Some cyber ramifications of TPP

With help from Joseph Marks and David Perera

TPP CONCERNS FOR SECURITY RESEARCHERS — The Trans-Pacific Partnership agreement could put security researchers at risk of arrest by law enforcement or other criminal punishments because of language that defines what a “trade secret” is, the Electronic Frontier Foundation says. The treaty’s language — released officially Thursday — includes a section on trade secrets requiring participating nations to outline criminal penalties for anyone who commits “unauthorized and willful access to a trade secret held in a computer system.” The problem is that “trade secrets” is defined too broadly, EFF’s Jeremy Malcom told MC. The TPP “doesn’t require that it’s valuable, copyrightable, or patentable, anything like that,” he said. Rather, a “trade secret” just has to be a secret. That could lead foreign firms to slap trade secret qualifiers on anything that security researchers might nose through to find vulnerabilities in a bid to limit access, he said.


It’s unlikely U.S. firms will follow suit, he said, since the trade secrets law here is pretty well-settled. But “foreign companies have not had to deal with this before, so they’re going to have to rely on their courts to give sensible interpretations of this.” The intellectual property language is in Chapter 18: http://bit.ly/1QfXnoz

ANOTHER TPP FEAR — Privacy and security advocates are also concerned about a TPP provision that prohibits nations from requiring exporting companies to open up their source code. The provision is useful in cases where it protects companies from nations that want to steal their intellectual property, critics say, but it could also make technology more vulnerable to hackers and government snooping. For example, the provision (14.17), would prohibit nations from requiring industries whose products are particularly vulnerable to hacking and snooping, such as routers, to open them up to security testers. Many security researchers argue that security is best achieved by making software code publicly available and patching vulnerabilities that researchers turn up rather than by keeping code secret.

“There are contexts where you wouldn’t want people to disclose source code publicly and there are circumstances where there would be a benefit for doing so,” said Erik Stallman, director of the Open Internet Project at the Center for Democracy and Technology. “I don’t know that there’s ever a blanket answer one way or another, but, in any event, a trade agreement is not the best vehicle to resolve the issue.” The TPP provision is limited to “mass-market software or products containing such software” and has an explicit exception for software used in critical infrastructure. The provision: http://1.usa.gov/1WDpxtf

HAPPY FRIDAY and welcome to Morning Cybersecurity! Your regular MC host will give way to Dave and Joe in the next couple editions but will return sometime after a restful long weekend. Send your thoughts, feedback and especially your tips to [email protected] and follow @ timstarks, @ POLITICOPro and @ MorningCybersec . Full team info is below.

A REQUEST FOR INTERNATIONAL RULES OF CYBERWAR — Reps. Jim Himes and Lynn Westmoreland, the top Democrat and chairman of the House Intelligence subcommittee with cybersecurity oversight, respectively, are asking the Obama administration to spearhead an “E-Neva Convention” on cyberwar, modeled after the Geneva Conventions. “We write today to urge you to accelerate and to promote U.S. leadership in establishing comprehensive international principles of conduct in cyberspace,” the lawmakers wrote Thursday, along with panel Democrats Jackie Speier, Mike Quigley and Patrick Murphy. “The U.S. should lead the international community to create clear definitions, norms and enforceable guidelines in this developing arena.”

The letter went to National Security Adviser Susan Rice and Secretary of State John Kerry. State’s top cyber official, Chris Painter, has rejected the notion of anything like a cyber treaty as unworkable. More: http://politico.pro/1HdKTMa

CSIS RECCS TO IMPROVE US-JAPAN CYBER ALLIANCE — A report from the Center for Strategic and International Studies out Thursday lays out six recommendations to improve the U.S.-Japan cybersecurity alliance: ramping up cyber spending, especially in Japan; agreeing on a definition for collective defense in cyberspace; creating information sharing mechanisms for cyberthreats; developing “robust” joint training exercises; expanding joint critical infrastructure protection and counterespionage efforts; and creating a framework for cyber confidence building measures in northeast Asia. The report: http://bit.ly/1l9VyOd

IRANIAN HACKING ROLE REVERSAL — Late Wednesday, The Wall Street Journal reported that U.S. officials suspect Iran’s Revolutionary Guard hacked the Obama administration, targeting the email and social media accounts of administration officials. One of the noteworthy elements of the alleged hacking is how it’s a reversal of conventional wisdom on the nuclear deal and Iranian cyber activity. Some cited fears that the nuclear deal would bolster Iran’s cyber activities. Instead, the attackers are said to be motivated by their opposition to the deal, and are using cyberattacks to undermine it. It’s an unusual way of using cyber as a political weapon. More perspective: http://theatln.tc/1RzISdH

For its part, the administration has been mum publicly. “I don’t have anything specific on this particular report to discuss,” said State Department spokesman John Kirby. One senior administration official would only offer: “We're aware of certain reports involving Iran. While I don’t have a comment on the specific reports, we are aware that hackers in Iran and elsewhere often use cyber intrusions to gain information or make connections with targets of interest.”

** A message from Northrop Grumman: Today’s enemy threats have taken on forms like never before. That’s why our full-spectrum cyber capabilities enable our military to tackle challenges at the push of a button. See how at http://bit.ly/1LenDw5 **

HOW LINUX LOST ITS SECURITY EDGE — A decade ago, open source operating system Linux was the safer option in a world dominated by Windows XP. But today, with various Linux distributions powering the infrastructure behind the Internet and poised to become even more ubiquitous via the Internet of Things, many are worried that Linux has unaddressed security weaknesses. For that, look to Linux progenitor Linus Torvalds and his rock solid commitment to prioritizing usability above security. “I personally consider security bugs to be just ‘normal bugs,’” Torvalds said in 2008. Torvalds still leads efforts to update the Linux kernel, the central part of any operating system that turns software requests into hardware commands. And it’s the Linux kernel that security researchers are worried about – with Torvalds resisting “anything smacking of a dramatic overhaul.” More from The Washington Post’s long-read article well worth the time: http://wapo.st/1Mf2y2R

INSIDE THE FBI’S ANTI-ENCRYPTION LAB — The FBI has backed off, for now, on its calls for a “legislative fix” to cop-proof encryption systems offered by consumer tech companies, but the agency continues an all-out push to gain access to suspects’ data whenever it can be found in the clear, according to a Scripps News story out Thursday. The story centers around a tour of the FBI’s National Domestic Communications Assistance Center. From Scripps: “One area, nicknamed ‘the lab,’ is dedicated to testing what the staffers call ‘solutions’ that a partner agency may have found helpful. Every day technology firms update cellphone apps and other communications tools that criminals can use. Now, if one agency has already discovered a lawful way for police to keep up, NDCAC, acting as a hub, can test it and then deploy it to thousands of other partner agencies. … [Officials] stress they cannot help local officials crack [end-to-end] encryption … But they can suggest to local investigators, stymied by an encrypted iMessage, alternate solutions such as turning to iCloud backups.” The story: http://bit.ly/1HdEiRT

MEDIA HACKS ON THE RISE — A year after the Sony hack, media execs are reporting they face more cyberattacks than ever, according to a PwC survey shared with Variety. “Of the 319 execs in the media business surveyed worldwide in May and June, 46 percent reported having been subject to cyberattacks over the past year from third parties such as hackers that targeted digital media in advance of a major launch such as theatrical or DVD releases,” Variety reported. “When asked the same question last year, only 29 percent reported such incursions.” More from Variety: http://bit.ly/1WDpduz

QUICK BYTES

— Some companies don’t make it easy for security researchers to report flaws. Wall Street Journal: http://on.wsj.com/1kdRgVG

— The hackers who took credit for getting into the private email account of CIA Director John Brennan now say they’ve gotten into the work computers of thousands of government employees. Motherboard: http://bit.ly/1kxvOL1

— The National Institute of Standards and Technology has published a guide on “deploying automated application whitelisting to help thwart malicious software from gaining access to organizations’ computer systems.” http://1.usa.gov/1WAbfPt

— Anonymous released its list of alleged KKK members: http://on.recode.net/1QhXhfZ

That’s all for today. We’re off to … http://bit.ly/1MCs0yv

Stay in touch with the whole team: Joseph Marks ( [email protected] , @Joseph_Marks_ ); David Perera ( [email protected] , @daveperera ); and Tim Starks ([email protected] , @timstarks ).

** A message from Northrop Grumman: To meet today’s most advanced enemy threats, our military needs to be able to eliminate them — without putting troops in harm’s way. That’s why we’re the leader in full-spectrum cyber. Learn more at http://bit.ly/1LenDw5 **

Follow us on Twitter Heidi Vogt @HeidiVogt



Eric Geller @ericgeller



Martin Matishak @martinmatishak



Tim Starks @timstarks