Risks in Governmental Cybersecurity Program : Case Study of the Einstein Project

The Risk of Secrecy in Governmental Cybersecurity Program : Case Study of the Einstein Project

Charlotte Clément-Cottuz

This paper argues that the over-secretive nature of cybersecurity national programs that protect national agencies actually hinders such programs while it demonstrates that a more transparent implementation could enhance its efficiency. This argument can appear paradoxical as logically the more transparent a cybersecurity program is, the easier it can be for hackers to find loopholes in these programs and thus to perpetuate their malicious intents. However, based on the case study of the US Einstein program, this paper demonstrates that the shortcomings of such programs are majorly caused by unnecessary exaggerated secrecy.

Einstein, or formally called the US National Cybersecurity Program System, was developed by the United States Computer Emergency Readiness Team (US-CERT) which is the operational arm of the National Cyber Security Division of the US Department of Homeland Security (DHS). This department “has the mission to provide a common baseline of security across the federal civilian executive branch and to help agencies manage their cyber security risk” (CDT, 2009). Internationally, national governments have implemented similar programs to defend their national organisations against cyber offensives. For example, in France, the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Informations) ensures the cybersecurity of national public and private sector operators. Nevertheless, confronted with the lack of information concerning the digital control and supervisory control and data acquisition systems (DC/SCADA) put in place by the ANSII (Dila, 2013) or other national governments across the globe, this post focuses on the US and its Einstein program.

More precisely, Einstein was developed to fulfil two key roles in federal government cybersecurity. First, as an intrusion detection capability, it detects and blocks cyberattacks from compromising federal agencies by monitoring these federal agencies internet connections for specific predefined signatures of know malicious activity and anomalies and alerts US-CERT when specific network activity or host-based intrusions match the predetermined signatures are detected. Second, Einstein was enhanced to also become an intrusion prevention capability that automatically blocks malicious traffic from entering or leaving the federal civilian executive branch agency networks. To this extent, Einstein has the capability of analysing the content of emails and other Internet websites (Gorman, 2009). This raises massive privacy questions. Indeed, there are no clear or transparent guidelines made public about Einstein’s exact mission, who reads these emails, what are the tools implemented against cyber threats and which precise cyber threats are encompassed in such a vast definition (CDT, 2009). Therefore, the US-CERT and the DHS profit from a lot a legal leeway when they are questioned or held accountable and overall they benefit from this lack of transparency (Gao, 2010) at the expense of the Einstein users.

On top of the privacy risks caused by the lack of transparency, the latter also impairs on Einstein’s efficiency. Indeed, another role of Einstein is cross-collaboration between the agencies: once an agency acknowledges an intrusion/signature/zero day, it alerts the US-CERT which then informs the other agencies of the newly determined intrusion. Therefore like a network effect, the more agencies using Einstein and hence finding signatures and exchanging them, the higher is Einstein’s global success rate. However, Einstein is only implemented in 5 agencies out of 23 because each agency implements different technologies to protect its sensitive data that are not compatible with the Einstein program. Therefore, the lack of transparency between federal cybersecurity programs impairs on the effort of the federal Einstein program and diminishes its efficiencies. Indeed, during a test to flag a portion of vulnerabilities associated with common softwares applications across multiple federal agencies, only 6% of all the security bugs tested were found. That’s 29 out of 489 vulnerabilities (Paganini, 2016). If more transparent, Einstein’s would be easier to implement and hence more efficient.

Finally, the efficiency shortcomings of the Einstein program could be straightened up by informing the federal employees whose computers are running the Einstein program. Indeed, over-preoccupied by the secrecy of the program, the DHS did not inform the federal employees whose computer were running the program. However, if the US-CERT simply informed the employees that the program is running, communicated on the EINSTEIN program, employees would be more aware and careful of malwares and phishing tentatives. Furthermore, if the US-CERT encouraged cybersecurity awareness programs, it would definitively increase the efficiency of Einstein. And to a certain extent, “agencies should ultimately employ a multi-layered approach to security that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies” (Cooney, 2015).

Even though it is being amended, Einstein raises serious concerns of transparency. Its lack thereof causes privacy contingencies but also inefficiencies and failures, which can endanger the US national sovereignty to a certain point. However, a more transparent implementation with more thorough information concerning the program communicated by the US-CERT would increase the number of federal agencies relying on the Einstein program and hence its
capability. Furthermore, at the grass roots level or in other words at the user level, awareness and communication on the EINSTEIN program would increase the number of signatures detected and hence once again EINSTEIN’s efficiency. In a few words, transparency is the best policy.

References

CDT, 2009. ‘Einstein Intrusion Detection System: Questions that Should be Addressed’, Center for Democracy & Technology, July 2009.

Dila, 2013, Direction de l’information  légale et administrative. Livre Blanc Défense et Sécurité Nationale, 2013.

Gorman, S. 2009. ‘Trouble Plague Cyberspy Defense’, Wall Street journal, July 3rd 2009.

CDT, 2009. ‘CDT report : Privacy, Legal Concerns Surround Secret Government Cybersecurity System’, CDT, July 28, 2009.

Gao, 2010. ’Cybersecurity: Progress made but challenges remain in defining and coordinating the comprehensive national initiative’, Report to Congressional Requesters, March 2010.

Paganini, P. 2016. ‘Audit shows Department of Homeland Security 6 billion U.S. Dollar firewall not so effective against hackers’, Security Affairs, February 1, 2016.

Cooney, M. 2015. ‘GAO: Early look at fed’s “Einstein 3” security weapon finds challenge’, Network world, July 9th 2015.

Read the full blog post here: Risk in Governmental Cybersecurity Program JSTI 2017

Blockchain Regulatory Framework, Legal Challenges and the Financial Industry

Blockchain Regulatory Framework, Legal Challenges and the Financial Industry

Camille Madec

Introduction

In order to stay competitive, financial industry must seize the opportunities of the on-going technological disruption, and particularly with the recent so-called blockchain innovation when some argue that this new technology has the potential to replace banks as financial intermediaries for transfer and exchanges of money. In this transitional context, financial sector could face new cybersecurity risks, with sophisticated attacks, which eventually call for a renewed regulation framework. Here the financial sector means banks, insurers, asset managers, and advisory firms.

Blockchain can be defined as “a peer-to-peer operated public digital ledger that records all transactions executed for a particular asset (…) The Blockchain maintains this record across a network of computers, and anyone on the network can access the ledger. Blockchain is ‘decentralised’ meaning people on the network maintain the ledger, requiring no central or third party intermediary involvement. […] Users known as ‘miners’ use specialized software to look for these time stamped ‘blocks’, verify their accuracy using a special algorithm, and add the block to the chain. The chain maintains chronological order for all blocks added because of these time-stamps.” (Alderman, 2015)

Hence, Blockchain, well known through the so-called bit coin, could open much more perspective and should guaranty security and the validation of all the exchange of data. In addition to open room for new business opportunities, this new technology could disrupt the legal conception of privacy, intellectual property right, and presents some issues regarding financial institution accountability given the new associated risks. As a consequence while financial institutions have been under strengths by the new regulatory requirements in the aftermath of the 2008 financial crisis, they might see their accountability rises again to address cybersecurity risks and associated prejudices related to blockchain innovation.

This paper explains how business compliance to new cyber regulatory framework is a strategic issue for financial institutions. It presents the financial institutions specific data profile and linked eventual collateral damages. It highlights blockchain innovation opportunities and associated new cybercrime challenges. It describes the current European regulatory framework and legal accountability scenarios. It then finally supports the hypothesis of cyber compliance as a corporate competitive advantage and maps out some elements
of potential recommendations to strengthen cybersecurity resilience.

Read the full strategic report here: regulatory compliance and cybersecurity

References

Alderman, P. (2015). Blockchain –emerging legal issues. Lexology, Global.

Privacy on the Internet: a sweet dream?

 Privacy on the Internet: a sweet dream?

Quentin Jaubert, Adrien Zamora

Introduction

Big Brother is watching you” wrote Georges Orwell. In this groundbreaking book, Orwell describes a society in which the officials know everything that would happen inside the country by performing an omnipresent surveillance over the inhabitants. Today’s police forces and secret services own a numerous number of surveillance tools such as biometry, chips, facial recognition, localization that allow them to become very intrusive security forces. But the “policing” has now also become the property of major private companies (social media platforms, search engines, telecommunication carriers etc). A funny way of rethinking Orwell’s quote in our modern world would be: “Big Browser is watching you”.

There was a time where people had their privacy. One could go shopping when exiting the office, buy several stuffs in cash, go back home, close the doors and curtains, and run their private life. That was it. But privacy has evolved over time. If “privacy” can be defined as a “right to be let alone” (Warren and Brandeis, 1890), or even “the right to prevent the disclosure of personal information to others” (Westin, 1968), the concept has recently taken a multidimensional nature regarding “information, accessibility and expression” (Decew, 1997), and with the rise of the Internet, technology has created new privacy issues (Austin, 2003) which lead us to wonder: is online privacy a sweet dream?

In order to understand the issues linked to our online privacy and generate insights from it, we adopted the following method:

How has the privacy concept evolved with the appearance of the Internet?

In such a connected world, should we/can we protect our privacy? If yes, how?

Where will we be standing in the next 5, 10, 20 years? Will “online privacy” ever mean anything in the next decades?

Read the full strategic report here: privacy on the internet: a sweet dream?

References

Austin, L. (2003). Privacy and the Question of Technology. Law and Philosophy, 22(2), 119-166.

DeCew, J. W. (1997). In pursuit of privacy: Law, ethics, and the rise of technology. Cornell University Press.
Orwell, G. (2009). Nineteen eighty-four. Everyman’s Library.
Warren, S. D., & Brandeis, L. D. (1890). The right to privacy. Harvard law review, 193-220.
Westin, A. F. (1968). Privacy and freedom. Washington and Lee Law Review, 25(1), 166.

Cybersecurity, a new challenge for the aviation and automotive industries

Cybersecurity, a new challenge for the aviation and automotive industries

Hélène Duchamp, Ibrahim Bayram, Ranim Korhani

Abstract:
This paper will focus on cybersecurity in the civil aviation industry, but will also present some of the threats that exist in a much more daily transportation mode: personal cars.
We will present the stakeholders involved in the aviation industry, point out the sources of the vulnerability of the industry to cyber attacks, and then analyze the efforts put in place to deter cyber attacks against commercial aircraft. The same order of reasoning will be applied to the automotive industry

Introduction

The aviation industry is important to the global economy. In 2013, the air transportation network carried over 48 million tons of freight and over 2.6 billion passengers. Its global economic value was estimated at 2.2 trillion dollars (AIAA, 2013). Any (cyber)-attack in this industry would result in important social and economic consequences.

With the development of new technologies such as internet, the global aviation industry is subject to a new and growing type of threat coming from cyberspace. As in the other industries, cyber threats purposes are for example the robbery of information, political actions, make profit, or simply weaken one stakeholder of the industry.

Because of its complexity and its weight in the economy, breaking the aviation industry’s security constitutes a great challenge for hackers and terrorists. Moreover, this industry relies more and more on information and communication technology (ICT). As an industry that is well known for providing one of the safest type of transportation, it is mandatory for all its stakeholders to understand the risks and to prevent any malicious events for the good of the industry, the economy, the population and the environment.

Read the full strategic report here: cybersecurity, a new challenge for the aviation and automotive industries

References

AIAA. (2013). The connectivity challenge: protecting critical assets in a networked world – a framework for aviation cybersecurity.

Can ISIS’s cyber-strategy really be thwarted?

Can ISIS’s cyber-strategy really be thwarted?

Kenza Berrada, Marie Boudier

Abstract:

Never in the history of terrorism had an organization appeared as web-savvy as the Islamic State. The extensive use of the internet allows ISIS to conduct its most vital operations. It can easily spread its hateful and violent messages to every corner of the world, reach vulnerable young people and lure them into joining the force, send orders and raise funds. All of it without much sophistication, only using available tools such as Telegram or the Deep&Dark net. Confronted to the issue, the US government, Silicon Valley’s top executives or the hackers organization Anonymous have each taken action to fight the terrorist organization’s sprawl on the internet. There is no evidence for the moment proving the effectiveness of their initiatives as ISIS continues to recruit, plan attacks and does not show any sign of weakness.

Introduction

Google stated in February 2016 that more than 50,000 people search for the phrase “Join ISIS” each month. This fact illustrated the latest trend in today’s world terrorism, which is the heavy use of social media and cyber capabilities to assert their domination. The Islamic State of Iraq and Syria (ISIS) is by far one of the most advanced terrorist organizations in terms of their social media capabilities (Farwell, 2014). It is no coincidence ISIS is so successful on the virtual landscape. The group benefits from an extremely elaborate media and public relations strategy. Indeed, Al Hayat Media Center, their own media hub, produces, distributes and manages all their virtual content. With a designated press officer and their own designed mobile application, ISIS takes advantage of a true branding and marketing strategy, as if it were a regular business.
ISIS’s cyber-strategy will be studied first, looking how it uses the Internet for their personal agenda, such as recruitment, propaganda, internal communication, fundraising, and cyber-attacks. Then, focus will be on the possibility to block the Internet, and how diverse stakeholders like the US or private companies plan on controlling the terrorist organization and thwart their online presence.

Read the full strategic report here: ISIS Cyberstrategy

References

Farwell, J. P. (2014). The media strategy of ISIS. Survival, 56(6), 49-55.

Cybersecurity and the Internet of Things

Cybersecurity and the Internet of Things

Sarah Baker, Grégoire Frison-Roche, Barbora Kuncikova

Abstract:

The Internet of Things (IoT) is a topic that gets a lot of attention and has become somewhat of buzzword in business and technology today. In many ways, this hype and excitement is not misplaced, as IoT has fascinating implications and opportunities for both consumers and businesses. However, the cybersecurity threats that this explosive growth represents are sometimes overlooked or not clearly understood. This paper will introduce the concept of IoT, including the definition, trends and applications. The next section will discuss the potential cybersecurity risks for IoT, for both industries and consumers. Finally, the last section will discuss recommended preventative measures and defense mechanisms available, while considering the fast changing nature of IoT technology.

Introduction: What is the Internet of Things?

The past decades have seen huge advances in electronic communications, from the rise of the Internet to the ubiquity of mobile devices. However, this communication is now shifting from devices that simply connect users to the Internet, to communication linking the physical world to the cyber world (Borgia, 2014). Generally speaking, this notion is called Cyber Physical Systems (CPS) and includes technologies such as (i) automation of knowledge work, (ii) Internet of Things, (iii) advanced robotics, and (iv) autonomous/ near autonomous vehicles (Borgia, 2014). However, IoT is considered to be the CPS technology with the largest expected economic impact (Manyika et al., 2013).

Given IoT is one of the most talked about trends in IT, there are as many definitions of the phenomena as there are angles to study. The origins of the concept IoT can be traced back to a group at MIT, who defined it as “an intelligent infrastructure linking objects, information and people through the computer networks, and where the RFID technology found the basis for its realization’’ (Brock, 2001). Today, IoT extends far beyond RFID technology. A more recent definition describes IoT as “a highly interconnected network of heterogeneous entities such as tags, sensors, embedded devices, handheld devices and backend servers” (Malina et al., 2016). The International Telecommunication Union (ITU) describes IoT as “anytime, any place connectivity for anyone… connectivity for anything. Connections will multiply and create an entirely new dynamic network of networks – an Internet of Things’’ (ITU, 2005).

Therefore, the defining attribute of IoT is that it involves things, moving beyond networked computers, tablets or smartphones to include just about any physical object that can be connected and communicate. The value offered by IoT comes from the fact that these objects which are not machines, and do not function like machines are able to gather and communicate data, which means information can be translated into action at astounding rates (Burrus, 2014). The concept behind IoT was aptly captured back in 1999:

If we had computers that knew everything there was to know about things — using data they gathered without any help from us — we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best. The Internet of Things has the potential to change the world, just as the Internet did. Maybe even more so” (Ashton, 2009)

This strategic report focuses on securing the Internet of Things. Read the full report here: Cybersecurity and the Internet of Things

References

Ashton, K. (2009). That ‘internet of things’ thing. RFiD Journal, 22(7), 97-114.
Borgia, E. (2014). The Internet of Things vision: Key features, applications and open issues. Computer Communications, 54, 1-31.
Brock, D. L. (2001). The electronic product code (epc). Auto-ID Center White Paper MIT-AUTOID-WH-002.
Burrus, D. (2014). The Internet of Things is far bigger than anyone realizes. Wired. Accessed November.
ITU. (2005). ITU Internet Reports 2005: The internet of things. Geneva: International Telecommunication Union (ITU).
Malina, L., Hajny, J., Fujdiak, R., & Hosek, J. (2016). On perspective of security and privacy-preserving solutions in the internet of things. Computer Networks, 102, 83-95.
Manyika, J., Chui, M., Bughin, J., Dobbs, R., Bisson, P., & Marrs, A. (2013). Disruptive technologies: Advances that will transform life, business, and the global economy (Vol. 12). San Francisco, CA: McKinsey Global Institute.

Cybersecurity & Cyber Threats in Healthcare Organizations

Cybersecurity & Cyber Threats in Healthcare Organizations

Aurore Le Bris, Walid El Asri

Abstract:

Cybersecurity has become a strategic issue for healthcare facilities. This current risky situation comes from an internal double threat: the misuse of IT systems by employees due to their low risk awareness and the lack of proper funding dedicating to Information Security. Simultaneously, the democratization of hacking techniques has also increased the number of potential perpetrators and the variety of their profile. The multiplication of healthcare facilities hit by such attacks reveals how absolutely necessary the question of cybersecurity is. Thanks to the mediatization of these incidents, concerns now grow among general public and authorities, which trigger more and more initiatives to turn things around: FDA, AHA, HITRUST in the USA. A move towards more coordination in necessary. Furthermore, facilities’ staff is essential in solving the hacking issues. Indeed, cybersecurity cannot be improved without training employees to use devices properly, raising their awareness on cyber threats and ensuring their compliance with security policies.

Introduction

Cybersecurity has become a crucial issue for many organizations but also for private individuals. As well as for “regular” crime, anyone may become a target of ill-intentioned people, exploiting the vulnerabilities of information systems (IS) in any possible way. Healthcare organizations are some of the entities we trust the most and that hold the most sensitive information about us: name, date and place of birth, medical records, social security details, etc. Suffering from many flaws (low budget, lack of IT organization, excessive use of legacy systems…), healthcare actors have become easy targets for hackers, facing more and more pressure and threats from them (Fu and Blum, 2013).

This article aims at depicting the current state of cybersecurity in healthcare organizations as well as at understanding the main cyber threats they face and how these last ones could be addressed.

First of all, the stakes and risks associated to the healthcare environment will be presented. The different types of assets likely to be targeted will be reviewed as well as the profile of the potential attackers/threats and their objectives. Then, examples of attack scenarios – that occurred in real life or pentests – will be studied in order to highlight the consequences they may have on healthcare IS. Finally, the current state of cybersecurity in healthcare facilities will be portrayed and possible measures to enhance it will be discussed.

The following strategic report assess new risks and threats towards healthcare facilities and organizations. Read the full report here:
Cybersecurity & Cyber Threats in Healthcare Organizations

References

Fu, K., & Blum, J. (2013). Controlling for cybersecurity risks of medical device software. Communications of the ACM, 56(10), 35-37.

A Strategic Approach to the Tor Network

A Strategic Approach to the Tor Network

Why should firms go dark?

François Courset,­ Margot Favennec, Candice Hamou

Abstract:

The dark web should be considered by companies for various reasons. It offers a large panel of useful tools that can be crucial for negotiation or security. Moreover, even if it can appear as a niche network, opening an onion version of the companies’ websites might help them to boost their image. It can also bring new users to the website, users that usually cannot reach it because of censorship issues. Finally, we have seen new emerging trends related to the dark web. The Tor network might be seen in the future as a guarantee of security online but it can also deeply change the way data are used. Taking into consideration the dark web, not only as a place of illegal activities, but also as a new channel with its own opportunities and constraints is thus essential for all decision-­makers.

Introduction: For the Web is dark, and full of terrors?

The Dark Web has been fascinating and fueling the imagination of many Internet users for a few years now. The collective art group Mediengruppe Bitnik even created a Random Darknet Shoper, a bot which bought a random object from the darknet market place Agora and then sent it to the two artists in charge of the project. This artistic project, aiming at debunking consumerism, showed yet that drugs are not the only things you can find on the Dark Net. You can also find everything you buy in the “clean world”, and buy these with a refund service -­ the two artists received a refund for a bag that was no longer available.

The Dark Web, instead of being the place gathering the worst side of humanity (drugs, pedophilian contents…) could also thus be a place where a real economy grows and prospers.

That’s why the following question deserves to be asked: can the Dark Web be profitable for firms then? Could a reliable “dark” business model exists and could the dark web be used as a almost regular tool to increase a firm’s profit?

First things first, the Dark Web is often misperceived among the global population since the media hype mainly focuses on scandals such as Silk Road’s. This tends to depict it as a place where you can find barely anything illegal, from drugs to hitmen. Yet the Dark Web is not only about illegal traffic. It is much more than that. What’s more, a distinction has to be made, a distinction that is far to often forgotten or neglected. As shown by the two pictures you will find in the report (page 3), there are different levels beneath the “Surface Web” we all know. First comes the “Deep Web”, where you can find many reports, storage datas, and again underneath this Deep Web comes the “Dark Web”, where all communications are encrypted. Now let’s clarify what each term means:

Deep Web: information not accessible with a regular search engine. It is a Web concept regarding search engine (Bergman, 2001).

DarkNet = Dark Web = Tor = information not accessible with a regular search engine or a browser.

The Deep Web has a far larger content that the Surface Web: 1GO of indexed page versus 550GO of deep web page and 19TB of indexed content versus 7500 TB of deep web content, to quote only but a few numbers from a recent study. To be really thorough, Dark Nets are all the overlay networks on the Deepweb, and Dark Web is the content of some Darknets. Thus one DarkWeb may be considered as a small portion of Deep Web. Deep Web and DarkWeb are very often confond, yet they are not the same!

We chose to focus on Tor since this is what most people use to get into Darknets and to browse the Web anonimously. Tor enables you to protect your privacy while looking at any webcontent, and from our point of view, this is one crucial asset for a business model based on the use of Darknets. In the wake of the growing yearn for privacy and of protest against wild data collection, Tor is definitely something firms should get interested in.

The following report assess the strategic value of Tor for businesses. Read the full report here: A Strategic Approach to the Tor Network

References

Bergman, M. K. (2001). White paper: the deep web: surfacing hidden value. Journal of electronic publishing, 7(1).

Cybersecurity, Cybercrime and cyberwarfare research