Nuclear facilities unprotected against cyber attacks

A new report by the Nuclear Threat Initiative found that twenty countries with either nuclear weapon materials or power plants “do not even have basic requirements to protect nuclear facilities from cyber attacks.”

The report draws relevance from a recent cyber attack that caused a power outage in Ukraine—the first blackout ever induced by hackers. The event created international concern about the industrial sector’s susceptibility to cyber attacks.

According to Page Stoutland, NTI’s vice president for scientific and technical affairs, countries with developed nuclear programs have established safeguards against hacking, whereas nations with burgeoning programs have greater gaps in their regulatory policies. “What we have observed is what I call enormous unevenness on the global stage to address this issue,” he said.

The United States, for example, takes several precautions to keep nuclear power plants secure. Plant systems are disconnected from the Internet and specialized hardware separates business computer systems from nuclear operation computer systems to prevent hackers from infiltrating operations through the Web.

“Nothing suggests that a cyber attack executed through the Internet could cause a nuclear reactor to malfunction and breach containment,” stated a 2015 report by the Department of Homeland Security.

Other groups disagree. According to a 2013 CNN report, command and control systems of nuclear power plants could be navigated online. Moreover, a 2015 report by the London-based think tank Chatham House stated that there was an “element of denial” among nuclear power plant operators about the likelihood of cyber attacks.

“Often, nuclear facilities will have undocumented connections to the internet” that hackers can use to infiltrate nuclear systems, said Chatham House.

Article via The Washington Post, 15 January 2016

Photo: Central nuclear de Trillo by Tonymadrid Photography [Creative Commons Attribution-NonCommercial-NoDerivs]


NSA ceases bulk data collection

The National Security Agency has been collecting metadata, which is information such as phone numbers and duration of calls, since shortly after the attacks of September 11. The collection of this metadata has ceased as of November 28th. So what changed?

There is a new law in place, known as the USA Freedom Act of 2015. This law is being seen as a victory for privacy activists and tech companies looking to protect their user data. The USA Freedom Act of 2015 came about as a response to the revelations of Edward Snowden, a former NSA contractor who revealed the NSA's deep surveillance of the American people. This new law prohibits the bulk collection of phone data previously done by the NSA. Although the agency won’t keep the bulk data, investigators will still have access to these types of records when they are investigating a particular person or targeting specific groups. The existing metadata that has been captured during the last 5 years will be kept until next February 29th in order to ensure a smooth transition.

National Security Council spokesperson Ned Price stated that this new law “struck a reasonable compromise which allows us to protect the country while implementing various reforms.”

Some have concerns, since the new law is going into effect so soon after the terrorist attacks in Paris. At a time when America is scaling back its surveillance, countries like England and France are considering new bills to enhance surveillance. Since American companies like Verizon would be involved, it may mean the creation of new treaties between Great Britain and the United States. It is likely that this type of confounding circumstance will present itself more in the future due to the international nature of terrorism.

Article via ABAJournal, 30 November 2015

Photo: National Security Agency Seal via Donkey Hotey [Creative Commons Attribution-NonCommercial-NoDerivs]


Data surveillance versus privacy: finding a balance

With the ISIS attack in Paris still fresh in everyone’s minds, many concerns are being raised about data surveillance laws. Even though there has not been any evidence that the terrorist attacks involved the use of encrypted data, some supporters of expanding data surveillance are citing the attacks as proof that wider-ranging laws are needed. This is nothing new; the ongoing battle between privacy proponents and lawmakers supporting more surveillance is thrust into the spotlight increasingly often. Disagreements over data encryption will likely only increase, with 75% of internet interactions expected to be encrypted in the next ten to fifteen years. And while supporters of internet and data privacy have no problem with this rise in data encryption, it will cause technical problems for government agencies and law officials who need to access information to bring criminals and terrorists to justice.

A compromise has been suggested: some officials have proposed instituting laws that require tech companies to develop methods for police to obtain access to encrypted information, although this may not even be possible. Some companies such as Apple and Google cannot even access data encrypted in their own devices and services. Even if it is possible, the White House has agreed to not move forward with any legislation that would require companies to make encrypted data available whenever the police needed it.

Finding a balance between protecting users’ privacy online and surveillance in the name of preserving law and order is an ongoing process and should not be determined quickly in the wake of a crisis. While there should be legal limits on the seizure of encrypted data, there must also be limits on how and what is encrypted. Determining these limits will take time.

Article via The Washington Post, November 18, 2015

Photo: Point Cloud Data via Daniel V [Creative Commons Attribution-NonCommercial-NoDerivs]


New bill protecting companies from cyberattacks compromises individual privacy

The US Senate voted this past Tuesday to pass the Cybersecurity Information Sharing Act (CISA), which allows companies to share evidence of cyberattacks with the US government, even if that data includes the personal information of individuals.

Those in favor of the bill argue that CISA will help the government protect companies. Most big tech companies make up the opposition and say that the new act is another loophole that allows the US government to snoop on citizens. President Obama supports CISA.

Al Franken, a senator from Minnesota and one of 21 who voted against the bill, said in a statement following CISA’s passing, “There is a pressing need for meaningful, effective cybersecurity legislation that balances privacy and security. This bill doesn’t do that.”

Companies are supposed to remove personal information about customers—such as emails and text messages—before sending data to the government. Currently, however, no accountability system exists to ensure that personal identifiers are in fact deleted before reaching government databases.

CISA was most likely passed in response to recent high-profile hackings, such as those committed against Sony Pictures, Ashley Madison, and United Airlines.

“With security breaches like T-Mobile, Target, and [the US government’s Office of Personnel Management] becoming the norm, Congress knows it needs to do something about cybersecurity,” said Mark Jaycox, Legislative Analyst of the Electronic Frontier Foundation. “It chose to do the wrong thing.”

Article via CNET, October 27, 2015

Photo: The Capitol, in Washington, D.C. US Senate and The House of Representatives via DeusXFlorida [Creative Commons Attribution-NonCommercial-NoDerivs]


US Senate passes controversial cybersecurity bill

On Tuesday, October 27, the US Senate voted to pass the Cybersecurity Information Sharing Act.

This bill allows companies to share evidence of cyber-attacks with the US government even if it violates a person’s privacy. Supporters say this act will make it easier for the government to monitor threats and responses across companies. Others, such as Apple and other top tech companies, argued that this bill could give government more liberty to spy on US citizens.

US Chamber of Commerce President and CEO Thomas Donohue said this legislation is a “positive step toward enhancing our nation’s cybersecurity.”

21 Senators voted against the act. Among them was Minnesota Democrat Al Franken, who believes there is a need for “effective legislation that balances security and privacy” and “the CISA does not do that.”

Just last year, the CISA was first introduced and passed by the House but it did not go through the Senate. High profile cyberattacks on companies like Sony Pictures, United Airlines, and Ashley Madison may have prompted the Senate to approve it this time around.

The issue at hand is that personal identifiers such as text messages and e-mails may slip through when sending information to law enforcement and intelligence agencies, even though companies are supposed to delete that information.

US Department of Homeland Security acknowledged that the bill does raise “privacy and civil liberty concerns.”

CISA is now going to a Congressional Conference whose members must match the passed Senate and House bills before sending it to President Obama.

Article via CNET Security News, October 27, 2015

Photo: Washington DC – Capitol Hill: United States Capitol via Wally Gobetz [Creative Commons Attribution-NonCommercial-NoDerivs]


Internet of Things makes hackers’ jobs easier

Every day, more and more digitally-connected devices are being integrated into our daily lives. In fact, researchers predict that there will be more than 40 billion devices wirelessly connected to the internet by the year 2020. This surge in the number of devices we use has led us into an era known as the Internet of Things, or IoT. Although there are many advantages to being able to utilize the internet in so many different ways, the more devices one has, the more paths a hacker can take to steal information. Recently, reports have come to light that internet-enabled cars could be turned off remotely by a hacker, and certain baby monitors could be hacked to monitor individuals without their knowledge. And as the medical field releases technology that fits into the Internet of Things, the potential problems only become more worrisome; hackers could potentially have control over someone’s health or even their life.

Thankfully, companies are trying to find solutions to make their Internet of Things devices safer to use. For example, digital security companies such as Gemalto are offering their experience to car manufacturers, and Microsoft has promised to add extra encryption and security software to their new Windows 10 IoT, their operating system for all of the Internet of Things devices Microsoft produces. Additionally, multiple tech firms have come together to form the Internet of Things Security Foundation, which will review devices that connect to the internet and offer support and advice to tech companies. In time, manufacturers of Internet of Things devices will need to determine how to make sure each device that an individual owns is continually updated and protected from hackers.

Article via TechCrunch, October 24, 2015

Photo: Internet of Things World Forum via Schneider Electric España [Creative Commons Attribution-NonCommercial-NoDerivs]