Welcome to Threat Level Thursday, where this week we will listen to the White House "talk" about cybersecurity, watch lawmakers make laws with loopholes, realize that our energy sector has been under attack, and give Microsoft a thumbs up for standing up to Big Brother.
Let's Talk, Really Talk
White House Cybersecurity Coordinator Michael Daniel took to the White House blog Wednesday to elaborate on key cybersecurity talking points he delivered at the Gartner Security and Risk Management Summit in Maryland a week before. He stresses that throwing layers of security and technical expertise at the issue is secondary to fundamental changes in the way the very topic of cybersecurity is discussed.
"In an overall strategic context, I think that we need to continue to work on how we can flip the economics of cyberspace; specifically, how we can change our overall approach to cybersecurity to more directly address economic and human behavioral factors," Daniel wrote.
"For example, we need to figure out how to use economic incentives to create a market for systems that are secure by default and that increase cost of conducting malicious activities in cyberspace. In the end, what makes cybersecurity hard is the non-technical aspects of it. As a result, cybersecurity requires a holistic approach that takes into account human behaviors and economics, as well as the technical factors."
Which leads us to the second part of Threat Level Thursday...
Making Things Worse
The Cybersecurity Information Act of 2014 (CISA) has been making the rounds, and its language is ruffling some feathers. For starters, although its intent is to increase transparency between the private sector and government, it provides enough leeway for companies to share personal information under the guise of a security threat. In fact, they could act according to any threat they perceive, including throttling Netflix -- which brings up net neutrality.
A number of coalitions, including the American Civil Liberties Union, penned this letter to Senators Dianne Feinstein and Saxby Chambliss in which they sketch out the inadequacies of the bill. For all intents and purposes, they seem to have good points.
The Energy Cyber Crisis
Security firm Symantec recently uncovered a malicious, ongoing campaign against energy sectors around the world by a group dubbed "Dragonfly." The hackers have been infecting computers around the world, mostly in the energy sector, creating a very dangerous scenario. Affected countries include the United States, Spain, France, Italy, Germany, Turkey and Poland.
"The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors. Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations' networks, but also gave them the means to mount sabotage operations against infected ICS computers."
Most organizations whose systems were attacked have been notified, although, as with every initial discovery, there are most likely more.
Microsoft Fights Back, Passively
Microsoft, which is currently embroiled in a legal tangle with the U.S. government over a customer's privacy, stepped up its game Tuesday by bolstering encryption services for its OneDrive and Outlook services. Microsoft also announced the opening of a transparency center on its Redmond, Wash. campus.
"Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day," wrote Microsoft vice president of Trustworthy Computing Security Matt Thomlinson. "This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data."
Take that, NSA.