business – Medill National Security Zone
http://nationalsecurityzone.medill.northwestern.edu
A resource for covering national security issues
Tue, 15 Mar 2016 22:20:28 +0000

FBI director calls tech giants’ stance on strong encryption ‘depressing’
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/05/21/fbi-director-calls-tech-giants-stance-on-strong-encryption-depressing/
Thu, 21 May 2015 16:47:30 +0000

FBI Director James Comey told an audience he thinks the government should have a back door to gain access to secure devices. (Holly LaFon/MEDILL NSJI)

WASHINGTON — FBI Director James Comey on Wednesday criticized tech giants including Apple and Google for opposing so-called “back doors” in security software for government agencies to access encrypted phones, computers, and other devices.

The tech companies along with academic experts and advocacy groups wrote a letter to President Obama on Tuesday opposing statements by administration officials who have come out strongly against more robust encryption on consumer products. In fact, some officials have advocated that tech companies stop selling encrypted products altogether unless the government has a way to decrypt the data.

The letter makes the case that weakening products’ security would only make them more vulnerable to “innumerable criminal and national security threats.”

But Mr. Comey, addressing the Cybersecurity Law Institute at Georgetown University, said the FBI faces increasing difficulty in unlocking encrypted devices – and those who signed the letter were either not being fair-minded or were failing to see the societal costs to universal strong encryption.

“Either one of those things is depressing to me,” he said.

Citizens’ privacy interests and public safety are coming closer to “a full-on collision,” he said. Acknowledging “tremendous societal benefits” to encryption, Comey said the inability of law enforcement officials to gain access to encrypted devices when they have probable cause and strong oversight threatens public safety.

“As all of our lives become digital, the logic of encryption is all of our lives will be covered by strong encryption,” he said. “Therefore all of our lives … including the lives of criminals and terrorists and spies will be in a place that is utterly unavailable to court-ordered process. And that to a democracy should be utterly concerning.”

However, tech companies and encryption advocates argue in the letter that creating back doors would also pose an economic threat to the companies, especially in light of the Edward Snowden leaks.

“US companies are already struggling to maintain international trust in the wake of revelations about the National Security Agency’s surveillance programs. Introducing mandatory vulnerabilities into American products would further push many customers – be they domestic or international, individual or institutional – to turn away from those compromised products and services,” the letter said.

What’s more, critics – including many lawmakers – who oppose efforts to weaken encryption say that creating a system in which government agencies have access to secure data would also create vulnerabilities exploitable by criminal hackers and other governments.

Comey acknowledged the business pressures and competitive issues involved, but urged tech companies to find a safe way to cooperate with government needs to access information.

“Smart people, reasonable people will disagree mightily, technical people will say it’s too hard,” he said. “My reaction to that is, ‘Really? Too hard? Too hard for the people that we have in this country to figure something out?’ I’m not that pessimistic.”


Published in conjunction with Arkansas Democrat-Gazette

North Korea turning to human trafficking for foreign currency
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/05/18/northkoreahumantrafficking/
Mon, 18 May 2015 20:27:38 +0000

WASHINGTON – To generate new income sources, the North Korean government has engaged in state-sponsored trafficking of its citizens, sending them to work as forced laborers in other countries and confiscating all or most of their wages, an issue of increased focus in the international community.

“I see it as just starting to get attention. It’s an emergent issue on the international agenda,” said Scott Snyder, senior fellow for Korea studies at the Council on Foreign Relations.

Both the Korea Economic Institute and the House’s Tom Lantos Human Rights Commission held meetings in Washington D.C. in April and May to address the trafficking.

North Korea, frequently ranked as the world’s worst human rights abuser, has lured between 50,000 and 60,000 citizens to work in industries around the globe with the promise they would keep their wages, according to a paper from the Database Center for North Korean Human Rights presented on Tuesday. Instead, the wages are sent to the North Korean government, generating as much as $2.3 billion per year.

Industries employing the laborers range from logging and mining to restaurants, and workers who complain or escape risk reprisal against themselves and their families who remain in North Korea, said Robert King, special envoy for North Korea Human Rights Issues at the State Department, at the House hearing.

Workers have been sent through bilateral contracts to around 40 countries, primarily Russia, China, Mongolia and nations in Africa, central Europe and the Middle East, according to a State Department Trafficking in Persons Report from March.

Snyder said the increased trafficking is one of North Korea’s ways of earning foreign exchange. Previously, the government sustained itself through other illicit means, such as drug trafficking, counterfeiting and weapon sales, but those income sources have been declining.

“They’re running a trade deficit with the rest of the world and it’s mostly shown in trade with China,” Snyder said.

“Whatever North Korea can do to make a profit it does, and much of it turns out to be illegal.”

One defector, Lim Il, told the Lantos commission that he had been a state employee in North Korea but went to Kuwait to work at a construction company, where he was required to put in 14-hour days under strict surveillance, with two days off per month.

“I think we were slave laborers,” Il said.

After escaping to the South Korean embassy, he learned that his salary had all gone to the Office of the Worker’s Party that manages foreign currency. “The money obtained through the export of laborers overseas [is] used as a personal fund for Kim Jong-un,” the Database Center for North Korean Human Rights paper said.

The U.S. and international community are facing difficulty curtailing the trafficking, said John Sifton, Asia advocacy director at Human Rights Watch, at the House hearing. The biggest reasons are that most of the work occurs in Russia and China, it provides North Koreans minimal exposure to the outside world which may help undermine the government, and officials have not decided whether to approach it from a sanctions or human rights perspective.

“To address this is going to require attention and focus from the international community,” Snyder said. “And the best way of doing that would probably be to make this an issue of concern for the counterparts.”


Published in conjunction with MarketWatch

Helping Veterans Become Small Business Owners
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/05/11/helping-veterans-become-small-business-owners/
Mon, 11 May 2015 23:06:57 +0000

CLINTON, Md. — From soldier to CEO is a more natural transition than many veterans realize. A large support network has sprung up to help vets start their own businesses, but many do not know it exists.

On Tuesday night the Small Business Administration and VetFran partnered with Marriott’s TownPlace Suites to host a workshop aimed at educating veterans on the basics of entrepreneurship as well as special programs available to former service members. The two biggest components for veterans preparing to start their own business are choosing the right kind of business for them and securing capital, they said.

They also recommended that aspiring business owners take time to think about their passion.

“If they’ve always wanted to own their own business they should definitely write down what they’re passionate about, what their interests are, what they want to do,” said Paul C. Rocchio, senior director of development and member services of the International Franchise Association, which owns the franchising organization VetFran. “Maybe tie it into what they did in their military service – what kind of responsibility, what kind of job they had.”

VetFran Manager George Eldridge works with veterans every day.

He helped an Air Force veteran start a franchise in his living room and garage that has become so successful the vet has opened a showroom and warehouse.

“He is in his third year of franchising and in the program and doing great,” he said.

Eldridge encourages vets interested in business ownership to do their research and examine all possibilities.

“In the military you think ‘I can’t fail,’ but sometimes you have to think about the risks you’re getting into and have a balanced expectation when getting into something like this,” he said.

Veterans interested in franchise ownership may find a good match for their interests on VetFran’s website, which offers a plethora of options, he said. Over 100 different industries franchise, the most active being food, followed by hospitality, home-based businesses, childcare and pet care.

Contacting SBA is also a good place to start, advised Laurie Sayles Artis, a Marine vet who owns Civility Management Solutions, a management consulting firm.

“The reason I say that is because they are free mentors there to do just that,” she said. It’s a cost-effective way to decide what area a vet wants to work in compared with paying for training that turns out to be in an area outside of the vet’s passion.

“I’ve watched people fumble through who didn’t know what business they were getting into before they got there,” she said. “I highly recommend no training until you decide what training you want to get.”

Financing opportunities also abound for veterans. The Small Business Administration, which has 68 field offices around the United States and 1,000 resource partners, has Veterans Business Outreach Centers throughout the country offering information on how to gain access to capital.

For veteran-specific programs, the SBA helps businesses obtain reduced loan fees for any loan under $350,000.

Earlier this year, the SBA also launched LINC, Leveraging Information and Networks to Access Capital, an online tool that simplifies the connection between loan seekers and lenders. By answering just a few questions, an applicant can reach out to lenders all over the country.

“If you qualify for something, and even if it’s maybe a non-traditional loan or a micro-loan, the lender will reach back out to you and say hey, maybe this is we can talk about and this is the next level,” Chris James, an SBA assistant administrator, said.

At least 3,000 vets have used LINC to make a connection since the program launched two months ago.

“That doesn’t mean it translates into a loan exactly, but at least it’s linking up a business with a potential lender all around the country, and not just your bank,” James said.

VetFran does not provide financing, but, like LINC, it connects veterans to help with funding, working closely with the Small Business Administration and lenders within its supplier group to help them afford the franchise opportunity they want.

Those shopping for a franchise can expect to pay from $10,000 to $20,000 for a home-based business, Rocchio said, to millions for a McDonald’s or hotel brand, with options everywhere in between.

“Our members that are participating in the VetFran program are offering their franchise at a discounted rate or in some cases are waiving the initial franchise fee to make it easier for [veterans] to become an owner operator and to own their own business,” he said.

Rocchio and the other speakers urged veterans to think like entrepreneurs and be aggressive in reaching out for help.

“As veterans you do have a few more opportunities than some other folks,” he said.

Text by Holly LaFon. Video by Nick Kariuki.

Published in conjunction with Military Times

Will a new China-led investment bank be a responsible stakeholder environmentally? Experts weigh in
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/04/13/will-a-new-china-led-investment-bank-be-a-responsible-stakeholder-environmentally-experts-weigh-in/
Mon, 13 Apr 2015 23:02:37 +0000

WASHINGTON — After several European allies applied to join the Asian Infrastructure Investment Bank this week, U.S. officials have begun to soften their critical view on the China-backed initiative.

“We do not ask any country to choose ties with the U.S. to the exclusion of anyone else,” Deputy Secretary of State Tony Blinken said Tuesday in a speech at the Brookings Institution, the centrist think tank.

Tony Blinken talks about China’s role in Central Asia development

Blinken restated the White House’s earlier concerns about the standards the China-backed bank will use for making decisions. Treasury Secretary Jack Lew also remarked at a congressional hearing last week that anyone joining the AIIB needs to ask those questions.

The AIIB’s operation plan won’t be revealed until later this year. But it is said the bank will model itself after existing development banks, giving founding members the most voting power. China will also reportedly give up veto power, which eased concerns from many countries.

Blinken worries the AIIB could “dilute the standard” of existing institutions

On one front, the environment, the AIIB is not a copy of World Bank

In the “Environmental and Social Framework” released last June, the World Bank sets specific requirements on labor and working conditions, resource efficiency and pollution protection, community health and safety, and three other categories of environmental and social standards. All are mandatory in order to reduce poverty and increase prosperity in a sustainable manner worldwide, the World Bank asserts.

Chen Bin, a commentator in the outspoken Chinese newspaper, Southern Weekly, however, said it’s “inconsiderate” to ask AIIB to stick to and carry out these criteria.

China’s Finance Minister Lou Jiwei said at a recent Asian-Pacific Economic Cooperation meeting that the bank is aimed at promoting connectivity among Asian countries, through commercial infrastructure investment instead of poverty reduction.

Largely commercial, AIIB sets itself apart from the World Bank and the Asian Development Bank, led by Japan, both committed to public welfare. This leaves more space as well as questions in how the bank will select the programs and infrastructures in which to invest.

“The World Bank and other existing multilateral development assistance organizations have strong rules to promote sustainable and inclusive growth,” said Scott Kennedy, director of Project on Chinese Business & Political Economy at the Center for Strategic and International Studies. “China’s bilateral foreign assistance to date is filled with examples where there has been insufficient attention to protecting the environment and ensuring safe and fair treatment of workers. And a substantial portion of this aid has benefitted Chinese companies. Hence, there is good reason to have some concerns about how the AIIB will operate,” he said.

AIIB currently has 30 prospective founding members, including Great Britain, France, Germany and Italy. Seventeen other countries and regions, including Australia and Taiwan, have yet to be approved. The final list will be confirmed on April 15.

FISA Court gets corny: Controversial surveillance used to investigate agricultural caper in Iowa
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/04/09/fisa-court-gets-corny-controversial-surveillance-used-to-investigative-agricultural-caper-in-iowa/
Thu, 09 Apr 2015 10:51:54 +0000

Chinese nationals accused of trying to sneak corn seeds from Iowa back to China were surveilled by the government under an order approved by the Foreign Intelligence Surveillance Act Court, according to a March 30 article by KETV Omaha’s David Earl. According to the piece, the news of FISA’s involvement in the legal aftermath of the alleged agricultural caper arrived via a brief filed by the case’s defense attorneys, one of whom claims that this incidence of surveillance marks uncharted territory for FISA’s utilization. Read the full piece here.

Private sector remains wary of government efforts to increase cybersecurity collaboration
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/private-sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/
Thu, 19 Mar 2015 14:49:28 +0000

WASHINGTON – President Barack Obama and lawmakers have announced plans to increase information sharing between the government and the private sector following data breaches at major companies. But companies are hesitant to join these initiatives because of liability and privacy concerns – and sharing information could put them at a competitive disadvantage.

Experts agree information sharing is essential in preventing and responding to cyber attacks, but the government and private sector bring different perspectives and strategies to mitigating the threats.

Companies need to take the approach that there is “strength in numbers,” said Greg Garcia, executive director of the Financial Services Sector Coordinating Council.

“To the extent that we can have what amounts to a neighborhood watch at a national scale, then we’re going to be better aware of the adversaries and what they’re up to and what they’re trying to do,” Garcia said.

One area where progress has been made is in the sharing of cybersecurity threat indicators, which identify the source of cyber attacks, said Mary Ellen Callahan, former chief privacy officer at the Department of Homeland Security. These indicators can include bad IP addresses, malware that’s embedded in emails or specific coding in software, she said.

DHS and the Mitre Corporation have developed programming languages to improve communication about cyber threat information between the government and the private sector. Structured Threat Information Expression and Trusted Automated Exchange of Indicator Information, known as STIX and TAXII respectively, are used in tandem to quickly share the information.

“It’s one thing to have these executive orders and things, but it’s another to have the technical enablers to make it easy for these companies to do it,” said John Wunder, lead cybersecurity engineer at Mitre. “You want to make it easy to share threat information in a way that you share exactly what you want.”

Yet, these programs haven’t fully developed and more participation is needed to make them effective, said Judith Germano, a senior fellow at New York University School of Law’s Center on Law and Security.

“I hear from companies that they are often less concerned about where the threat is coming from, but what is the threat and what can they do to stop it,” she said. “That’s the valuable information. Some of that is being shared and is very helpful, but it needs to be expanded.”

Last month, Obama announced an executive order promoting cybersecurity information sharing. The order encouraged the development of information sharing and analysis organizations to spearhead collaboration between the private sector and government. He tasked DHS with creating a nonprofit organization to develop a set of standards for ISAOs.

Despite these efforts, robust information sharing is still lacking.

“Everyone wants information. Nobody wants to give information,” said Mark Seward, vice president of marketing at Exabeam, a big data security analytics company.

Companies fear sharing information with the government could reveal corporate secrets or consumers’ private information, said Martin Libicki, a senior management scientist at the RAND Corporation. He added sharing information with the government could also pose legal risks if the information shows companies did not follow federal regulations.

Germano, who also runs a law firm focused on cybersecurity issues, says cybersecurity collaboration comes down to a matter of trust. The private sector, she said, is wary of the government.

“On one hand [the government is] reaching out as a friend and collaborator to work with companies,” she said. “On the other hand, the same government has an enforcement arm outstretched with the FTC, the SEC that if you do not comply, there can be repercussions, possible lawsuits and other regulatory action taken against you.”

Therefore, only information that is directly related to a threat should be shared and stored, said Callahan, now a partner at Jenner & Block. Further, she said when companies share a large amount of information at once it slows down the process of assessing the threat and they often share more information than is necessary.

The U.S. also lacks “an intelligent and forceful deterrence strategy” for cyber attacks, said Matthew Eggers, senior director of the U.S. Chamber of Commerce’s national security and emergency preparedness department, at a Congressional hearing earlier this month. He also said the government needs to provide more assistance to companies who have suffered from hacks.

“U.S. policymakers need to focus on pushing back against illicit actors and not on blaming the victims of cybersecurity incidents,” Eggers said. 

To address some of these concerns, Sen. Tom Carper, D-Del., introduced in February the Cyber Threat Sharing Act of 2015, which looks to provide liability protections for companies when they share cyber information with the government.

The bill would prohibit the government from using shared cyber threat data as evidence in a regulatory action against the company that shared the information. It also strengthens privacy protections and limits how shared data could be used. The bill has been referred to the Committee on Homeland Security and Governmental Affairs.

In February, Obama also called on the Director of National Intelligence to create the Cyber Threat Intelligence Integration Center, a national intelligence center aimed at “connecting the dots” on cyber threats. The center will “collect intelligence, manage incident response efforts, direct investigations” among other responsibilities.

However, experts remain skeptical about the center.

“What concerns me about that is if you read the president’s memoranda on [the Cyber Threat Intelligence Integration Center], it says that it’s consistent with privacy and civil liberties protections as relevant to that agency,” said Callahan, the Jenner & Block lawyer. “Well, the intelligence community, as you know, has reduced private protections.”

The center’s framework will be similar to that of the National Counterterrorism Center, which is a concern for Libicki, of the RAND Corporation.

“The last cyber attack had elements of terrorism in it. Does that mean we should look at this entire problem purely through the lens of counterterrorism?” Libicki said. “Why are you duplicating a methodological framework that culminates in a set of actions, like predator drones, which are totally inappropriate for cyber?”

Kathleen Butler, a spokesperson for the Office of the Director of National Intelligence, did not have any additional comment beyond the president’s announcement of the center as she said initial planning is still underway.

While experts say it will take time for the private sector to fully engage in the information sharing initiatives, the government’s efforts have been mostly positive.

“This is about enabling people to share what they know and get access to what others know such that protection can be more pervasive,” said Bobbie Stempfley, Mitre’s director of cybersecurity implementation. “That’s really a powerful concept.”

Internet currency Bitcoin lacks privacy protections
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/internet-currency-bitcoin-lacks-privacy-protections/
Thu, 19 Mar 2015 14:46:41 +0000

WASHINGTON — Bitcoin lacks the anonymity that many users have come to expect and desire, especially for a currency advertised as “cash for the Internet.”

All transactions made using the online currency are logged in a public ledger to ensure their validity.

“It’s inherent in the system to have it be transparent,” said Jim Harper, a senior fellow at the libertarian Cato Institute and a member of the board of directors at the Bitcoin Foundation. “You could have greater privacy if it was a system that one party controlled, but that would have costs relying on that party to get it right.”

Bitcoin is a digital currency that has no central authority and can be used, in many ways, like cash. Many businesses, from restaurants to WordPress, have begun to accept bitcoin as payment. To get started, it only takes a few minutes to go online to set up a Bitcoin wallet.

“It is fast and free,” said David Barrett, the CEO of Expensify, a company that supports Bitcoin use for international transactions. “It’s secure. And I would say it works everywhere in the world. And it is a very powerful technology for moving money around the world.”

Bitcoin offers an “acceptable level of privacy,” according to Bitcoin.org, which is managed by its developers. And for many Bitcoin users, any potential loss of privacy is an acceptable trade-off to circumvent traditional financial institutions.

“The idea of having this flexible payment system where you can pay someone on the other side of the world without having to turn to Western Union or something, that is quite an appealing concept,” said Sarah Meiklejohn, a lecturer at University College London who has done research on the currency.

Because this cybercurrency is not tied to any country or bank, it can be a relatively stable option for those in developing countries, where the local currency is often unreliable.

But, because of Bitcoin’s transparency, it is relatively easy to track a user’s entire transaction history. The public ledger shows the location of the Bitcoin user who is making a transaction as well as the history of the Bitcoin they are spending.

The public ledger shows a Bitcoin’s transaction history and the user’s location.

“It is kind of anonymous, but the second that you do any transaction with Bitcoin, every transaction is there,” said Barrett. “Once you pay me a bitcoin, basically I can look at the log and see every transaction you’ve made.”

Bitcoin.org claims no responsibility for any “losses, damages or claims,” for invasions of privacy or thefts, according to its terms and conditions. It suggests encrypting Bitcoin wallets and using secure connections to avoid thefts.

There are ways to improve the anonymity of the currency, but they require a concerted and technology-intensive effort that many do not even know is an option.

“There’s a thing called mixing, which is a process where you commingle your bitcoins with the bitcoins of others and the output of those transactions is harder to trace back to individuals,” said Harper, the Cato fellow. “It might make it a probabilistic calculation rather than drawing a direct line.”

This process is the equivalent to moving funds through banks in countries like the Cayman Islands and Panama which have strict bank-secrecy laws.

Today, some experts are cautious in accepting Bitcoin as a widespread currency. However, many see the Bitcoin concept as one that will remain.

“It’s actually a good alternative to a currency if there is inflation,” Barrett said. “In Venezuela and Africa, it is getting larger adoption. Russia also has a big growth in bitcoin. It’s a safer and less volatile way to keep your currency. Over time, Bitcoin will, in certain parts of the world, become a daily occurrence.”

Bitcoin and its supposed anonymity gained prominence in its role with the Silk Road, an online black marketplace known for selling illicit drugs and weapons. Buyers and sellers were able to connect virtually and use the cybercurrency to conduct anonymous transactions.

“This perception of anonymity might be driving groups towards Bitcoin, but then the transparency is giving law enforcement or anyone interested in these illicit transactions this beautiful view of all of these types of illicit transactions,” said Meiklejohn, the Bitcoin researcher. “Instead of going to somewhere like Western Union and wiring cash over to the Islamic State or whatever, if you’re doing it with Bitcoin then you are creating this paper trail that is never going to go away, literally ever.”

What may scare off more potential Bitcoin users, however, is not its lack of anonymity, it’s the volatility of the currency. In the last 12 months, the value of the currency has fallen by nearly half.

“Maybe I’m just cynical, but it’s hard to see why Bitcoin, as it is now, would achieve widespread adoption, which ultimately is what you would need to have any kind of stable currency,” Meiklejohn said. “So, as long as Bitcoin is this niche market, it is going to remain pretty volatile.”

Should corporations give the government information after a hack?
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/should-corporations-give-the-government-information-after-a-hack/
Thu, 19 Mar 2015 13:57:07 +0000

Private sector advises Obama’s cybersecurity proposal
http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/10/private-sector-advises-obamas-cybersecurity-proposal/
Tue, 10 Mar 2015 19:00:32 +0000

WASHINGTON — President Barack Obama’s cybersecurity information sharing proposal – with its focus on sharing only targeted threat information between private firms and the government – is a better approach than “ill-advised” widespread sharing, a former top privacy official for homeland security said Wednesday.

The Committee on Homeland Security’s Cybersecurity, Infrastructure Protection and Security Technologies subcommittee heard from industry, privacy and academic experts regarding what they think cyber threat information sharing should look like. The previous week, Department of Homeland Security representatives went before the entire committee to explain how this legislation could protect Americans from increasing cybersecurity threats.

Obama’s three-part proposal includes increased sharing among private sector companies and between them and the government. It also encourages the formation of Information Sharing and Analysis Organizations and creates certain guidelines for both the private and federal sectors regarding personal information retention and sharing.

Under the legislation, businesses would share information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which would pass it onto relevant federal agencies and ISAOs. Participating businesses would receive targeted liability protection in return.

Mary Ellen Callahan, former Department of Homeland Security chief privacy officer, agreed with this targeted sharing approach, calling immediate widespread sharing of threats “ill-advised.” According to Callahan, private sector threats–usually IP addresses and URLs–are reported to the DHS, and then distilled to remove any personal information.

In the end, government security professionals only have information on the threat, its source and target, and how to combat it.

Subcommittee Chairman John Ratcliffe, R-Texas, referred to recent breaches at companies such as Anthem, Sony Pictures, Target and J.P. Morgan as examples of why the legislation is needed. “We need to pass legislation that facilitates the sharing of cyber threat indicators and contains robust privacy protections to improve collaboration between federal civilian agencies, like DHS, and the private sector,” he said.

Many companies choose not to share cyber threat indicators or breaches with one another or the government for fear of legal liability, or having their names in the media as companies with poor cybersecurity. Without this sharing of information, hackers can use the same tactics repeatedly with multiple companies.

Private companies want to see a bill that would allow them to voluntarily share cyber threats with other organizations, but have flexibility in what they share with the government, according to Matthew Eggers, senior director of National Security and Emergency Preparedness for the U.S. Chamber of Commerce.

“This is a bill trying to convince them to participate in a voluntary program that makes their lives more difficult. For folks like me saying ‘I’m not fond of government being in my cell or ERP (Enterprise Resource Planning–software for data management),’ that’s going to be a neat trick,” Eggers said.

The key will be convincing companies that Obama’s proposal would better protect everyone in the long run.

“We need a federated sharing community, not a competitive one,” Greg Garcia, executive director of the Financial Services Sector Coordinating Council, said. “Withholding info to get ahead… Balkanizing or siloing information–that defeats the purpose.”

This is not the first time Obama has proposed legislation to safeguard America from cyber attacks. In 2011, he rolled out his Cybersecurity Legislative Proposal in an effort to give the private sector and government the tools they need to combat cyber threats. In 2013, he issued the Executive Order on Improving Critical Infrastructure Cybersecurity, which established cybersecurity framework standards that were developed in tandem with the private industry.
