Cyber Week in Review: June 5, 2015
from Net Politics and Digital and Cyberspace Policy Program


Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

  • Roughly four million U.S. government employees will receive notifications that their personal information may have been compromised as a result of a data breach at the Office of Personnel Management. Unidentified sources cited in the Washington Post and New York Times are pointing the finger at Beijing, saying the hack was state-sponsored, though it’s unlikely to be the work of the People’s Liberation Army Third Department. In what has now become routine in these cases, China firmly rejected the accusation, with a Ministry of Foreign Affairs spokesperson calling it "irresponsible" and "unscientific." While some pundits blame China, the incident doesn’t really fit Beijing’s modus operandi, according to Rob. In any case, this and other recent hacking cases are likely to make for an awkward conversation at this year’s U.S.-China Strategic and Economic Dialogue, scheduled for later this month.
  • Apple CEO Tim Cook reaffirmed the company’s commitment to protecting privacy this week. In a speech at EPIC’s Champions of Freedom event, he said that “Apple doesn’t want your data” and reiterated Apple’s commitment to strong encryption. He also made a not-too-subtle dig at the Googles and Facebooks of the world who monetize user data. The speech was widely interpreted as a way for Apple to distance itself from its competitors as customers seek privacy-enhancing tools and are increasingly wary of having their data sold to marketers. The speech came the same week an FBI official testified before Congress bemoaning the increased popularity of encryption tools, arguing that tech companies should work with government to "prevent encryption above all else."
  • The Senate finally managed to pass the USA Freedom Act earlier this week, which President Obama signed into law. It is one of the first efforts to curtail the authorities Congress gave the NSA in the aftermath of 9/11. The Act amends the NSA’s call records program by requiring that the phone data be held by the telephone companies, which the NSA could only access after a specific request authorized by the Foreign Intelligence Surveillance Court. The Act also allows, for the first time, a privacy advocate to challenge certain government surveillance requests before the Court. This is probably the most important change to the law as it will allow government arguments before the FISC to be challenged. Predictably, civil liberties groups and Edward Snowden hailed the development, though they highlighted that much more work needs to be done to "rein" in the NSA.
  • The New York Times and ProPublica made a big splash this week when they released stories that asserted the "Obama administration has expanded the NSA’s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking." Using documents provided by Edward Snowden, their stories lay out how the NSA sought the Justice Department’s authority to monitor Internet traffic with a view to identifying signatures, such as Internet protocol addresses, domains or traffic patterns, to attribute malicious cyber actors. Some NSA and cybersecurity experts were unimpressed with the reporting. Ben Wittes at Lawfare thinks that the Times was sensationalizing the story. Jim Lewis at CSIS argues it’s impossible to just look for malicious traffic without capturing benign content.
  • Der Spiegel is reporting (in German) that Russian hackers may have been behind a recent cyber incident affecting the German Parliament’s networks. While German officials have not yet publicly attributed the incident or disclosed what information was compromised, sources in the Bundestag have told the Register that the attack was most likely state-sponsored.