Blogs

The dark web, a part of the Internet that promises relative anonymity by requiring specific software for access, is shrinking after years of defunct sites, exit scams, and indictments. A new generation of criminals, dissidents, and privacy enthusiasts, however, will likely revive it using stronger anonymizing protocols while also conducting more criminal activity on the clear web.

The dark web aims to hide its users’ web browsing, e-mail, and even instant messaging from law enforcement and oppressive regimes by using “The Onion Router,” or Tor software. A free web browser partially developed by the US government, Tor provides its users with free access to a worldwide network of thousands of relays maintained by volunteers. By encrypting user traffic and by bouncing it around the relay network at random, Tor obfuscates a user’s activity. This shielding enables users in countries with controlled media to anonymously access restricted information, such as the New York Times’ dark web site. This same anonymizing ability, however, also allows criminals to buy and sell narcotics, firearms, malware, stolen identities, and illegal pornography with a decent chance of not getting caught.

On the weekend of May 5, a month after a truce was agreed between Israel and Hamas forces in the Gaza Strip, violence again rose to levels not seen since 2014. Reports indicate that over 600 rockets were fired into Israel by Palestinian militants and were met by Israeli airstrikes on more than 300 targets. Upwards of twenty-three Palestinians and four Israelis were killed.

But the headlines from the weekend—at least in cybersecurity circles—focused on a single strike by the Israel Defense Forces (IDF) against an office building in Hamas territory. According to a May 5 tweet from the IDF, after successfully preventing an alleged Hamas cyberattack against Israeli civilian targets, IDF forces targeted and destroyed the building housing Hamas’s cyber capability.

A tweet can reveal your location, an Apple Watch monitors your health, a grocery chain loyalty card allows the supermarket to track your purchases. All of this constitutes what Michael Chertoff describes as “digital exhaust”—data that we constantly and unconsciously emit. The challenge this poses is how to protect that data in an increasingly interconnected world.


Even as governments grapple with this challenge, “we also should consider the next generation of technology that is going to support the Internet—and that is 5G,” said Chertoff, who served as secretary of the US Department of Homeland Security from 2005 to 2009.

In the year since the US Cyber Command was elevated to a unified combatant command there has been an “increase in clarity” on the US cyber strategy, specifically on the Department of Defense’s role, and an “alignment in the law,” US Air Force Brig. Gen. Timothy D. Haugh, commander, Cyber National Mission Force at US Cyber Command, said in Washington on April 23.

“What we are focused on in terms of military activities in cyberspace is…not about what the Department of Defense’s role is, it’s how can we enable our international partners, our domestic partners, and industry to be able to defend those things that are critical to our nation’s success,” said Haugh.

One of the United States’ top cybersecurity officials noted the progress the US government has made in engaging potential domestic and international targets of cyberattacks, but argued that “information sharing is the minimum bar” the federal government should clear. According to Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, “we have to get beyond information sharing… to operationalizing information security.”

Krebs, who spoke at the eighth annual International Conference on Cyber Engagement (ICCE) in Washington, DC, on April 23, argued that more action is needed to defend US businesses and critical infrastructures as hostile nation states are ramping up their attacks on US entities.

US and international cybersecurity officials called for greater international cooperation to combat Internet crime and malign cyber activity during the 8th annual International Conference on Cyber Engagement (ICCE) in Washington, DC, on April 23.

David Koh, who serves as commissioner of cybersecurity, chief executive of the Cyber Security Agency, and defense cyber chief in Singapore’s Ministry of Defense, called for likeminded nations to establish “a rules-based cyberspace based on applicable international law and the adoption of voluntary operational norms.” Koh argued that other global common spaces, such as maritime and aviation, are governed by complex international rule systems, and “cyberspace should not be any different from the physical domains.”

We have put almost everything out there in cyberspace—personal data, intellectual property, even access to the controls of critical infrastructure. And we have been woefully deficient in defending it. With each passing day, our nation faces an onslaught of cyber threats from various adversaries, including nation states.


The good news is that the White House and the Department of Defense (DoD) both have released closely aligned cyber strategies that stress the importance of tackling these threats head-on through partnerships with our allies, the private sector, and between agencies, to “defend forward, shape the day-to-day competition, and prepare for war.”

The Cyber 9/12 Strategy Challenge—the brainchild of the Atlantic Council’s Cyber Statecraft Initiative—got underway in London on February 11. The two-day event is a unique and innovative cyber crisis and policy response simulation. The UK edition is part of a wider Atlantic Council effort to foster the next generation of multidisciplinary cyber professionals.

“The UK government’s National Cyber Security Strategy is clear that more must be done for the UK to meet the future national demand. Much like the NCSC’s CyberFirst courses, Cyber 9/12 is an effective way to nurture the next generation of cyber security experts,” said Paul Chichester, director for operations at the National Cyber Security Centre in London.

Polish Prime Minister Mateusz Morawiecki on January 16 called for a collective Western response to cyber threats while urging allies to increase spending on cybersecurity.


“I call on you today and encourage your leaders and governments to spend more money on cyber warfare, as we do, on cyber soldiers to protect our Internet frontier,” Morawiecki said on the opening day of a two-day conference jointly hosted by PKO Bank Polski and the Atlantic Council in Warsaw, Poland.


“Our enemies will not wait,” Morawiecki said, adding, “They are arming up as we speak. Only a collective response will keep he threat at bay, and only a decisive one.”


The conference, “A New Initiative for Poland: A Future Global Leader in Securing the 4th Industrial Revolution,” seeks to deepen US-Polish ties by developing cybersecurity as a key pillar in the relationship.

British ‘Code of Practice for Consumer IoT Security’ draws on Atlantic Council report

Consumer Internet of Things (IoT) products are notoriously insecure. In October 2016, the Mirai botnet amassed a massive botnet army of IoT-connected devices, eventually used in a distributed denial of service (DDoS) attack that overwhelmed the capabilities of some of the largest Internet providers in the world and took down the Internet across the US East Coast. Mirai’s authors began building their tool as teenagers, amassing an IoT zombie horde using techniques known (and easily preventable) for decades. Unfortunately, the norm for IoT devices is lax security—simple, hardcoded (unchangeable) passwords, and operating systems that can’t be patched or updated with security protection.


    

RELATED CONTENT