Cyber Week in Review: October 14, 2016
from Net Politics and Digital and Cyberspace Policy Program


Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. The United States weighing its options. After publicly accusing Russia of attempting to interfere with U.S. elections, the White House stated that it was mulling a “proportionate” response but remained mum on what it could look like. That’s led to a lot of speculation. My sense is that the White House will want to respond via non-cyber means given the challenges associated with controlling escalation in cyberspace. Former NATO Supreme Allied Commander James Stavridis argues that the United States should expose the Russian officials behind the compromises and their tools. Over at Lawfare, Jack Goldsmith speculates that the U.S. response could be covert but notes that such action would undermine the United States’ vaunted attempts at deterring potential adversaries. It is impossible to deter third parties when they can’t see the action the United States may take in response to the hack. If the White House is looking for more options, it might want to read this Council on Foreign Relations brief, which addresses the challenges with developing a proportionate response to a cyber incident.

2. The Microsoft-Ireland case may not be over. The Department of Justice wants the Second Circuit of the federal court of appeals to rehear the Microsoft-Ireland case. Microsoft won a significant legal victory this summer when the Second Circuit decided the company did not have to hand the U.S. government data stored on a server in Ireland. Justice Department lawyers want the full Second Circuit to hear the case, arguing that this summer’s decision significantly limits “an essential investigative tool used thousands of times a year, harming important criminal investigations around the country, and causing confusion and chaos among providers as they struggle to determine how to comply.”

3. Europe to push for internet of things (IoT) regulations. The European Commission is preparing to introduce legislation that will seek to improve the cybersecurity of internet-connected devices. The legislation will create tougher security standards and a certification process for labeling IoT devices in a manner similar to energy consumption ratings. IoT devices have been getting a lot of bad press recently. Computer security reporter Brian Krebs had his website bombarded with junk internet traffic largely thanks to internet-connected cameras. Many IoT device manufacturers don’t think about the security of their products and don’t provide security updates once vulnerabilities have been found.

4. That internet kill switch is probably a bad idea. A recently released Brookings report argues that state-imposed internet shutdowns cost billions in lost productivity and economic activity. According to the report, over $2 billion was lost last year due to internet shutdowns. Surprisingly, authoritarian regimes are not the only ones pulling the plug. Last year, Indian authorities cut off internet access twenty-two times and Iraq regularly disconnects at the end of each school year to stem cheating on final exams. In India, where internet-related goods and services account for 5.6 percent of gross domestic product, internet shutdowns cost $968 million in 2015.

5. The Group of Seven (G7) agrees to cybersecurity rules. Will banks listen? Following the Bangladesh Bank heist, G7 countries announced that they had agreed on a set of cybersecurity guidelines for banks. The G7’s new guidelines instruct governments to cooperate in continually monitoring and updating cybersecurity systems, both for the governments themselves and the companies they regulate. They also encourage banks and financial institutions to share information about their cybersecurity challenges. This last piece may be the most critical, as Reuters states that the vast majority of incidents at British banks are not reported, even as banks are becoming ever more conscious of the brand damage caused by cybersecurity breaches.