The Arizona voter registration database didn't seem like an obvious target for the Russians. But in August, the FBI revealed that Russian hackers disguised themselves as an Arizona election worker and poked a hole in the state's security system.
The hackers played it smart. Rather than go on a spear phishing expedition, they used a stolen user name and password so that an email containing malware "looked like it came from an employee," Michele Reagan, Arizona's Secretary of State, told the audience at this week's Cambridge Cyber Summit in Cambridge, Mass. "It was a Word document that any of you in this room would have opened."
In a case like the Arizona voter registration database breach, it's easy to tell the good guys from the bad. But what happens when the intruder is the United States government and its reason for intrusion is national security? It's a question that puts U.S. companies in a complicated negotiation with Washington: How do they balance customer privacy with public safety?
A panel at the Cyber Summit, co-hosted by CNBC, the Aspen Institute and MIT's Computer Science and Artificial Intelligence Lab (CSAIL), took up the security versus privacy debate against the backdrop of a report from Reuters that Yahoo complied with a demand from the U.S. government to search in real time all of its users' incoming emails and breaking news that an NSA contractor had been arrested for stealing classified information. (More on these developments below.)
The security versus privacy event highlighted by the panel was about how another tech giant -- Apple -- dealt with a government order for access to personal data. Earlier this year, Apple balked at the FBI's demands to access an iPhone used by one of the shooters in the San Bernardino, Calif., terrorist attack that left 14 people dead. At the time, Apple CEO, Tim Cook, said the new software required to do so would be "a master key, capable of opening hundreds of millions of locks."
"Apple offered strong encryption to its users, and it was called every name in the book by the Department of Justice," said Cindy Cohn, executive director at the Electronic Frontier Foundation, a digital rights advocacy. "They got treated like they were a perp on the street." Apple's motion to dismiss the order became moot when the FBI found its own way into the device.
Complex, pervasive and persistent
It's no secret that the U.S. government wants tech companies to build backdoors into their technology. (And if every company is a technology company, no business is excluded.) Panelist Glenn Gerstell, general counsel for the NSA, laid out the reasons. He described hacking, cybercrime and terrorism as a "complex, pervasive and persistent" threat -- one that he expects the intelligence agency will be dealing with for decades. ISIS' use of end-to-end encryption, a method that ensures messages can't be tampered with in transit, has made intelligence gathering difficult. "It's definitely a problem," he said.
So is the threat from state actors. When Russian hackers infiltrate voter registration databases, the U.S. intelligence community has an information war on its hands that, theoretically at least, threatens the country's democracy, as another panel pointed out. "They didn't anticipate that the Russians would have the imagination, the enthusiasm, or the gumption to do what they are doing," said Stewart Baker, former assistant secretary for policy at the Department of Homeland Security, of his former employers.
But acquiescing to requests from the U.S. government to include backdoors could ultimately weaken the system, according to Daniel Weitzner, founding director of MIT's Internet Policy Research Initiative and principal research scientist at CSAIL. "What we know is that when, in the past, there have been efforts to build in backdoors to systems in order to strike the balance that you're looking for, ... those vulnerabilities are exploited to a great degree," he said.
The Edward Snowden revelations about the NSA's massive data collection program, ironically enough, has had a positive result, Weitzner said. According to their roadmaps, Google, Apple and other companies are planning stronger encryption and tougher security measures, "in order to show that they can withstand attacks even from the NSA," he said.
Besides, he said, "there are many, many more good guys than bad guys. Putting the good guys at risk just to catch the bad guys tends to be the wrong equation."
Gerstell interrupted him: "I disagree with the premise: I think we're already at risk."
And the debate rages on.
CIO news roundup for week of Oct. 3
While SearchCIO was listening to the security versus privacy debate, here's what was grabbing headlines:
Phone by Google. The search giant unveiled its new smartphones, Pixel and Pixel XL, at a media event in San Francisco on Tuesday. The devices designed and engineered by Google, signal the company's foray into the smartphone hardware production business and "shows that the company is willing to risk alienating partners like Samsung Electronics Co. and LG Electronics Inc. that sell Android-based phones," Bloomberg reported. With the inbuilt Google Assistant -- a Siri counterpart -- and running on Android's latest Nougat 7.1 operating system, which supports Google's Daydream VR, it could end up being iPhone's first real competitor, according to the report. Pixel's 12.3-megapixel rear camera, compared to iPhone 7's 12-megapixel camera, is the "highest rated smartphone camera," Google claims. Another area where Pixel stands to compete with iPhones is Google's offer of unlimited cloud storage for images and videos shot with the Pixel, compared to Apple's 5GB iCloud allowance.
Yahoo disclosure ignites privacy/security debate. The California-based company secretly scanned its customers' incoming emails for specific information requested by either the Federal Bureau of Investigation or National Security Agency, Reuters reported this week. Yahoo has described the report as "misleading." According to The New York Times, "A system intended to scan emails for child pornography and spam helped Yahoo satisfy a secret court order requiring it to search for messages containing a computer "signature" tied to the communications of a state-sponsored terrorist organization." The news comes two weeks after the company revealed that 500 million user accounts had been stolen in 2014 by hackers. Now Verizon, which recently agreed to buy Yahoo, is reportedly asking for a discount of $1 billion on the previously agreed-upon deal of $4.8 billion.
Former NSA contractor arrested. A federal government contractor with a top-secret national security clearance was arrested during an FBI raid on his home in late August and was charged with "theft of government property and unauthorized removal and retention of classified materials," according to a press release issued by the U.S. Attorney's Office in Maryland Wednesday. The contractor was identified as Harold Martin III of Glen Burnie, Md., a former Booz Allen Hamilton contractor working on behalf of the National Security Agency, The New York Times reported. His motives remain unclear. Edward Snowden, who leaked NSA documents on mass internet surveillance, also worked for Booz Allen.
'Coopetition' strikes again. Rivals VMware and Amazon Web Services (AWS) are teaming up to enable enterprise customers to run VMware software both on their own internal servers and on AWS' public cloud infrastructure, Fortune's Barb Darrow reported Wednesday. "With this news, VMware has performed an about-face on its AWS stance ... when [VMware CEO Pat] Gelsinger cautioned the company's partners that any computing workloads that went to Amazon were lost to VMware forever," Darrow wrote. The announcement will be made in San Francisco next Thursday. While details of the agreement were unavailable, the partnership could be similar to the one between VMware and IBM, she added.
Assistant editor Mekhala Roy contributed to this week's news roundup.
Edward Snowden on privacy in a networked world
CIOs consider security a priority in 2016, but not privacy
Consumer privacy in the age of big data