The Washington Post

The Cybersecurity 202: Rosenstein to tech companies: Police yourselves or face regulation

November 30, 2018 at 8:10 a.m. EST

THE KEY

Just days before a parade of tech executives is slated to visit Washington, a top Justice Department official fired off a strong warning: Do better at policing your platforms or face government regulation.

Deputy Attorney General Rod J. Rosenstein on Thursday urged tech companies to step up efforts to combat disinformation campaigns and other misuses of their platforms -- and allow law enforcement access to encrypted electronic data. Otherwise, he cautioned, there could be consequences. 

“The companies now understand that if they do not take it upon themselves to self-regulate, which is essentially the theme of my talk today, that they will face the potential of governmental regulation,” Rosenstein said during a symposium on cybercrime organized by the Georgetown University Law Center and the Justice Department's Computer Crime and Intellectual Property section. 

Rosenstein’s shot at Silicon Valley behemoths was especially notable just days before the White House is scheduled to host top executives including Google chief executive Sundar Pichai, Microsoft chief executive Satya Nadella and Qualcomm chief executive Steve Mollenkopf. Pichai is also expected to testify before the House Judiciary Committee.  

Tech companies remain in the eye of the political storm in Washington over their response to Russia's campaign to influence the 2016 presidential election, over data breaches, and over the spread of encryption so strong that the companies themselves cannot access the data. As some in Washington call for a privacy bill or for a mandate giving investigators access to encrypted data with a warrant, Rosenstein's speech betrayed an "us vs. them" mentality.

“When you hear corporate lawyers complain about law enforcement demands, it’s important to keep in mind what is good for a technology company in terms of bottom-line profits is not necessarily good for America. Their interests are not always aligned with yours.” He added: “We should not let ideology or dogma stand in the way of constructive academic engagement” to solve the debate over encryption. 

Rosenstein said he expects “responsible encryption” from tech companies: “Whatever structures we build, whether physical or virtual, someone should always have the ability to access it in an emergency, but the key does not need to be held by a single entity, and it certainly does not need to be held by the government. It just needs to be available somewhere so that in the event of an emergency with the appropriate standard of proof and an order by an independent court, it’s accessible — just like everything else throughout history has been accessible with proper, lawful process.”

But security pros weren’t having it.

Matthew Green, a cryptography expert and assistant professor at Johns Hopkins University, said that the federal government has not tried to explore new options to solve the encryption standoff that has persisted since the 1990s.

In his speech, Rosenstein sought to enlist help from academics and other professionals to look for ways to address the issue. “I encourage security researchers, technology companies, academics, information security professionals and others in the private sector to keep searching for constructive solutions that will enable us to harness the wonder of new advances without descending into technological anarchy,” he said.

Yet Green took issue with the argument that academics have not been engaged enough.
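Rosenstein's sketch of a key that "does not need to be held by a single entity" but is "available somewhere" in an emergency describes a threshold key escrow: the decryption key is split so that some quorum of holders, and no fewer, can rebuild it. The block below is an added example written for this page, not code from the Justice Department, from Georgetown or from any vendor. It implements the standard construction for that, Shamir secret sharing over a prime field, and splits a hypothetical 256-bit content key 2-of-3 among a vendor, an escrow agent and a court (all names constructed for the demo).

```python
"""Added example: a k-of-n split escrow key (Shamir secret sharing over GF(P)).

Not code from the column or from any vendor; the party names are hypothetical.
"""
import hashlib
import secrets
from typing import List, Tuple

# Prime field for the arithmetic; 2**521 - 1 comfortably holds a 256-bit key.
P = 2**521 - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, k: int, n: int) -> List[Tuple[int, int]]:
    """Split `secret` into n shares; any k of them reconstruct it, fewer reveal nothing."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. Correct only when len(shares) >= k."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # P is prime, so den**(P-2) is the modular inverse of den.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def escrow_demo() -> dict:
    """Hypothetical 2-of-3 escrow: vendor, escrow agent and court each hold one share."""
    content_key = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big")
    holders = ["vendor", "escrow_agent", "court"]
    shares = dict(zip(holders, split_secret(content_key, k=2, n=3)))
    two_parties = recover_secret([shares["escrow_agent"], shares["court"]])
    one_party = recover_secret([shares["vendor"]])  # a lone share is just a random field element
    return {
        "key": content_key,
        "two_parties_recover": two_parties == content_key,
        "one_party_recovers": one_party == content_key,
    }


if __name__ == "__main__":
    print(escrow_demo())
```

The mathematics does what Rosenstein asks: two of the three holders rebuild the key, and one holder alone learns nothing about it. What the construction does not change is the part the security community objects to: the content key has to be escrowed at encryption time, so every device and service must be built to hand it over, and the share holders plus the combining infrastructure become a standing target for exactly the adversaries the encryption was deployed against.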

PINGED, PATCHED, PWNED

PINGED: Marriott disclosed Friday that a data breach may have compromised the personal information of up to 500 million guests -- in what's potentially one of the biggest breaches of consumer data in history, NBC's Erik Ortiz reported. "The world's largest hotel chain said it first received an alert in September from an internal security tool that there was an attempt to access the database. As part of an investigation, the company discovered there had been unauthorized access since 2014, and that an 'unauthorized party' had copied and encrypted information. On Nov. 19, Marriott said it determined that information was from its Starwood database... For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. There are some customers who may have also had their credit card information taken." 

PATCHED: The Trump administration is weighing measures to further scrutinize Chinese students seeking to attend U.S. universities in order to help prevent espionage, according to Reuters's Patricia Zengerle and Matt Spetalnick. “The ideas under consideration, previously unreported, include checks of student phone records and scouring of personal accounts on Chinese and U.S. social media platforms for anything that might raise concerns about students’ intentions in the United States, including affiliations with government organizations, a U.S. official and three congressional and university sources told Reuters,” Zengerle and Spetalnick wrote. “U.S. law enforcement is also expected to provide training to academic officials on how to detect spying and cyber theft that it provides to people in government, a senior U.S. official said.”

Several universities worry about the Trump administration's stance, especially after the State Department this summer reduced the length of validity of visas for certain Chinese graduate students, according to Reuters. “Many Ivy League schools and other top research universities, such as the Massachusetts Institute of Technology (MIT) and Stanford University, have become so alarmed that they regularly share strategies to thwart the effort, according to three people familiar with the discussions,” Zengerle and Spetalnick reported. “U.S. authorities see ample reason for closer scrutiny, pointing to recently publicized cases of espionage, or alleged espionage, linked to former students from Louisiana State University and Duke University and the Illinois Institute of Technology in Chicago.”

PWNED: Google executives maintained a veil of secrecy over the company's project to develop a search engine for China that would abide by the country's censorship regime and “worked to suppress employee criticism” of the plan, according to the Intercept's Ryan Gallagher. “Google’s leadership considered Dragonfly so sensitive that they would often communicate only verbally about it and would not take written notes during high-level meetings to reduce the paper trail, two sources said,” Gallagher wrote. “Only a few hundred of Google’s 88,000 workforce were briefed about the censorship plan. Some engineers and other staff who were informed about the project were told that they risked losing their jobs if they dared to discuss it with colleagues who were themselves not working on Dragonfly.”

Gallagher also reported that Scott Beaumont, Google’s head of operations in China, and other executives of the firm “shut out members of the company’s security and privacy team from key meetings about the search engine . . . and tried to sideline a privacy review of the plan that sought to address potential human rights abuses.” Moreover, “Beaumont micromanaged the project and ensured that discussions about Dragonfly and access to documents about it were tightly controlled,” according to the Intercept.

PUBLIC KEY

— Pennsylvania just took an additional step toward adopting paper trails for elections throughout the state. “Gov. Tom Wolf’s administration is settling a vote-counting lawsuit stemming from the 2016 presidential election, in part by affirming a commitment it made previously to push Pennsylvania’s counties to buy voting systems that leave a verifiable paper trail by 2020,” the Associated Press's Marc Levy reported. “Paperwork filed Thursday in federal court in Philadelphia caps a lawsuit that Green Party presidential candidate Jill Stein filed in 2016 as she sought recounts in Wisconsin, Pennsylvania and Michigan.” Moreover, under the settlement, Pennsylvania will have “to institute audits of election results by 2022 before the results are certified, based on recommendations from a working group the state must assemble by Jan. 1,” according to Levy.

— A “Department of Homeland Security team has found no evidence of intrusion on Maryland’s election system” after conducting a review, the AP's Brian Witte reported. The FBI told Maryland officials this summer that ByteGrid, a vendor involved in the state's election systems, had ties to a Russian-backed firm. “I am relieved that a comprehensive federal and state review found no evidence of hostile activity on Maryland’s state election systems and other networks,” Rep. Elijah E. Cummings (D-Md.) said in a statement. “I want to commend the cooperative efforts by state officials, DHS, and the FBI to ensure that our networks are strong and resilient.”

— “In two major developments this week, President Trump has been labeled in the parlance of criminal investigations as a major subject of interest, complete with an opaque legal code name: ‘Individual 1,’” The Washington Post's Carol D. Leonnig and Josh Dawsey reported. “New evidence from two separate fronts of special counsel Robert S. Mueller III’s investigation casts fresh doubts on Trump’s version of key events involving Russia, signaling potential political and legal peril for the president. Investigators have now publicly cast Trump as a central figure of their probe into whether Trump’s campaign conspired with the Russian government during the 2016 campaign.”

— “The House passed the SMART IoT Act on Nov. 28 in a unanimous voice vote, sending the bill to the Senate with just over two weeks until Congress is set to adjourn,” FCW's Matt Leonard reported. “The legislation, introduced by Rep. Robert Latta (R-Ohio), tasks the Department of Commerce with studying the current internet-of-things industry in the United States. The research would look into what companies develop IoT technology, what federal agencies have jurisdiction in overseeing this industry and what regulations have already been developed.”

— “Lawmakers on Thursday approved a bipartisan bill that would revamp federal websites to enhance citizen services,” Nextgov's Jack Corrigan wrote. “The House passed by voice vote the 21st Century Integrated Digital Experience Act, or 21st Century IDEA, which would require agencies to improve online customer experience by making new websites more user-friendly. The bill ultimately aims to make citizens less reliant on paper processes when interacting with federal agencies.”

— More cybersecurity news from the public sector:

Cohen’s plea deal renews scrutiny of Republicans’ Trump-Russia report (Karoun Demirjian)

House Democrats Just Sent A Third Letter To Amazon Asking About The Company’s Facial Recognition Software (BuzzFeed News)

PRIVATE KEY

Security firm predicts hackers will increasingly use AI to help evade detection in 2019 (The Hill)

Here's how the private sector wants to fight botnets (CyberScoop)

Sheryl Sandberg Is Said to Have Asked Facebook Staff to Research George Soros (The New York Times)

SECURITY FAILS

— “If you use the Dunkin’ Donuts app, DD Perks, to grab your morning coffee, you may want to change your password,” the Boston Globe's Abbi Matheson reported. “The company was notified of a security breach on Oct. 31 that included hackers attempting to log into DD Perks accounts, according to a statement posted to their website.”

— More news about security incidents:

Sennheiser discloses monumental blunder that cripples HTTPS on PCs and Macs (Ars Technica)

THE NEW WILD WEST

— “A notorious Russian hacking group tried to exploit the latest flurry of Brexit-related news to spread malware to unsuspecting victims, according to a report from Accenture released Thursday,” CyberScoop's Zaid Shoorbajee reported. “APT28, which Accenture refers to as SNAKEMACKEREL, used a malware-laced Microsoft Word document that appeared to be about the United Kingdom’s planned separation from the European Union to try breaching a wide variety of targets’ systems, researchers said.”
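The column does not say how the Brexit-themed document carried its payload, so the check below is generic rather than a description of that campaign. It is an added example written for this page, not code from Accenture or from the column: a static triage of a .docx that flags the three structural features most malware-laced Word files rely on, a VBA project container, relationships that point at a remote target resolved when the file opens (an attached template, for instance), and embedded OLE objects. The sample documents are constructed in memory and the template URL is a hypothetical address.

```python
"""Added example: static triage of a Word .docx for macro and remote-reference indicators.

Not code from the column or from Accenture; sample files below are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_SCHEMES = ("http:", "https:", "file:", "\\\\")


def triage_docx(data: bytes) -> dict:
    """Return indicators found in an OOXML document given as bytes (no macro emulation)."""
    findings = {"macro_container": False, "external_targets": [], "embedded_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                # A VBA project container means the file carries macros, whatever its extension.
                findings["macro_container"] = True
            elif low.startswith("word/embeddings/"):
                findings["embedded_objects"].append(name)
            elif low.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    target = rel.get("Target", "")
                    rel_type = rel.get("Type", "")
                    # Ordinary hyperlinks are external too but only open on click; anything
                    # else with a remote target is fetched when the document loads.
                    if (rel.get("TargetMode", "").lower() == "external"
                            and not rel_type.endswith("/hyperlink")
                            and target.lower().startswith(REMOTE_SCHEMES)):
                        findings["external_targets"].append((name, target))
    findings["suspicious"] = (findings["macro_container"]
                              or bool(findings["external_targets"])
                              or bool(findings["embedded_objects"]))
    return findings


def build_sample_docx(remote_template: Optional[str], with_macro: bool) -> bytes:
    """Constructed minimal .docx for the demo (not a real sample from any campaign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        # A benign hyperlink relationship, present in both samples, must not trip the check.
        zf.writestr("word/_rels/document.xml.rels",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                    f'<Relationship Id="rId1" Type="{OOXML_REL}hyperlink" '
                    'Target="https://example.invalid/news" TargetMode="External"/>'
                    '</Relationships>')
        rels = ['<?xml version="1.0" encoding="UTF-8"?>',
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if remote_template:
            rels.append(f'<Relationship Id="rId1" Type="{OOXML_REL}attachedTemplate" '
                        f'Target="{remote_template}" TargetMode="External"/>')
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample_docx(None, False)))
    print(triage_docx(build_sample_docx("http://example.invalid/brexit.dotm", True)))
```

This is a mail-gateway or triage-queue filter, not a verdict: a clean result only says the file has none of these hooks, and a flagged file still needs the macro or remote template pulled and examined.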

— More cybersecurity news from abroad:

Germany detects new cyber attack by Russian hacker group -Spiegel (Reuters)

In China, your car could be talking to the government (Associated Press)

EASTER EGGS

What Nancy Pelosi’s speaker nomination means for House Democrats:

The Fix’s Colby Itkowitz analyzes what House Democratic leader Nancy Pelosi’s nomination for speaker means for the party and its agenda in 2019. (Video: JM Rieger/The Washington Post, Photo: Sarah L. Voisin/The Washington Post)

How Waymo is trying to get people used to self-driving cars:

Waymo's early rider program in Phoenix had 400 volunteers riding in self-driving taxis in 2018. A volunteer and Waymo's product manager explain how it works. (Video: Jhaan Elker/The Washington Post)

Rockefeller Center Christmas tree lights up in New York:

Rockefeller Center lit its Christmas tree on Nov. 28 for the 2018 holiday season in New York City. (Video: Reuters)