Cybersecurity – Medill National Security Zone http://nationalsecurityzone.medill.northwestern.edu A resource for covering national security issues Tue, 15 Mar 2016 22:20:28 +0000 en-US hourly 1 Too early to judge the China-U.S. cyber agreement http://nationalsecurityzone.medill.northwestern.edu/blog/2015/10/06/too-early-to-judge-the-china-u-s-cyber-agreement/ Tue, 06 Oct 2015 15:50:52 +0000 http://nationalsecurityzone.medill.northwestern.edu/?p=23230

U.S and China signed a agreement aiming to stop cyberespoinagee and promote international cyber norms, but many experts say the the four-point plan is symbolic without specifics. Continue reading ]]>

WASHINGTON — The agreement between the U.S. and China, signed during President Xi Jinping’s visit to the White House last month, aims to stop cyberespoinagee and promote international cyber norms, but many experts say the the four-point plan is symbolic without specifics.

Some called it a “paper agreement,” while some recognized the agreement as major progress but took a “wait-and-see” attitude about how China will honor the agreement.

What is the agreement about?

According to the White House, the agreement covered four aspects of cybersecurity: Providing timely response to assist each other’s cyberinvestigations; vowing not to conduct online intellectual property theft; working together on international norms in cyberspace; and establishing a high-level information-sharing mechanism on fighting cybercrime.

For Christopher K. Johnson, senior China studies adviser at the Center for Strategic and International Studies, the most significant component of the agreement was the second aspect on the list: that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property.”

“We can and should expect that the next time the U.S. has releasable evidence of this type of activity emanating from China, the administration will present such evidence to the Chinese, with the expectation that the responsible parties will be prosecuted to the full extent of Chinese law,” he testified at a Senate Foreign Relations Committee hearing on Sept. 29.

However, David Inserra, a policy analyst at the Heritage Foundation, a conservative think tank, argued it was “another paper agreement.”

He said that China had never admitted to engaging in cyberthefts. “They have agreed to stop a behavior that they deny ever engaging in. That doesn’t bode well as an indicator of their future behavior,” he wrote in Daily Signal, a website sponsored by the Heritage Foundation.

Nir Kshetri, management professor at University of North Carolina-Greensboro, said the two countries’ agreement to provide timely responses to requests for information and assistance related to cyberattacks was a major achievement.

“The lack of timely response has been the main point of complaint against each other,” he wrote in an email.

Kshetri gave two examples. “It was reported that in 2010, the FBI office in Beijing forwarded 10 letters through the Ministry of Foreign Affairs and received responses to two. Likewise, in 2010, Gu Lian of the Chinese Ministry of Public Security had noted that China received no response in its request for cooperation from the U.S. on 13 cybercrime cases involving issues such as fake bank websites and child pornography,” he wrote.

Inserra was again skeptical. “Will the Chinese help the U.S. investigate the five Chinese military officers that the U.S. charged with cybercrimes last year? Doubtful.”

Why now?

For years, the U.S. and China have blamed each other for cyberespionages and competed in military cybercapabilities. In May 2014, the Department of Justice charged five Chinese military officers with computer hacking and economic espionage against U.S. nuclear power, metals and solar products industries.

In June, The Washington Post reported that Chinese hackers stole personal data from the Office of Personnel Management, affecting about 4 million federal employees.

China denied both accusations and blamed the U.S. for large-scale cybertheft, wiretapping and surveillance activities revealed by Edward Snowden.

Kshetri, said that the two nations view each other as major sources of cyberattacks and a cybersecurity agreement was “a logical way to proceed.”

 

How will it affect both sides?

Another witness at the Sept. 29 Senate Foreign Relations Committee hearing, Melanie Hart, director of China policy at the Center for American Progress, acknowledged that the agreement would not “completely eliminate” cyberespionages from China. But she projected that China might apply new restrictions and require higher-level approvals for cyberspace intrusions targeting U.S. commercial entities and therefore reduce harm to U.S commercial interests.

James Andrew Lewis, senior fellow at Center for Strategic and International Studies, called the agreement “a significant step forward” in another Foreign Relations Committee hearing on Sept 30. He said this was the first time the Chinese leaders addressed the issues of commercial espionage.

But he also said, “In talking to administration officials, they know they have wiggle room in the language. They told me they would be watching closely to see how well the Chinese would live up to their commitment.”

“What I was told by (an Obama) administration official is that sanction is still on the table,” he added.

Johnson said economic sanctions are the “most effective punishment” but carries risks. Imposing sanctions is a “naming and shaming” approach that gives China “very little room to react, which is not what we want,” he said. “We want them to change their behaviors.”

 

 

 

]]>
Experts say retaliation over OPM cyber attacks may be misguided http://nationalsecurityzone.medill.northwestern.edu/blog/2015/09/03/experts-say-retaliation-over-opm-cyber-attacks-may-be-misguided/ Thu, 03 Sep 2015 23:59:43 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=23117 Continue reading ]]> WASHINGTON — With cyber attacks grabbing the public’s attention, calls for retaliation, especially against suspected state-sponsored intrusions, have escalated.

Critics argue that a passive approach by the U.S. government only emboldens perpetrators. Draw a red line, they urge; the massive Office of Personnel Management breach, in particular, warranted a decisive response by the government.

But on the other side, some experts warn that retaliation, in any form, would be shortsighted, simplistic, and unrealistic, potentially undermining America’s interests. The rules of engagement, even informal guidelines, have yet to be written, they say.

Those advocating hacking back say the OPM breach should have been the final straw. But where to strike? The Obama administration has not openly accused the Chinese government,or any government, of being behind the OPM cyber attack.

The OPM, which handles security clearance for federal government employees, discovered in June that the agency had been hacked. The latest figures reveal that records of 22 million workers were compromised.

But Robert Knake, former head of cybersecurity policy at the National Security Council, said those advocating for hacking back are overreacting.

“It’s bad. But it’s not devastating,” said Knake of the names and Social Security numbers exposed by the breach. “The reason it’s not devastating is that we know about it.”

Speaking at an Atlantic Council panel last week debating the consequences of retaliating for cyberattacks, Knake said identifying the breach offers the opportunity to mitigate the damage. Once armed with this knowledge, the government can use the hack to its advantage, he argued.

For example, in the unlikely event that China uses information gleaned from the breach to identify Americans involved in sensitive activities, Knake said the U.S. could respond with misdirection by changing personnel.

Knake said the leaking of classified National Security Agency information by NSA contractor Edward Snowden, changed the norms in cyberspace.

“We are in the post-Snowden period where the whole world knows the U.S. engages in this kind of [surveillance] activity,” said Knake. “That we have a very strong program. And we got through all those disclosures without … Angela Merkel or anyone else declaring that it was an act of war.”

Fighting cyber espionage requires a different skillset than defending against pre-Internet, traditional Cold War espionage, said Austin Berglas, former head of the FBI’s New York Cyber Branch. “Whatever country is trying to steal our state secrets or international property doesn’t have to have a physical body. They can do it from their own home. There is a cloak of anonymity that people can hide behind to deny the actions.”

Unlike the Cold War when the adversary was clear, there are many more nations engaged in cyber espionage. China, Russia North Korea and Iran have all been suspected as culprits.

Jason Healey, senior fellow, at the Atlantic Council’s Cyber Statecraft Initiative, said that in the Cold War, there was a set of unwritten “Moscow rules” illuminating red lines that would not be crossed.

“It wasn’t a treaty, but there was this sense of where each side could go and if they overstep that, than there might be repercussions,” Healey said at the Aug. 19 panel discussion. “We would never kill a Russian. They will never kill an American spy.”

In contrast, Healey said no set of unifying standards exist for resolving cyber espionage conflicts.

“We have had some cyber espionage cases going back to 1986 where the KGB was spying,” said Healey.

In a telephone interview, Daniel Garrie, founder and editor in chief of the Journal of Law and Cyber Warfare, said countries’ varying attitudes towards cyber warfare make it harder to establish standards between the U.S. and other countries.

“Not only is there no playbook for countries and companies looking to respond to a cyberattack,” said Garrie, “but there are arguably a hundred different play-books, for each country, making the appropriate and permissible response all the more challenging, assuming your legal team understands what sort of action you are seeking to take,”
In some countries, Garrie said hacking is “not per-se illegal and it is certainly not taboo or shameful, in fact, it appears in some countries that such activity is encouraged.”

While it would seem tempting to fighting back against perpetrators aggressively, a tit-for-tat approach in the OPM affair, risks giving rise to many more problems than it would solve.

]]>
People are generally clueless when it comes to cybersecurity http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/26/people-are-generally-clueless-when-it-comes-to-cyber-security/ Wed, 26 Aug 2015 17:54:22 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=23032 Continue reading ]]> WASHINGTON – The scariness of cyber attacks seems like something straight out of the Twilight Zone. Think about it: The world revolves around computers and personal information can be stolen with one click of a mouse. The problem is that most people do not think about cyber threats.

Dr. Marshini Chetty, an assistant professor of Human-Computer Interaction at the University of Maryland, said that people don’t tend to think about cybersecurity unless they are actually in the industry or in some situation where they have to be aware of security.

“We find that if they haven’t heard about it in some big news story or someone hasn’t informed them that there’s been like a big credit card breach or something like that,” Chetty said, “They aren’t really aware of security on a daily basis.”

Chetty said that the media plays a huge role to raise awareness about cybersecurity issues to the general public. “The more educated the public is, the better it is for everyone,” she said.

She noted that the U.S. government is taking great measures to educate people about their online safety. Her government-funded research, which focuses on evaluating people’s behaviors when it comes to completing software updates, is required to have a component that makes educational materials available to the public.

Antoinette Isama, a 23-year-old student from Silver Spring, Md., knows that security threats loom. “I definitely take it seriously, even in regards to online shopping. I don’t save my credit card information. I think it should be taken more serious because it’s easier and easier for someone to steal your information.”

Although individuals can take measures to protect themselves from hackers, there is only so much that can be done. “If you’ve entrusted your data to a third party….it’s up to them to make sure their systems are secure.” Chetty said. She warned of a possible cyber attack that could be targeted at the network system of a company that is not properly protected or equipped to handle a large-scale breach, which could possibly put millions of people’s personal data at risk of being stolen.

“Generally when people are not aware of privacy and security issues they can easily get themselves into trouble,” Chetty said, “Whether that’s sharing information that they didn’t intend to share or having machines that are not protected.”

According to Chetty, individuals can take steps to keep their personal information safe in cyberspace. Making sure personal machines are always up to date, securing passwords and not staying logged in to public computers are all measures that can be taken to protect against a cyber attack.

Isama said that worrying about cyber attacks is wasting time.

“I don’t [worry] because attempts are already happening. It’s a reality now. Now it’s about being preventative.”

 

]]>
Seeking better government cybersecurity, before and after the OPM data breach http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/10/seeking-better-government-cybersecurity-before-and-after-opm-data-breach/ Mon, 10 Aug 2015 20:59:49 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22852 Continue reading ]]> WASHINGTON – After personnel data held by the Office of Personnel Management was compromised by hackers, the dispute over the improvement and possible reform of federal government’s cybersecurity system has become heated.

The OPM data breach resulted from a compromise of a highly privileged user’s credential, which also gave them access to the data center of the Department of Interior. Although no data was stolen from within DOI’s system, it triggered a large concern about the department’s computer network protection system.

According to the Federal Information Security Management Act, each deferral agency should develop, document and implement an agency-wide program to provide information security. But in reality, many federal agencies are using information protection services provided by other departments, such as DOI. The reason behind it is for economy purposes, according to Sylvia Burns, chief information officer of DOI. “You can gain economy from the scale. So it’s less expensive and more efficient for a customer to consume services from a provider like that.”

In 2005, OPM first became a customer of DOI’s data hosting service. DOI offers its IT infrastructure and host information, ensures the connection between DOI and OPM, and encrypts the connection between the two agencies.

“Shared service is a concept of creating a more robust, centralized point of service around specific activities,” Burns said, explaining the origin of this concept. According to Burns, a 2001 data breach in DOI resulted in disconnecting five DOI bureaus from the Internet for about six and half years. For the fear of being disconnected again, all the bureaus and offices in the department created separate protections for themselves. In that state, cooperation became hard because they were trying to protect themselves from being associated with trust data. In 2008, DOI reconnected those organizations back to Internet, and it turned out that they had difficulty just doing day-to-day work because of the security controls. That’s when the department began to create the segmented system.

Although this time’s data breach was not a result of technical failure, DOI hasn’t seriously treated the 3,000 critical vulnerabilities in its hundreds of publicly accessible computers that were identified by the Office of Inspector General. But viewing this issue from a broader perspective, OPM fell into a trap of an outdated model of cybersecurity system, which we call “line of sight governance.” This is a belief that I can walk down a corridor to where everybody is working and then I have the control of the security surrounding them. In the era of Internet when everyone is connected with the outside world, it’s just impossible to ensure their security by believing that internal system is absolutely secure.

The new model, called the BeyondCorp initiative, assumes that the internal network is as dangerous as the Internet. Using authentication, authorization and encryption, trust is moved from the network level to the device level. For example, Google staff are required to use a security key when connecting their computers to the Internet. When the security key is plugged into the USB portal, it automatically generates a one-time password. With this one-time password and the staff’s own username and password, the Internet is accessible.

“It’s relatively easy to get online in the company, but it can be very hard to access to the internal system when you are at home because a VPN is needed. And not everyone can get it unless you are at certain rank,” said Jiasong Sun, a Google employee. Some companies including Coca-Cola Co., Verizon Communications Inc. and Mazda Motor Corp. are taking a similar approach.

Several questions about DOI’s role in the breach remain unanswered, including whether or not other agencies may have been compromised, how many breaches took place at DOI and whether or not the attackers are still in the system. But this two factor authentication system is a possible solution that the DOI is considering to take after the data breach.

Rep. Will Hurd (R—TX) urges federal agencies and their CIOs to review past IG reports and address the vulnerabilities that have been identified. “We know what needs to be done, we just need to do it,” Hurd said.

]]>
Opportunity for tech companies after OPM data breach http://nationalsecurityzone.medill.northwestern.edu/blog/2015/08/03/opportunity-for-tech-companies-after-opm-data-breach/ Mon, 03 Aug 2015 17:42:16 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22837 Continue reading ]]> WASHINGTON – In the wake of the huge data breach at the Office of Personnel Management, tech companies are in a competition to provide cheaper, more reliable cybersecurity service to the federal government.

The Defense Leadership Forum, an organization specializing in defense issues, sponsored a summit Tuesday offering details and insights related to landing contracts with the Department of Defense.

Sylvia Burns, chief information officer of the Interior Department, which provides cybersecurity service to OPM and other federal agencies, said that centralizing data protection service – the model in place when the OPM data breach occurred in April – is affordable and efficient, but has a big downside. When the OPM data was compromised, the hacker also had access to the data center at Department of Interior.

As a consequence, the Defense Department wants tech companies, including small businesses, to propose cheaper, yet still reliable ways of protecting the Pentagon’s vast storehouse of sensitive information. The government still needs a competitive environment for cost reduction purposes, said Kenneth Bible, deputy chief information officer of the United States Marine Corps.

Shawn McCarthy, research director of International Data Corp., a company that provides advisory services on information technology, said the Defense Department’s information technology budget has actually decreased by 12 percent since 2006. That budget includes hardware and software development and IT service. But money spend on IT service – data hosting, data encryption and the like – has seen a significant increase, compared to the other two areas, McCarthy said.

The reason behind that is the emergence of the so-called 3rd platform era, which has cloud as its core. In the coming 3rd platform era, hackers may be able to reach trillions of IP-addressable devices, monitors, and sensors of billions of users through new applications. That’s why government is paying more attention to cybercrime.

It is going to be a big business opportunity for tech companies when the Pentagon’s budget on cloud service reaches to $21.1 billion next year. In order to have a win-win relationship with the government, “IT vendors need to keep a close eye on price points while government is becoming increasingly sophisticated when it comes to comparing price and functionality,” McCarthy said.

]]>
Experts: Commercial airliners need air gap for cyberprotection (video) http://nationalsecurityzone.medill.northwestern.edu/blog/2015/06/11/commercial-airliners-need-air-gap-for-cyberprotection-experts-say-video/ Thu, 11 Jun 2015 16:28:56 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22476 Continue reading ]]> WASHINGTON – At a time when cybersecurity is at the forefront of many Americans’ minds, that manufacturing companies are producing commercial planes that experts say are more likely to be hacked than previous versions.

Recently a cybersecurity expert was pulled off a United Airlines flight after tweeting that he had the ability to access the plane’s systems, such as control of the oxygen masks on board.

The expert, Chris Roberts, was then taken into FBI custody and questioned for hours.

While Roberts says he was not attempting to harm anyone on board, the event drew attention worldwide to possible gaps in security onboard commercial flights with in-flight Wi-Fi.

According to a recent report by the Government Accountability Office, there is more connectivity in the Boeing 787 and Airbus A350 between cockpit and cabin Wi-Fi systems than in previous models.

Aaron Rinehart, CEO of cybersecurity company Testbed Inc. and a former security expert for the U.S. Transportation Security Administration, says that this is a step backward in terms of security and safety.

 

Rinehart says cockpit systems should be air gapped, meaning that the system is physically isolated from all unsecured computer networks, including the in-flight entertainment system onboard. This disconnects the cockpit from outside systems to prevent hackers from accessing it.

“It doesn’t seem to me either logical or rational to combine in-flight Wi-Fi with the avionics systems,” Rinehart said.

Why anyone would combine these systems and take the extra risk isn’t clear.

“My guess would be they want to combine the signal and maybe just either save money or save the amount of power because all those antennas require power,” he said.

“If there’s multiple antennas [putting off] separate signals, it may require more power for that… which to me represents a considerable threat.”

In its report, the GAO found that firewalls are currently protecting avionics systems on planes from hacks, but, like any software, firewalls don’t always prevent attacks on networked systems.

Rinehart says the systems should remain completely separate to avoid problems, including downed airliners.

What do the airlines say about this, especially United, since they’re the ones that pulled Roberts off the plane?

Although the argument can be made that it is difficult to hack into a plane’s avionics system and launch such an attack, experts say the threat of malicious activities grows along with increased connectivity.

For example, Macworld recently reported that American Airlines’ fleet of Boeing 737 aircrafts experienced a glitch in an iPad app used by pilots in their cockpits. This caused all of the fleet’s iPads to go dead at once and leaving passengers delayed for hours at airports across the country.

According to Rinehart, if it were decided that all systems needed to be air gapped, planes can be retrofitted with these systems, but it is easier to design with air gapping in mind in the beginning while factoring in the cost.

“We’ve already had enough [problems] in the past two years,” he said. “Our regulatory authorities don’t need to contribute to that.”

]]>
FBI director calls tech giants’ stance on strong encryption ‘depressing’ http://nationalsecurityzone.medill.northwestern.edu/blog/2015/05/21/fbi-director-calls-tech-giants-stance-on-strong-encryption-depressing/ Thu, 21 May 2015 16:47:30 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=22128 Continue reading ]]> Comey

FBI Director James Comey told an audience he thinks the government should have a back door to gain access to secure devices. (Holly LaFon/MEDILL NSJI)

 

WASHINGTON — FBI Director James Comey on Wednesday criticized tech giants including Apple and Google for opposing so-called “back doors” in security software for government agencies to access encrypted phones, computers, and other devices.

The tech companies along with academic experts and advocacy groups wrote a letter to President Obama on Tuesday opposing statements by administration officials who have come out strongly against more robust encryption on consumer products. In fact, some officials have advocated that tech companies stop selling encrypted products altogether unless the government has a way to decrypt the data.

The letter makes the case that weakening products’ security would only make them more vulnerable to “innumerable criminal and national security threats.”

But Mr. Comey, addressing the Cybersecurity Law Institute at Georgetown University, said the FBI faces increasing difficulty in unlocking encrypted devices – and those who signed the letter were either not being fair-minded or were failing to see the societal costs to universal strong encryption.

“Either one of those things is depressing to me,” he said.

Citizens’ privacy interests and public safety are coming closer to “a full-on collision,” he said. Acknowledging “tremendous societal benefits” to encryption, Comey said the inability of law enforcement officials to gain access to encrypted devices when they have probable cause and strong oversight threatens public safety.

“As all of our lives become digital, the logic of encryption is all of our lives will be covered by strong encryption,” he said. “Therefore all of our lives … including the lives of criminals and terrorists and spies will be in a place that is utterly unavailable to court-ordered process. And that to a democracy should be utterly concerning.”

However, tech companies and encryption advocates argue in the letter that creating back doors would also pose an economic threat to the companies, especially in light of the Edward Snowden leaks.

“US companies are already struggling to maintain international trust in the wake of revelations about the National Security Agency’s surveillance programs. Introducing mandatory vulnerabilities into American products would further push many customers – be they domestic or international, individual or institutional – to turn away from those compromised products and services,” the letter said.

What’s more, critics – including many lawmakers – who oppose efforts to weaken encryption say that creating a system in which government agencies have access to secure data would also create vulnerabilities exploitable by criminal hackers and other governments.

Comey acknowledged the business pressures and competitive issues involved, but urged tech companies to find a safe way to cooperate with government needs to access information.

“Smart people, reasonable people will disagree mightily, technical people will say it’s too hard,” he said. “My reaction to that is, ‘Really? Too hard? Too hard for the people that we have in this country to figure something out?’ I’m not that pessimistic.”


Published in conjunction with Arkansas Democrat-Gazette Logo

]]>
Encryption Becomes a Part of Journalists’ Toolkit http://nationalsecurityzone.medill.northwestern.edu/blog/2015/04/13/encryption-becomes-a-part-of-journalists-toolkit/ Mon, 13 Apr 2015 19:32:40 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21351 Continue reading ]]> TEXT AND PHOTOS BY J. ZACH HOLLO FOR THE GROUNDTRUTH PROJECT & REPRINTED WITH PERMISSION.

WASHINGTON — When whistleblower Edward Snowden used an email encryption program called PGP to contact documentary filmmaker Laura Poitras, only a tiny fraction of journalists used it. The precaution, designed to scramble messages so only the sender and receiver can read them, was essential for Snowden to leak the information.

The series of stories that followed shocked the world and radically altered the way people think about government surveillance and the Internet. Now, encryption is becoming a standard item of the journalism toolkit, a must-have for anyone hoping to report on sensitive issues that might upset institutions of power. It was also the subject of a workshop recently held at Northwestern’s Medill newsroom in Washington, DC, which walked about 15 journalists through the basic software installations involved in setting up PGP, which is short for “Pretty Good Privacy” and ironically named after a grocery store in Garrison Keillor’s fictional town of Lake Wobegon.

Aaron Rinehart displays the GPG encryption download suite for those at the workshop to follow along. (J. Zach Hollo/THE GROUNDTRUTH PROJECT)

Aaron Rinehart displays the GPG encryption download suite for those at the workshop to follow along. (J. Zach Hollo/THE GROUNDTRUTH PROJECT)

For Aaron Rinehart, one of the workshop’s leaders, the goal is to protect the relationship between journalists and their sources, “to get journalists confident using these tools so sources feel they can give them information safely,” said Rinehart. Without that possibility, he said, the Fourth Estate could be fundamentally crippled.

And it’s not just the NSA journalists and sources need to protect themselves from, warned Rinehart. He used an example of a story exposing pharmaceutical malpractice. “It’s not that sexy of an issue, right? But just think of the potential adversaries.” There’s the government whose regulators screwed up, the drug companies who are poisoning people, and their stakeholders who don’t want to lose profits. With any story, there are likely a host of people who want to hack the journalist and sources to prevent the information from being aired.

The workshop was taught by Rinehart and digital security advisers David Reese and Ferdous Al-Faruque. Rinehart and Reese recently founded TestBed Inc., a technology consulting company. And Al-Faruque is a master’s journalism student at the University of Missouri who said he wants to establish a class there on encryption and cyber security.

Rinehart, who spent time in Djibouti while serving in the Marine Corps, said his motivation for putting on the workshop came from a time when journalism salvaged his college career. “The media saved me,” he said. About a decade ago, Rinehart faced a bureaucratic nightmare at the University of Missouri, when he returned from serving abroad and was not permitted to complete his studies. A local paper led an investigation into the problems veterans were having there, and the university changed policies. Since then, Rinehart said he tries to do all he can to help journalists.

Of the reporters who attended, many are intent on investigative work like the kind that exposed the NSA’s mass, indiscriminate surveillance. “Since I cover national security and defense, I would definitely use this to coax sources to communicate with me or send me documents that they don’t want their government or our government to see or know about,” said Kristina Wong, a reporter for The Hill.

But others also attended, including a cryptologist who said he comes to events like this out of professional interest, and a human rights worker.

“In a lot of countries, activists and human rights defenders especially are really targeted,” said Sarah Kinosian, who monitors American security assistance in Latin America for the Center for International Policy. “So we want to make sure [victims] can pass documentation to us in a safe way.”

The workshop began with Rinehart and Reese playing a segment of Citizen Four, Poitras’s documentary on Snowden and government surveillance that recently won an academy award.

“I would like to confirm out of email that the keys we exchanged were not intercepted and replaced by your surveillance,” a narrator said, reading Snowden’s correspondence with Poitras as a line of ominous tunnel light split darkness on the screen. “Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase.” Rinehart interjected: “That is what we will be teaching you today.”

He then spoke for a while on the importance of responsible password management, recommending a program called KeePass, before moving on to downloading email client software and installing extensions designed to encrypt communications.

The way it works can seem daunting and complex, especially for anyone not tech-savvy. The email extension, called GPG or PGP, generates both a public and private key for each user. When PGP is used to send an email, the sender uses the receiver’s public key to encrypt the contents of the email so only the receiver’s private key can decrypt it.

Also on the other end, the receiver can see that the sender’s identity is confirmed. A public key is just what it sounds like: something meant to be made public along with an email address so the owner can be contacted by anyone. The private key must be kept secret by the owner, and is used to decrypt messages sent using his or her public key.

In essence, it’s is the same concept of an email. Anyone can send a message to someone but only that someone can read it. But encryption makes it nearly impossible for that message to be intercepted. And while subpoenas can force Google or Yahoo to turn over peoples’ emails, PGP makes it impossible for Google and Yahoo to read the messages, so they’d be turning over incoherent nonsense (although it is still possible to see who the sender and receiver are, and the subject line of the email is not encrypted. Ergo, aliases are commonly used once initial contact is made).

Click here to see my public key.

Encryption’s complexity has deterred it from becoming widespread, even in newsrooms. “At The Hill, not many people use it at all,” said Wong, something many would deem troublesome given the publication’s focus on politics and aim to bring transparency to Washington.

But most people agree the complexity is in the technical details behind the process, not in its application. “The world of cryptology and algorithms and coding that goes into encryption tools is difficult for just about anyone to comprehend,” Rinehart said. “But using the tools is quite simple for people who take the time to learn.”

While the majority journalists still do not use encryption, it is becoming common practice for many organizations who do investigative work. The New Yorker, The Intercept, Washington Post, and ProPublica are a few of the early sign-ons for Secure Drop, a new encryption system for journalists designed by the Freedom of the Press Foundation and originally coded by Kevin Poulsen and the late Aaron Swartz. Gawker is another publication that uses it, showing encryption may become more widespread for groups focused on less hard-hitting subjects as well.

[Editor’s note: This piece originally appeared in The Huffington Post.]

]]>
Cracking the code: Workshop gives journalists a crash course in encryption http://nationalsecurityzone.medill.northwestern.edu/blog/2015/04/08/cracking-the-code-workshop-gives-journalists-a-crash-course-in-encryption/ Wed, 08 Apr 2015 16:41:46 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21300 Continue reading ]]>
  • TestBed's Aaron Rinehart lectures to seminar attendees prior to the hands-on portion of the day on April 3, 2015. (Jennifer-Leigh Oprihory/MEDILL NSJI)

WASHINGTON — The minds behind TestBed, Inc., a Virginia-based IT consulting firm specializing in IT planning, analytics, testing, prototyping and business advice for the public and private sectors, gave journalists a crash course in digital safety and encryption techniques at an April 3 seminar in Washington.

The daylong event, “Cyber Security Skill Workshop for Journalists: Sending Secure Email,” was co-sponsored by the Medill National Security Journalism Initiative and the Military Reporters & Editors Association, and held in the Medill Washington newsroom.

The seminar began with an introductory lecture on cybersecurity basics and common misconceptions about online privacy and security. Security-related superstitions, such as the idea that browsing in so-called “incognito” or “invisible” modes will keep your digital whereabouts truly hidden, were promptly dispelled.

TestBed’s Aaron Rinehart and David Reese then transformed the event into a hands-on lesson in PGP – an acronym for “Pretty Good Privacy” – as well as understanding other aspects of digital fingerprints (including how to create a public key, how to register it in the Massachusetts Institute of Technology’s PGP directory so that you are more widely contactable by those in the encryption know and how to revoke (or deactivate) a key for security reasons.

The program also included a brief introduction to the Tor network, a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor, originally developed by the U.S. Navy, hides the route taken from a computer’s IP address to its eventual browsing destination.

Learn how Tor works via Medill reporter William Hicks’ helpful primer and infographic here.

When asked for the top three lessons he hoped attendees would take away from the event, Rinehart emphasized the importance of “good key management,” or not sharing your private PGP key with anyone, operating “under good security practices”(such as updating software and antivirus programs) and making email encryption a regular habit.

“Don’t compromise convenience for security,” Rinehart said in a post-workshop interview. “Try to make this something you can use everyday.”

The event drew a mix of reporters, security experts and students, which included military veterans and defense journalists.

Northwestern University in Qatar journalism student James Zachary Hollo attended the event to research encryption resources available for foreign correspondents and to report on the workshop for the Ground Truth Project in Boston, where he is currently completing his Junior Residency.

Hollo said the seminar gave him a better understanding of how to use PGP.

“I had sort of experimented with it before I came here, but this gave me a much better and deeper understanding of it, and I got to sort of refine my ability to use it more,” he said.

Hollo said he was surprised that many attendees came from military service or military reporting backgrounds, since, in his view, “one of the blowbacks against the NSA story [involving whistleblower Edward Snowden] was that it’s like reporting is like betraying your country.”

 

]]>
Private sector remains wary of government efforts to increase cybersecurity collaboration http://nationalsecurityzone.medill.northwestern.edu/blog/2015/03/19/private-sector-remains-wary-of-government-efforts-to-increase-cybersecurity-collaboration/ Thu, 19 Mar 2015 14:49:28 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=21085 Continue reading ]]> WASHINGTON– President Barack Obama and lawmakers have announced plans to increase information sharing between the government and the private sector following data breaches at major companies. But companies are hesitant to join these initiatives because of liability and privacy concerns – and sharing information could put them at a competitive disadvantage.

Experts agree information sharing is essential in preventing and responding to cyber attacks, but the government and private sector bring different perspectives and strategies to mitigating the threats.

Companies need to take the approach that there is “strength in numbers,” said Greg Garcia, executive director of the Financial Services Sector Coordinating Council.

“To the extent that we can have what amounts to a neighborhood watch at a national scale, then were going to be better aware of the adversaries and what they’re up to and what they’re trying to do,” Garcia said.

One area where progress has been made is in the sharing of cybersecurity threat indicators, which identify the source of cyber attacks, said Mary Ellen Callahan, former chief privacy officer at the Department of Homeland Security. These indicators can include bad IP addresses, malware that’s embedded in emails or specific coding in software, she said.

DHS and the Mitre Corporation have developed programming languages to improve communication about cyber threat information between the government and the private sector. Structured Threat Information Expression and Trusted Automated Exchange of Indicator Information, known as STIX and TAXII respectively, are used in tandem to quickly share the information.

“It’s one thing to have these executive orders and things, but it’s another to have the technical enablers to make it easy for these companies to do it,” said John Wunder, lead cybersecurity engineer at Mitre. “You want to make it easy to share threat information in a way that you share exactly what you want.”

Yet, these programs haven’t fully developed and more participation is needed to make them effective, said Judith Germano, a senior fellow at New York University School of Law’s Center on Law and Security.

“I hear from companies that they are often less concerned about where the threat is coming from, but what is the threat and what can they do to stop it,” she said. “That’s the valuable information. Some of that is being shared and is very helpful, but it needs to be expanded.”

Last month, Obama announced an executive order promoting cybersecurity information sharing. The order encouraged the development of information sharing and analysis organizations to spearhead collaboration between the private sector and government. He tasked DHS with creating create a nonprofit organization to develop a set of standards for ISAOs.

Despite these efforts, robust information sharing is still lacking.

“Everyone wants information. Nobody wants to give information,” said Mark Seward, vice president of marketing at Exabeam, a big data security analytics company.

Companies fear sharing information with the government could reveal corporate secrets or consumers’ private information, said Martin Libicki, a senior management scientist at the RAND Corporation. He added sharing information with the government could also pose legal risks if the information shows companies did not follow federal regulations.

Germano, who also runs a law firm focused on cybersecurity issues, says cybersecurity collaboration comes down to a matter of trust. The private sector, she said, is weary of the government.

“On one hand [the government is] reaching out as a friend and collaborator to work with companies,” she said. “On the other hand, the same government has an enforcement arm outstretched with the FTC, the SEC that if you do not comply, there can be repercussions, possible lawsuits and other regulatory action taken against you.”

Therefore, only information that is directly related to a threat should be shared and stored, said Callahan, now a partner at Jenner & Block. Further, she said when companies share a large amount of information at once it slows down the process of assessing the threat and they often share more information than is necessary.

The U.S. also lacks “an intelligent and forceful deterrence strategy” for cyber attacks, said Matthew Eggers, senior director of the U.S. Chamber of Commerce’s national security and emergency preparedness department, at a Congressional hearing earlier this month. He also said the government needs to provide more assistance to companies who have suffered from hacks.

“U.S. policymakers need to focus on pushing back against illicit actors and not on blaming the victims of cybersecurity incidents,” Eggers said. 

To address some of these concerns, Sen. Tom Carper, D-Del., introduced in February the Cyber Threat Sharing Act of 2015, which looks to provide liability protections for companies when they share cyber information with the government.

The bill would prohibit the government from using shared cyber threat data as evidence in a regulatory action against the company that shared the information. It also strengthens privacy protections and limits how shared data could be used. The bill has been referred to the Committee on Homeland Security and Governmental Affairs.

In February, Obama also called on the Director of National Intelligence to create the Cyber Threat Intelligence Integration Center, a national intelligence center aimed at “connecting the dots” on cyber threats. The center will “collect intelligence, manage incident response efforts, direct investigations” among other responsibilities.

However, experts remain skeptical about the center.

“What concerns me about that is if you read the president’s memoranda on [the Cyber Threat Intelligence Integration Center], it says that it’s consistent with privacy and civil liberties protections as relevant to that agency,” said Callahan, the Jenner & Block lawyer. “Well, the intelligence community, as you know, has reduced private protections.”

The center’s framework will be similar to that of the National Counterterrorism Center, which is a concern for Libicki, of the RAND Corporation.

“The last cyber attack had elements of terrorism in it. Does that mean we should look at this entire problem purely through the lens of counterterrorism?” Libicki said. “Why are you duplicating a methodological framework that culminates in a set of actions, like predator drones, which are totally inappropriate for cyber?”

Kathleen Butler, a spokesperson for the Office of the Director of National Intelligence, did not have any additional comment beyond the president’s announcement of the center as she said initial planning is still underway.

While experts say it will take time for the private sector to fully engage in the information sharing initiatives, the government’s efforts have been mostly positive.

“This is about enabling people to share what they know and get access to what others know such that protection can be more pervasive,” said Bobbie Stempfley, Mitre’s director of cybersecurity implementation. “That’s really a powerful concept.”

]]>