Pompeo Discusses Cyber Security at the State Department

Former Secretary of State Rex Tillerson eliminated the cyber security position at the State Department about one month ago. Tillerson eliminated this position in hopes of forming “a bureau focused on economic and business affairs.” This act disappointed many members of the US government, and eventually resulted in President Trump replacing Tillerson with the current CIA director, Mike Pompeo. John Sullivan will serve as Secretary of State until the US Senate confirms Pompeo’s nomination.

Shortly after President Trump fired Tillerson, the CIA began to put more resources into cyber security. Last Thursday, CIA Director Mike Pompeo said, “I can only say that, every element of government has a piece of its cyber duty. It’s one of the challenges that is so deeply divided, that we don’t have a central place to do cyber work.” Many believe the removal of the cyber security position at the State Department foreshadows the US disengaging from cyber security in its foreign affairs. Fortunately, numerous State Department officials have insisted that cyber security remains a top priority there. Pompeo has not given any indication of his decision on the cyber security position.

-Spencer Fleming

Source: http://thehill.com/policy/cybersecurity/382882-pompeo-pressed-on-plans-for-cyber-at-state

New Laws for Security in the UK Energy Industry

Due to the rapid development and advancement of technology, laws have had a hard time keeping up with modern practices and problems. More and more industries have started to include some connection to the Internet of Things, thus providing more opportunities for hackers to attack. One such industry is the energy industry. Currently, the UK is in the process of developing laws to ensure that a baseline level of security is implemented by energy companies. These laws will require that the energy companies put particular measures in place in order to protect sensitive personal data. One aspect of these laws is that the process for reporting a company’s compliance will be more involved, requiring the company to show how it is meeting the requirements, not just say that it is. Consequences of not complying with these regulations will take the form of fines, either at a flat rate or as an amount based on the company’s global turnover, depending on the size of the company.

While this does place more burden on the companies by forcing them to invest properly in security, one aim of these laws is actually beneficial to them. These laws aim to increase public trust in industries using network connections. This past year, the UK has seen a great increase in attacks compared to previous years, which has taken a toll on the confidence the public has in online security. Therefore, this law hopes to push companies to increase their protection and save them from attacks which would lead not only to stolen customer data but also to a drop in public confidence.

~Rebecca Medina

Source: http://www.powerengineeringint.com/articles/print/volume-26/issue-2/features/the-cybersecurity-laws-you-must-know.html

New European Privacy Standards Coming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR); on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were specifically passed by the EU, due to the international nature of the web many people from all over the world will feel their impact.

These regulations aim to increase user privacy by expanding the scope of consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer, meaning web services must implement granular permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company holds on them. Companies must also be able to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them be permanently erased from a company’s database.

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of these rules carries large penalties on a per-violation basis. These rules could potentially change the global playing field, as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

Facebook’s personal data acquisition and use in the wake of court rulings

On Monday, February 12, a ruling from a German court regarding Facebook’s default privacy settings and personal data use was made publicly available. The ruling, handed down from a regional court in Berlin, found five of Facebook’s default privacy settings and eight clauses of their terms of service to be in breach of consumer law. A similar case in Belgium concluded later that week, on the 16th of February, in which Facebook was ordered to cease tracking through third-party sites. These rulings appear to continue a precedent of European concern regarding Facebook’s collection, use, and distribution of both consumer and non-consumer data.

Under the requirement for explicit and informed consent, the German court ruled that the default privacy settings were in violation of German data protection laws. Other rulings of interest are as follows: “read and understood” clauses are invalid, a clause that required users to use their real names or names they are popularly identified by was ruled invalid, and a clause that was designed to give consent for Facebook to transfer user data to the United States was ruled invalid.

The ruling regarding “read and understood” clauses has interesting implications for the future of methods of consent in Europe. A great number of services have obscenely long terms of service contracts which are generally ignored but serve as the primary form of communicating the conditions of a product’s use. If these sorts of terms of service contracts can be declared invalid on the grounds that a user cannot be expected to fully read and understand the terms, then it could potentially force companies either to find alternative ways of setting terms of use or simply to shorten them.

The removal of a “real name” clause theoretically removes a convenient user ID for select users, possibly requiring Facebook to resort to cross-referencing to tie data available on Facebook with other identifying data in order to maintain the same user data structure they once had. This would be complicated by the fact that cross-referencing personally identifiable data is currently illegal in all EU countries, and Facebook already faced an EU taskforce in October of the previous year regarding the cross-referencing of data between Facebook and WhatsApp. Of course, the implications of the removal of the “real name” clause rest on the assumption that Facebook hasn’t already discovered or designed a more convenient alternative.

The final ruling of interest here, regarding the transfer of personal data to the US, actually has much stronger implications for the value of the personal data collected by Facebook than it seems. Much of the data collected by Facebook is very niche, and not very useful for their advertisement algorithms on its own. To allow for more insights into this data, Facebook cross-references the individual data sources in order to generate a more valuable combined dataset for their algorithms and for other companies. In Europe, however, the cross-referencing is complicated by the illegality mentioned previously. To circumvent this, Facebook would send the individual data to the United States, where cross-referencing personal data is legal, combine the datasets, and then send the combined dataset back to Europe. This ruling could remove the ability of companies to circumvent the data protection laws via this method, which would reduce the incentive for companies to gather as much niche data.

– S. Carlton

Court Ruling (German):

German Court News:

Belgian Court News:

Cybersecurity is the ‘greatest concern’ for the U.S.

We’ve all heard the stories about the latest cybersecurity breach or hack that’s shaken up the world, but recently these types of attacks have been dubbed one of the top priorities for the United States. No longer should terrorism or weapons of mass destruction stand out as our greatest threats, because at the Senate Intelligence Committee’s annual ‘Worldwide Threats’ hearing, the Director of National Intelligence, Dan Coats, regarded cybersecurity as his ‘greatest concern’. “From US businesses to the federal government to state and local governments, the United States is threatened by cyber attacks every day,” said Coats.

Cybersecurity isn’t a new worry for our country. Back in December, President Donald Trump issued a new national security strategy document that described cybersecurity as a top priority. The document cited hacks from places like Russia, China and Iran. This came after a long year of cyber attacks, including the WannaCry ransomware attack, the revelations of Russian misinformation campaigns waged through social media, and general hacking of critical infrastructure.

Coats wasn’t the only one to speak out for a greater emphasis on cybersecurity. Sen. Mark Warner, the committee’s vice chairman, spoke on the Russian spreading of propaganda through popular social media sites like Facebook, Google, and Twitter. Warner says that, “This campaign of innuendo and misinformation should alarm us all,” and that it’s, “a dangerous trend.” FBI Director Christopher Wray says that social media companies are getting better at taking down propaganda posts, but that they still need to improve, adding that they hope the government can work with them so they can eventually police themselves better.

With most of our lives incorporating the internet in some way, it’s not hard to grasp the threat that a weak cyber defence can pose to the stability of the nation. So it’s no surprise when someone like Bill Gates comes out with a statement regarding cybersecurity, too. He recently said, “There’s always the question how much technology is empowering a small group of people to cause damage. A small group can have an impact — in the case of nuclear [weapons], on millions; and in the case of bio[terror], on billions. That is scary to me.” But there is no easy solution to this problem. Sen. Richard Burr, the committee’s chairman, said “Cyber is clearly the most challenging threat vector this country faces. It’s also one of the most concerning, given how many aspects of our daily lives can be disrupted by a well-planned, well-executed cyberattack.”

We are left worrying about how easily our lives can be affected, but that’s not even the worst part. With technology changing every day and attackers discovering newer and better ways to exploit our vulnerabilities, our defensive line is left on the back foot, constantly having to catch up. The problems are only going to get more and more challenging, but we are on the right track towards a safer future, because the first step in solving a problem of this scale is to identify it.

-Jeremy McGrath