Estimating the Costs of Cyber Attacks Against the U.S., Billions


Cyberattacks cost the United States between $57 billion and $109 billion in 2016

The report, published by the White House Council of Economic Advisers, examines the cost that malicious cyber activities impose on the U.S. economy.

The report analyzed the impact of malicious cyber activities on public and private entities, including DoS attacks, sabotage, business disruption, and theft of proprietary data, intellectual property, and sensitive financial and strategic information.

Damages and losses caused by a cyber attack may spill over from the initial target to economically linked organizations. Critical infrastructure sectors are the most exposed: an attack against companies and organizations in those sectors could have a severe impact on the US economy.

The document warns of nation-state actors such as Russia, China, Iran, and North Korea, which are well funded and often conduct sophisticated targeted attacks for both sabotage and cyber espionage.

***

The forecast of the cost of damage in coming years…

In part from Forbes: In 2015, the British insurance company Lloyd’s estimated that cyber attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business. Some vendor and media forecasts over the past year put the cybercrime figure as high as $500 billion and more.

From 2013 to 2015 the cyber crime costs quadrupled, and it looks like there will be another quadrupling from 2015 to 2019. Juniper research recently predicted that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.

The World Economic Forum (WEF) says a significant portion of cybercrime goes undetected, particularly industrial espionage where access to confidential documents and data is difficult to spot. Those crimes would arguably move the needle on the cyber crime numbers much higher.

Large banks, retailers, and federal agencies make the headlines when they are hacked, but all businesses are at risk. According to Microsoft, 20% of small- to mid-sized businesses have been cyber crime targets.

For anyone who wants to tally their own bill from cyber crime, check out Cyber Tab from Booz Allen. It is an anonymous, free tool that helps information security and other senior executives understand the damage to companies inflicted by cyber crime and attacks. More here.


U.S Ethics Office: we know how to rebuild the public’s trust

Ah what?

February 5, 2018

When we become public servants, custodians of the people’s government, we take an oath.

We take an oath to faithfully perform our duties, an oath to protect and defend the Constitution of the United States.

The success of our Constitution, the success of our government, depends on the trust of the people that we serve. Today, our fellow citizens are suspicious of their government. A recent Transparency International report found that a clear majority of the American people think that corruption is getting worse.

Fortunately, we know how to rebuild the public’s trust.

We build their trust by doing our jobs, faithfully.

We build their trust by acting solely for the public good and eliminating conflicts of interests.

We build their trust by telling the truth.

The good news is that most of you are carrying out the people’s business with honor and integrity. You’re keeping your oath. Thank you. Remember what is at stake and take pride in your service.

On the other hand, those who are doing things that undermine the public’s trust, even if they don’t violate a rule, need to stop. Nothing you could gain economically or politically could possibly justify putting our democracy at risk. These are perilous times.

So, keep your oath and earn the public’s trust. We, as public servants, hold our positions of trust “for such a time as this.”

But then…get a load of this document citing how bad things are and what is at the core of the matter.


So, if things are so great…then why these issues below?

Financial Conflicts of Interest & Impartiality
An executive branch employee’s personal or “imputed” financial interests or other circumstances may require that the employee be disqualified from working on a particular Government matter, be prohibited from holding specified property, or be prohibited from accepting a payment from a non-Federal source.

Gifts and Payments
An executive branch employee generally may not give (or solicit contributions for) a gift to an official superior or accept a gift from another employee who receives less pay; generally may not solicit or accept a gift from a “prohibited source” or given because of the employee’s official position, and may be prohibited from accepting a payment from a non-Federal source.

Use of Government Position & Resources
An executive branch employee is required to act impartially; may not make improper use of Government position, title, or authority; and may not use Government property, nonpublic information, or time (including the time of a subordinate) for other than authorized purposes.

Outside Employment and Activities
An executive branch employee may be required to seek approval before engaging in an outside activity; may be disqualified from working on a particular Government matter while engaged in the activity; may be prohibited from accepting compensation for an activity; or may be prohibited from engaging in a particular outside activity.

Post-Government Employment
An executive branch employee may be disqualified from working on a particular Government matter while seeking post-Government employment and, after leaving Government service, a former employee is prohibited from engaging in certain activities.

Selected Employee Categories
Executive branch ethics provisions generally apply only to Government “employees”; may apply only to certain categories of employees or may apply differently to certain categories of employees or not at all; and generally do not apply to “representatives” serving on an advisory committee or to independent contractors.

Enforcement
When ethics officials find evidence that an employee has violated an ethics criminal statute or regulation, they must refer that evidence to the appropriate authority for action.

*** A program called Integrity? Yup…

Integrity

Integrity is an electronic financial disclosure system created by the U.S. Office of Government Ethics (OGE).

What is the purpose of financial disclosure?

Financial disclosure reports are the primary tool used to identify and resolve potential conflicts of interest between an employee’s official duties and his or her private financial interests and affiliations.

Why did OGE create Integrity?

The Stop Trading on Congressional Knowledge Act of 2012, as amended, directed the President, acting through the Director of OGE, to develop an electronic system for filing executive branch public financial disclosure reports. As a result, OGE developed a system named Integrity to collect, manage, process, and store financial disclosures.

Who uses Integrity?

Senior officials in the executive branch who are required to file public financial disclosure reports use Integrity to file their reports. OGE and agency ethics officials use Integrity to review financial disclosure reports for conflicts of interest and manage the executive branch financial disclosure program.

What are the benefits of Integrity?

Integrity was designed to help produce quality reports, enhance oversight, and promote transparency.

  • Integrity produces quality reports by helping filers more quickly, easily, and completely report required information.
  • Integrity enhances oversight of the executive branch ethics program by allowing OGE to monitor agencies’ progress in administering their individual financial disclosure programs.
  • Integrity promotes transparency by producing a clear and concise public financial disclosure report that allows the public to have confidence that their government leaders are making decisions free from conflicts of interest.

List of Companies, Amicus Brief Against Trump’s Sanctuary City Policy

The Senate defeated a GOP proposal based on President Donald Trump’s immigration framework.
The plan would have offered a path to citizenship for “Dreamers” and increased border security while also cutting legal immigration.
The vote was 39-60, with 60 votes needed for approval.

I say GOOD. It was fraught with loopholes and the actual number of illegals in question remained unknown.

Meanwhile, there is more going on with the whole sanctuary city thing. Hold on, you won’t like this.

In 2017, State Atty. Gen. Xavier Becerra on Wednesday filed a brief in support of a Santa Clara County lawsuit challenging President Trump’s executive order targeting “sanctuary” cities that refuse to help federal authorities enforce immigration laws.

The amicus brief cites Trump’s threat to withhold federal funds from sanctuary cities and counties as well as the state’s interest in protecting state laws and policies that promote public safety and protect the constitutional rights of residents, Becerra said.

*** It gets worse… to read how the brief is cherry-picked on facts, go here.

So, there is a pile of companies that have filed an amicus brief against the Trump administration position on sanctuary cities.

Below is the full list of tech companies (and a few others) that signed the amicus brief opposing President Trump’s executive order on immigration.

The full brief is available online.

1. AdRoll, Inc.
2. Aeris Communications, Inc.
3. Airbnb, Inc.
4. AltSchool, PBC
5. Ancestry.com, LLC
6. Appboy, Inc.
7. Apple Inc.
8. AppNexus Inc.
9. Asana, Inc.
10. Atlassian Corp Plc
11. Autodesk, Inc.
12. Automattic Inc.
13. Box, Inc.
14. Brightcove Inc.
15. Brit + Co
16. CareZone Inc.
17. Castlight Health
18. Checkr, Inc.
19. Chobani, LLC
20. Citrix Systems, Inc.
21. Cloudera, Inc.
22. Cloudflare, Inc.
23. Copia Institute
24. DocuSign, Inc.
25. DoorDash, Inc.
26. Dropbox, Inc.
27. Dynatrace LLC
28. eBay Inc.
29. Engine Advocacy
30. Etsy Inc.
31. Facebook, Inc.
32. Fastly, Inc.
33. Flipboard, Inc.
34. Foursquare Labs, Inc.
35. Fuze, Inc.
36. General Assembly
37. GitHub
38. Glassdoor, Inc.
39. Google Inc.
40. GoPro, Inc.
41. Harmonic Inc.
42. Hipmunk, Inc.
43. Indiegogo, Inc.
44. Intel Corporation
45. JAND, Inc. d/b/a Warby Parker
46. Kargo Global, Inc.
47. Kickstarter, PBC
48. KIND, LLC
49. Knotel
50. Levi Strauss & Co.
51. LinkedIn Corporation
52. Lithium Technologies, Inc.
53. Lyft, Inc.
54. Mapbox, Inc.
55. Maplebear Inc. d/b/a Instacart
56. Marin Software Incorporated
57. Medallia, Inc.
58. A Medium Corporation
59. Meetup, Inc.
60. Microsoft Corporation
61. Motivate International Inc.
62. Mozilla Corporation
63. Netflix, Inc.
64. NETGEAR, Inc.
65. NewsCred, Inc.
66. Patreon, Inc.
67. PayPal Holdings, Inc.
68. Pinterest, Inc.
69. Quora, Inc.
70. Reddit, Inc.
71. Rocket Fuel Inc.
72. SaaStr Inc.
73. Salesforce.com, Inc.
74. Scopely, Inc.
75. Shutterstock, Inc.
76. Snap Inc.
77. Spokeo, Inc.
78. Spotify USA Inc.
79. Square, Inc.
80. Squarespace, Inc.
81. Strava, Inc.
82. Stripe, Inc.
83. SurveyMonkey Inc.
84. TaskRabbit, Inc
85. Tech:NYC
86. Thumbtack, Inc.
87. Turn Inc.
88. Twilio Inc.
89. Twitter Inc.
90. Uber Technologies, Inc.
91. Via
92. Wikimedia Foundation, Inc.
93. Workday
94. Y Combinator Management, LLC
95. Yelp Inc.
96. Zynga Inc.

ADDED Feb. 6, 2017

97. Adobe Systems Inc.
98. Affirm, Inc.
99. Ampush LLC
100. Brocade Communications Systems Inc.
101. Bungie, Inc.
102. Casper Sleep, Inc.
103. Cavium, Inc.
104. Chegg, Inc.
105. ClassPass Inc.
106. Coursera
107. EquityZen Inc.
108. Evernote
109. Gusto
110. Handy Technologies, Inc.
111. HP Inc.
112. IAC/InterActive Corp.
113. Linden Lab
114. Managed by Q Inc.
115. MobileIron
116. New Relic, Inc.
117. Pandora Media, Inc.
118. Planet Labs Inc.
119. RPX Corporation
120. Shift Technologies, Inc.
121. Slack Technologies, Inc.
122. SpaceX
123. Tesla, Inc.
124. TripAdvisor, Inc.
125. Udacity, Inc.
126. Zendesk, Inc.
127. Zenefits

Do You Know What CTIIC is? You Should

First…there is no policy, as admitted by the heads of the intelligence agencies in a Senate Intelligence hearing and confirmed by Senator Angus King (Maine).


CTIIC is the federal lead for intelligence support in response to significant cyber incidents, working—on behalf of the IC—to integrate analysis of threat trends and events, build situational awareness, and support interagency efforts to develop options for degrading or mitigating adversary threat capabilities.

The idea of creating a cyber threat framework came from observations among the US policy community that cyber was being described by different agencies in a variety of ways that made consistent understanding difficult. There are over a dozen analytic models being used across government, academia, and the private sector. Each model reflects the priorities and interests of its developer, but the wide disparities across models made it difficult to facilitate efficient situational analysis that was based on objective data.


The framework will be scalable and facilitate data sharing at “machine speed.” Implementation within the USG will include processes to reduce or eliminate double-counting of threat data.


So….
In 2017 Equifax confirmed it had suffered a massive data breach: cyber criminals stole the sensitive personal records of 145 million US citizens and of hundreds of thousands of people in Canada and the UK.

Attackers exploited CVE-2017-5638, an Apache Struts vulnerability. The flaw affects the Jakarta Multipart parser that Apache Struts uses for file uploads and could be exploited by an attacker by sending a maliciously crafted request to an affected web server.

The vulnerability had been fixed back in March, but the company did not update its systems; an Apache spokeswoman confirmed this to the Reuters agency.
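The two facts above, a known vulnerable version range and a crafted request aimed at the Multipart parser, both translate into checks a defender can run. The following is an added example, not code from the page, from Equifax or from the Apache project. It flags Struts versions inside the ranges the Apache S2-045 advisory lists as affected (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1), and it scans a constructed request log for Content-Type headers carrying the OGNL expression markers (`%{` or `${`) that a normal Content-Type header does not contain. The log format, the sample lines and the function names are assumptions made for this example.

```python
"""Two defender-side checks related to CVE-2017-5638 (Apache Struts, S2-045).

Added example; not code from the page, Equifax or Apache. Assumptions:
  * affected/fixed version ranges are taken from the Apache S2-045 advisory
    (affected 2.3.5-2.3.31 and 2.5-2.5.10; fixed in 2.3.32 and 2.5.10.1);
  * the log below is a constructed, simplified request log with the
    Content-Type header appended in quotes, not any vendor's real format.
"""
import re
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))


# Inclusive affected ranges per the S2-045 advisory (assumed correct here).
AFFECTED_RANGES = [
    (parse_version("2.3.5"), parse_version("2.3.31")),
    (parse_version("2.5"), parse_version("2.5.10")),
]


def struts_version_is_affected(version: str) -> bool:
    """True if the given Struts version falls inside a known affected range.

    Tuple comparison treats 2.5.10.1 as greater than 2.5.10, so the fixed
    release correctly falls outside the second range.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed request-log lines: timestamp, method, path, status, Content-Type.
# The third line carries an OGNL marker in its Content-Type; the fragment is
# inert and only serves to exercise the detector.
SAMPLE_LOG = """\
2017-05-13T01:02:03Z POST /struts/upload.action 200 "multipart/form-data; boundary=----abc123"
2017-05-13T01:02:09Z GET /struts/index.action 200 "-"
2017-05-13T01:03:44Z POST /struts/upload.action 500 "%{(#_='multipart/form-data').(#demo='constructed')}"
2017-05-13T01:04:10Z POST /struts/upload.action 200 "application/x-www-form-urlencoded"
"""

LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# OGNL expression openers; a normal Content-Type header carries neither.
OGNL_MARKER_RE = re.compile(r"[%$]\{")


def find_suspicious_content_types(log_text: str) -> List[dict]:
    """Return parsed log entries whose Content-Type contains an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the constructed format
        entry = m.groupdict()
        if OGNL_MARKER_RE.search(entry["ctype"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "affected" if struts_version_is_affected(ver) else "not affected")
    for hit in find_suspicious_content_types(SAMPLE_LOG):
        print("suspicious Content-Type at", hit["ts"], "on", hit["path"], "status", hit["status"])
```

The version check is the patch-lag question the passage raises: run it against the Struts artifact version found in a deployment inventory. The log scan is a cheap retrospective check; because the marker test looks only at the header value, it stays useful even when the request body itself was never logged.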

Compromised records include names, social security numbers, birth dates, home addresses, and credit-score dispute forms, and for some users also credit card numbers and driver’s license numbers.

Now experts argue the Equifax hack is worse than previously thought: according to documents provided by Equifax to the US Senate Banking Committee, the attackers also stole taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers.

This means that crooks have all the data necessary to carry out any kind of fraud by stealing victims’ identities. More here.

Further, the Trump administration appears to have omitted any reference to the Chinese cyber threat domestically…here is a clue on their activity and how they cannot be trusted…and we have not even mentioned Russia…

In 2012 Chinese companies Huawei and ZTE were considered high threat risks to the United States and sadly, both were introduced again at this same Senate hearing on February 13, 2018.

China’s government has denied reports that it spied on the servers at the African Union’s Chinese-built headquarters for more than five years, gaining access to confidential information.

In an investigation published by French newspaper Le Monde, China, which also paid for and built the computer network at the AU, allegedly inserted a backdoor (in French) that allowed it to transfer data. The hack wasn’t detected until Jan. 2017, when technicians noticed that between midnight and 2 am every night there was a peak in data usage even though the building was empty. After investigating, it was found that the continental organization’s confidential data was being copied onto servers in Shanghai.

China’s ambassador to the AU dismissed the reports as “absurd” and “preposterous.” Kuang Weilin told reporters in Ethiopia that it was “very difficult to understand” Le Monde’s claims and that the story was certain to “create problems for China-Africa relations.”

The revelations come as African presidents convene in Addis Ababa to attend the continental summit on governance. In 2012, when the AU building was completed, it was signified as a symbolic gesture aimed at solidifying Sino-Africa relations. The landmark 20-story office tower overlooking a pearl-shaped conference center was “a gift” from the Chinese government to help African nations integrate better and improve their institutional capacity.

But the alleged data theft puts a spin on that rosy affair and might strain the relationship between the two sides. China is heavily involved in Africa, with its companies and entrepreneurs conducting trade and investing heavily in African countries. Chinese aid has also been blamed for propping up authoritarian regimes, constructing shoddy roads and infrastructure built by imported Chinese workers, and focusing mainly on countries home to oil, minerals, and other resources that China needs. But China is also cultivating the next generation of African leaders, with Beijing taking thousands of African leaders, bureaucrats, students, and business people to China for training and education. More here.

For sure there is no policy and lawmakers are dumbfounded on introducing any kind of offensive or consequential legislation. Hello Angus?

State Dept Proposes Lead Agency on Economic/Cyber Bureau

This sounds great until one considers that there is no lawful cyber policy against any nation, rogue or otherwise, under which there are consequences for hacks, malicious malware or cyber theft. Meanwhile, all cyber units within the Federal government, as well as independent outside corporations, are well aware that China, North Korea, Russia and their proxies are the constant and proven cyber threats to the United States, and they go unpunished.

Further, two details are omitted in the summary below: the global activity around cybercurrencies and how governments are plotting regulations, and, more broadly, the global economic agenda. There is no way to stop a borderless world.

The 2016 State Department posture on foreign cyber threats is here.


Tillerson proposes new unified bureau at State to focus on cyber

Secretary of State Rex Tillerson is proposing the consolidation of two separate offices at the State Department to form a single bureau that will focus on a wide range of cyber issues.

A State Department spokesperson told The Hill that the two offices, the Office of the Cybersecurity Coordinator and the Bureau of Economic Affairs’ Office of International Communications and Information Policy, would be unified in order to form the proposed Bureau for Cyberspace and the Digital Economy.

“The combination of these offices in a new Bureau for Cyberspace and the Digital Economy will align existing resources under a single Department of State official to formulate and coordinate a strategic approach necessary to address current and emerging cyber security and digital economic challenges,” Tillerson said in a Tuesday letter to House Foreign Affairs Committee Chairman Ed Royce (R-Calif.). 

“The Department of State must be organized to lead diplomatic efforts related to all aspects of cyberspace,” the secretary added.

The decision comes after Tillerson faced scrutiny from both parties last year over his decision to fold the standalone Office of Cybersecurity Coordinator into an economic-focused bureau as part of his broad efforts to reorganize the agency.

Royce first relayed the news during a cyber diplomacy briefing on Tuesday that focused on the need to engage the international community on cybersecurity-related issues.

“The proposal will elevate the stature of the department official leading cyberspace policy to one that is confirmed by the U.S. Senate — an assistant secretary — to lead high-level diplomatic engagements around the world,” the secretary argued.

Last year, Royce introduced a bill, titled the Cyber Diplomacy Act, that seeks to restore a State Department office specifically focusing on cyber diplomacy efforts. The House passed the bill last month, which also calls for the official leading the cyber office to have the rank of ambassador.

Royce said Tillerson’s proposal is a “welcomed” move, but continued to vouch for the Cyber Diplomacy Act to “help keep America safe and strong.”

“Cyberspace is vital to America’s national security, and to our economy. That’s why I have long called for the State Department to have a high-ranking diplomat who can confront the full range of challenges we face online,” Royce said in a statement in response to Tillerson’s letter.

“The Foreign Affairs Committee will continue to work with the department and our colleagues in the Senate to ensure this assistant secretary and bureau is empowered to engage on the full range of cyber issues, dealing with security, human rights, and the economy,” he continued.

A State Department spokesperson said the proposal is part of an effort to spearhead cyber policy and address cybersecurity on a global scale.

“The State Department recognizes its leadership role of diplomatic efforts related to all aspects of cyberspace and the need to have an effective platform from which to engage relevant global stakeholders and exercise that leadership role,” the spokesperson said.

Under Tillerson’s proposal, the cyber bureau would seek to establish a “global deterrence framework” in an effort to outline how countries can respond when other nations “engage in malicious cyber activities.”

It would also seek to develop strategies against adversaries, promote programs that help with cyber threat prevention and responses, establish partnerships to keep the nature of the Internet open with a cross-border flow of data and open lines of dialogue for diplomatic officials to further engage on such issues.

At the start of the hearing, Royce emphasized the importance of the State Department’s role in cybersecurity issues as other countries attempt to impose control over cyberspace.

“The department’s role becomes essential when you consider that it’s not just computer networks and infrastructure that the United States needs to protect. The open nature of the internet is increasingly under assault by authoritarian regimes, like China, that aggressively promote a vision of ‘cyber sovereignty,’ which emphasizes state control over cyberspace,” Royce said in his opening remarks.

Three cyber experts testified before the lawmakers for roughly three hours on Tuesday, including the State Department’s former top cyber diplomat.

Chris Painter, the agency’s former cybersecurity coordinator, had already emphasized the need for the State Department to assume a key role in cyber policy before Tillerson’s proposal became public.

“[G]iven the international nature of the threats and the technology itself, that the State Department should play a leading role in that effort and that effective cyber diplomacy,” Painter told the lawmakers.

“For the U.S. to continue to lead, as it must, cyber issues must be re-prioritized and appropriately resourced at the State Department. Moreover, it is important that the position of the individual leading these efforts be at a very high-level — not buried in the bureaucracy or reporting through any one functionally or perspective limited chain of command,” he added.

Under the proposal, an assistant secretary will lead the new bureau and report to the Under Secretary for Economic Growth, Energy and the Environment.

Painter praised Tillerson’s plan after Royce relayed Tillerson’s proposal at the hearing. But he argued that it “makes a lot more sense” for the assistant secretary to report to the undersecretary for political affairs rather than economic affairs.

“I applaud the fact that they’ve taken action. I think it’s great they’re elevating it. That’s exactly what should be done,” Painter said.

In July, Painter left his top position shortly before Tillerson alerted Congress about his plans to close the cybersecurity office.