The US Has Been Conducting Offensive Cyberattacks against North Korea

The New York Times is reporting that the US has been conducting offensive cyberattacks against North Korea, in an effort to delay its nuclear weapons program.

from https://www.schneier.com/blog/

Me at the RSA Conference

This is my talk at the RSA Conference last month. It's on regulation and the Internet of Things, along the lines of this essay.

I am slowly meandering around this as a book topic. It hasn't quite solidified yet.

from https://www.schneier.com/blog/

CSIS’s Cybersecurity Agenda

The Center for Strategic and International Studies (CSIS) published "From Awareness to Action: A Cybersecurity Agenda for the 45th President" (press release here). There's a lot I agree with -- and some things I don't -- but these paragraphs struck me as particularly insightful:

The Obama administration made significant progress but suffered from two conceptual problems in its cybersecurity efforts. The first was a belief that the private sector would spontaneously generate the solutions needed for cybersecurity and minimize the need for government action. The obvious counter to this is that our problems haven't been solved. There is no technological solution to the problem of cybersecurity, at least any time soon, so turning to technologists was unproductive. The larger national debate over the role of government made it difficult to balance public and private-sector responsibility and created a sense of hesitancy, even timidity, in executive branch actions.

The second was a misunderstanding of how the federal government works. All White Houses tend to float above the bureaucracy, but this one compounded the problem with its desire to bring high-profile business executives into government. These efforts ran counter to what is needed to manage a complex bureaucracy where greatly differing rules, relationships, and procedures determine the success of any initiative. Unlike the private sector, government decisionmaking is more collective, shaped by external pressures both bureaucratic and political, and rife with assorted strictures on resources and personnel.

from https://www.schneier.com/blog/

New Rules on Data Privacy for Non-US Citizens

Last week, President Trump signed an executive order affecting the privacy rights of non-US citizens with respect to data residing in the US.

Here's the relevant text:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

At issue is the EU-US Privacy Shield, which is the voluntary agreement among the US government, US companies, and the EU that makes it possible for US companies to store Europeans' data without having to follow all EU privacy requirements.

Interpretations of what this means are all over the place: from extremely bad, to more measured, to don't worry and we still have PPD-28.

This is clearly still in flux. And, like pretty much everything so far in the Trump administration, we have no idea where this is headed.

from https://www.schneier.com/blog/

Security Risks of the President’s Android Phone

Reports are that President Trump is still using his old Android phone. There are security risks here, but they are not the obvious ones.

I'm not concerned about the data. Anything he reads on that screen is coming from the insecure network that we all use, and any e-mails, texts, Tweets, and whatever are going out to that same network. But this is a consumer device, and it's going to have security vulnerabilities. He's at risk from everybody, ranging from lone hackers to the better-funded intelligence agencies of the world. And while the risk of a forged e-mail is real -- it could easily move the stock market -- the bigger risk is eavesdropping. That Android has a microphone, which means that it can be turned into a room bug without anyone's knowledge. That's my real fear.

I commented in this story.

EDITED TO ADD (1/27): Nicholas Weaver comments.

from https://www.schneier.com/blog/