Many of the stories from earlier posts this month have continued to evolve. Here are a few:
Privacy and Cryptowars 2.0 (Oct 12) – Obama Won’t Seek Access to Encrypted User Data. This is a major victory for privacy advocates, and has law enforcement officials scrambling for alternatives. For a great opinion piece on this topic, see the CSM opinion from Jeffrey Vagle. Policies in this debate never seem to last for long, however…
The story also highlights a connection between the Cryptowars discussion and the U.S. – China deal (Oct 5):
“Timothy D. Cook, the chief executive of Apple, sat at the head table with Mr. Obama and Xi Jinping, the Chinese president, at a state dinner at the White House last month. According to government officials and industry executives, Mr. Cook told Mr. Obama that the Chinese were waiting for an opportunity to seize on administration action to insist that Apple devices, which are also encrypted in China, be open to Beijing’s agents.”
Speaking of the U.S. – China deal on economic cyberespionage, China arrested 5 hackers identified by the U.S. Government, the first time China has taken such action. Administration officials are waiting to see whether this is the start of a longer-term trend or simply a gesture prior to the state visit; early results indicate that Chinese hacking continues. The U.S. has also gotten aggressive, arresting a Kosovo native in Malaysia for allegedly providing service member personal information to ISIS.
In another story related to the privacy discussion, the New York Times did a piece titled “Behind the European Privacy Ruling That’s Confounding Silicon Valley” indicating among other things:
“Big Brother is no longer the only threat to privacy, and Europe has struggled to regulate the gossipy circle of consumer-data-collecting companies. Facebook currently faces challenges from five European regulators, including a Dutch-led investigation into how the company uses data from services like Instagram and WhatsApp and a Belgian effort to stop it from tracking consumers who have not joined the service.”
Now the U.S. tech community has jumped aboard legislative action to fix this by providing legal redress for EU citizens in the U.S. whose private data has been mishandled. But many of these same companies are coming out against the Cybersecurity Information Sharing Act legislation, also on privacy grounds. The legal environment is fluid at best!
In a sign that the Cyber Insurance (Oct 8) market continues to evolve, premiums are now seeing massive increases for new policies, which are also seeing more stringent liability caps and coverage limits. This is a hot topic, with NPR running a series on cyber insurance claiming “Cybercrime is costing the global economy nearly half a trillion dollars a year, according to the insurer Allianz.”
On the software side (Oct 6), the ability of the Android and Apple app stores to control malware and privacy threats from apps continues to be in the news. Of all things, Apple dumped ad-blocking and content-blocking apps that installed root certificates (which control encryption, among other things) over privacy concerns (presumably allowing more ads and “content” through). Android wishes it were that easy, although the article does provide some useful differentiation among Android device manufacturers.
Finally, in the world of financials, US-CERT issued a new Technical Alert for Dridex malware, which uses phishing attacks to install itself on Windows machines and then proceeds to steal your banking credentials. Financial institutions around the world are increasingly concerned. And questions are being raised about the security of mobile payment systems (although some of these concerns are being raised by the banking industry itself, trying to fend off stiff competition).
There is never a shortage of stories about the latest activities in the world of cybersecurity. Although the specifics change, the major themes seem to be firmly established: the various tradeoffs between privacy and security among individuals, companies and governments, and the methods used to try to implement these policy choices in an increasingly dangerous digital world.