Cyber Week in Review: February 16, 2018

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. J'accuse! The United States, United Kingdom, Australia, New Zealand, Canada, and Denmark publicly accused Russia of carrying out last year's NotPetya operation. In June 2017, Russia deployed NotPetya, which encrypted data and rendered it useless on infected machines in Ukraine. The malware spread to approximately 200,000 computers around the world due to a vulnerability in Microsoft software made public through a leak of U.S. National Security Agency tools. Particularly hard hit was Danish shipping giant Maersk, which spent roughly $300 million to recover from the incident. The White House called NotPetya “the most destructive and costly cyberattack in history.” Though the U.S. statement said it would be "met with international consequences," the statements from the other governments did not. Over the course of the last year, the United States signaled that it would work with allies to call out countries that don't follow internationally-agreed cyber norms and impose costs on them. This latest action demonstrates that the United States is following through on its strategy, though it remains to be seen what costs Washington and its allies will impose on Moscow.

2. We're number one! In its annual worldwide threat briefing, the U.S. intelligence community once again named cyber threats as the biggest national security challenge facing the United States. Intelligence chiefs predicted that Russia will continue its efforts to “exacerbate social and political fissures” and diminish trust in democratic processes within the United States and European Union. CIA director Mike Pompeo suggested that the United States was retaliating to Russian efforts to influence U.S. elections, though in ways that would act as signals to Russia but might be unknown to the broader public. The U.S. threat assessment also specified a concern with China purchasing technology start-ups that would help it pursue its ambitious artificial intelligence strategy. Every assessment since 2013 has identified cyber attacks as the number one threat to the United States.

3. No need to work overtime. The Internet Corporation for Assigned Names and Numbers (ICANN), which manages the global domain name system, including top level domains like .com and .org, decided .home, .mail, and .corp will not be used on the internet. ICANN decided against making these domains available as part of their generic top level domain program because they are often used to manage private networks. Using .home, .mail, or .corp on a private network and the global internet could have created domain collisions, as computers looking to reach a .home domain would not know whether to connect to a computer on a private network or the internet. Havoc and confusion would have ensued. System administrators everywhere are breathing a sigh of relief. 

4. Remember Equifax? Yeah? Well it's worse than you thought. Equifax disclosed to the U.S. Senate Banking Committee that the network compromise it announced last year was worse than previously thought. In September 2017, Equifax disclosed that the names, addresses, and social security numbers of over 145 million U.S. customers could have been compromised. This week, the company said that tax identification numbers, email addresses, phone, and credit card expiration numbers could also have been compromised. Equifax became a poster child for how not to manage and disclose a cybersecurity compromise, and has become a data point for those in favor of stronger data protection laws in the United States. In a recent CFR brief, Nuala O'Connor of the Center of Democracy and Technology argues that the only way to prevent the next Equifax is to create the right incentives for companies to protect consumer data through comprehensive data protection legislation.