Obama's comments come after a record number of public and private sector data breaches last year
SAN FRANCISCO — Responding to unprecedented data breaches and cyberattacks, President Barack Obama is trying to spark alliances between policymakers who want to regulate the online world and tech innovators who traditionally shun Beltway bureaucracies.
In California’s Silicon Valley on Friday, Obama was participating in a White House summit on cybersecurity and consumer protection, joining hundreds of administration officials, tech and other CEOs, law enforcement officials and consumer and privacy advocates. The focus is on encouraging every player to do better at sharing information that can help the private sector prevent and respond to costly and potentially crippling threats to the security of their online networks.
Obama was delivering the keynote address at the daylong event, as well as leading a round-table discussion with a group of business leaders.
J.J. Thompson, CEO and managing director of Rook Security, a consulting firm founded in San Jose, California, said the symbolic significance of the gathering could not be overstated, despite its “dog and pony show” aspects. The summit is being held at Stanford University, a hub of tech innovation.
“Cybersecurity is at the forefront of everyone in America right now, from the Beltway to California,” Thompson said in an interview.
Jeff Zients, a top economic adviser to Obama, said a goal of the summit is to drive home the message that strong cybersecurity can provide companies with a competitive edge.
“Cybersecurity is not a problem for just one or two sectors of the economy,” he told reporters. “All industry sectors and types of businesses face cybersecurity risks.”
Numerous companies, ranging from mass retailers like Target and Home Depot to Sony Pictures Entertainment to health insurer Anthem, have suffered costly and embarrassing data breaches in recent months. The Twitter feed of U.S. Central Command, which oversees military operations in the volatile Middle East, was hacked recently, while the White House reported detecting “activity of concern” last October on the unclassified computer network used by White House staffers.
While a growing cadre of information security experts have for years grappled with cybersecurity as online communications boomed, their concerns have largely been downplayed.
But with record public and private sector data breaches last year — the Identity Theft Resource Center found that 85 million records were exposed last year — the discussion has moved from the tech geeks to policy wonks.
And the federal government itself is struggling: cyberattackers trumped terrorists as the No. 1 threat to national security, according to an annual review by intelligence officials last year.
The Obama administration wants Congress to supersede an existing patchwork of state laws by setting a national standard for when companies must notify consumers that their personal information has been compromised. Obama was signing an executive order Friday to encourage members of the private sector to share information about threats to cybersecurity with each other and with the federal government, but he also wants Congress to pass legislation.
“What we as an industry, spanning across public and private sector security teams, need to improve on is breaking down the silos of ‘how’ and ‘to whom’ threat data and threat intelligence is being shared,” said Barmak Meftah, president of the San Mateo, California, cybersecurity startup AlienVault.
Stanford is in the heart of the Silicon Valley, home to Google, Apple, Facebook, Intel and most other tech leaders. The valley is also a national hub of innovation, with the most patents, venture capital investment and startups per capita in the U.S. The university launched a $15 million initiative in November to research the technical and governance issues involved in maintaining security online.
A sore point for the private sector is that while most states require them to report breaches, the federal government isn’t required to publicize its own data losses.
By announcing that US and Chinese ships are in "active combat"
Hackers appear to have infiltrated the Twitter accounts of two news organizations Friday to announce a fictional battle between China and the United States.
Identical tweets posted to the feeds of the New York Post and news agency United Press International about “active combat” between U.S. and Chinese navy vessels in the South China sea appear to be the work of hackers:
The New York Post announced they had been hacked in a follow-up tweet:
UPI’s Twitter also posted a tweet saying that Pope Francis had declared “World War III has begun,” also presumably the work of hackers.
The U.S. Navy confirmed to the Military Times that the USS George Washington was in port, and not engaged in battle in the South China Sea.
Hacking remains closer to your Facebook and email passwords than you may think
This story was originally published at the Daily Dot.
Online security is increasingly an issue rich for headlines as everyone from movie studios and celebrities to major retailers and CENTCOM find themselves the victims of digital infiltrators. However, “hacking” is also a very technical issue and, like many technical issues, one the media often gets wrong.
So as a citizen of the 21st century, it’s increasingly important to arm yourself with some basic facts about hacking, cybersecurity, and the real threats they pose, as well as those they don’t. With that in mind, here are seven common misconceptions you might have about hacking.
1) Taking down a site is akin to hacking that site
One of the most common headline-grabbing moves by so-called hackers is to take down their site through a DDoS attack. A group calling itself Lizard Squad has been using this method to take down the networks of Playstation and Xbox Live. It’s a common method of protest by the hacker collective Anonymous, which has used it against such varied entities as the Westboro Baptist Church and, most recently, French jihadists.
These are not “hacks,” however, in the traditional sense of the term. A “hacker” is defined by the National Initiative for Cybersecurity as “an unauthorized user who attempts to or gains access to an information system.” Taking down a website or even a server does not take so much effort and certainly doesn’t demand infiltrating the host of the target. All you need is a simple distributed denial of service, or DDoS.
A DDoS is a network of computers all sending data packets towards one server with the goal of overloading said server. Far from many individuals sending data from their computers, however, the most common form of DDoS consists of networks of computers—typically hacked for this purpose without their owners knowing—all being used to flood a particular target.
CEO broke weeks of silence about 'The Interview' hack on Monday+ READ ARTICLE
Sony’s chief executive offered his first public comments about the December cyberattack that exposed his company’s inner workings, and ultimately sabotaged the worldwide premiere of The Interview.
CEO Kazuo Hirai called the attack one of the most “vicious and malicous” hacks in recent history, CNN reports. He broke his silence during a speech at the Consumer Electronics Show in Las Vegas on Monday, adding, “I am very proud of all the employees, and certainly the partners that we work with as well, who stood up against some of the extortionist efforts of the criminals.”
American history is littered with examples of classified information pointing us towards aggression against other countries—think WMDs—only to later learn that the evidence was wrong
When you’re attacked by a missile, you can follow its trajectory back to where it was launched from. When you’re attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.
Many of us in the computer-security field are skeptical of the U.S. government’s claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI’s evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have loved to hate Sony for over a decade, or possibly a disgruntled insider.
On the other hand, most people believe that the FBI would not sound so sure unless it was convinced. And President Obama would not have imposed sanctions against North Korea if he weren’t convinced. This implies that there’s classified evidence as well. A couple of weeks ago, I wrote for the Atlantic, “The NSA has been trying to eavesdrop on North Korea’s government communications since the Korean War, and it’s reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un’s sign-off on the plan. On the other hand, maybe not. I could have written the same thing about Iraq’s weapons-of-mass-destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.”
The NSA is extremely reluctant to reveal its intelligence capabilities — or what it refers to as “sources and methods” — against North Korea simply to convince all of us of its conclusion, because by revealing them, it tips North Korea off to its insecurities. At the same time, we rightly have reason to be skeptical of the government’s unequivocal attribution of the attack without seeing the evidence. Iraq’s mythical weapons of mass destruction is only the most recent example of a major intelligence failure. American history is littered with examples of claimed secret intelligence pointing us toward aggression against other countries, only for us to learn later that the evidence was wrong.
Cyberspace exacerbates this in two ways. First, it is very difficult to attribute attacks in cyberspace. Packets don’t come with return addresses, and you can never be sure that what you think is the originating computer hasn’t itself been hacked. Even worse, it’s hard to tell the difference between attacks carried out by a couple of lone hackers and ones where a nation-state military is responsible. When we do know who did it, it’s usually because a lone hacker admitted it or because there was a months-long forensic investigation.
Second, in cyberspace, it is much easier to attack than to defend. The primary defense we have against military attacks in cyberspace is counterattack and the threat of counterattack that leads to deterrence.
What this all means is that it’s in the U.S.’s best interest to claim omniscient powers of attribution. More than anything else, those in charge want to signal to other countries that they cannot get away with attacking the U.S.: If they try something, we will know. And we will retaliate, swiftly and effectively. This is also why the U.S. has been cagey about whether it caused North Korea’s Internet outage in late December.
It can be an effective bluff, but only if you get away with it. Otherwise, you lose credibility. The FBI is already starting to equivocate, saying others might have been involved in the attack, possibly hired by North Korea. If the real attackers surface and can demonstrate that they acted independently, it will be obvious that the FBI and NSA were overconfident in their attribution. Already, the FBI has lost significant credibility.
The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we’re expected to support retaliatory action, is for the government to be much more forthcoming about its evidence. The secrecy of the NSA’s sources and methods is going to have to take a backseat to the public’s right to know. And in cyberspace, we’re going to have to accept the uncomfortable fact that there’s a lot we don’t know.
Bruce Schneier is a security technologist, a fellow at the Berkman Center for Internet and Society at Harvard Law School and the CTO of Co3 Systems Inc. He blogs at schneier.com and tweets at @schneierblog.
TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email firstname.lastname@example.org.
Two days after a Christmas hack downed Sony's Playstation and Microsoft's Xbox online networks
Sony’s Playstation network is “gradually coming back online,” the company announced early Saturday, two days after a hacking group claimed responsibility for downing it.
A group known as “Lizard Squad” said they hacked both the Playstation network and Microsoft’s Xbox Live just as new users were launching consoles they received on Christmas. The console’s networks allow users to play games with an online community.
On Friday, the Xbox network was “up and running,” according to NBC News.
"All of us have to adapt to the possibility of cyber attacks"
President Obama said he does not believe the Sony hack is an act of war, defending his position that Sony made a mistake in pulling The Interview.
“I don’t think [the hack] was an act of war. I think it was an act of cyber vandalism that was very costly, very expensive. We take it very seriously,” Obama said during CNN’s State of the Union, which aired Sunday.
Obama said in an earlier press conference Friday that he wished Sony Pictures, which suffered a devastating hack last month, had consulted him before deciding to cancel the film’s slated release. The fictional comedy starring Seth Rogen and James Franco is about an assassination attempt on North Korean dictator Kim Jong-un. Terror threats surfaced last week targeting theaters who planned to screen the movie.
Sony Entertainment CEO Michael Lynton appeared on CNN shortly after Obama’s Friday statement, and said that Obama and the public “are mistaken as to what actually happened.” Lynton said that The Interview was pulled because many major theater chains decided not to show the film.
In Sunday’s interview, Obama reinforced his sympathy for Sony’s cancellation of the film for practical reasons, but stressed again that Sony had nonetheless set a precedence for self-censorship in several sectors.
“What happens if in fact there’s a breach in CNN‘s cyberspace?” Obama said during the broadcast. “Are we going to suddenly say, ‘Well, we better not report on North Korea?’ So the key here is not to suggest that Sony was a bad actor. It’s making a broader point that all of us have to adapt to the possibility of cyber attacks.”
"We have not given up," Michael Lynton said after his studio cancelled the movie under pressure+ READ ARTICLE
Sony Pictures Entertainment CEO Michael Lynton defended his company’s decision to cancel the release of The Interview on Friday, even as the company refused to rule out releasing the movie in other ways.
Lynton said Sony’s decision was prompted by movie theaters opting not to show the film after hackers, who U.S. officials believe are linked to North Korea and who have wreaked havoc on the studio by disclosing emails and other company information, threatened 9/11-style attacks. Moments earlier, President Barack Obama had called the move to cancel the Christmas Day release a “mistake.”
“The unfortunate part is in this instance the President, the press, and the public are mistaken as to what actually happened,” Lynton said on CNN. “When it came to the crucial moment… the movie theaters came to us one by one over the course of a very short period of time. We were completely surprised by it.”
Sony said in a statement later Friday that its decision was only about the Christmas Day release.
“After that decision, we immediately began actively surveying alternatives to enable us to release the movie on a different platform,” the studio said. “It is still our hope that anyone who wants to see this movie will get the opportunity to do so.”
Obama told reporters he wished Sony had reached out to him before canceling the film’s Christmas day release. It depicts a fictional assassination attempt against North Korean leader Kim Jong Un.
“We cannot have a society where some dictator someplace can start imposing censorship here in the United States,” he said. “Imagine if producers and distributors and others start engaging in self-censorship because they don’t want to offend the sensibilities of someone who’s sensibilities probably need to be offended.”
Lynton denied the studio had given into the hackers’ threats.
“We have not caved. We have not given up,” he said. “We have always had every desire to have the American public see this movie.”
Norton anti-virus technology is now available in stretch denim
A wearable tech firm has joined forces with Norton to develop a new pair of jeans that prevent “digital pickpockets” from scanning your credit cards and passports as you walk by.
The pockets in Betabrand’s “Ready Active Jeans” are lined with a specially designed fabric that blocks RFID (radio-frequency identification) signals, which are used in a growing number of credit cards and passports to enable secure wireless scanning. Betabrand, however, says identity thieves armed with handheld scanners have exploited the technology in upwards of 10 million heists a year.
“That’s why we partnered with with global information-protection authority Norton to create the world’s first RFID-blocking jeans,” Betabrand wrote in an announcement of the new jeans.
The jeans are currently selling for $151, and can be purchased with a matching, RFID-repellant blazer. Machine wash cold.