poses today, and read on to find out how cybersecurity leaders and advisers can stay ahead of the challenges.
Half of industrial control system networks have faced cyberattacks, say security researchers
This article by Danny Palmer was published in ZDNet, 27 March 2019
Industrial control systems in manufacturing, energy, chemical and other environments are coming under an increasing number of cyberattacks, as hacking groups of all kinds attempt to breach these networks. By targeting industrial systems, attackers can potentially do vast amounts of damage, ranging from using backdoors to make off with sensitive data, to causing the network to shut down due to a ransomware attack, or even creating dangerous situations in which industrial systems break down, causing physical damage. Many control systems still run on old or bespoke operating systems, making them vulnerable to interference, and cyber attackers ranging from criminal gangs to state-backed hacking groups know this and are looking to take advantage.
Firms urged to gear up for new malware and tactics as threats proliferate
This article by Warwick Ashford was published in ComputerWeekly, 26 March 2019
Global malware attacks rose in 2018 for the third consecutive year, with a record number of 10.52 billion attacks recorded, according to the latest Cyber threat report by security firm SonicWall. The number of malware attacks was up 22% compared with 2017, and up 29% compared with 2016, with more than 391,600 new attack variants identified in the past year, including 74,290 never-seen-before attacks. The report was based on threat intelligence obtained from SonicWall’s more than one million sensors around the world and showed that in addition to an escalation in the volume of cyber attacks, cyber attackers were using new, targeted threat tactics. “The concern over security and privacy is more prevalent than ever before. Industry and government must collaborate to build a more secure environment, mitigate risk, and build citizen trust in government and consumer trust in business,” said Michael Chertoff, executive chairman and co-founder of The Chertoff Group, and former US secretary of homeland security.
Machine Learning Can Use Tweets to Spot Critical Security Flaws
This article by Andy Greenberg was published in WIRED, 7 March 2019
At the endless booths of this week’s RSA security trade show in San Francisco, an overflowing industry of vendors will offer any visitor an ad nauseam array of “threat intelligence” and “vulnerability management” systems. But it turns out that there’s already a decent, free feed of vulnerability information that can tell systems administrators what bugs they really need to patch, updated 24/7: Twitter. And one group of researchers has not only measured the value of Twitter’s stream of bug data but is also building a piece of free software that automatically tracks it to pull out hackable software flaws and rate their severity.
This article was published in Digital Journal, 23 March 2019
Botnet Detection Market in Asia Pacific is expected to register an accelerated growth over the forecast timeline due to the rising adoption of IoT and rapidly increasing penetration of smartphones, leading to the increased vulnerability of connected devices. China dominated the global network of botnets in 2017. In June 2017, Kaspersky Lab reported that 17,060 botnets were detected in China where the botnet activity was reported to be 80% higher as compared to the U.S. where 7,350 bots were detected. North America is projected to hold a major share of the botnet detection market due to the rising incidents of botnet attacks in the region. Government agencies, such as the U.S. Department of Defense, are propagating actions for taking necessary steps against the rapid proliferation of malware attacks by developing advanced automation methodologies. A report released by the U.S. Department of Homeland Security and Commerce in May 2018 has identified botnet attacks as a global problem and has advocated enhancing the resilience of the internet and communications ecosystems in the country against botnets and other types of automated and distributed threats.
Asus Just Patched the ShadowHammer Malware That Was Masquerading As A Security Update
This article by Sean Hollister was published in The Verge, 26 March 2019
That “critical” software update for your Asus computer may have actually been malware, planted by hackers in a targeted attack now known as “ShadowHammer,” we learned yesterday. Now, Asus says it has a fix in the form of an actual security update — one that you can download using its Live Update software tool. In addition, the company says it has a second “security diagnostic” tool you can use to scan to see if your computer has been affected. “[W]e encourage users who are still concerned to run it as a precaution,” reads part of the company’s press release, which includes a link to the software.
Montreal-Based UN Aviation Agency Tried to Cover Up 2016 Cyberattack, Documents Show
This article by Debra Arbec was published in CBC News, 27 February 2019
In November 2016, the Montreal-based International Civil Aviation Organization (ICAO) was hit by the most serious cyberattack in its history, and internal documents obtained by CBC suggest key members of the team that should have prevented the attack tried to cover up how badly it was mishandled. As the United Nations body that sets standards for civil aviation around the world, ICAO is the gateway to everyone in the aviation industry, so an uncontained cyberattack left not just ICAO vulnerable, but made sitting ducks of its partners worldwide. The documents obtained by CBC suggest the hacker was most likely a member of Emissary Panda, a sophisticated and stealthy espionage group with ties to the Chinese government.
Medical AI systems could be vulnerable to adversarial attacks
This article was published in Harvard Law Today, 26 March 2019
A new paper published in Science by a team of researchers from Harvard University and MIT suggests that medical artificial intelligence systems could be vulnerable to adversarial attacks. The paper was co-authored by Harvard Law School Professor Jonathan Zittrain ’95, faculty director of the Berkman Klein Center for Internet & Society at Harvard University; John Bowers, a researcher at Berkman Klein Center; Samuel Finlayson, an M.D. Ph.D. candidate at Harvard and MIT; Isaac Kohane M.D. Ph.D., chair of the department of Biomedical Informatics at Harvard Medical School; Andrew L. Beam Ph.D., an instructor in the department of Biomedical Informatics at Harvard Medical School; and Joichi Ito, director of the MIT Media Lab. In their article, “Adversarial attacks on medical machine learning,” the authors note that medical machine-learning systems may be uniquely susceptible to such attacks because of the specific systems and incentives at play in the medical industry. With competing interests within health care and billions of dollars at stake, various players in the health care system could be motivated to influence the system in “subtle, impactful, and sometimes ethically ambiguous ways,” making medical AI systems a likely ground zero for the emergence of adversarial attacks.
Never Mind the Hype. 5G Is Arriving with Deeply Mysterious Baggage
This opinion article by John Naughton was published in The Guardian, 10 March 2019
5G will require eye-watering levels of investment in new kit by the network operators. The big question is: who makes the kit? The answer is a very select group of companies – Nokia, Ericsson, DoCoMo, Samsung, ZTE and Huawei. Things get interesting when we note their countries of origin – respectively, Finland, Sweden, Japan, South Korea, China, China. The dominant company in the market at the moment is Huawei, a $100bn giant which is the world’s largest supplier of telecoms equipment and its second largest smartphone maker. In the normal course of events, therefore, we would expect that the core networks of western mobile operators would have a lot of its kit in them. And initially, that’s what looked like happening. But in recent months someone has pressed the pause button.
The Huawei Threat Isn’t Backdoors. It’s Bugs
This article by Lily Hay Newman was published in WIRED, 28 March 2019
A report on Thursday from a British government oversight group found that Chinese telecom-equipment maker Huawei has basic, but deeply problematic flaws in its product code that create security risks. The shortcomings, many of which Huawei had previously promised to improve, stem from issues with its software development processes, according to the report. Though the geopolitical discourse has gotten heated, the report concluded that the flaws in Huawei’s code are related to “basic engineering competence and cyber security hygiene” and could be exploited by anyone. The report does not conclude that the bugs are intentional backdoors created for the Chinese government. Such broad exposure is still problematic—it could be exploited as well by US espionage agencies and the rest of the Five Eyes, but that’s of less concern to the White House. “There is no backdoor, because Huawei doesn’t need a backdoor. It has a front door,” says James Lewis, a former State Department official and director of the Center for Strategic and International Studies’ Technology and Public Policy Program. “The UK government has lots of problems with Chinese hacking. It’s not like there are Swedish hackers breaking in to steal British intellectual property every week. If Huawei was a Swedish company or a Brazilian company or something it wouldn’t be having these troubles. But it’s seen as a tool of a very aggressive Chinese government.”
When Russia meddles, what’s a business to do?
This article by David Ignatius was published in the Albuquerque Journal, 24 March 2019
When the debris settles after special counsel Robert Mueller completes his investigation into Russian hacking of the 2016 presidential election, America will still be left with the underlying problem that triggered the probe in the first place – the threat of malicious cyberattacks against political parties, corporations and anybody else who uses the internet. Mueller’s findings about President Trump will have their own fiery afterlife on Capitol Hill, which nobody can predict. But Congress should also be thinking about the less-sexy fallout from the investigation, which highlighted the vulnerability of all data to foreign spies, meddlers and information pirates. Private companies are going on the offensive in cyberspace, too – even though the legal terrain is murky and there’s a big risk of triggering a tit-for-tat melee. American history offers an unlikely lesson in how cyber-offense might be enhanced and also regulated, as explained by Michael Chertoff, former secretary of homeland security, in his recent book “Exploding Data.”
Russia’s cyber blindspot: Vulnerabilities and measures
This article by Nicholas Morgan was published in Global Risk Insights, 26 March 2019
Russian officials have announced plans to disconnect the nation from the wider internet to protect against cyber-attacks. Frequently depicted as a cyber aggressor, Russia suffers from numerous significant weaknesses in its own approach to cyber-attacks. This article covers Russia’s past vulnerabilities to major cyber attacks and how these measures would be deficient in currently preventing one. In February, Russian officials declared that the country would conduct a test to “unplug” itself from the global internet by April 1st. By this, Russia will not completely cut its citizens’ access to the web. Instead, it would route all data between Russian firms and citizens away from international servers towards only domestic ones. Under the draft law, known as the Digital Economy National Program, Internet Service Providers (ISPs) must be capable of servicing domestic users during a shutdown. The process is an internal safeguard. Officials may implement this in the event of any foreign attempts to take the country offline through a cyber-attack. On the surface, the draft law is another step in the Kremlin’s attempts to exert greater control. The focus is over internet traffic within Russian territory. This follows other efforts to censor internet content and force companies to erect data centres for Russian users. However, this exercise may also mask another reality for Russian officials: their ill-preparedness for a major cyber-attack.
The Role of Hackathons in Driving Cybersecurity Forward
This article by Kayla Matthews was published in Security Boulevard, 19 March 2019
Hackathons bring tech-savvy people together in a collaborative setting to solve problems, advance a technology or produce another type of positive outcome. One of the issues hackathons can address is cybersecurity. According to a 2018 study, the global cybersecurity skills gap already comprises almost 3 million people, with the problem most severe in the Asia-Pacific region. Many universities have programs to give students the knowledge they need to quickly take on cybersecurity roles. Hackathons are among the various things students do to get ready to enter the job market. Former Homeland Security Secretary Michael Chertoff once referred to successful cybersecurity as a “team sport.” That may mean working with people from various organizations, which is something many individuals don’t get to experience often. The format of hackathons teaches people to focus on one thing they can contribute to reach the goal.
The Mueller Report Won’t Fix the Problem Underlying It All
This article by David Ignatius was published in The Washington Post, 22 March 2019
When the debris settles after special counsel Robert S. Mueller III completes his investigation into Russian hacking of the 2016 presidential election, the United States will still be left with the underlying problem that triggered the probe in the first place: the threat of malicious cyberattacks against political parties, corporations and anybody else who uses the Internet. U.S. history offers an unlikely lesson in how cyberoffense might be enhanced and also regulated, as explained by Michael Chertoff, former secretary of homeland security, in his recent book “Exploding Data.” Today, Chertoff said, the government could grant the equivalent of letters of marque to private cyberdefense companies. “To bolster its capacity to defend and deter cyberattacks, the government should train and license ‘privateers’ for certain specific operations . . . to assist in deterring attacks against U.S. companies and infrastructure,” he writes.
Interstate conflict
Cyber Warfare Is Still a Free-for-All
This article by Max Eddy was published in PC Magazine, 9 March 2019
Between cyberattacks against power grids and election influence campaigns, nations are increasingly waging war through the internet with the rest of us stuck in the middle. At RSA, experts pondered what, if anything, can be done to make everyone play nice. The main concern for panelists was how to enforce norms and agreements between countries about what they can and cannot do online. One method is to form a coalition of countries to unanimously and publicly condemn the actions of another country. This is especially true with the use of sanctions. Others on the panel were less optimistic about controlling nation-state behavior in the online space. James Lewis, SVP at the Center for Strategic and International Studies and former UN advisor on cybersecurity issues, argued that “one thing to bear in mind is that in the application of existing international law, military necessity overrides all other constraints.” More than norms, Lewis said what’s needed is an understanding between nations about accountability and consequences.
There Are Too Many Red Lines in Cyberspace
This article by Max Smeets was published in Lawfare, 20 March 2019
U.S. officials increasingly express old frustrations about the lack of standards for appropriate state behavior in cyberspace. As U.S.-China trade tensions soar, cybersecurity firms have reported that China is renewing its cyber-enabled economic espionage efforts against U.S. companies—if they ever ceased. Russia does not seem to be scaling down its cyber-enabled disinformation operations, threatening democracies worldwide. The Trump administration’s withdrawal from the Iran nuclear deal is also reported to have inspired Iranian actors to conduct a new wave of disruptive attacks. Concerns over North Korean hostile cyber activity have not gone away either. Commentators and lawmakers have described the problem as twofold. First, U.S. government officials fail to set red lines, fearing that doing so would cede freedom to maneuver when responding to cyber operations. But second, whenever red lines are established, the U.S. fails to enforce them. I believe these are problems of the past. Following the shift in strategic thinking documented in the 2018 Department of Defense Cyber Strategy, the U.S. now increasingly faces a new challenge: There are too many red lines. If there is anywhere in cyberspace that state-actors are allowed to compete, it is a very, very small subset of competitive environments. The new challenge is to figure out what adversaries are allowed to do in cyberspace, not what they’re not allowed to do.
When Fighting Nation-State Hackers, Move Fast, Experts Warn
This article by Michael Kan was published in PC Magazine, 6 March 2019
Security researchers at IBM have noticed a disturbing trend among companies that’ve been hacked: Their systems are often victimized by not just one state-sponsored hacking group, but several. At RSA, security experts have been discussing state-sponsored hackers and what companies can do to stop them. Unfortunately, the threat is growing; countries such as China and Russia remain prolific on the hacking front, while Iran and North Korea are growing more active. So how might companies address the state-sponsored hackers? Well, don’t expect the world’s governments to rein it in. At RSA, policy experts have also been discussing whether the US and other countries can adopt international standards that’ll help limit state-sponsored hacking. But the big obstacle is figuring out how such a deal will be enforced when many countries prefer the current status quo, in which state-sponsored hacking crimes often go unpunished. “We’re having a great deal of difficulty convincing people, especially bad actors in this space, that any norms are valuable,” said Paul Rosenzweig, a senior fellow at The R Street Institute think tank. “Until we make people pay a penalty for behaving badly, things won’t change,” added James Lewis, program director at the Center for Strategic and International Studies.
In the Cyber Break-In Stakes, the Champion Is Russia
This article was published in The Economist, 7 March 2019
CrowdStrike, an American cyber-security company, published its annual report last month. For the first time, this included a ranking of the West’s cyber-foes. It did so by looking not at the sophistication of their tools (which can be bought from others) but instead at “breakout time”. Russian spies, in particular, were blisteringly fast at breaking out into their enemies’ networks, taking an average of just 18 minutes to do so. However, experts and officials caution that faster breakout times do not always reflect sharper skills. For one thing, defensive technology has been getting better in recent years. Hasty lateral movement can trip defensive systems. Spy agencies also have their own personalities. Russia’s speed may reflect insouciance as much as virtuosity. Russian spy agencies compete furiously with each other and often do not care whether they get caught. James Lewis, a bigwig at the CSIS, also observes that different states go after different targets, which will affect their breakout times. North Korea, in particular, has preferred low-hanging fruit like Bangladesh’s central bank to heavily fortified military networks. “Muggers are quick when they mug grandmothers,” notes Mr. Lewis.
Russian Military Deployment in Venezuela Includes Cybersecurity Personnel, Says U.S. Official
This article was published in The Japan Times, 27 March 2019
The Russian military contingent that arrived in Venezuela over the weekend, drawing U.S. condemnation, is believed to be made up of special forces, including “cybersecurity personnel,” a U.S. official told Reuters on Tuesday. The official, speaking on condition of anonymity, said the United States was still assessing the Russian deployment, which Washington has called a “reckless escalation” of the situation in Venezuela. The U.S. assessment that the Russian contingent includes cybersecurity specialists and those from “related fields” suggests that part of their mission could be helping Maduro’s loyalists with surveillance as well as protection of the government’s cyberinfrastructure. Russia’s foreign ministry said on Tuesday that the presence of “Russian specialists” in Venezuela is governed by a military-technical cooperation agreement between the two countries. But it did not provide further details. On Tuesday afternoon the Lima Group of Latin American countries said in a statement it was concerned about the arrival of military airplanes in Venezuela.
Venezuela’s Maduro: Blackout Due to Cyber-Attack, Infiltrators
This article was published in Al Jazeera, 10 March 2019
Venezuela’s President Nicolas Maduro says the country’s complete electrical failure has been caused by “an international cyber-attack” but that his administration has “defeated their coup”. The blackout heightened tensions between the opposition and government loyalists, who accuse each other of being responsible for the collapse of the power grid. Across Venezuela, millions of people are affected by the continued blackout. The Venezuelan opposition and US officials say Maduro’s attempts to pin blame on his political adversaries are absurd, and that government corruption and mismanagement over many years caused the blackout and wider deterioration of the economy. Netblocks, a non-government group based in Europe that monitors internet censorship, said on Saturday that the second outage had knocked out almost all of Venezuela’s telecommunications infrastructure.
Venezuelan ‘Cyber-Attack’ Possible But Unlikely, Experts Say
This article was published in France24, 13 March 2019
Venezuelan President Nicolas Maduro’s government has accused the United States of “cyber sabotage” to knock out the country’s central hydroelectric complex and leave the nation largely without electricity since Thursday afternoon. Experts say it’s possible, but a simple breakdown of ageing equipment is much more likely. Venezuela has the fourth largest hydroelectric complex in the world that lies on the Orinoco river at Guri in the southern state of Bolivar. But the power went out in late afternoon on Thursday and five days later, authorities were still struggling to reconnect electricity nationwide. Jeff Middleton, the chief technology officer at TheVault, a company that secures crypto currency transactions, says a cyber attack on a power plant using a virus is possible by a “state actor. But knowing Venezuela, it was likely an internal failure,” he told AFP. James Lewis, senior vice president and director of the technology and public policy program at the Center for Strategic and International Studies in Washington, said a US attack was “unlikely.” “The US usually does finance and internet, not electricity. What would we get and why would we bother.”
This article by Sam Curry was published in Forbes, 27 March 2019
However you slice it, countries like the U.K., France and Germany top lists of cyber-capable countries. With Brexit front and center in the news, the opportunity for a new MDL or Green Line to be drawn through the channel changes the politics and diplomacy of Europe. As I mentioned in Hack-Back, Carl von Clausewitz called war ‘extension of politics by other means,’ and cyber is therefore another tool in the world of international relations and politics. This makes Europe a new potential hotbed for extensions of politics by other means and for cross-channel intrigue. It is to be hoped that no matter how hard or rough Brexit winds up, that pluralist democracies and military allies won’t suddenly get nastier online with one another. Let’s not pretend that there hasn’t been some cross-channel hacking already. In 2015, I attended a presentation by a group of European telcos that cited GCHQ as their main concern with hacks on the continent. This is par for the course among nations to some degree, but it could escalate enormously in the weeks and months to come. It’s also probably fair to say that the harder Brexit is, the more cyber activity we could potentially see.
Indonesia Says Election Under Attack From Chinese, Russian Hackers
This article by Viriya Singgih, Arys Aditya and Karlis Salna was published in Bloomberg, 13 March 2019
Chinese and Russian hackers are attacking Indonesia’s voter database in a bid to disrupt the country’s upcoming presidential election, according to a senior election commission official. As Indonesia prepares for simultaneous presidential and legislative polls on April 17, authorities are facing a wave of cyber incursions they say may be aimed at discrediting the polling process. The head of Indonesia’s General Elections Commission, Arief Budiman, said some of the attacks originated in Russia and China, and include attempts to “manipulate or modify” content as well as to create so-called ghost voters, or fake voter identities. The commission also started an investigation into separate allegations of voter fraud raised by the campaign team for Subianto, more commonly known as Prabowo, Budiman said. The election pits Prabowo, a former special forces general, against the incumbent, Joko Widodo.
U.S., China Face Off over Digital-Market Regulation
This article by Emre Peker was published in The Wall Street Journal, 6 March 2019
World Trade Organization members launched talks Wednesday on how to govern global digital commerce, for the first time tackling 21st century trade issues that have sparked intense rivalry among the U.S., Europe and China. The negotiations face hurdles from the outset, coming against a backdrop of international trade tensions that have crimped global economic growth since early last year. Meanwhile, the WTO is under pressure to reform from Washington, which is dubious about the body’s effectiveness. At stake in the talks is a global framework to regulate digital trade in goods and services, a market that is currently subject to a patchwork of different rules. Such a system would potentially remove obstacles such as cross-border sales barriers that disrupt access to services and hinder growth in online trade, enabling small companies to access global markets and helping giants like Amazon.com Inc. and Alibaba Group Holding Ltd. tap a bigger market. The creation of such a framework would mark a victory for an organization that has faced a wave of recent criticism. “The failure to create rules around digital trade heads on was emblematic for the declining relevance of the WTO,” said Marietje Schaake, a member of the European Parliament’s International Trade Committee. “Now the signatories, including China, need to put their money where their mouth is.”
Chinese Cyber Attack Group Bronze Union Targeting Weapons Tech
This article by Warwick Ashford was published in ComputerWeekly, 27 February 2019
Weapons technology is among the latest targets of a highly adaptable cyber espionage group that uses a wide range of publicly available and custom attack tools, presenting a challenge to network defenders. Cyber attack group Bronze Union has attempted to steal data on cutting-edge weapons technologies as well as spy on dissidents and other civilian groups, according to researchers. The group – also known as Emissary Panda, LuckyMouse and APT 27 – is believed to be located mainly in China and focuses on collecting political and military intelligence, according to the researchers of the counter threat unit at Secureworks who have been tracking the group since 2013.
China’s Chipmaking Ambitions Threaten Global Markets, Report Says
This article by Frank Fang was published in The Epoch Times, 3 March 2019
Semiconductor chips power everything from smartphones to missiles. Beijing has already set a goal to become the global leader in the manufacturing of these chips. But a new think tank report warns that the Chinese regime’s aggressive moves to achieve its ambitions are having a negative effect on global industries, and the impact will likely be further exacerbated if trends continue. The report, published by Washington-based Center for Strategic and International Studies (CSIS) on Feb. 27, was drafted by James Andrew Lewis, the think tank’s senior vice president and a former foreign service officer at the departments of State and Commerce. The report warns that if China succeeds in gaining dominance over world markets, “it will use it for intelligence, military, commercial, and political advantage by manipulating the semiconductor supply chains that Western economies and militaries depend upon.”
State-sponsored Group behind Singapore’s Worst Cyber Attack: Report
This article by Stefania Palma was published in the Financial Times, 7 March 2019
The worst cyber attack in Singapore’s history, which involved the theft of medical information linked to the prime minister as well as 1.5m patients, was executed by a state-sponsored espionage group called Whitefly, according to Symantec. The US cyber security group said Whitefly was backed by a nation state, but it could not “say for certain by whom the group is funded or from whom they take direction”. Symantec’s findings are in line with a report published by the Singapore government in January, which said that hackers resembling state-sponsored actors were responsible for the cyber attack at SingHealth, the city state’s largest healthcare group. Singapore’s cyber security agency said it had no comment on Symantec’s findings as “this is an independent investigation report by a commercial entity”.
Clearer North Korean Link to Global Infrastructure Malware Campaign
This article by Warwick Ashford was published in ComputerWeekly, 4 March 2019
Researchers have uncovered clearer links between a North Korean hacking group and a cyber espionage campaign targeting government, defense, nuclear, energy and financial organizations around the world. Security firm McAfee has revealed evidence that the Operation Sharpshooter campaign exposed in 2018 is more extensive in complexity, scope and duration of operations. The campaign used a malicious Microsoft Word document sent by email that would run a macro to download an implant, which the attackers used to conduct reconnaissance and steal data. The analysis led to the identification of several previously unknown command-and-control centers and indicates that Sharpshooter began as early as September 2017, targeted a broader set of organizations in more industries and countries, and that it is currently ongoing. Analysis of the new evidence has exposed striking similarities between the technical indicators, techniques and procedures exhibited in the 2018 Sharpshooter attacks, and aspects of multiple other groups of attacks attributed by the industry to North Korea’s Lazarus Group.
Non-state Actors and Private Stakeholders
Takeaways From The Times’s Investigation Into Hackers for Hire
This article by Adam Goldman was published in the New York Times, 21 March 2019
A proliferation of digital spying tools in recent years has helped generate a surge in sophisticated espionage operations, once mostly the purview of major powers like the United States and Russia. Now, small countries, corporations and even simply wealthy people looking to settle scores can all hire private firms to conduct intelligence operations. A New York Times investigation detailed this new era of digital warfare and the multibillion-dollar industry behind it. Two firms — NSO, an Israeli company, and DarkMatter, based in the United Arab Emirates — have hired former government hackers to help their government clients not only hack criminal elements like terrorist groups and drug cartels but in some cases to also act on darker impulses, targeting activists and journalists.
Read the full article ‘A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments’ here.
Insurers Creating a Consumer Ratings Service for Cybersecurity Industry
This article by Leslie Scism was published in The Wall Street Journal, 26 March 2019
Some of the world’s biggest insurers plan to work together on an assessment of the best cybersecurity available to businesses, an unusual collaboration that highlights the rising dangers posed by digital hackers. The program, which was launched Tuesday by the Marsh brokerage unit of Marsh & McLennan Co, will evaluate cybersecurity software and technology sold to businesses. Marsh will collate scores from participating insurers, which will individually size up the offerings, and identify the products and services considered effective in reducing cyber risk. The results will be available to the public on Marsh’s U.S. website. Many insurers see the burgeoning cyber-risk market as a rare growth opportunity when many other insurance lines are growing sluggishly. Dozens of insurers sell cyber-risk policies, with annual premiums now tallying about $4 billion world-wide, Marsh said. Global spending on information-security products and services will likely top $120 billion this year, according to research and advisory firm Gartner Inc.
What Mondelez v. Zurich May Reveal About Cyber Insurance in the Age of Digital Conflict
This article by Brian Corcoran was published in Lawfare, 8 March 2019
This article explores the ongoing litigation in Mondelez International, Inc. v. Zurich American Insurance Co., in which Mondelez is asking an Illinois state court to determine whether a claim for losses Mondelez suffered during the 2017 NotPetya attack is precluded by a “hostile or warlike action” exception in its Zurich cyber insurance policy. Most commentary has revolved around questions of how Zurich might in court attribute the NotPetya ransomware to a state actor. Recall that in February 2018, the U.S., the U.K., and other Five Eyes and NATO nations in a set of coordinated statements publicly attributed the NotPetya malware to the Russian government. The Mondelez case raises questions of whether a court may consider, and how it might weigh, the value of those government attribution statements.
Huawei Says It Would Never Hand Data to China’s Government. Experts Say It Wouldn’t Have a Choice
This article by Arjun Kharpal was published in CNBC, 4 March 2019
Huawei would have no choice but to hand over network data to the Chinese government if Beijing asked for it, because of espionage and national security laws in the country, experts told CNBC. Major governments including the United States, Japan and Australia have blocked the Chinese telecommunications equipment maker from providing hardware for next-generation mobile networks known as 5G. “Huawei involvement in the core backbone 5G infrastructure of developed western liberal democracies is a strategic game-changer because 5G is a game-changer,” Nigel Inkster, a senior adviser to the International Institute for Strategic Studies, told CNBC by email. Inkster, a former senior British intelligence official, explained that China has “embarked on an ambitious strategy to reshape the planet in line with its interests” through its massive Belt and Road Initiative. Its “national telecoms champions” are a big part of that. Because of that drive from China, Inkster said that Huawei is part of this “all-of-nation project.” “Huawei has indeed said that it would refuse any Chinese government request to facilitate espionage. But such a statement simply cannot be taken at face value,” Inkster told CNBC. “Huawei is a product and instrument of the Chinese state and has been co-opted to achievement of the state’s strategic objectives,” he said. “The proposition that it is just a telecommunications company has worn beyond thin.”
Shutting the Gates of Academia: American Universities Cut Ties to Huawei and Confucius Institute
This article by Robert Delaney was published in the South China Morning Post, 19 March 2019
As US government efforts to restrict American academia’s ties to two Chinese organisations gather steam, many of the country’s best schools have done just that. Huawei Technologies, the private global Chinese tech giant, and Confucius Institute, a Beijing-linked body that promotes China’s language and culture, have been targeted by US lawmakers and numerous federal departments for very different reasons, but the American government believes both undermine its interests. Minnesota isn’t the first university to cut ties with Huawei and Confucius Institute, and will not be the last, said James Lewis, a former foreign service officer who is now a senior vice-president at the Washington-based think tank Centre for Strategic and International Studies. More than just the current case, Lewis said, “Huawei’s track record is deeply troubling to the US government.” He cited several lawsuits charging Huawei with corporate espionage, including a federal civil case brought by Motorola that was settled in 2011 for undisclosed terms.
Huawei Sues U.S. Government Over What It Calls an Unfair Ban
This article by Paul Mozur and Austin Ramzy was published in The New York Times, 6 March 2019
The Chinese electronics giant Huawei sued the United States government on Wednesday, arguing that it had been unfairly and incorrectly banned as a security threat. The lawsuit will force the government to make its case against the company more public, but it could also leave Huawei vulnerable to deeper scrutiny of its business practices and relationship with the Chinese government. The United States has argued that Huawei poses a risk because its equipment could be used by the Chinese authorities to spy on communications and disrupt telecommunications networks. That position has led major wireless carriers in the United States to avoid Huawei’s equipment. Huawei denies the allegations and says the lawsuit is meant to prove it does not engage in such practices. Huawei’s lawsuit argues that by singling out the company, Congress has violated constitutional principles on the separation of powers and also the bill of attainder clause, which prohibits legislation that singles out a person or entity for punishment without trial. The Russian cybersecurity firm Kaspersky Lab filed, and ultimately lost, a similar legal challenge two years ago. While Huawei is unlikely to reverse American opposition to the company, it may hope to win over government officials in other countries, including some in Europe, who will probably be following the American lawsuit closely.
Zuckerberg Wants Facebook to Build A Mind-Reading Machine
This article by Noam Cohen was published in WIRED, 7 March 2019
For those of us who worry that Facebook may have serious boundary issues when it comes to the personal information of its users, Mark Zuckerberg’s recent comments at Harvard should get the heart racing. His nearly two-hour interview with Harvard law school professor Jonathan Zittrain in front of Facebook cameras and a classroom of students centered on the company’s unprecedented position as a town square for perhaps 2 billion people. All was going to plan. Zuckerberg had displayed a welcome humility about himself and his company. And then he described what really excited him about the future—and the familiar Silicon Valley hubris had returned. There was this promising new technology, he explained, a brain-computer interface, which Facebook has been researching. The idea is to allow people to use their thoughts to navigate intuitively through augmented reality—the neuro-driven version of the world recently described by Kevin Kelly in these pages.
Diamond Key Security Aims to Make the Internet Safe for Everyone
This article by Sylvia R. Hampton was published in Cision, 13 March 2019
Diamond Key Security, headquartered in Palatine, Illinois, was formed in March 2017 as a not-for-profit corporation described under Section 501(c)(3) of the United States Internal Revenue Code. Its educational, charitable, and scientific purposes include conducting scientific research in the development, enhancement, and deployment of transparent, auditable cryptographic technologies—helping to safeguard the internet for the public good. “We believe that Diamond Key’s cybersecurity presence represents a paradigm shift. Their cryptographic technology will change how people around the globe will be able to trust and afford fundamental components for secure communication,” says Olaf Kolkman, Board Member, Diamond Key Security and Chief Internet Technology Officer, The Internet Society.
Others
Marina Kaljurand Hands Over Chairmanship of the Global Commission
This article was published on the GCSC website, 12 March 2019
Marina Kaljurand, former Foreign Minister of Estonia, announced during the meeting in Kobe, Japan, that she has handed over the chairmanship of the Global Commission on the Stability of Cyberspace (GCSC). Her chairmanship will be continued by the two Co-Chairs Michael Chertoff and Latha Reddy. The GCSC Chair was elected to the Estonian Parliament (Riigikogu) as a member of the Social Democratic Party (SDE). In this context, Marina stepped down as GCSC Chair. The members of the Commission, The Hague Centre for Strategic Studies, the EastWest Institute, the partners and sponsors of the Commission all want to express their gratitude to Marina for the strong leadership and commitment she has shown in taking the Commission forward.
This article was published in Forbes, 27 March 2019
How do you start to wrap your head around some of the most fundamental issues surrounding new technology and how it impacts society? If you’re Jonathan Zittrain, you take this “brainstorming exercise,” as he calls it, and force it into the real world. Zittrain is, among other honorifics, a Harvard Law School professor and the faculty director of the Berkman Klein Center for Internet and Society. He’s also the force behind Assembly, a collaboration between Berkman Klein and the MIT Media Lab, a program which is taking a unique approach to solving problems related to AI and ethics.
Changing landscapes: The evolution of Black Hat Asia, 10 years on
This article by Jessica Haworth was published in The Daily Swig, 29 March 2019
Today marked the end of Black Hat Asia’s 10th year, as thousands of attendees from 85 different countries met to exchange ideas, learn new security research techniques, and network. But the inception of the conference wasn’t without its teething problems. When Black Hat Asia first opened in 2000, the show ran for three years in Singapore before moving to Japan. “When we started in 2000 we were here for only about three years, so we were really early in the market here – too early,” Jeff Moss, Black Hat founder and CEO, told The Daily Swig this week. A show in Japan was followed by one in the Middle East, but Moss said there were issues still – Black Hat just wasn’t working in the regions, he said. They were too early in the game for Asia-Pacific. Fast forward to 2013, and Black Hat Asia was back in Singapore – and the conference has been thriving ever since.
World Wide Web Turns 30 Years Old
This article by Radu Diaconescu was published in WikiTribune, 13 March 2019
Exactly 30 years ago, the World Wide Web was invented at CERN (the European Organization for Nuclear Research) by Tim Berners-Lee and Robert Cailliau. It has doubtlessly been one of the most impactful innovations in the history of telecommunications, though it only reaches 50% of the world’s population at present. To mark the milestone, Berners-Lee went on March 12-13 on a conference tour, speaking in Geneva (“where it all began”), London and Lagos. The World Wide Web Foundation, which fights to “advance the open web as a public good and a basic right”, seized the opportunity to kickstart their “For The Web” campaign, which includes building a crowdfunded timeline of the web’s thirty-year history and creating a “Contract for the Web”. This contract will act as a guiding set of principles for states, companies and individuals who shape and contribute to the Web. It is currently in development, with work so far highlighting freedom of speech, security, individual privacy and equality of access. Among the Contract’s supporters are Germany’s Federal Government, Google, Change.org and the Open Rights Group, as well as individuals like American congressman Ro Khanna, billionaire Richard Branson, Internet law expert Jonathan Zittrain and Tim Berners-Lee himself. On the anniversary, the Web’s inventor published an optimistic open letter celebrating the technology’s achievements, as well as addressing concerns about the web.
Tim Berners-Lee: ‘Stop Web’s Downward Plunge to Dysfunctional Future’
This article was published in BBC News, 11 March 2019
Global action is required to tackle the web’s “downward plunge to a dysfunctional future”, its inventor Sir Tim Berners-Lee has told the BBC. He made the comments in an exclusive interview to mark 30 years since he submitted his proposal for the web. Sir Tim said people had realised how their data could be “manipulated” after the Cambridge Analytica scandal. However, he said he felt problems such as data breaches, hacking and misinformation could be tackled. In an open letter also published on Monday, the web’s creator acknowledged that many people doubted the web could be a force for good. He had his own anxieties about the web’s future, he told the BBC: “I’m very concerned about nastiness and misinformation spreading.” But he said he felt that people were beginning to better understand the risks they faced as web users. Sir Tim’s vision was “at once utopian and realistic”, said Jonathan Zittrain, author of The Future of the Internet and How to Stop It. It rested on the idea that a free and open web would empower its users, rather than reduce them to simply being consumers, he explained. “I see Tim’s letter not only as a call to build a better web, but to rededicate ourselves to the core principles it embodies,” he told the BBC. Those principles, he said, included universality of access and transparency – the ability to see and understand how web applications work.
Events
Secretary Nielsen Announced as Keynote for DHS S&T Cybersecurity and Innovation Showcase
This article was published in NewsWise, 18 March 2019
Secretary of Homeland Security Kirstjen M. Nielsen will speak March 19th at the 2019 S&T Cybersecurity and Innovation Showcase hosted by the DHS Science and Technology Directorate (S&T). Other attendees include Jeff Moss. The Showcase, scheduled for March 18–20 at the Washington Marriott Wardman Park in Washington, D.C., is not your average government conference. The event, themed “Solutions Now, Innovations for the Future,” highlights S&T’s support to DHS operational components in today’s aggressive threat landscape. During the three-day Cybersecurity and Innovation Showcase, attendees will see more than 130 presentations representing a combined $250 million of federally funded cybersecurity R&D across 20 broad research areas, including mobile security, cybersecurity research infrastructure, cybersecurity forensics, identity management, and data privacy.
This article by Lev Sugarman was published in Lawfare, 18 March 2019
Tuesday, March 19 at 10:00 a.m.: The Wilson Center’s Asia Program will hold an event entitled Securing the Games: Tokyo’s 2020 Cybersecurity Challenge. Discussion between Motohiro Tsuchiya, Meg King and moderator Shihoko Goto will cover the cybersecurity challenges that the Japanese government will confront when hosting the 2020 Olympic Games. Register to attend.
Security Experts to Address Future Counter-Terrorism and Public Safety at Milipol Asia-Pacific 2019
This article was published in Business Insider Malaysia, 20 March 2019
Returning for its 8th edition, Milipol Asia-Pacific 2019, the region’s flagship international homeland security conference will bring together the region’s leading experts on counter-terrorism, cybersecurity, organised crime and public safety for a three-day conference from 2nd to 4th April at Sands Expo and Convention Centre. The conference will attract over 350 international and regional delegates. Furthermore, the exhibition, which will see more than 300 exhibitors in attendance, showcases the latest and future innovations in border security, crowd control, threat detection systems, search and rescue technology, drone and anti-drone technology and field operation equipment for law enforcement. Speakers include Michael Chertoff and Jeff Moss.
Security experts to address future counter-terrorism, public safety at Milipol Asia-Pacific 2019
This article was published in Back End News, 27 March 2019
In this ever-evolving age, security professionals must utilize the most effective technological innovations to help them make informed decisions about pressing security issues. To fulfill this need, the second day of this year’s conference will be dedicated to discussing the relevance of artificial intelligence and digital technologies to improve homeland security, with speakers Michael Chertoff, co-founder and executive chair, The Chertoff Group, and former secretary, US Department of Homeland Security; Fuji Foo, vice president, Business Digitalisation, Certis Technology Singapore, Certis; Michel Cadic, chief scientist of France, Ministry of Interior of France; and Jeff Moss, CEO, DEF CON Communications, Inc., USA.
INSEC WORLD 2019 to be held in Hong Kong this September
This article by UBM Asia was published in Cision, 28 March 2019
The INSEC WORLD 2019, hosted by UBM Asia, takes place in Hong Kong from September 22-25. The organiser will invite a brain trust of leaders in the security community globally to attend the event hosted by an independent third party. A legion of big names in tech including Jeff Moss and Kevin Mitnick are likely to be present at the event, together with approximately 2,000 executives, IT supervisors and technical personnel alike from the information technology, communications, government, finance, academic institution, healthcare, retail and other related sectors on the scene, to explore industry hotspots, applications and trends.