Tag Archives: Cybersecurity

Internet currency Bitcoin lacks privacy protections

WASHINGTON — Bitcoin lacks the anonymity that many users have come to expect and desire, especially for a currency advertised as “cash for the Internet.”

All transactions made using the online currency are logged in a public ledger, which is how the network verifies their validity.

“It’s inherent in the system to have it be transparent,” said Jim Harper, a senior fellow at the libertarian Cato Institute and a member of the board of directors at the Bitcoin Foundation. “You could have greater privacy if it was a system that one party controlled, but that would have costs relying on that party to get it right.”

Bitcoin is a digital currency that has no central authority and can be used, in many ways, like cash. Many businesses, from restaurants to WordPress, have begun to accept bitcoin as payment. To get started, it only takes a few minutes to go online to set up a Bitcoin wallet.

“It is fast and free,” said David Barrett, the CEO of Expensify, a company that supports Bitcoin use for international transactions. “It’s secure. And I would say it works everywhere in the world. And it is a very powerful technology for moving money around the world.”

Bitcoin offers an “acceptable level of privacy,” according to Bitcoin.org, which is managed by its developers. And for many Bitcoin users, any potential loss of privacy is an acceptable trade-off to circumvent traditional financial institutions.

“The idea of having this flexible payment system where you can pay someone on the other side of the world without having to turn to Western Union or something, that is quite an appealing concept,” said Sarah Meiklejohn, a lecturer at University College London who has done research on the currency.

Because this cybercurrency is not tied to any country or bank, it can be a relatively stable option for those in developing countries, where the local currency is often unreliable.

But because of Bitcoin’s transparency, it is relatively easy to track a user’s entire transaction history. The public ledger records every address that takes part in a transaction, the amounts moved and the full history of the bitcoins being spent, so anyone who can tie one address to a person can follow that person’s activity.

The public ledger shows a bitcoin’s transaction history and the addresses involved.

“It is kind of anonymous, but the second that you do any transaction with Bitcoin, every transaction is there,” said Barrett. “Once you pay me a bitcoin, basically I can look at the log and see every transaction you’ve made.”

Bitcoin.org claims no responsibility for any “losses, damages or claims,” for invasions of privacy or thefts, according to its terms and conditions. It suggests encrypting Bitcoin wallets and using secure connections to avoid thefts.

There are ways to improve the anonymity of the currency, but they require a concerted and technology-intensive effort that many do not even know is an option.

“There’s a thing called mixing, which is a process where you commingle your bitcoins with the bitcoins of others and the output of those transactions is harder to trace back to individuals,” said Harper, the Cato fellow. “It might make it a probabilistic calculation rather than drawing a direct line.”

This process is roughly equivalent to moving funds through banks in countries such as the Cayman Islands and Panama, which have strict bank-secrecy laws. The analogy is loose, though: a mixer obscures which coins belong to whom, but the transactions themselves stay on the ledger for anyone to analyze.
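The two points above, that a counterparty can read a user’s whole history off the ledger once it knows one address and that mixing turns a direct line into a probabilistic one, can be shown on a toy ledger. The following is an added example, not code from the article or from any Bitcoin software. The ledger, the address labels (“alice1”, “bob1” and so on) and the amounts are constructed, real addresses are hashes rather than names, and real transactions also pay fees, which this model ignores. The clustering rule is the common-input-ownership heuristic used in academic tracing work; the mix detector is a simple equal-output-value heuristic, not a complete CoinJoin classifier.

```python
"""Toy UTXO ledger: why the public ledger is traceable, and what mixing changes.

Added example, not code from the article or any Bitcoin project. The ledger,
addresses ("alice1", "bob1", ...) and amounts are constructed; real addresses
are hashes, and real transactions also pay fees, which this model ignores."""
from collections import defaultdict

# Constructed ledger. An input is a reference (txid, output index) to an earlier
# output; an output is (address, amount). Transactions with no inputs create coins.
LEDGER = [
    {"id": "tx1", "inputs": [], "outputs": [("alice1", 5.0)]},
    {"id": "tx2", "inputs": [], "outputs": [("alice2", 3.0)]},
    {"id": "tx3", "inputs": [], "outputs": [("bob1", 2.0)]},
    # Alice pays a merchant 7.0 from two of her addresses and takes 1.0 change.
    {"id": "tx4", "inputs": [("tx1", 0), ("tx2", 0)],
     "outputs": [("merchant", 7.0), ("alice3", 1.0)]},
    # CoinJoin-style mix: Alice and Bob spend together; three equal outputs.
    {"id": "tx5", "inputs": [("tx4", 1), ("tx3", 0)],
     "outputs": [("out_x", 1.0), ("out_y", 1.0), ("out_z", 1.0)]},
]


def index_outputs(ledger):
    """Map every (txid, index) reference to its (address, amount)."""
    return {(tx["id"], i): out for tx in ledger for i, out in enumerate(tx["outputs"])}


def is_coinjoin_like(tx):
    """Heuristic mix detector: several inputs and repeated equal-value outputs."""
    amounts = [amt for _, amt in tx["outputs"]]
    return len(tx["inputs"]) >= 2 and any(amounts.count(a) >= 2 for a in amounts)


def cluster_addresses(ledger, skip_coinjoin=True):
    """Common-input-ownership heuristic: all inputs of one transaction are assumed
    to belong to the same party. Returns address -> frozenset of linked addresses
    (only addresses that have ever been spent from appear)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    outputs = index_outputs(ledger)
    for tx in ledger:
        if skip_coinjoin and is_coinjoin_like(tx):
            continue  # a mix violates the heuristic's assumption; don't merge
        addrs = [outputs[ref][0] for ref in tx["inputs"]]
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return {a: frozenset(g) for g in groups.values() for a in g}


def transactions_of(ledger, address, clusters):
    """Every transaction touching the address or anything clustered with it:
    what a counterparty can read off the ledger once it knows one address."""
    mine = clusters.get(address, frozenset({address}))
    outputs = index_outputs(ledger)
    seen = []
    for tx in ledger:
        spent = {outputs[ref][0] for ref in tx["inputs"]}
        received = {addr for addr, _ in tx["outputs"]}
        if mine & (spent | received):
            seen.append(tx["id"])
    return seen


def taint(ledger, txid, vout):
    """Fraction of an output that traces back to each originating address.
    Through a normal transaction the line is direct; through a mix every output
    carries a share of every input, so the answer becomes a probability."""
    txs = {tx["id"]: tx for tx in ledger}
    outputs = index_outputs(ledger)

    def walk(ref):
        tx = txs[ref[0]]
        if not tx["inputs"]:
            return {outputs[ref][0]: 1.0}
        total = sum(outputs[i][1] for i in tx["inputs"])
        shares = defaultdict(float)
        for i in tx["inputs"]:
            weight = outputs[i][1] / total
            for addr, frac in walk(i).items():
                shares[addr] += frac * weight
        return dict(shares)

    return walk((txid, vout))


if __name__ == "__main__":
    clusters = cluster_addresses(LEDGER)
    print("linked to alice1:", sorted(clusters["alice1"]))
    print("history visible to the merchant:", transactions_of(LEDGER, "alice1", clusters))
    print("origin of merchant payment:", taint(LEDGER, "tx4", 0))
    print("origin of mix output out_x:", taint(LEDGER, "tx5", 0))
```

With the mix filter on, the merchant can link alice1 and alice2 and see tx1, tx2 and tx4 as Alice’s history, and the 7.0 it received traces cleanly back to those two addresses. Output out_x of the mix, by contrast, is one third Alice’s coins and two thirds Bob’s by value, which is the “probabilistic calculation rather than a direct line” Harper describes. Running the clustering without the mix filter shows the failure mode analysts have to guard against: the heuristic wrongly merges alice3 and bob1 into one owner.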

Today, some experts are cautious in accepting Bitcoin as a widespread currency. However, many see the Bitcoin concept as one that will remain.

“It’s actually a good alternative to a currency if there is inflation,” Barrett said. “In Venezuela and Africa, it is getting larger adoption. Russia also has a big growth in bitcoin. It’s a safer and less volatile way to keep your currency. Over time, Bitcoin will, in certain parts of the world, become a daily occurrence.”

Bitcoin and its supposed anonymity gained prominence in its role with the Silk Road, an online black marketplace known for selling illicit drugs and weapons. Buyers and sellers were able to connect virtually and use the cybercurrency to conduct anonymous transactions.

“This perception of anonymity might be driving groups towards Bitcoin, but then the transparency is giving law enforcement or anyone interested in these illicit transactions this beautiful view of all of these types of illicit transactions,” said Meiklejohn, the Bitcoin researcher. “Instead of going to somewhere like Western Union and wiring cash over to the Islamic State or whatever, if you’re doing it with Bitcoin then you are creating this paper trail that is never going to go away, literally ever.”

What may scare off more potential Bitcoin users, however, is not its lack of anonymity, it’s the volatility of the currency. In the last 12 months, the value of the currency has fallen by nearly half.

“Maybe I’m just cynical, but it’s hard to see why Bitcoin, as it is now, would achieve widespread adoption, which ultimately is what you would need to have any kind of stable currency,” Meiklejohn said. “So, as long as Bitcoin is this niche market, it is going to remain pretty volatile.”

Should corporations give the government information after a hack?

Private sector advises Obama’s cybersecurity proposal

WASHINGTON — President Barack Obama’s cybersecurity information sharing proposal, with its focus on sharing only targeted threat information between private firms and the government, is a better approach than “ill-advised” widespread sharing, a former top privacy official for homeland security said Wednesday.

The Committee on Homeland Security’s Cybersecurity, Infrastructure Protection and Security Technologies subcommittee heard from industry, privacy and academic experts regarding what they think cyber threat information sharing should look like. The previous week, Department of Homeland Security representatives went before the entire committee to explain how this legislation could protect Americans from increasing cybersecurity threats.

Obama’s three-part proposal includes increased sharing among private sector companies and between them and the government. It also encourages the formation of Information Sharing and Analysis Organizations and creates certain guidelines for both the private and federal sectors regarding personal information retention and sharing.

Under the legislation, businesses would share information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which would pass it onto relevant federal agencies and ISAOs. Participating businesses would receive targeted liability protection in return.

Mary Ellen Callahan, former Department of Homeland Security chief privacy officer, agreed with this targeted sharing approach, calling immediate widespread sharing of threats “ill-advised.” According to Callahan, private-sector threat indicators, usually IP addresses and URLs, are reported to DHS and then distilled to remove any personal information.

In the end, government security professionals only have information on the threat, its source and target, and how to combat it.
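The distillation step Callahan describes, keeping the threat, its source and target, and how to combat it while stripping personal information, is mechanical enough to show in code. The following is an added example, not code from DHS, the NCCIC or the article. The incident report, the hostnames, the IP addresses and the file hash are constructed; the field names and the rule that an email address in the victim’s own domain counts as personal information are this example’s assumptions, not a DHS specification.

```python
"""Minimise a private-sector incident report into shareable threat indicators.

Added example, not code from DHS, NCCIC or the article. The report, hostnames,
addresses and hash below are constructed, and the field names and the rule that
"an email address in the victim's own domain is personal information" are this
example's assumptions, not a DHS specification."""
import ipaddress
import re

# Networks that describe the victim's internal topology rather than the adversary.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed report as a company might submit it before sanitisation.
RAW_REPORT = {
    "org_domain": "example-corp.com",
    "reporter": "Jane Doe <jane.doe@example-corp.com>",     # personal information
    "victim_host": "hr-fileserver.corp.example-corp.com",    # internal topology
    "affected_users": ["bsmith", "tjones"],                  # personal information
    "observed": [
        "2015-02-25T10:14:02Z 10.20.30.40 -> 203.0.113.7:443 TLS beacon every 60s",
        "2015-02-25T10:15:10Z GET http://198.51.100.22/update/payload.exe",
        "2015-02-25T10:15:11Z dropped file svc.exe sha256=" + "deadbeef" * 8,
        "2015-02-25T10:16:00Z mail from attacker@mail.example.net to bsmith@example-corp.com",
    ],
}


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def defang(url):
    """Render a URL so it cannot be clicked or auto-fetched by a recipient's tooling."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}/{path}"


def minimize_report(raw):
    """Keep indicators of the threat (source, target, how to block it) and
    withhold everything that identifies the victim's people or internal systems."""
    text = "\n".join(raw["observed"])
    org = raw["org_domain"].lower()

    ips = set(IP_RE.findall(text))
    internal = {ip for ip in ips if is_internal(ip)}
    emails = set(EMAIL_RE.findall(text))
    victim_emails = {e for e in emails if e.split("@")[1].lower().endswith(org)}

    return {
        "indicators": {
            "ips": sorted(ips - internal),
            "urls": sorted(defang(u) for u in URL_RE.findall(text)),
            "hashes": sorted(h.lower() for h in SHA256_RE.findall(text)),
            "emails": sorted(emails - victim_emails),
        },
        # Recorded locally so the reporting company can audit what it did not share.
        "withheld": {
            "internal_ips": sorted(internal),
            "victim_emails": sorted(victim_emails),
            "fields": ["reporter", "victim_host", "affected_users", "observed"],
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(minimize_report(RAW_REPORT), indent=2))
```

Only the extracted indicators leave the company; the raw observation lines, the reporter, the victim host and the affected user names stay behind, and internal addresses are dropped because they reveal the victim’s network layout without helping anyone else block the attacker. Real sharing programs go further than this (structured formats, confidence scores, handling markings), but the minimisation decision is the same one.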

Subcommittee Chairman John Ratcliffe, R-Texas, referred to recent breaches at companies such as Anthem, Sony Pictures, Target and J.P. Morgan as examples of why the legislation is needed. “We need to pass legislation that facilitates the sharing of cyber threat indicators and contains robust privacy protections to improve collaboration between federal civilian agencies, like DHS, and the private sector,” he said.

Many companies choose not to share cyber threat indicators or breaches with one another or the government for fear of legal liability, or having their names in the media as companies with poor cybersecurity. Without this sharing of information, hackers can use the same tactics repeatedly with multiple companies.

Private companies want to see a bill that would allow them to voluntarily share cyber threats with other organizations, but have flexibility in what they share with the government, according to Matthew Eggers, senior director of National Security and Emergency Preparedness for the U.S. Chamber of Commerce.

“This is a bill trying to convince them to participate in a voluntary program that makes their lives more difficult. For folks like me saying ‘I’m not fond of government being in my cell or ERP (Enterprise Resource Planning–software for data management),’ that’s going to be a neat trick,” Eggers said.

The key will be convincing companies that Obama’s proposal would better protect everyone in the long run.

“We need a federated sharing community, not a competitive one,” Greg Garcia, executive director of the Financial Services Sector Coordinating Council, said. “Withholding info to get ahead… Balkanizing or siloing information–that defeats the purpose.”

This is not the first time Obama has proposed legislation to safeguard America from cyber attacks. In 2011, he rolled out his Cybersecurity Legislative Proposal in an effort to give the private sector and government the tools they need to combat cyber threats. In 2013, he issued the Executive Order on Improving Critical Infrastructure Cybersecurity, which established cybersecurity framework standards that were developed in tandem with the private industry.

Weapons of mass instruction: Governments learning to use social media for security purposes

WASHINGTON – “URGENT CALL Wounded desperately need medical supplies…and transport to hospital…”

“2nd Explosion. sounds like tank fire”

“If this isn’t the end, it certainly looks and smells like it.”

These announcements and cries for help were made via Twitter during the Egyptian revolution in January 2011. Despite the government’s attempt to cut off the Internet, protesters still managed to be heard using their phones and other mobile devices.

Political unrest throughout the world has only increased visibility for platforms like Twitter and Facebook. These and other social media tools have become critical elements of conflict – for rebels as well as governments themselves.

Networking equipment manufacturer Cisco estimates that the number of mobile-connected devices will exceed the global population in 2012. The increasing amount of online activity has put countries around the world in a “cyber arms race,” according to James Jay Carafano, author of Wiki at War: Conflict in a Socially Networked World.

“People get it that the Internet was changing how we do business, and the Internet was changing how we date,” Carafano said. “I think after the [2009] Iranian revolution people got it that the Internet was going to change national security. [It] can affect the stability of states.”

Steven Bucci agrees. After 28 years in the Army and a stint with the Department of Defense, Bucci joined IBM to work with the company’s cybersecurity team. He said spending a majority of his professional life “being a threat rather than trying to stop the threat” has given him a unique perspective on cybersecurity.

“Cybersecurity touches everybody – every agency in government and every business that’s out there,” Bucci said. “Social networks and social media are the way we operate today, not just the way we communicate.”

However, Bucci said, the U.S. government is not set up well to deal with it. Because of the fast pace of global technology, “we can fall behind very quickly,” Bucci said.

“The people who know how to use social media use it to their advantage and are more productive,” he continued. “The United States needs to empower [these] people, keeping them within certain limits so we do it correctly.”


Government riding the ‘Loop’

One person the government has already inspired is Steve Ressler. A former employee at the Department of Homeland Security, Ressler was frustrated with the lack of connectivity between departments when he tried to complete audits and other tasks.

Out of frustration came creativity – Ressler founded GovLoop, famously known as “Facebook for government.” He now serves as the site’s president.

“We really needed a social network for knowledge sharing,” Ressler said. “LinkedIn, for people, is a Rolodex; Twitter is very interactive. People are going [to GovLoop] to do their job better, which is a very different functionality and engagement level.”

Since it began in 2008, GovLoop has gained more than 50,000 members. Ressler said he hopes that his site will help the government in getting on the cutting edge of social media and using it as a force for good.

“We need to think really strategically about these social networks because we’re not fighting hierarchical wars anymore, we’re working with networks,” Ressler said.

Once he created the site, Ressler received membership requests from some foreign friends. Since connecting with him, groups in Australia, Israel and the Netherlands have created sites similar to GovLoop in their own countries.

“Every country seems to have the same problem [I had when creating GovLoop]– trying to solve problems and work to connect people in government,” Ressler said. “The things we criticize the U.S. government for are the exact same across the globe. It’s been interesting to see how social media works that way.”


“The jungle is neutral”

Another constant across the globe is that the Internet is there to be used by anyone, whatever their intent.

“Once you have the technology, you use it any way you darn well please,” Bucci said. “Technologies can be used by people with fewer scruples to oppress their people rather than protect them.”

Many dubbed the 2011 uprising against Egyptian President Hosni Mubarak a “Twitter revolution.” The government, unprepared to deal with the amount of online activity surrounding the uprising, tried to solve its problem by shutting off the Internet. The move proved to work against the government, which then was unable to run the country.

Advanced cyber techniques also provided ammunition for WikiLeaks, an online project to leak classified information organized by Australian Internet activist Julian Assange.

“He’s the most prolific spy we’ve ever had by volumes,” Bucci said. “Espionage is still the same as it’s always been, it’s just that you can do it much more quickly, efficiently and therefore damagingly given the cyber techniques.”

Leaks and cyber terrorism have become facts of life in the Web 2.0 world. Transnational terrorist networks and state actors alike use the Internet as infrastructure, recruiting, fundraising and organizing online. Experts agree that the U.S. may have to prepare for a combination of cyber warfare and physical attacks in the future.

“I still think we are going to see cyber terrorism,” Bucci predicted. “I can’t believe that terrorists are not going to try and use this. It’s too elegant, and there’s too much potential there.”


Predictive analysis

Can government use social media to predict this kind of activity – and perhaps even prevent it from happening?

Groups inside and outside the government have started some of these “predictive analysis” projects. The Office of the Secretary of Defense, for example, examines Tweets, status updates and blog posts from months preceding events like the Arab Spring, searching for trends or clues that could have predicted the event.

“There is a lot of effort to take advantage of this additional information that’s out there,” Bucci said. “Are we ever going to get it perfectly right? No, we’re not, but we’ve got to keep working at it. Our citizenry demands it.”

Carafano said that these projects are worthwhile, but the government should consider using other tools in conjunction with social media to solve the problem.

“The science isn’t good enough to do the kind of analysis on these large crowds that people want,” he said. “But rather than just accept that, we’re going to spend millions and billions of dollars building tools that aren’t ready for prime time yet, rather than just figuring out what the tools are actually good for, and using them for that.”


What does the future hold?

Bucci noted that social media experts are needed to help the government understand the platforms, including members of both older and younger generations.

“Young people generally have no particular concept of security. It’s not in their DNA,” Bucci said. “That requires the ‘old guys’ to understand the issue because, at least for a little while longer, they’ll be making the decisions of how we do things.”

Watchdog group releases recommendations to protect user privacy in upcoming cybersecurity legislation

By Safiya Merchant

WASHINGTON — As government officials criticize Google’s recent decision to revise its privacy policy to monitor and record user activity, watchdog organization The Constitution Project released a report claiming the government must also protect the public’s privacy when heightening online security measures.

The report, released Jan. 27, outlines recommendations to protect privacy in drafting cybersecurity legislation.

“As proposals have arisen that would enable the federal government to move toward monitoring all information transferred over private networks, individuals face the risk of being subjected to the equivalent of a perpetual ‘wiretap’ on their private communications and web browsing behavior,” the report stated.

The report also noted aspects of the current federal cybersecurity initiative that could threaten personal information of computer users.

According to the study, the government’s Comprehensive National Cybersecurity Initiative includes a set of intrusion-detection and -prevention components called Einstein, whose purpose is to remove “harmful activity” from federal computer systems.

Because the Einstein programs monitor only information transmitted to and from federal computer systems, the Justice Department’s Office of Legal Counsel has stated that the Einstein technologies do not breach the civil liberties of federal employees or the public, the report said.

The Justice Department argued that federal employees “do not have a reasonable expectation of privacy in their communications” but even if they do have expectations of privacy, they have consented to this search, the report states.

But the Constitution Project said Einstein could violate Fourth Amendment rights.

If individuals consent to the monitoring of their computer communications for federal security purposes, the report stated, that does not necessarily mean they “consented to having that information stored for human review or transferred to federal or local law enforcement.”

The Constitution Project recommends any legislation establish oversight procedures, create privacy safeguards and minimize the amount of access to or use of computer user information.

“A lot of these bills contemplate information-sharing programs, where private companies would share cybersecurity information with the federal government,” said Sharon Bradford Franklin, senior counsel of The Constitution Project, in an interview with The Federal Drive with Tom Temin. “We want to make sure personally identifiable information is sanitized out of that sharing unless that is absolutely necessary for the cybersecurity purpose.”

Some specific recommendations the report proposes include requiring federal agencies to create Privacy Impact Assessments if they plan to make or expand cybersecurity initiatives; limiting the amount of personally identifiable information that can be shared between the government and the private sector; and prohibiting private industries with access to Einstein from keeping or reviewing user information/communications for projects other than those of the Einstein program.

The State of Cybersecurity in the U.S.

Joseph Giordano, director of the cybersecurity program at Utica College, discusses the state of cybersecurity in the U.S. Prior to joining the faculty, Giordano served as a program manager for the Information Directorate of the U.S. Air Force Research Laboratory. He is known nationally in the area of information and computer security.

Q- What do you see as the most pressing national security issues in the field of cybersecurity today?

Protecting the systems that are involved in our critical infrastructures is at the top of the list. Included in these systems are those that are involved in the financial sector, the power grid, and the oil and gas sector, amongst others. These systems are synonymous with our way of life and are essential to our economy and our national security posture. In addition, protecting the systems that are used in the military and in the Intelligence Community is of paramount importance.

Another area of importance for cybersecurity deals with coming up with ways to make sure that the cloud infrastructure is secure. The movement to the cloud model of computing comes with numerous cybersecurity challenges that need to be addressed. Addressing the cybersecurity issues associated with supply chains is a very important national security issue and is an enormous challenge.

Finally, we need to address the rash of data breaches that we continuously read about. Not only is valuable personal information being lost to these breaches but each data breach situation is costing millions of dollars.

Q- How vulnerable is the electric grid to cybersecurity threats?

The electric grid is one of the most critical infrastructures. Without power, the economy and the security of the nation will be adversely affected. From what one can read in the open source literature, the electric grid has been a target for some time. About two years ago there was an article in TIME magazine that reported that malware was found in the power grid. The other infrastructures have deep inter-dependencies based upon the power grid. A recent report by McAfee and the Center for Strategic and International Studies states that the power sector needs to do more in the area of cybersecurity.

Also, we need to make sure that cybersecurity is an integral part of the emerging Smart Grid. Cybersecurity for the Smart Grid (as with any system) needs to be thought about early and built into the system as early as possible. This is because it is a known fact that it is very difficult to address cybersecurity as an afterthought or to build security into a system after it has been built and fielded.

Q- How real is the threat of cyberwarfare?

There is no doubt that there is a threat out there and that the threat is very serious and very real. We face that threat every day of the week. From the standpoint of the countries that have capabilities to launch cyberattacks, they are very serious about it.

Q- Would you give an example?

Over the past few years North Korea has perpetrated cyberattacks against both South Korea and the United States. I think one of the most significant events that we have seen recently occurred during the 2008 conflict between Russia and Georgia. This conflict was an excellent worked example of what cyberwarfare techniques are capable of doing when combined with a physical attack. And most recently we have heard of Stuxnet and what it was capable of doing in the domain of industrial control systems. Stuxnet was an example of how cyber techniques can create effects in the physical world. I think that we have seen just the tip of the iceberg.

Q- What could be done to safeguard critical infrastructures against cyberattacks?

Make sure you have good security policies in place, bring in the best technology, use firewalls, and have intrusion detection and prevention systems in place. Proper use of encryption is critical. Use security technology properly and build good (assured) software that doesn’t have vulnerabilities and holes in it. And underneath all of this security education, training and awareness for users is a necessity, because a human is usually the weakest link in the chain. Finally, it goes without saying that we need more trained cybersecurity specialists.

Q- Do you think our state and local governments are prepared to combat cybersecurity threats?

I believe that all the states have some degree of preparation when it comes to defending against cyber attacks and for dealing with critical infrastructure protection and homeland security. It’s a matter of having the funds and having the expertise. As we all know, cybersecurity is a very complex problem and I think that the state governments are doing a great job getting their arms around the problem and putting together programs and initiatives to deal with the problem.

Q- Overall is there anything in the cybersecurity area that is not being looked at?

I would say more funding for research and development is needed, because R&D is where you are going to see those breakthroughs, and we need breakthroughs in the area of cybersecurity. In addition, much more needs to be done to educate users on what cybersecurity means and how to keep systems secure.