
UK Cybersecurity: Permanent job salaries growing faster than contractor pay rises

Demand for cyber security skills in the UK means that salaries for full time IT security jobs are increasing faster than contractor rates, according to a new survey.

Annual IT security permanent salaries climbed by 5 per cent (from Q4 2015 to Q4 2016) to £57,706, compared to a 0.62 per cent increase for contractor day rates (up to £484) over the same period, according to tech recruiting firm Experis.

Experis reports that annual demand for permanent and contract IT security professionals has increased by 46 per cent, driven by demand spurred on by the need to build robust defences against cybercrime in the wake of high profile hacks. The workload of achieving compliance with the European Union’s GDPR data protection rules is also having an effect.

Experis reckons the demand for IT security talent is at an all-time high. Its figures are based on tracking IT jobs advertised (within five technology disciplines: Big Data, cloud, IT security, mobile and web development) across 10 UK cities. Almost three times as many permanent IT security roles were advertised in London (3,164) as in every other tech city in the study combined (1,278). Four in five IT security contractor job adverts came from London, an even more marked difference.

IT security professionals in the capital are still commanding the biggest salaries (£62,596); almost a fifth (19 per cent) higher than any other region.

The Q4 2016 edition of the survey (available here, registration required) shows that companies are prioritising longer-term investment – with a 52.9 per cent surge in demand for permanent staff year-on-year. In comparison, there was a lower 15.3 per cent rise in demand from Q4 2015 – Q4 2016 for IT security contractor support.

Geoff Smith, managing director, Experis UK Ireland, commented: “With business leaders taking cyber security concerns more seriously than ever before, we’re starting to see a shift in how they integrate the necessary skills into their workforce. While there’s still a requirement for contractor support, employers are now prioritising long-term defence, and are increasingly looking for permanent IT security professionals to do this.”

He added: “Businesses must foster a culture of learnability and upskilling to equip existing and new security professionals with the right tools to defend against future attacks.” ®

Sponsored:
DevOps and continuous delivery

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/30/cybersec_job_salary_survey/

Has President Trump’s executive order on ‘Public Safety’ killed off Privacy Shield?

Analysis President Trump’s Executive Order (Enhancing Public Safety in the Interior of the United States) has caused controversy over its temporary ban on all Muslims entering the USA from certain countries. It has consequences for data protection.

However, law firm Hunton and Williams has just published a blog which concludes that “the Order should not impact the legal viability of the Privacy Shield framework” (see references). This conclusion is reached because, in the blog’s view, EU nationals still have access to USA courts via the Judicial Redress Act, which is unaffected by the Executive Order (unless this access is revoked by the USA).

I agree with the blog’s conclusions relating to the Judicial Redress Act; however, I am not convinced that this overcomes the main data protection problem associated with this Order.

This is because implementation of this Order requires enhanced data sharing between Federal Agencies in the USA. As this data sharing involves EU nationals, it directly raises the question: “do the provisions of the USA’s Privacy Act 1974 themselves offer an adequate level of protection for transfers of personal data to the USA?”.

In other words, the Executive Order will inevitably focus attention on the quality of the protections provided by the Privacy Act, and not on whether these protections are accessible to EU citizens via the Judicial Redress Act.

So what are these protections when there is data sharing? In this blog, I explore them.

President Trump’s Executive Order

Section 14 of the Executive Order states that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information”.

Note that this exclusion applies to all visitors and to all foreign nationals lawfully working in the USA, irrespective of nationality.

In addition, there will be increased sharing of personal data about EU data subjects (permitted by the Privacy Act, as we shall see). For instance, Section 4 of the Order is to “direct agencies to employ all lawful means to ensure the faithful execution of the immigration laws of the United States against all removable aliens” (my emphasis).

One such “lawful means” includes maximising lawful sharing of personal data between Federal Agencies as legitimised by the USA’s Privacy Act.

Section 2(b) of the Order reinforces this increased data sharing impetus as Federal Agencies should “Make use of all available systems and resources to ensure the efficient and faithful execution of the immigration laws of the United States”. Systems and resources obviously include the immense personal datasets now held by Federal Agencies.

The definition of “removable alien” also widens the range of data sharing; a removable alien includes non-USA citizens:

  • who engage in “willful misrepresentation in connection with any official matter” (i.e. even if unconnected with immigration);
  • who “have abused any program related to receipt of public benefits”; or
  • who “in the judgment of an immigration officer, otherwise pose a risk to public safety”.

Finally, the Order states that it is “the policy of the executive branch to empower State and local law enforcement agencies across the country to perform the functions of an immigration officer in the interior of the United States to the maximum extent permitted by law”.

The point being made is that it seems quite easy for any non-USA national to qualify for the status of “potential removable alien”, especially if a large number of officials can investigate any individual if they judge that person to be “a risk to public safety” (whatever that means).

It is these low thresholds for triggering data sharing that will focus attention on the actual protection afforded by the Privacy Act itself. Additionally, if these protections do not exist (as is the case in some disclosure circumstances), then access to them via the Judicial Redress Act is rendered irrelevant.

The USA Privacy Act of 1974

According to the Department of Justice (DoJ) website, the Privacy Act of 1974 establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of personal data processed by Federal Agencies.

Back in 1974, computer technology was largely mainframe based (e.g. a much loved IBM 370 series around the time of my PhD), so at the time of the Privacy Act much of the detail in personal records held by Federal Agencies was in manual form.

Also, in data protection terms, 1974 is seven years before the Council of Europe Convention (No. 108) of 1981, which is the leading European agreement on Data Protection, and just after the Younger Report into Privacy in 1972 (from which the ubiquitous Data Protection Principles emerged).

The point being made is that, without looking at any text, it would not surprise anybody if the forty-three-year-old provisions in the USA’s Privacy Act 1974 were found to be out of date. Provisions that were enacted and debated at a time when detailed personal records were manually stored are now being regularly applied in a wholly different electronic era.

By contrast, most of Europe is enacting its third generation of comprehensive data protection law (i.e. the GDPR) to update the level of data subject protection in an inter-connected world. This alone raises serious doubt as to the adequacy of the level of protection afforded by a 43-year-old piece of legislation.

The DoJ’s own description of the Privacy Act on its website reinforces these doubts (see references). It states that “the Act’s imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply” and “Moreover, even after more than forty years of administrative and judicial analysis, numerous Privacy Act issues remain unresolved or unexplored”.

So, in the forthcoming Trumpian era, if data sharing goes wrong, are the European Commission and EU Data Protection Authorities expecting EU Citizens to cover the expense of litigation in the USA Courts in order to deal with the many “unresolved or unexplored” issues the DoJ have identified?

Does this look like “an adequate level of protection” to you? It doesn’t to me.

Data sharing under the Privacy Act

The Privacy Act 1974 requires that Agencies place a public notice about their processing in a Federal Register and prohibits the disclosure of personal data in the absence of written consent of the data subject, unless the disclosure is exempt from the Privacy Act altogether, or unless the disclosure is pursuant to one of twelve statutory exceptions.

As the Executive Order states that Agencies’ “privacy policies exclude persons who are not United States citizens”, one can assume that details of any data sharing required by the Order will be absent from such policies.

This raises an immediate question: if EU citizens do not know about data sharing because of the Order’s exhortations, how can such persons know that they can use the Judicial Redress Act to access the protection afforded by the Privacy Act with respect to such data sharing? If you have an answer, can you tweet it to @realDonaldTrump?

Three of the twelve statutory exceptions mentioned above are relevant to the further use or disclosure of personal data by Federal Agencies. These exceptions are:

  • “need to know” within an Agency; this allows an Agency to use the personal data for any official purpose (e.g. if it needs to know about potential “removable aliens”).
  • “routine uses”; this will allow any Federal Agency to use personal data held by other Agencies in the same set of circumstances (i.e. relating to “removable aliens”).
  • “law enforcement request”; a senior officer must make the request and specify the requirements. There is no test of prejudice or necessity associated with the request for personal data (e.g. as there is under the UK Data Protection Act).

It can be seen that the Privacy Act itself is a “flexible friend” from the perspective of a Federal Agency wanting to use or share personal data. For example, with respect to any potential removable alien:

  • if an Agency “needs to know”, the Order states that there is no need for that further purpose to be described in any privacy policy available to data subjects.
  • if another Agency seeks “routine use”, then it is very likely that the Agency has a remit in relation to a removable alien and therefore the processing is compatible with its functions. There again the privacy policy will not describe the data sharing purpose (which, by the way, will have nothing to do with law enforcement as that is covered by an even more flexible “law enforcement request” described above).

Finally, data sharing for a data-matching purpose linked to law enforcement is not subject to the Privacy Act at all; for example, if a dataset was identified for data-matching purposes in relation to criminal offences or law enforcement associated with removable aliens.

Concluding comments

In my view, the Executive Order will inevitably focus attention on the limited privacy protection afforded by the USA’s Privacy Act 1974; I suspect that any detailed analysis of that Act will show the protection to be patchy and deficient.

It is only a matter of time before an event involving an EU citizen (or European NGO) is raised with a data protection authority. The question is not whether there will be a problem with the Privacy Act 1974, but when such a problem manifests itself in a way that cannot be ignored.

Of course, the Working Party 29 could easily maintain its stance on Privacy Shield (i.e. review Privacy Shield once the GDPR has been implemented and the powers of the European Data Protection Board become available). Such a review has to consider the Privacy Act itself.

For instance, last Friday, EU Justice Commissioner Vera Jourova told the press in Malta that “I need to be reassured that Privacy Shield can remain”. Can I use this blog to exhort Ms Jourova to at least ask the right question, which is “whether the USA’s Privacy Act 1974 offers an adequate level of protection for EU Citizens”.

However, the USA is a Third Country outside the EEA. If I were a data controller relying on Privacy Shield, I would look at contingency arrangements just in case this Order (or another Trumpian policy) goes horribly pear-shaped. For ideas, see my blog on a Hard Brexit for options (see references).

When Privacy Shield was hurriedly negotiated under President Obama, all the negotiators wanted to extract themselves from a “Safe Harbor” pit, dug for them by the CJEU decision in Schrems. The politicians negotiating the deal were willing to gloss over the actual level of protection afforded by the USA’s Privacy Act of 1974 in order to agree Privacy Shield.

This is not an option given Executive Orders like this; I cannot see how this Privacy Act offers an adequate level of protection.

Indeed, I suspect this was known to be the case with the original Safe Harbor agreement.

References

Enhancing Public Safety in the Interior of the United States (Executive Order): https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united

Hunton and Williams Blog: “Privacy Shield: Impact of Trump’s Executive Order”: https://www.huntonprivacyblog.com/2017/01/28/privacy-shield-impact-of-trumps-executive-order/

DoJ website on the Privacy Act 1974: https://www.justice.gov/opcl/privacy-act-1974 and https://www.justice.gov/opcl/introduction

The options facing a controller in Privacy Shield are the same as in my blog “If a hard Brexit a-gonna fall what then happens to overseas transfers of personal data?” (replace “hard Brexit” with “Privacy Shield implosion” in the text): http://amberhawk.typepad.com/amberhawk/2017/01/if-a-hard-brexit-a-gonna-fall-what-then-happens-to-overseas-transfers-of-personal-data.html

Schrems CJEU decision C362/14: http://curia.europa.eu/juris/documents.jsf?num=c-362/14


This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/30/trump_executive_order_public_safety_privacy_shield/

Are Security Concerns Over Trump’s Android, Twitter Use Overblown?

Security experts say it’s hard to know for sure without further details.

Some concerns aired lately about the potential security implications of President Trump’s use of his Twitter account and, apparently, an old personal Android smartphone could be based on incomplete information, security experts said this week.

Several media reports in recent days have noted Trump’s apparent use of an old and unsecured Android device to post his tweets. Android Central analyzed a couple of photos of Trump using the phone and surmised that it most likely was a Samsung Galaxy S3 released back in 2012, and which hasn’t received any software updates since at least 2012.

Trump was rumored to have turned in the phone for an encrypted US Secret Service-approved device soon after being sworn in as President. But in an interview with The New York Times earlier this week, he seemed to indicate that he still had the old Android and was apparently using it to post on Twitter.

In a separate story, The New York Times described Trump’s alleged use of the old Android as a practice that could expose him and the nation to multiple security threats. The Times cited experts as worrying over whether the device and its contents were properly encrypted, whether it was open to hacking on cellular and Wi-Fi networks, and its susceptibility to location tracking.

Famed cryptographer Bruce Schneier expressed concern about the potential for the phone to be used for eavesdropping, if indeed Trump was using the phone as reported. Meanwhile, there were reports this week that Trump’s official @POTUS Twitter account was possibly connected to a personal Gmail account belonging to White House social media director Dan Scavino – claims that stirred additional security concerns.

A Twitter user with the handle WauchulaGhost noted the problem in how Trump’s Twitter account was secured and that of multiple other Twitter accounts belonging to people close to the President. On Thursday, Trump’s @POTUS account was linked to a White House email account after several media reports had raised the issue.

While such issues are important, the real question is to what extent they are being allowed to become a security problem, several experts said.

“The White House has a solid security team,” says Eddie Schwartz, president and COO of White Ops Inc. “It’s unlikely they and more senior officials would not have briefed the President or his aides on the risks of their personal devices.”

At a minimum, they would have taken steps to lock down personal devices or keep them out of controlled access areas where classified material is discussed, Schwartz says.

Multiple measures are also available to shore up security on off-the-shelf devices like the aging Android that the President is reported to be using, he says. This can include measures like implementing data encryption at rest and in transmission, the use of a secure OS like Knox, and device configuration management.

“Certain hardware and software platforms have more problems than others,” he says. “But I’m confident that the White House has access to all the vulnerabilities that are known by the government.”

Morey Haber, vice president of technology at BeyondTrust, said it’s hard to believe that the Secret Service and the NSA would allow the President direct access to an insecure device with an insecure set of credentials based on a commercial Gmail account. It is also very likely that someone other than Trump is tweeting the messages on his behalf, Haber says. The President himself will likely only be allowed to use an authorized BlackBerry or STIG-hardened Android device, he noted.

“I have no insight or inside information into what device President Trump really is using,” notes John Pescatore, director of emerging security threats at SANS Institute. But it isn’t unusual at all for a C-level executive or a Commander-in-Chief to refuse to have security controls dictated to them.

If that is the case, “I hope that President Trump is at least using a single-purpose device only for Tweeting and using the strongest authentication possible,” he says, noting Twitter’s available two-factor verification process. Ideally, the President would be using an authorized device that is locked down and monitored and kept secure.

“That said, he has been a prolific Tweeter for many years and doesn’t seem to have fallen to attacks before,” Pescatore says. “He may be unusually security-aware or just unusually lucky.”

Either way, it is up to the President to set the standard in secure communications from the top-down, according to Pescatore.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/are-security-concerns-over-trumps-android-twitter-use-overblown/d/d-id/1328005?_mc=RSS_DR_EDT

Texas Police Unit Loses Years Of Evidence To Ransomware

Police in Cockrell Hill, Tex., lost eight years of documents, photos, and videos when a ransomware attack corrupted files on its server.

The server of a police department in Cockrell Hill, Tex., was recently the victim of ransomware. The attack wiped out eight years’ worth of evidence, including Microsoft documents, photos, body camera video, in-house surveillance video, and in-car camera video, reports BleepingComputer. Officials said they were unsure how this loss would affect ongoing investigations, but few prosecutions are expected to suffer.

Data lost in the attack dates back to 2009, the department reported. Information stored on CDs and DVDs remains intact, but officials are more concerned about data that relates to ongoing investigations.

The hackers used an email with a spoofed address to infect the system and demanded $4,000 to unlock the files. After consulting the FBI, the police ignored the demand. Instead, they wiped the server clean and reinstalled everything.

Although the police claimed to have been attacked by the OSIRIS virus, BleepingComputer says the ransomware used was possibly a new version of Locky, which affixes the “.osiris” extension to the end of encrypted files.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/texas-police-unit-loses-years-of-evidence-to-ransomware-/d/d-id/1328008?_mc=RSS_DR_EDT

Marketing company leaks 17,000 recorded phone calls, many with credit card numbers

More than 400,000 phone call recordings that include names, addresses, phone numbers and credit card information have been leaked online by Florida marketing company VICI Marketing following suspected security blunders.

The 28GB database was publicly accessible and included recordings of inbound and outbound phone calls.

While most of the audio appears to be clearly linked to VICI Marketing, some recordings do not mention the company’s name.

Researchers at Cologne-based MacKeeper found and reported the breach, then lambasted the Florida firm for the gaffe.

“There is enough information in each call to provide cyber criminals with all they need to steal the credit card information or commit a wide range of crimes,” the researchers say in a disclosure post.

“There is no suspected wrongdoing at this time other than leaking as many as 17,649 audio recordings with credit card numbers and private customer files.”

More than 17,000 of the calls contained financial information.

The database was secured on Thursday but it is not known how long the data has been exposed.

MacKeeper notes some of the recordings do not warn customers that the calls are being recorded or stored, which could be a breach of law should the calls have involved people based in 11 US states where laws mandate consent before recordings can be captured.

The security flub follows a 2008 ruling against the company after it was discovered it had used stolen customer data. The company was found to have failed to validate the provenance of its data sources.

MacKeeper too has had security failings. In December 2015 it exposed a database of 13 million users including their names, email addresses, and weakly-protected passwords.

The software has long been regarded as an unnecessary irritant for its deliberately confusing pop-up advertising. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/30/firm_that_leaked_13m_records_laughs_at_firm_that_leaked_400k_records/

Big Blue’s BigInsights has big-ish bugs

IBM has patched twin cross-site scripting (XSS) vulnerabilities in its Hadoop-probing InfoSphere BigInsights platform.

The patches released last week shutter the bugs (CVE-2016-2924, CVE-2016-2992) that could compromise users of the big data analytics software.

Fortinet researcher Honggang Ren quietly reported the flaws to Big Blue last year and supplied proof-of-concept demonstrations of how to reproduce the vulnerabilities on unpatched BigInsights installations.

The bugs allow guest users to compromise administrators, stealing their credentials and session data, and then to execute malicious code through stored XSS.

“The data that the user ‘guest’ inputs into the ‘name’ field is stored on the server,” Ren says of the stored XSS bug.

“When the [admin] views the alert list, the value of the relevant alert type is retrieved from the stored data on the server. Its label field value is not correctly checked and special characters are not escaped so that the generated web page contains the malicious code.”

Next, “… the injected code is permanently stored on the vulnerable server [so] when a victim navigates to the affected web page in a browser, the injected XSS code will be served as part of the web page.”

The vulnerability class is notably dangerous in that it does not require victims to be phished into clicking XSS links. Stored XSS means an attacker’s malicious code is placed into the application’s storage and resurfaces as part of the web application, executing in a victim’s browser with the app’s permissions.

It can allow hackers to hijack a victim’s browser, steal app data, run internal port scans, and ship browser-based exploits.

Ren urged all users of the platform to immediately upgrade to the patched version. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/30/big_blue_bogs_admin_owning_big_data_bugs/

Cisco TelePresence control software had remote-exploitable bug

Cisco has turned up a packet fragmentation issue in its TelePresence Multipoint Control Unit software that opens up a denial-of-service and remote code execution vulnerability.

Announced here, the bug has been patched, but if you need time to install the fix, you can configure the TelePresence system to run in “transcoded” content mode instead of “passthrough” mode.

When reassembling fragmented packets – IPv4 and IPv6 – the software doesn’t properly validate the packet size. If an attacker sent a crafted fragment to a port receiving content in Passthrough mode, it could overflow a buffer.

Vulnerable systems running software version 4.3(1.68) include: TelePresence MCU 5300 Series; TelePresence MCU MSE 8510; and TelePresence MCU 4500.
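The advisory describes the bug class, not the code, so the following is an added illustration and not Cisco’s reassembly logic: a hypothetical bounds-checked fragment reassembler in which the fragment offset and length from the wire are validated against the buffer before anything is copied, the declared total length is kept consistent across fragments, and retransmitted fragments are not double counted. The buffer size `REASM_MAX`, the struct layout and the scenario inputs are all constructed for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: largest datagram this buffer can hold. The real limit
 * and layout inside the TelePresence MCU software are not known from the advisory. */
#define REASM_MAX 65535u

enum reasm_status {
    REASM_OK = 0,       /* fragment accepted, datagram still incomplete */
    REASM_COMPLETE,     /* fragment accepted and the datagram is now whole */
    REASM_BAD_BOUNDS,   /* offset/length would write outside the buffer */
    REASM_BAD_TOTAL     /* fragments disagree about the total length */
};

typedef struct {
    uint8_t data[REASM_MAX];
    uint8_t covered[REASM_MAX]; /* 1 once data[i] has been filled */
    size_t  received;           /* distinct bytes filled so far */
    size_t  high;               /* highest end offset seen in any fragment */
    size_t  total;              /* declared total length; 0 until the last fragment arrives */
} reasm_t;

void reasm_init(reasm_t *r) { memset(r, 0, sizeof *r); }

/* Apply one fragment. 'off' and 'len' come from the wire and are untrusted;
 * 'last' mirrors the IPv4 "more fragments" flag being clear (or the IPv6 M bit). */
enum reasm_status reasm_add(reasm_t *r, size_t off, const uint8_t *payload,
                            size_t len, bool last)
{
    /* The kind of check the advisory says was missing: the fragment must fit.
     * Written as len > MAX - off so that off + len can never wrap around;
     * a naive "off + len > MAX" test is defeated by a huge offset. */
    if (off > REASM_MAX || len == 0 || len > REASM_MAX - off)
        return REASM_BAD_BOUNDS;

    size_t end = off + len; /* safe: bounded by the check above */
    if (last) {
        /* A final fragment fixes the total; it must agree with anything seen so far. */
        if ((r->total != 0 && r->total != end) || r->high > end)
            return REASM_BAD_TOTAL;
        r->total = end;
    } else if (r->total != 0 && end > r->total) {
        return REASM_BAD_TOTAL; /* non-final fragment reaching past the declared end */
    }
    if (end > r->high) r->high = end;

    for (size_t i = 0; i < len; i++) {
        if (!r->covered[off + i]) {
            r->covered[off + i] = 1;
            r->received++;      /* duplicates and overlaps do not double count */
        }
        r->data[off + i] = payload[i];
    }
    return (r->total != 0 && r->received == r->total) ? REASM_COMPLETE : REASM_OK;
}

/* Scenario helpers returning the status of the decisive fragment. The state is
 * static because the reassembler struct is large; payload bytes are constructed (all zero). */
static reasm_t g_r;
static uint8_t g_payload[1500];

enum reasm_status scenario_oversized_fragment(void)
{
    reasm_init(&g_r);
    /* Offset near the end of the buffer plus a full-size payload: the crafted case. */
    return reasm_add(&g_r, REASM_MAX - 10, g_payload, 1500, true); /* REASM_BAD_BOUNDS */
}

enum reasm_status scenario_wraparound_offset(void)
{
    reasm_init(&g_r);
    /* off + len computed naively would wrap to 99 and pass a "< MAX" test. */
    return reasm_add(&g_r, SIZE_MAX - 100, g_payload, 200, false); /* REASM_BAD_BOUNDS */
}

enum reasm_status scenario_valid_two_fragments(void)
{
    reasm_init(&g_r);
    enum reasm_status s = reasm_add(&g_r, 0, g_payload, 1480, false);
    if (s != REASM_OK) return s;
    return reasm_add(&g_r, 1480, g_payload, 520, true); /* REASM_COMPLETE */
}

enum reasm_status scenario_fragment_past_declared_end(void)
{
    reasm_init(&g_r);
    enum reasm_status s = reasm_add(&g_r, 1480, g_payload, 520, true); /* declares total 2000 */
    if (s != REASM_OK) return s;
    return reasm_add(&g_r, 1480, g_payload, 1000, false); /* REASM_BAD_TOTAL */
}

size_t scenario_duplicate_not_double_counted(void)
{
    reasm_init(&g_r);
    reasm_add(&g_r, 0, g_payload, 1480, false);
    reasm_add(&g_r, 0, g_payload, 1480, false); /* retransmitted copy */
    return g_r.received;                        /* 1480, not 2960 */
}

int main(void)
{
    printf("oversized: %d wrap: %d valid: %d past-end: %d dup-bytes: %zu\n",
           scenario_oversized_fragment(), scenario_wraparound_offset(),
           scenario_valid_two_fragments(), scenario_fragment_past_declared_end(),
           scenario_duplicate_not_double_counted());
    return 0;
}
```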

In other security news, the Cisco WebEx Chrome plug-in bug disclosed by Project Zero’s Tavis Ormandy last week has also turned up in – and been patched in – Firefox and Internet Explorer plug-ins.

Updating its original advisory, Cisco gives users of Firefox and IE the instructions to check their version.

For Firefox, the fix is in Version 106 of the ActiveTouch General Plugin Container. For IE, it’s in Version 10031.6.2017.0127 of the GpcContainer Class for Microsoft Internet Explorer.

Microsoft Edge isn’t affected. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/29/cisco_telepresence_control_software_had_remoteexploitable_bug/

WordPress slips out three quick patches

WordPress has fixed three flaws in its content management system, shuttering cross-site scripting and SQL injection bugs three weeks after its last update.

The world’s most popular content management system, used by some 74.7 million web sites, was open to a SQL injection flaw in the WP_Query class that handles database and post queries.

The WordPress core is not vulnerable to the flaw and now sports additional hardening to prevent plugins and themes triggering the bug.

Another problem, a cross-site scripting vulnerability in the posts lists table, was spotted by WordPress’ internal security team.

Information disclosure rounded out the short patch run with the relevant fix preventing the leaking of user interface taxonomy in relation to Press This.

All bugs patched in version 4.7.2 were reported through responsible disclosure.

WordPress last patched its content management system on 13 January which plugged eight vulnerabilities including cross-site scripting, cross-site request forgery, and remote attack vectors. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/29/wordpress_drops_end_of_jan_quick_patch_run/

Ransomware killed 70% of Washington DC CCTV ahead of inauguration

Criminals infected 70 percent of storage devices tied to closed-circuit TVs in Washington DC eight days before the inauguration of President Donald Trump.

The ransomware infection downed 123 of its 187 network video recorders, each controlling up to four CCTVs, and forced the city to wipe its affected IT systems which it says did not include deeper componentry of the Washington DC network.

Public space cameras were out of action between 12 and 15 January. Police eventually noticed four were not recording, The Washington Post reports.

Technicians wiped and rebooted the devices across the city and did not pay ransom demands.

It is unclear if valuable data was lost or if the encrypted data was decrypted for free, or if the ransomware merely crippled the affected network devices.

Victims unable to restore encrypted data from clean backups need not always pay ransoms; many malware variants have been undone by white hat hackers working under the No More Ransom Alliance, a recent outfit focused on finding and exploiting holes in ransomware that allow free file decryption.

That effort unifies a formerly scattered and siloed, but furious, effort by malware researchers to waste the exploding number of ransomware forms hitting end users and enterprises. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/30/ransomware_killed_70_of_washington_dc_cctv_ahead_of_inauguration/

Wow, look out, hackers: Trump to order 60-day cybersecurity probe

US President Donald Trump will order a 60-day report on the state of the nation’s cybersecurity, complete with recommendations on whether new legal powers are required.

That’s according to a draft executive order leaked to The Washington Post and posted online.

For the most part, the draft [PDF] reflects the persistent position of the US government – namely that cyberspace is a vital national resource, a source of significant innovation and economic value, and the government should ensure its security and actively defend it.

The executive order also notes that the internet is “currently vulnerable to attacks from both state and non-state actors” “that impose significant costs on the US economy and significantly harm vital national interests” and could lead to “significant property damage and loss of life.”

Where the order starts to veer away from the policies of the previous administration, however, comes in the degree of importance placed on the internet strategically, and by extension the amount of influence that the US government should be given over the internet – which remains a global network of largely private servers communicating with one another.

From the draft order:

Cyberspace has emerged as a new domain of engagement, comparable in significance to land, sea, air, and space, and its significance will increase in the years ahead … The Federal Government has a responsibility to defend America from cyberattacks that could threaten US national interests or cause significant damage to Americans’ personal or economic security. That responsibility extends to protecting both privately and publicly operated critical networks and infrastructure.

The Obama Administration recognized the fact that the vast majority of the internet lies in private hands, and so stressed the need for cooperation between companies and the government (a cooperation that stumbled after the Snowden revelations that the NSA was specifically targeting internet companies’ data centers).

The Trump Administration seems to be taking a more authoritarian approach. “The executive departments and agencies tasked with protecting civilian government networks and critical infrastructure are not currently organized to act collectively/collaboratively, tasked, or resourced, or provided with legal authority adequate to succeed in their missions,” the draft order notes – the implication being that government agencies should be given greater resources and more legal power over such networks.

How far?

While the federal government does run significant computer networks and should be expected to protect them as much as possible – particularly given the furor over hacking of highly sensitive networks by the Russian government during the recent election – the executive order may seek to extend that authority beyond government-run networks.

“Critical infrastructure” is defined within the order as:

The term ‘critical infrastructure’ means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The big question is whether that definition of “security” and “national economic security” would include private networks like Google’s email servers or Amazon’s cloud servers. The order isn’t clear.

What is clear is that there will be a review with recommendations. The order calls for a “review of the most critical US cyber vulnerabilities” to begin immediately, with initial recommendations supplied in 60 days.

Those recommendations are to cover “the enhanced protection of the most critical civilian Federal Government, public, and private sector infrastructure, other than US national security systems.” Again the recommendations are expected to cover whether government agencies are “appropriately organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions.”

All of which may mean little, or a lot, depending on what the report finally shows and how much the president decides to try to implement the recommendations.

Say-so

As ever, the reason that the executive order has raised concerns is due to statements made by President Trump during the election campaign, as well as congressional investigations into Russian hacking and ongoing calls for an independent investigation into that hacking.

When it comes to the internet, Trump has said little in policy terms beyond suggesting that it be possible to turn off parts of it, amid a widely mocked suggestion that he contact Bill Gates about how to do so.

In the past, there have also been frequent calls from some lawmakers to introduce an “internet shutoff” for the United States’ internet infrastructure – an approach that has been aggressively criticized and even mocked as impossible – but one that many believe is still possible, given the increasingly frequent use of shutdowns by countries including Brazil, Cameroon, Egypt, India, Iraq, Morocco and Saudi Arabia.

It is unlikely that a cybersecurity review would include a recommendation to add shutoff controls for the United States’ internet infrastructure – one of the largest and most complex in the world – but it is possible that it could be used to insist on access to data in those networks under the pretext of national security. Only time will tell. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/27/trump_60day_cybersecurity_review/