Understanding the Role of Connected Devices in Recent Cyber Attacks

On November 16, 2016 the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a hearing on “Understanding the Role of Connected Devices in Recent Cyber Attacks.” The hearing was in response to the unprecedented distributed denial of service (DDoS) attack on October 21, 2016, which saw consumer websites such as Netflix, Twitter and CNN, as well as others, go down following a botnet attack directed from malware in millions of American devices. The hacked devices (known as bots, or collectively as botnets) flooded these websites with junk traffic, overwhelming the sites and preventing them from distinguishing it from legitimate traffic. The hearing focused on what vulnerabilities are present, possible solutions, and the possible ramifications of attacks by a wide array of malicious actors on consumer devices, critical infrastructure and public safety mechanisms.

The witnesses were industry experts: Dale Drew of Level 3 Communications; Kevin Fu of Virta Labs and the University of Michigan; and Bruce Schneier of the Berkman Klein Center at Harvard University.

Chairman Greg Walden began the hearing by highlighting the increasing use of technology in Americans’ daily lives and their dependence on the internet of things: devices that allow them to control elements of their lives, such as applications and devices that remotely unlock doors, baby monitors, and smart appliances. Many members of the subcommittee remarked that the DDoS attack stressed the importance of securing these devices without losing their benefits, and of balancing functionality, innovation and security. Representative Marsha Blackburn made the important point that the internet of things is growing extremely quickly; the average American has more than three devices. This illustrates the widening gap of insecurity.

The expert witnesses were firm in their view that, while the DDoS attack in October 2016 hit only popular websites and not critical elements, attacks on critical apparatuses such as public safety mechanisms, hospital systems, and critical infrastructure points are highly likely. Internet of things devices have major security flaws and lack built-in security update or patch mechanisms, and consumers are largely unaware of the threat posed by their devices. Mr. Schneier pointed out that many of these devices are the same, having the same basic configuration, which limits consumer control. He also pointed out the various elements that need to be secure, from software to hardware to internet communications. All three panelists discussed the lack of incentives for manufacturers to secure the devices or integrate security mechanisms into production. The panelists urged action on oversight due to the growth of the issue and the inevitable growth in vulnerabilities.

Mr. Fu added that regulations, standards and liabilities for security need to be “built in, not bolted on.” All panelists stressed the importance of addressing the vulnerabilities posed by the internet of things and the unprecedented threat that the United States faces. As in almost every cybersecurity field, the government is clearly very far behind. As experts point out, vulnerabilities in basic systems have grown and will only continue to grow exponentially fast. The government is behind in addressing these vulnerabilities. Greater oversight is called for because of the critical consequences attacks can and will have on both the public and private sectors.

Posted in cybersecurity

Post-Election Projections

I recently shared my reaction to how President-Elect Donald Trump may govern with the Philadelphia Business Journal in a post-election piece, “Greater Philadelphia business leaders react to Trump’s victory.” I said that the country can expect substantial shifts in policy “from health care to energy to financial services issues.” I added, “Everything is on the table and it creates opportunity to roll back some of the things that have been coming out of Washington that business feels are unfriendly.” I also was sure to note that while President-Elect Trump will have to learn how to work with Congress, there are also changes he can accomplish unilaterally through his executive power. “An example [of this] would be labor policy. The overtime rule that raised the standard for which employees could receive time and a half pay. That’s within the realm of the executive branch and he will have the business community in his face trying to influence him to make those type of changes and I think he will,” I explained. View the full article here.

Posted in Uncategorized

Department of Transportation Issues Guidance on Vehicle Cybersecurity

In the latest iteration of the Obama Administration’s cyber push, the Department of Transportation last week released guidance to the automotive industry regarding improving motor vehicle cybersecurity.

The guidance passed down from the National Highway Traffic Safety Administration (NHTSA) offers several key recommendations to auto makers and parts manufacturers, including ensuring that cars can respond to and recover from cyber attacks, securing consumers’ personal data, and streamlining internal company communications regarding cybersecurity.

This twenty-two page guidance marks an important first step both in prioritizing cybersecurity among public and private transportation stakeholders and in recognizing the research and public comment that is required before taking meaningful steps toward securing vehicles from cyber threats. However, given the rapidly changing dynamics of transportation technology, the federal government must get out in front of emerging threats rather than employ a reactive and delayed response to threats that will already have been surpassed by more advanced methods of attack.

Cyber is not an area where the government can afford to be slow paced. Technology changes rapidly in both sophistication and precision, and federal guidance must not merely match but surpass the pace of that growth. The rise of self-driving cars is especially indicative of the Department of Transportation’s need to stop trailing industry trends. As this new industry sees explosive growth that is not matched by important cyber safety checks, public safety will be put in harm’s way.

The government’s response to technological advancement has been lampooned before, even by those on the inside. President Obama has called for greater regulatory innovation with regard to technology in order to replace “old creaky systems.” Simply pointing out these creaky systems is not nearly enough, however; they must be either oiled or replaced before they collapse.

Posted in cybersecurity

Trump’s New Cyber Security Plan?

With the recent news regarding Yahoo’s massive data breach and the continuing posting of Clinton Foundation emails by Wikileaks, cybersecurity policy is beginning to get the discourse it is due. Secretary Clinton’s campaign was swift to publish a lengthy briefing on her cybersecurity policy agenda when she declared her candidacy. Much of it focuses on investment and development in science and technology. In a speech in August, Clinton said cyber-attacks should be treated as an assault on the country and should require “a serious political, economic and military response.” However, the plurality of Secretary Clinton’s cyber proposals would likely continue much of the Obama Administration’s own cybersecurity policy.

Mr. Trump had no cybersecurity platform available, nor had he even discussed a policy platform, until a recent speech to the Retired American Warriors PAC in Virginia in early October. Prior to the speech Trump had said little other than to admonish the failure of U.S. cybersecurity policy. In his speech, Mr. Trump outlined cybersecurity as “an immediate and top priority” for his administration and put forward his plan for strengthening American cybersecurity. At the core of Mr. Trump’s policy suggestions was a panel of “our best military, civilian and private sector cybersecurity experts.” This Cyber Review Team would undertake a “comprehensive review” of U.S. cybersecurity systems and technologies. Among its responsibilities would be to “establish detailed protocols” and “remaining current on evolving methods of cyber-attack.”

What’s the issue with this seemingly harmless and possibly efficient idea?

President Obama had the idea first and it’s already underway. In February of this year the White House issued the Cybersecurity National Action Plan. The first order of business was the creation of a “Commission on Enhancing National Cybersecurity.” Like Trump’s, this commission would also be formed of public and private sector thinkers and a bipartisan congressional delegation. The commission’s mandate is to “make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors.” The commission members, who were announced in April 2016, include: Tom Donilon, former National Security advisor; General Keith Alexander, former Director of the NSA and former Director of U.S. Cyber Command; Joe Sullivan, Chief Security Officer of Uber and former Security Officer of Facebook; Annie Antón, Professor and Chair of the School of Interactive Computing at Georgia Tech; and Ajay Banga, President and CEO of Mastercard. These are only a selected few examples from the twelve-member commission, but the commission clearly represents military, civilian and private sector experts in cybersecurity.

Other than his Cyber Review Team, Mr. Trump hasn’t offered any other solid cybersecurity recommendations. Neither major party candidate is offering real solutions to a critical crisis that is unfolding. Hackings and intrusions will not dissipate but will only grow in size and aggression barring any serious attention by the federal government. At least in this element Secretary Clinton and Mr. Trump agree: cyber is of increasing importance for U.S. national security, infrastructure and business and should be taken much more seriously. This understanding is not enough to prevent potentially debilitating attacks in the future.

Cybersecurity is a dynamic and fast-paced policy realm. Technology is ever-changing and requires almost constant attention and modernization. The federal government’s bureaucratic nature prevents any meaningful progress, both in establishing policy and enacting it. Because of this, much of federal-level policy making is playing catch-up. Cybersecurity needs greater attention at the executive level. The federal government needs a greater understanding of cybersecurity’s ever-evolving nature and a determination to lead the field. These principles apply to whoever becomes the next President.

Posted in Cyber, cybersecurity

U.S. DOT Issues New Air Travel Consumer Protection Rulemaking Initiatives

The U.S. Department of Transportation (DOT) has announced a new round of consumer protection-related rulemaking initiatives affecting U.S. and foreign airlines, ticket agents, and air travel consumers. As part of these initiatives, DOT has issued:

  • a third final rule (PP3) further strengthening airline passenger protection regulations;
  • a final rule amending requirements for airline reporting of mishandled-baggage data and establishing new requirements for airlines to report statistics for mishandled wheelchairs and scooters used by disabled passengers and transported in aircraft cargo compartments;
  • an Advance Notice of Proposed Rulemaking (ANPRM) requesting comments on how airlines should refund checked baggage fees when they fail to deliver passengers’ baggage in a timely manner, as required by the FAA Extension, Safety, and Security Act of 2016; and
  • a request for information regarding airline restrictions on the distribution and display of flight schedules and fare information.

DOT also announced that it plans to issue a Supplemental Notice of Proposed Rulemaking (SNPRM) on the disclosure of ancillary services fees to consumers at all points/channels of sale, including global distribution systems (GDSs). DOT will also issue at a later date a final rule on the definition of “ticket agent,” customer service commitments by large ticket agents, and the prohibition of post-purchase price increases for ancillary services and those relating to “mistaken fares.”

Learn more about these developments here.

Posted in Uncategorized

OFAC Issues General License to Authorize US persons to Enter Contingent Contracts for Trade with Cuba

On Friday, October 14, 2016, the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury issued a General License to authorize U.S. persons to enter into certain contingent contracts for trade with Cuba.  All U.S. trade with Cuba is subject to OFAC enforcement and must be authorized by either a specific license focused on an individual transaction or a general license that covers all transactions associated with a trade area.

This change in OFAC policy and regulations is a significant step forward in expanding opportunities for U.S. persons to explore and develop business relationships in Cuba.  Previous authorizations regarding contract negotiations and execution had been limited to specific business sectors or tied directly to licensed transactions.  These new regulations will allow a broad cross-section of U.S. business to move forward with exploring trade with Cuba in a manner previously prohibited.

The General License issued Friday, while allowing U.S. business to negotiate and enter into contracts, requires that the performance of such a contract be “expressly made contingent” upon the prior authorization of the covered transaction by OFAC (e.g., by specific or general license) or upon authorization no longer being required (e.g., the lifting of sanctions).  The General License specifically defines contingent contracts to include executory contracts, executory pro forma invoices, agreements in principle, executory offers capable of acceptance such as bids or proposals in response to public tenders, binding memoranda of understanding, or any other similar agreement.  If the contemplated transaction is subject to licensing by another federal agency, the contract must also be made contingent on obtaining such a license or the removal of those license requirements.  Additionally, OFAC updated existing regulations to authorize travel and transactions that are “ordinarily incident” to the negotiation of and entry into contingent contracts.

It is important to note that the current OFAC licensing regime can be arduous and time consuming for businesses.  We anticipate that as U.S. businesses enter into contingent contracts, there will be increased calls for changes to OFAC licensing requirements and the broader U.S. embargo towards Cuba.

Additional areas impacted by today’s announcement include: FDA approval of Cuban-origin pharmaceuticals; vessel transactions; civil aviation safety; travel; and humanitarian-related transactions. For more information, please see OFAC’s Fact Sheet here and see Cozen O’Connor’s alert here.

Posted in Uncategorized

A Turning Point on Substance for Trump?

On August 31, Trump delivered a campaign-defining speech on immigration. In the past, Trump’s speeches and interviews have mostly consisted of easily digestible phrases that leave no room for fleshing out substantive policy proposals. He has boiled complicated issues down to good and bad, tremendous and disastrous. While Clinton is well known for being wonkish almost to a fault, Trump does not have a clear plan for most aspects of foreign or domestic policy.

His speech in Phoenix for the first time laid out specific pieces of legislation and programs that Trump would champion to achieve immigration reform. Secure Community Programs. 287g partnerships. The Davis-Oliver bill. Biometric entry/exit visa tracking programs. During his hour-long speech, Trump appeared somewhat wonkish in a way he never has before, and he slammed Clinton for not having a specific plan herself. While the Washington Post has determined that most of Trump’s solutions were based on faulty research, Trump nevertheless emerged from Phoenix looking like a candidate who had some semblance of knowing what he was talking about.

In the course of giving this speech, Trump has started to appear as if he has co-opted the characteristics that have traditionally been associated with Clinton’s reputation, thereby pushing back against the unpredictable versus measured dichotomy that distinguished the two candidates for most of the campaign. While he will never surpass Clinton on either of those fronts or rid himself of his fiery reputation, Trump’s busy day on immigration has proved that he can move between the spheres of straight-talker, schoolyard bully, representative of America, and thinker-in-chief.

Posted in immigration reform

7 Reasons Why Trump Would Hate Being President [Politico]

In an op-ed, “7 Reasons Why Trump Would Hate Being President,” published by Politico Magazine, Howard Schweitzer, managing partner of Cozen O’Connor Public Strategies, writes about how Donald Trump may actually feel about the duties and restrictions of being POTUS. There have been various conjectures that Donald Trump may be sabotaging his own campaign and in this piece, Howard writes, “As outlandish as that may seem on its face, there are reasons that it may very well be true. Should he win, Trump will loathe the next 1,460 days of his life.” Before presenting the reasons, Howard said, “As someone who has never worked in Washington, never obtained a security clearance, never received an ethics briefing, and never assembled a team of experienced policy aides, Donald Trump will be in for the shock of his life when he realizes starting January 20, 2017 just how much harder – and different – running a government is from running a private business. The Republican nominee will hate the presidency, so much so that even if he won the White House, he would be sorely tempted to quit before his term even ends.”

In reason number 2 regarding Trump’s potential frustration with Congress, Howard references his own government experience. He writes, “I know from my firsthand experience as the program’s chief operating officer that when it was created in October 2008 the bailout was not simply a matter of executive prerogative. The president and his Treasury secretary couldn’t just snap their fingers and execute – and in this instance the security of the financial system was hanging in the balance.”

To read the full article, please click here.

Posted in Uncategorized

Trump and Clinton Continue to Offer Very Differing Approaches to Campaigning

Blake Rutherford joined “Making Money with Charles Payne” on Fox Business News to discuss the presidential campaign and recent developments related to Trump’s social media antics and Hillary Clinton’s campaign approach. Blake commented on the problems that Trump’s Twitter use has caused, saying that his constant presence on Twitter detracts from his ability to concentrate on the actual issues of the campaign that could distinguish him from Hillary Clinton. “Donald Trump is the most undisciplined nominee in the history of presidential politics,” said Blake. “[He] ought to focus on getting Twitter off his mobile phone and instead get focused on the issues that are important in this campaign.”

Blake then discussed Hillary Clinton’s recent $80 million ad buy spend and use of campaign resources. When asked if the campaign’s recent decisions indicate overconfidence, Blake disagreed, asserting that her strategy demonstrates a “concerted effort to not only engage in an effective paid advertising campaign but also a grassroots mobilization campaign and a digital outreach campaign that is going to win this election in November.” Blake also refuted alleged concerns that Hillary Clinton will not raise adequate funds to remain competitive, explaining, “She’s organized in every battleground state; Donald Trump is not. She’s up on the air in every battleground state; Donald Trump is not. What you’re seeing from the Clinton campaign is a commitment to win this race on the ground. My home state of Pennsylvania is a great example of where ground game is going to make a very big difference. Donald Trump is simply not organized there. She’s putting the resources that she raised into the battleground states. Twitter is just not going to be enough for Donald Trump to win.”

View the full clips here and here.

Posted in Uncategorized

Pennsylvania Likely Remains a Democratic Stronghold

In a Wall Street Journal article discussing whether Pennsylvania remains a definite win for the Democrats in the 2016 presidential election, I explained what the Hillary Clinton campaign must do in order to secure the state in their favor. Expanding on the notion that the minority vote is key to keeping the state blue, I said, “She’s got to mobilize turnout in Philadelphia County. That’s the key for any Democrat to win Pennsylvania.”

View the full article here.

Posted in Uncategorized