Author: admin

It should deeply concern us that cyber insurance is becoming less available.

The CEO of Zurich Insurance (the company that denied Mondelez’s USD 100m claim after NotPetya on the grounds of it being warfare) says “What will become uninsurable is going to be cyber,” and he asks “What if someone takes control of vital parts of our infrastructure, the consequences of that?”

https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d

He’s right – and also right that ransomware payments are creating perverse incentives for insurance companies. This is something like the equivalent of submitting a claim to your home insurance for $10,000 when you had to pay that 10k to a criminal threatening to burn your house down, and telling the insurance company that they should be happy that they aren’t paying the full value of your home instead.

Now, the issue here is that there’s no law enforcement agency with the ability to save you from ransomware attacks in the same way that you can turn in a criminal threatening arson, leaving especially small and mid-sized businesses in the lurch. Ransomware is existential for them in a way it is simply not for larger organizations.

The burden will be put on organizations to save themselves from ransomware with what I think is an ever more likely push by USG to ban ransomware payments. Because this ban will not hit SMBs (existential threat) the same way it will for enterprises (closer to a cost of doing business), USG must provide more services at the state and local level for SMBs to prevent and recover from ransomware attacks. I and @ciaranmartin wrote an article on this last year which is still 100% true: attacking critical infrastructure via ransomware payments along any point in the supply chain is a national security risk, not simply a financial one.

https://www.brookings.edu/techstream/should-ransomware-payments-be-banned/

There is an entire world of small and mid-sized businesses that are absolutely helpless in front of the kinds of attacks that we call “basic” in infosec. Invoice spearphishing, BEC, credential harvesting – these are the kinds of things we think of as entry-level hacks.

Ok, I’m a little angry here. I’ve heard a dozen stories this year from professional services providers like accountants and lawyers and MSPs about the jargon, contempt, and expense from enterprise product companies and infosec consultancies.

I’d like to challenge every infosec pro: can you talk to your friends, barista, gardening service, local cafe owner, bookkeeper, day care provider, personal trainer, housekeeper (really, any person whose job is actively being replaced by the gig economy) and find out if their business has implemented 2FA? If they don’t understand what you’re talking about, can you explain it clearly and helpfully enough that they’re happy to become the internal advocate at their SMB for more security?

If you can, thanks. If you can’t, ask yourself and your company and your community: what are we doing to protect the half of American workers who don’t work at enterprises large enough to force security measures and profitable enough to pay for them?

Originally published in Brookings TechStream.

March 17, 2022 Savannah Sly and Tarah Wheeler

In recent weeks, a misguided legislative initiative to provide children with better protection online has gained momentum on Capitol Hill. In its current form, the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2022—better known as the EARN IT Act—would strip technology companies of protection from liability for child sexual abuse material (CSAM) uploaded onto their platforms by users. The bill is premised on the idea that technology companies aren’t doing enough to combat the presence of such material and need to face the prospect of greater legal penalties to do so.

The bill is deeply flawed, and a chorus of technologists and researchers argue that the bill not only won’t achieve what it aims to do (protecting children) but will also harm a much larger group of internet users in trying and failing to protect kids from being exploited online. One of EARN IT’s key provisions potentially exposes technology companies to liability if their encryption features are found to enable the spread of CSAM—a move that may lead many companies to conclude that offering encryption to users simply isn’t worth it and doing away with secure messaging tools entirely. Such a move would be disastrous for privacy, human rights, free speech, and communities at risk for surveillance. 

EARN IT’s backers are motivated by a desire to help children, but in their attempt to do so, they’ve misdirected their efforts at computer security systems that enable the spread of CSAM as part of enabling all communications of any kind. Rather than focusing on preventing the production of CSAM in the first place, they are attempting to make changes to the security features of modern computing that allow it to be spread once created. The digitally enabled sexual abuse of children is a serious, horrific problem, but addressing it requires a different, more proactive approach. Instead of attacking security systems, policymakers could direct their efforts in a more useful direction: educating children how to be safe online. Investing in childhood education, primary care, adolescent education in consent, community support for ombuds and social work, and appropriate financial incentives for primary caregivers is difficult and expensive—and it works to prevent child sexual abuse. The EARN-IT Act, flatly, will not.

The EARN-IT Act takes aim at CSAM by altering the liability protections of Section 230 of the Communications Decency Act, and it isn’t the first time Congress has sought to regulate the presence of sexually explicit content online. In 2018, Congress sought to address commercial sexual exploitation by passing SESTA and FOSTA, two bills that increased liability for content hosts under Section 230. The result of SESTA and FOSTA was the immediate voluntary shutdown of dozens of websites that sex workers used to advertise and vet potential clients, the ripple effects of which inadvertently increased vulnerabilities to exploitation and violence in the sex trade. When sex trade websites close or get shut down, it is more difficult for law enforcement to identify and combat sex trafficking. Given how badly SESTA and FOSTA backfired, it’s alarming that lawmakers would entertain the EARN IT Act before passing legislation that would evaluate the full effects of these online censorship laws. 

One of the most discouraging aspects of the EARN IT Act is that it does nothing to prevent child abuse from happening in the first place. EARN IT does not bolster preventative tools that can protect young people from harm, such as age appropriate comprehensive sexuality education. Predators lurking on chat sites would have a harder time grooming and exploiting youth if young people were equipped with knowledge about boundaries, consent, and healthy/unhealthy relationships. Ironically, anti-abuse organizations such as the National Survivor Network have suggested that the EARN IT Act may prevent young people from accessing online information about sexual health, gender, and consent that could help keep them safe. Queer youth are particularly vulnerable to the unintended consequences of a bill like EARN IT, especially in light of the many anti-LGBTQ bills cropping up around the country. Given that an estimated 9-10%  of youth in the US identify as LGBTQ, it would be difficult to overstate the potential harms of this bill.

It Is well-established that victims of child abuse are usually harmed at the hands of someone in or connected to their family, and preventing abuse at home starts with adults taking responsibility, being active in the lives of young people, and learning how to identify signs of abuse. Decreasing stress and offering pathways to treatment by ensuring families have access to stable housing and healthcare may do more to curb abuse at home than a bill like EARN IT ever could. EARN IT plays whack-a-mole with CSAM instead of actively stopping it from occurring. 

EARN IT will never be able to eradicate the increasing practice of young people taking and sharing intimate photos and videos of themselves, and preventing such material from circulating online would be better done through education. This material, referred to as self-generated child sexual exploitation materials (SG-CSAM) is the result of youth having increased access to media and communications technology. While EARN IT may attempt to stop SG-CSAM from being circulated, it’s more important to have realistic conversations with youth about the enduring nature of digital media and the risks of sharing intimate media of themselves. In our increasingly digital world, arming youth (and adults) with education about risks to privacy is critical. Additionally, we must collectively stop victim blaming people who have their nude photos non-consensually or illegally shared with the public, regardless of their age or occupation. 

Just as SESTA and FOSTA did not stop sex trafficking (and in fact may have made things worse), EARN IT will not stop child abuse materials from coming into existence. EARN IT may in fact make it harder for law enforcement to locate CSAM files being circulated. Once it becomes known that encrypted services are no longer useful for transmitting CSAM, abusers will pivot to other tools, such as snail mail or niche platforms, to circulate offensive materials. A move toward such platforms or an embrace of ordinary mail would make CSAM investigations even more difficult than they already are. 

A lingering question yet to be addressed is exactly how CSAM materials will be identified, should EARN IT pass. EARN IT will stifle sexual expression and hinder consenting adult sex workers from making a living online but not actually solve the problem of CSAM. How would an abuse video of a 16 year old be differentiated from a legal video created by an 18 year old? Given the complexity of of this task, it’s likely that many formerly encrypted services would bar the transmission of any erotic or explicitely sexual content. EARN IT could mark the death of sexting as we know it. Not only does this violate sexual expression freedoms, but it prevents adult sex workers from supporting themselves financially through the relative safety of online work. Sex workers who produce pornography already maintain records proving that everyone in the film is of age and consents to being filmed. Law abiding webites that host pornographic content already require proof of age documentation, reducing the odds that CSAM will end up on their platforms. 

For decades, cryptographers have made the case that the compromises politicians seek in encrypted computer systems—to crack down on CSAM or to listen in on the contents of terrorist communications—can’t be made without consequences for the broader computer security ecosystem crucial to businesses and citizens. This conflict—between the demands of politicians on the one hand and encryption on the other—has become a fact of modern life, and the EARN IT Act is merely its latest iteration. There are no technologists who can tell you how to safely and securely enforce this new EARN IT Act—because it’s not possible. As a recent Washington Post piece noted, the EARN IT Act  has made strange bedfellows of Big Tech, free speech activists, industry groups, sex workers rights activists, the infosec community, and civil society groups, all of whom are united in their belief that this legislation is infeasible and a net negative. On the other side of the debate are law enforcement groups, moral crusaders (primarily the National Center on Sexual Exploitation, which before it rebranded was known as Morality in Media), and some well-meaning abuse victims organizations looking to crack down on CSAM. But even for the latter group, EARN IT will not do what they hope and will instead make CSAM prosecutions substantially more difficult. 

If lawmakers want to curb rates of CSAM production, we must create policies that prevent CSAM upstream, rather than increase the attention and resources to downstream mitigation that can never catch everything. Washington state recently passed a measure mandating age appropriate comprehensive sex education in schools which will help students understand consent, safety, and “choose healthy behaviors and relationships that are based on mutual respect and affection, and are free from violence, coercion, and intimidation”. Educational policies in schools such as age appropriate sex ed will do far more to prevent the creation of CSAM than reactive like EARN IT ever would.

Politics, it’s often said, is the art of compromise. A life in politics teaches the art of the partial achievement. When politics bumps up against a universal constant, or a truth of math and physics, politicians often simply cannot grok that there are things they can’t change, can’t bargain against, can’t shift, can’t manipulate. Encryption is one of these things, but in this latest iteration of the three-decade long fight between technologists and politicians seeking to limit the availability of encryption technology, political leaders with a genuine interest in curbing the spread of CSAM would benefit from seeking solutions that actually address the problem. Educating children how to be safe online is the first step to reduce the prevalence of abusive material online. 

Savannah Sly is an advisor to the Woodhull Freedom Foundation and a sex worker rights advocate who resides in Seattle, WA. @SavannahSly
Tarah Wheeler is a contributing editor to TechStream, a Cyber Project Fellow at the Belfer Center for Science and International Affairs at Harvard University‘s Kennedy School of Government, an International Security Fellow at New America leading a new international cybersecurity capacity building project with the Hewlett Foundation’s Cyber Initiative and a US/UK Fulbright Scholar in Cyber Security for the 2020/2021 year.

Original post on Medium.

I was recently asked by someone involved in policymaking for a short bulleted reading list on cybercrime and how to understand the major issues since they didn’t come from a technical background. I started writing the email and then realized I might as well post it here so I can refer back and possibly update. This is massively simplified and is my short hot take if I’m given one minute to explain a problem to someone who doesn’t have a lot of time but has to act on issues related to cybercrime.

1. When you experience cybercrime, the police probably can’t help you. If you think the cybersecurity staffing shortage is bad in industry and government, try your local sheriff. You are often required to report a crime to secure social help after being victimized, and that experience is rarely a positive one, especially for marginalized persons. The police in general will treat a report of a $250 purse theft differently than a report that $250 was phished from your bank account, even if you know precisely who did it. If you don’t know where the cybercrime was committed or originated from, the police will tell you that you can’t report it. In general they will refer you either to social services or tell you to report an online crime to the FBI (who generally won’t lift a finger for $250). This refusal to accept reports locally by the police and lack of action from the FBI makes these crimes invisible. There’s effectively nothing anyone can do if you’re a victim of cybercrime other than report you as a statistic. (If you need to, here’s where to report to the FBI). Here, read this. Also, advocate for clear jurisdiction over internet crime and fund the people investigating it.
2. Going dark is a myth. The complaints that the FBI and other law enforcement organizations have over the use of encryption on personal devices are about their convenience, their backlog of investigations, and in general a lack of technical people inside their organizations, not truly about responding to potential crimes. The FBI and other law enforcement organizations should consider creating an appealing workplace environment with market-rate salaries to attract some technologists rather than trying to sue their way into slowing down technological innovation so they can keep pace. LEOs can get into phones whenever it’s actually important for them to do so. Note: domestic cybercrime is a different conversation in terms of policy than in espionage, where the ability to access and read a device in another country could be important. However, note that the technology to remotely access and decrypt devices and communications is the same whether being used by a local sheriff’s deputy or the CIA — so authorize its use carefully. Here, read this. Also, fight backdoors in encryption.
3. We have a domestic law preventing the creation and training of people who could help with the cybercrime problem. We already have the names of crimes like theft, fraud, and abuse of the public trust. Saying it’s somehow worse to do crimes with a laptop instead of a mailbox only works because prosecutors and juries are frequently able to be convinced that computers are apocalyptically mysterious wizard boxes instead of some sand and steel that we bossed around until it did what we told it to do. The 1986 Computer Fraud and Abuse Act (CFAA) is the cause of much pixel spillage, but suffice to say that it’s a terrible law that penalizes security researchers and doesn’t stop real criminals. It’s primarily used to sprinkle magic cyber dust over a stack of criminal charges against a defendant to scare juries, with a lovely secondary use of threats of prosecution for intellectual property theft against former employees of a monopolistic company afraid of competition. Smart young people have died in this country due to the CFAA. Here, read this and this and this. Also, repeal and replace the CFAA as fast as possible.
4. Policymakers who don’t understand technology not only make bad law, but they scare others from wanting to help and enable bad actors to flourish. I try to be a reasonably tactful person, but there’s something especially blithering about the idiocy of politicians who think that because they cannot read HTML that it’s encryption (“I can’t read Spanish, so this Mexico City newspaper must be deliberately hiding its meaning from all English speakers!”). Or, that someone with the skills to notice that an entire US state has published the Social Security numbers of all their teachers and the kindness to tell someone so must be a computer criminal. Intentionally ignorant policymakers who take out their own inadequacies in understanding technology by either mocking or hurting techies or by trying to somehow declare that politics is determining the outcomes of math are dangerous. When policymakers don’t understand the fundamentals of technology or how the online world works, it makes them a figure of ridicule and unable to perform the oversight function necessary to regulate and protect the public. Here, read this and this and watch this. Also, if the policymaker you’re talking to has no intelligent technical people they’re listening to, empathetically find them some to talk to — or, if they have no interest in learning new things, back slowly away and primary the hell out of them next time.

Thanks for comments on this to @KendraSerra and to other distinguished colleagues unnamed here.

Originally on Foreign Policy, December 22nd, 2020.

Wargames can provide essential cybersecurity training for soldiers. But they won’t succeed unless the players confront real, independent hackers.

BY TARAH WHEELER, AMY ERTAN | DECEMBER 22, 2020, 7:53 AM

In recent years, NATO has begun to incorporate some innovative new cyberwarfare games and exercises into its annual wargames. But there is something missing. If NATO wants to see what nation-state hacking is like in the chaotic multiactor online world, it needs to practice fending off some actual hackers.

In mid-November 2020, NATO conducted its 13th annual cybergames in Estonia, with about 1,000 participants and observers from 33 states. Through the five-day exercise, NATO simulated an attack against the fictional nation of Andvaria as well as defending against a cyberattack on a NATO member state’s critical infrastructure. NATO specifically allowed and requested participating nations to practice working together in cyberspace and, for the first time, ran the entire simulation virtually due to the pandemic.

This was a wonderful opportunity that NATO mostly seized. Moving the games online meant that every connection, every network, every target machine could be tested and at realistic and differing levels of vulnerability. But in some key ways, the scenario played through by the various countries’ militaries did not reflect the actual state of the world during the pandemic. The most recent U.S. Treasury and Commerce Department hacks and the still developing U.S. National Nuclear Security Administration hack show how in the cyber-realm, everything, including civilians and weapons of mass destruction, is a target.

Wargames have been used for centuries as a way to train and improve on military strategy. NATO tried to replicate the online nation-state world by engaging with military and national security institutions using tried-and-true wargame planning. However, retrofitting the two traditional wargaming models—either assuming perfect knowledge of the enemy or re-creating 200-year-old Napoleonic and Prussian campaigns—into cyberspace simulations just does not work. In the cyberdomain, the fog of war can be exponentially greater, cyber-capabilities can be more completely hidden, and the enemy is using brand-new tactics.

The reality of the online world is much more chaotic than the NATO simulations presume. There are independent actors, cyber-criminals, white hats, respected security firms, broken infrastructures, country-sized firewalls, a massive and messy differential in power between the largest and smallest actors, and all the chaos of artificially intelligent tools that can automate overwhelming attacks based on leaked personal data.

Unfortunately, NATO does not include nonstate actors in the annual cybergames. This creates three problems. First, there is no guarantee that an attack will come from uniformed soldiers of a hostile country. Bad actors will use whatever low-cost hacks they can find, make, buy, or steal.

Second—and crucially—defending cyberspace requires people who think differently. Even the U.S. government has reached out to hackers to staff up agencies such as the FBI and National Security Agency, realizing that traditional information technology education does not produce innovative offensive security researchers. Limiting contributions to active military and public sector employees will result in a certain amount of groupthink. It is critical for NATO to include nonstate actors, independent researchers, and respected industry experts (who aren’t solely military contractors trying to pump up weapons sales by sponsoring these wargames).

Third, we in the cybersecurity community have been aware that civilian medical facilities and research stations have not only been fair game but the primary targets of international bad actors for half a decade. After we saw vaccine research stations targeted by North Korea and others at the beginning of the pandemic, we in the industry and the cybersecurity community predicted repeatedly that vaccine production would be targeted by nation-states, and we are now seeing evidence in recently reported successful espionage attacks on Pfizer and BioNTech facilities that we were correct. NATO should include in their cybergames the kinds of urgent current events we are already seeing play out in the news.

In the past, NATO has been caught off guard when its cyber-exercises failed to account for real-world attackers. In October 2018, 50,000 soldiers, sailors, and pilots from 31 countries simulated war off the coast of Norway. NATO’s Operation Trident Juncture did not include cyberattacks in the wargames at all—until real-world Russia actually began jamming the real GPS systems of the conventional weapons being tested on the battlefield as part of the simulated conflict.

Everyone planning the games had previously agreed on the polite and necessary fiction that the computers embedded in their vehicles and weapons—and managing their air, water, fuel, targeting, and health—were not permissible targets in this engagement. Russia’s behavior highlighted the absurdity of NATO excluding the cyberdomain from conflict simulations. Even after this real-world mid-scenario attack, NATO has still not incorporated the randomness of actual cyberspace in its simulations.

Recent attacks on vaccine production facilities show how failing to model cyberthreats appropriately will come back to bite you, and we predict that medical facilities will be a popular target for cyberattackers in the future.

Therefore military and government cyberdefense forces should use hackers’ skills and noninstitutional creativity to help predict attacker tactics.

The organizers of future wargames need to recognize that having independent experts see and participate in wargames means the ability to model opponents other than nation-states, test the scenario and the network under use from a fresh perspective, and ultimately make for a stronger training outcome. Cyberwar is new, and soldiers who have been conditioned to see only clearly delineated battlefields will enjoy the challenge of needing to think orthogonally, strangely, and innovatively.

It is important to build NATO’s ability to monitor, manage, and conduct cyberwar because these simulations often lead to a de-escalation of conflict after capabilities become known to the players (and their potential opponents). The same quality that makes cyberwarfare so rapid and difficult to detect—its relative cheapness in terms of cost and time—also makes it much easier to simulate than naval warfare, for instance.

The international information security community is filled with smart people who are not in a military structure, many of whom would be excited to pose as independent actors in any upcoming wargames. Including them would increase the reality of the game and the skills of the soldiers building and training on these networks. Hackers and cyberwar experts would demonstrate how industrial control systems such as power supply for refrigeration and temperature monitoring in vaccine production facilities are critical infrastructure; they’re easy targets and should be among NATO’s priorities at the moment.

Diversity of thought leads to better solutions. We in the information security community strongly support the involvement of acknowledged nonmilitary experts in the development and testing of future cyberwar scenarios. We are confident that independent experts, many of whom see sharing their skills as public service, would view participation in these cybergames as a challenge and an honor.