Tag Archive for: proposed

China’s plans for a national cybersecurity barrier. A US Federal role in the open-source software supply chain? A look at proposed reporting deadlines.


CISA: Federal Agencies Taking Steps to Address Log4j Flaw (Decipher) CISA said that thousands of internet-connected assets have been mitigated by federal agencies under its Emergency Directive that addressed the Log4j flaw.

CISA Still Helping Federal Agencies Remediate Log4j Vulnerability (MeriTalk) The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said today that it is continuing to help Federal agencies remediate the Log4j vulnerability that CISA first warned about in December.

Lesson from Log4j: Open-source software improvements need help from feds (POLITICO) The tech industry is readying solutions to the security risks posed by the collaborative software that underpins modern-day computing — but aid from Washington could be essential to the project’s success.

The Case for Cyber-Realism (Foreign Affairs) Geopolitical problems don’t have technical solutions.

Russian troops intervene in protest-roiled Kazakhstan, where security forces have killed dozens of demonstrators (Washington Post) Russian troops landed in Kazakhstan on Thursday after the Central Asian country’s president asked for help to quell sweeping anti-government protests — a major test of a Moscow-led military alliance as the Kremlin deepened its role in the crisis.

Kazakh president gives shoot-to-kill order to put down uprising (Reuters) Kazakhstan’s president said on Friday he had ordered his forces to shoot-to-kill to deal with disturbances from those he called bandits and terrorists, a day after Russia sent troops to put down a countrywide uprising.

Kazakhstan unrest: From Russia to US, the world reacts (Al Jazeera) Bloody protests have drawn the attention of regional powers Russia and China, as well as Western capitals.

West must stand up to Russia in Kazakhstan, opposition leader says (Reuters) The West must pull Kazakhstan out of Moscow’s orbit or Russian President Vladimir Putin will draw the Central Asian state into “a structure like the Soviet Union”, a former minister who is now a Kazakh opposition leader told Reuters.

How Kazakhstan could shift Putin’s calculus on Ukraine (Atlantic Council) The unrest poses a question for Putin: Should he continue…


Deakin University lays out proposed School of IT restructure


Deakin University is proposing to cut academic staff in areas such as data science, cyber security and distributed systems and bring in more teaching resources focused on “emerging” technologies.

The proposed changes are part of a university-wide restructure, called Deakin Reimagined, that will result in a reduction of 180 to 220 positions across the institution.

Specific change proposals are currently the subject of staff consultation; a change proposal for the School of Information Technology, sighted by iTnews, shows reductions in several study domains, partially offset by a shift in the focus of IT-related study towards “emerging technologies” – including quantum computing, internet of things (IoT) and blockchain.

Under the proposal, two vacant positions in the school will not be replaced, and an additional 18 academic staff face cuts.

They include professors and senior lecturers in “computer and data science, artificial intelligence & machine learning”; four lecturers in “information and emerging technology”; professors and senior lecturers in “cyber security” and “distributed systems”; and lecturers in “software engineering” and “mathematics and optimisation”.

Crucially, the cuts would impact several “Level E” professors in these fields. 

Under Deakin University’s academic levels, E is the highest tier and denotes someone that has national and/or international recognition “as an eminent authority in his or her discipline”.

Five “Level E” professors would be cut under the plan, offset by the hire of one “Level E” professor in “software engineering/telecommunications”.

The intention of the restructure is in part to shift the focus of the School of Information Technology from these domains to more emerging ones.

It unveiled plans to hire 13 new academics, mostly at lower academic levels, in areas such as robotics, blockchain, quantum computing, machine learning, IoT, and cyber security.

However, the change proposal also notes that the restructure would result in a “reduction of cost” and meet a “shift in expectations around teaching delivery, technical expertise, and innovation”.

A…


Proposed ‘Hack-Back’ Bill Tells DHS To Study Allowing Companies To Retaliate – Breaking Defense


A new bill could be the first step in companies being able to “hack back” at bad actors – but doing so could come with major risks, experts say.

WASHINGTON: Two members of the Senate Finance Committee have introduced a bipartisan bill that instructs the Department of Homeland Security to study the “potential consequences and benefits” of allowing private companies to hack back following cyberattacks.

Sens. Steve Daines, R-Mont., and Sheldon Whitehouse, D-R.I., have introduced the legislation as frustration over repeated cyberattacks against US companies has led to growing calls across the national security community and the private sector for retaliatory actions. Some, including military legal advisors, are now calling for the US to revisit its policy on military offensive cyber operations, especially in response to increasing ransomware attacks targeting the public and private sectors.

The draft Study on Cyber-Attack Response Options Act tells DHS to study “amend[ing] section 1030 of title 18, United States Code (commonly known as the Computer Fraud and Abuse Act), to allow private entities to take proportional actions in response to an unlawful network breach, subject to oversight and regulation by a designated Federal agency.”

DHS’s report would provide recommendations to Congress on the “potential impact to national security and foreign affairs.” Specifically, the report would address the following issues:

  • Which federal agency or agencies would authorize “proportional actions by private entities;”
  • Level of certainty in attribution needed to authorize such acts;
  • Who would be allowed to conduct such operations and under what circumstances;
  • Which types of actions would be permissible; and
  • Required safeguards to be in place.

“The Colonial Pipeline ransomware attack shows why we should explore a regulated process for companies to respond when they’re targets,” Whitehouse said in a statement to Breaking Defense. “This bill will help us determine whether that process could deter and respond to future attacks, and what guidelines American businesses should follow.” (A request for comment to Daines’s office was not returned by…


Brazil’s Proposed ‘Fake News’ Law Says Internet Users Are Guilty Until Proven Innocent, Demands Constant Logging From ISPs

Brazil’s legislature is set to vote on its proposed “fake news” law. This law would criminalize speech the government doesn’t like, under the handy theory that anything it doesn’t like must be “fake.” There was some mobilization on this not-even-legal-yet theory back in 2018, ahead of an election, when the Federal Police announced it would be keeping an eye on the internet during the election process. There are plenty of ways to combat misinformation. Giving this job to people with guns is the worst solution.

The EFF has put together a summary of the worst aspects of the proposed law. And they are the worst. First and foremost, lawmakers have realized a law that targets users the government can’t identify is completely worthless. Brazilians will pretty much need a license to communicate with others — something achieved by turning platforms and app makers into bouncers at the internet nightclub.

[T]he bill (Article 7, paragraph 3) requires “large” social networks and private messaging apps (that offer service in Brazil to more than two million users) to identify every account’s user by requesting their national identity cards. It’s a retroactive and general requirement, meaning that identification must be requested for each and every existing user. Article 7’s main provision is not limited to the identification of a user by a court order, also including when there is a complaint about an account’s activity, or when the company finds itself unsure of a user’s identity.

No doubt legislators will say comforting things about protecting anonymous speech as the bill is debated. But those platitudes will be emptier than usual. Users are permitted to use pseudonyms. But they’re also required to provide their legal identities to these platforms.

Brazilians can’t bypass this identification process by using only phone apps to communicate. SIM card registration has been in place since 2003 and the proposed law expands on that, requiring private messaging apps to delete accounts that are no longer linked to registered phone numbers.

Since the law is triggered when alleged fake news reaches (a very low) critical mass, social networks and messaging apps are required to log pretty much everything users do, just in case. Since it’s impossible to predict what will go viral, logging will be continuous.

These obligations are conditioned on virality thresholds and apply when an instance of a message has been forwarded to groups or lists by more than 5 users within 15 days, where a message’s content has reached 1,000 or more users. The service provider is also apparently expected to temporarily retain this data for all forwarded messages during the 15-day period in order to determine whether or not the virality threshold for “massively forwarded” will be met.  

This provision basically makes all users guilty until their inability to find an audience proves them innocent. The safest thing for tech companies to do is log continuously and retain forever, since there’s always a chance of sleeper hits reaching a broad audience weeks or months after the content was originally posted. The law mandates a four-month minimum for retention. It does not place a limit on maximum retention length.

The law also mandates that this massive collection of info be available remotely 24/7 for perusal by government regulators. This massively increases the chance of a harmful data breach by expanding the attack surface to every user and every government employee granted access privileges. And if there’s an opportunity for abuse by government employees — and there is — it will be abused.

This logging and demands for identification from messaging/social media users obviously makes any assurances about respecting users’ privacy blatantly false. The proposed law pretty much renders the country’s data privacy law — passed in 2018 — irrelevant. The law can’t protect internet users from careless logging and extended retention of user info — not when the government’s demanding service providers and social media platforms do exactly this to aid in the regulation of third-party content.

Then there’s this problem: even if the law fails to pass, the Federal Police have made it clear they’re going to punish people for spreading “fake news.”

A top police official just yesterday warned that, absent a new law, they will invoke the authorities of one of the dictatorship era’s most repressive laws: the so-called Law of National Security, which contains deliberately vague passages making it a felony to “spread rumors that caused panic.”

The government will be in the censorship business with or without the new law. Since it obviously desires to be more fully involved in the business of censoring, the law will likely pass, since it will give the police (and others) a whole lot of data and PII to work with. The current leader of the country bearing the First Amendment brand declares news he doesn’t like to be “fake.” We shouldn’t expect anything better from other countries which have engaged in open censorship of government criticism in the past, no matter what niceties are said about protecting the public from misinformation.

Techdirt.