Cybersecurity

President-Elect Joe Biden Must Reinforce Democracy in a Digital Age, Say Cybersecurity Experts

December 7, 2020 – Cybersecurity experts were on the prowl for misinformation emanating from all over the globe about the 2020 presidential election. They just didn’t expect that they would find it emanating from the White House.

At a Wednesday event hosted by the Center for Strategic and International Studies to consider the cybersecurity challenges that the administration of President-elect Joe Biden will face in the next four years, panelists said that disinformation is very much part of the cybersecurity mix.

Russian interference in the 2016 election was “pushing against an open door,” said Suzanne Spaulding, adviser for the Homeland Security International Security Program at CSIS and former under-secretary for the Department of Homeland Security.

The Russians took advantage of deteriorating trust in American institutions and democracy, she said. More in the national security community need to be recognized not only for their knowledge but also for their integrity. That would help restore public trust in American institutions.

The CSIS event considered the release of a new HBO documentary called “The Perfect Weapon,” based on a book of the same name by David Sanger, about cyber conflict in the digital age.

Sanger, one of the panelists on the webinar, is the national security correspondent for The New York Times.

Sanger also said that he was surprised that President Donald Trump himself became the biggest source of misinformation in 2020.

“We had expected that they [the Russians] would change the playbook this year, as I think we said at some CSIS events, but what we missed out here was that President Trump made their life pretty easy for them,” said Sanger.

Future needs for a more cyber-secure world

The panel also discussed how America could improve cybersecurity and rebuild Americans’ faith in national institutions and democracy.

One aspect is to establish cybersecurity “norms” that nations agree to: kinds of cyberattacks against each other that should be off the table, especially during peacetime. Spaulding mentioned attacks against “critical infrastructure” upon which the public relies, referencing the December 2015 cyberattack against an electric grid in Ukraine.

The new administration takes office next month, and Sanger explained that the cyber world is much more active now than it was four years ago when Biden left the vice presidency.

“We’re well into digital transformation that’s reshaping society and politics and security,” said James Lewis, senior vice president and director for the Strategic Technologies Program at CSIS. “And that’s the fundamental difference from say, five years ago. It’s much further along,” he said.

Lewis mentioned several specific areas of this digital transformation that must be considered, including social media usage (which implicates discussions about Section 230 of the Communications Decency Act), crime and how much it costs the global economy, and how data is used both economically and for warfare.

Just as the digital age redesigned business, politics and entertainment, reinforcing democracy and American institutions will be one of the key challenges facing the Biden administration.

Reporter Tim White studied communication and political science at the University of Utah, and previously worked on Capitol Hill for a member of Congress. A native of Salt Lake City, he escapes to the Pacific Northwest as often as he can. He is passionate about politics, Star Wars, and breakfast cereal.

China

Report Urges States, Local Governments Follow Federal Rules on Prohibited Equipment Purchases

Only a handful of states have crafted their purchasing decisions after federal rules banning certain companies’ equipment.

Members of the Center for Security and Emerging Technology at Georgetown University

WASHINGTON, November 14, 2022 – A think tank is recommending state and local governments align their rules on buying technology from companies with federal guidelines that prevent agencies from purchasing certain prohibited foreign technology, such as ones from Chinese companies.

The Center for Security and Emerging Technology at Georgetown University notified the Federal Communications Commission late last month of a report released that month regarding what it said was a concerning trend of state and local governments having outdated procurement policies that are seeing them purchase equipment banned for federal purchase.

“State and local policymakers should not be expected to independently analyze and address the threats posed by foreign technology, but it would behoove them to align their own procurement practices with the rules set by the federal government,” the report recommends.

The FCC maintains a list, as required by the Secure and Trusted Communications Networks Act of 2019, of companies that it says pose a national security threat to the country’s networks, and it updates the list on a rolling basis through commission votes. It last updated the list in September, when it added Pacific Network Corp. and China Unicom Operations Ltd. to the growing list that already includes Huawei and ZTE.

Chinese companies and following Communist Party directions

U.S. officials and experts have warned that Chinese companies operating anywhere in the world must follow directions of the Chinese Communist Party, which they say could mean anything from surveillance to American data falling into the hands of that government.

The report notes at least six state governments had their networks breached by a state-sponsored Chinese hacking group between May 2021 and February 2022.

The only states that have enacted local regulations aligned with federal provisions are Florida, Georgia, Louisiana, Texas, and Vermont, the report said. Provisions in Georgia and Texas prohibit private companies from entering into agreements with the covered companies. Vermont, Texas and Florida provisions block state entities from purchasing equipment from countries like China, Russia, Iran, North Korea, Cuba, Venezuela and Syria. Louisiana and Georgia provisions ban public-funded schools from buying prohibited technology.

The remaining 45 states do not explicitly target the equipment and services the covered companies produce, nor are they directly responsible for following federal provisions, the report said, leaving state entities vulnerable to obtaining equipment from third-party contractors that could pose a security risk.

“Many government entities also lack the in-house technical expertise and procedures to understand and address such threats in the first place, and those that do may prioritize addressing immediate threats like ransomware over the more abstract risks posed by foreign ICTS,” the report said.

Section 889 of the 2019 National Defense Authorization Act is one of four federal provisions addressing the issue, prohibiting federal agencies from using equipment and services from Huawei, ZTE, Hikvision, Dahua and Hytera as well as working with contractors that use the equipment.

Prohibited products finding their way in

In some cases, the report said, the listed companies will sell their products to third-party contractors that are not listed on Section 889 to bypass regulations. Due to the low cost of Chinese equipment, public schools and local governments will purchase from the third-party entities that are unknowingly selling prohibited equipment, it added.

“These ‘middle-man’ vendors can mask the origin of their products, which creates major challenges for organizations aiming to keep certain equipment and services off their networks,” the report reads.

“Currently, contractors are responsible for self-certifying that their products and internal networks do not contain covered [products]” and “… inspecting the IT infrastructure—equipment, services, and components – of every contractor that does business with the federal government would require a staggering level of resources, making it difficult for agencies to conduct effective oversight.”

Cybersecurity

Internet of Things Devices May Provide a Weak Point for Cybersecurity, Says CableLabs

But every device is a potential way into its network, and the recent explosion of IoT devices presents security risks.

Screenshot of Brian Scriber, vice president of security and privacy technologies at CableLabs.

WASHINGTON, November 9, 2022 – Since Internet-of-Things appliances are prime “landing spot[s]” for cyber-attackers looking for network access, industry standards and open-source resources are important to maintaining cybersecurity at the device level, said Brian Scriber, vice president of security and privacy technologies at CableLabs, the non-profit innovation arm of the cable industry.

“The mark that we’re really shooting for is how do we get some industry-led initiatives to really make a difference on the… supply (of IoT devices),” Scriber said Tuesday during a cybersecurity panel at the American Enterprise Institute, a conservative think tank.

IoT refers to network-connected devices that can interact with their environments. IoT devices can be refrigerators, thermostats, home-security systems, health-monitoring devices, and much else. But every device is a potential way into its network, and the recent explosion of IoT devices presents security risks.

“If you are an attacker, finding a vulnerable device like a lightbulb is fantastic because it has power constantly, it has the computational ability to be able to engage, you gave it network credentials when you brought it on your network,” Scriber argued.

Even a secure network can’t protect against the cyber risks associated with vulnerable devices, he added.

In addition to device security, overall network security is crucial and can be enhanced by limiting communication between devices, said Katerina Megas, program manager of the Cybersecurity for Internet of Things Program at the National Institute of Standards and Technology, a federal agency responsible for technical calibration and standard-setting.

“There has to be an ecosystem approach,” Megas said.

In October, President Joe Biden’s administration announced preliminary steps towards a cybersecurity labeling system for IoT devices.

“By developing and rolling out a common label for products that meet U.S. Government standards and are tested by vetted and approved entities, we will help American consumers easily identify secure tech to bring into their homes,” the White House said.

Cybersecurity

Companies Should Adopt Default No Trust Position on Programs to Protect Against Cyberattacks

Panelists identified risks in employees freely accepting links without thinking about their associated risks.

Screenshot of Fred Gordy, director of cybersecurity at smart building company Intelligent Buildings

WASHINGTON, August 24, 2022 – Companies should assume that new programs installed on company systems pose a threat to their networks to ensure a vigilant position on hacking risks, according to an expert on cybersecurity, after the country faced a number of high-profile cyberattacks recently.

The zero trust approach, in which the default position is one of distrust of new programs, was touted by Osman Saleem, cybersecurity and privacy director of operational technology and internet of things at professional services firm PricewaterhouseCoopers in Canada, who was speaking as a panelist at a Fierce Telecom event on Monday.

The event heard that the vast majority of security breaches at companies were a result of human error, including clicking on links containing malicious software (malware) that can wreak havoc on and suspend company systems. Data, in the case of a ransomware attack, can be locked away until the company pays a monetary sum to get it back.

Fred Gordy, director of cybersecurity at smart building company Intelligent Buildings, said companies sometimes don’t even back up their systems in case of an attack and only end up doing so in response to one.

Gordy also encouraged the zero trust approach to company security by assuming all digital programs and software have malware.

Opportunities for better cybersecurity

Saleem proposed that cybersecurity documents be reviewed and revised regularly because the cyber landscape always changes. This, he said, can protect the digital infrastructure of the companies’ systems, operations and employees.

Meanwhile, Congress has been pressing the issue, following the high-profile cyberattacks on software company SolarWinds, financial services company Robinhood, meat producer JBS, and oil transport company Colonial Pipeline. President Joe Biden earlier this year signed, as part of a larger budget bill, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires certain critical infrastructure companies to report cyberattacks to the federal government.

A House Oversight and Reform committee investigation concluded that certain hacks on companies were perpetrated through, in one example, an employee accepting a fake browser update. In the case of Colonial Pipeline and JBS, with their use of many devices connected to the internet (IoT), the investigation found that mass-produced factory password settings may have been the point of vulnerability.
