Cyber Week in Review: December 11, 2015
from Net Politics and Digital and Cyberspace Policy Program

Here is a quick round-up of this week’s technology headlines and related stories you may have missed.

1. Blame the Internet! Following terrorist attacks in San Bernardino and Paris, a lot of people were jumping on the "we need to do something about people using the Internet in ways we don’t like" bandwagon this week. President Barack Obama asked the tech sector “to make it harder for terrorists to use technology,” FBI Director James Comey claimed tech firms’ inability to provide encryption backdoors was a “business model problem” rather than a technical one, and Senator Dianne Feinstein declared she was working on legislation giving law enforcement the authority “to look into an encrypted web” and forcing social media companies to report terrorist content to the government. In France, Le Monde revealed that the Ministry of the Interior was planning to ban free public Wi-Fi in a state of emergency and block Tor, although the French Prime Minister later backed away from that proposal. Despite these calls, security experts and tech industry leaders still almost universally agree that it’s impossible to give law enforcement access to encrypted devices and data without weakening that encryption overall. As the Washington Post noted this week, at its most basic level, encryption is just math, and math, like any other idea or concept, is almost impossible to regulate. To help cut through the noise, Representative Mike McCaul advocated for the creation of a new commission that would examine the challenges technologies like encryption present for law enforcement and intelligence officials.

2. The European Union agrees to cybersecurity legislation. The European Parliament and the EU Council of Ministers agreed to cybersecurity legislation that would, among other things, require certain companies in Europe to report significant cyber incidents to national computer emergency response teams (CERTs) or face fines. The legislation stems from a two-year process in which the European Commission, the EU’s executive branch, proposed cybersecurity legislation as part of the bloc’s cybersecurity strategy. Under the legislation, operators of essential services such as energy companies and financial firms would be subject to more strenuous rules than digital service providers--the Amazons and Googles of the world. Although both would be required to have cybersecurity plans in place and report incidents to national authorities, the digital service providers would be subject to less oversight. According to experts, the European Parliament wanted to exclude digital service providers from the law entirely but was rebuffed by Ministers and the Commission, so the lighter regulatory regime is something of a compromise. The law is expected to enter into force early next year, at which point EU member states will have twenty-one months to implement it into domestic law.

3. Root servers DDoS’d. Three of the thirteen root servers that underpin all Internet activity were briefly knocked offline last week as a result of a sustained denial of service attack. The root servers sustain the domain name system, the Internet’s address book that allows for the translation of web addresses, like cfr.org, into Internet protocol addresses that computers can read and use to connect to each other. Without the root servers and the domain name system, the global Internet as we know it wouldn’t exist. According to some accounts, the root servers were bombarded with 250 times the traffic that they’re used to handling, causing some of them to become unresponsive. Although the incident is noteworthy, it is by no means cause for panic. The domain name system has a built-in redundancy as the root servers are mirrored in thousands of servers across the world. Of the billions of Internet users, the outage might have made for a slightly more stressful day for the hundreds of people who work directly with the Internet’s core infrastructure.

4. The European Union chides Russian government for privacy violations. In human rights news, the European Court of Human Rights took Russia to task over its surveillance practices. According to Marko Milanovic, quoted in Lawfare, the court found a lack of safeguards against abuse of surveillance, that Russian judges didn’t consider the necessity and proportionality of surveillance operations, and that Russian courts had a propensity to authorize bulk surveillance practices. The court also criticized Russian intelligence agencies for having direct access to "databases and networks of telecommunications and content providers," probably a reference to the Russian SORM program. The decision is unlikely to make Russia rethink its surveillance practices or tamp down its criticisms of Western surveillance practices at the United Nations. However, it may be slightly harder for them to make their accusations with a straight face.

5. The FBI admits to hacking. The Federal Bureau of Investigation admitted publicly for the first time this week that it uses zero-day exploits to help conduct criminal investigations. In a profile published in the Washington Post, FBI Executive Assistant Director for Science and Technology Amy Hess said that the agency carefully weighs the public safety benefits of using a vulnerability to help an investigation versus revealing it to manufacturers so they can release a patch. In addition, she explained that zero-days aren’t the first tool the FBI turns to, saying that they are “not reliable” due to the frequency of software updates. The admission wasn’t necessarily a surprise given that there’s long been evidence that it does so. In fact, some academics have even advocated that the FBI do more of it instead of requiring communications service providers to maintain a capability to decrypt communication.

6. In case you missed it: Net Politics’ Rob Knake published a brief in which he argues that the United States should do considerably more to take down botnets if it is to remain credible in the promotion of global norms for cyberspace. You can read the whole thing here.