Tag Archives: counterfeit

SEC Urged to Give Stronger Guidance on Cyber Disclosure

By Elizabeth Wasserman
Bloomberg

A U.S. Senate leader asked the new Securities and Exchange Commission chairman to give more authoritative guidance to companies on disclosing cyber attacks, saying reporting so far is “insufficient.”

“While the staff guidance has had a positive impact on the information available to investors on these matters, the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices,” Senate Commerce Committee Chairman Jay Rockefeller said in a letter today to agency Chairman Mary Jo White.

“The SEC should elevate this guidance and issue it at the Commission level as well,” Rockefeller wrote to White, who was confirmed April 8. Rockefeller, a West Virginia Democrat, convinced the SEC to issue staff-level guidance to companies on cybersecurity in October 2011.

The SEC declined to comment before White responds to Rockefeller, John Nester, an agency spokesman, said in an e-mail.

The 27 largest U.S. companies disclosing cyber attacks to the SEC this year all said they sustained no major financial losses, according to a Bloomberg review of company filings. The reports contrasted with statements from U.S. government officials who say billions of dollars in corporate secrets are being stolen.

“Investors deserve to know whether companies are effectively addressing their cybersecurity risks — just as investors should know whether companies are managing their financial and operational risks,” Rockefeller said in the letter to White. “Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cybersecurity efforts seriously.”

‘Malicious Actors’

Rockefeller in May 2011 wrote to then-SEC Chairman Mary Schapiro pointing out the growing risk posed to U.S. companies by “malicious actors” who “attack and disrupt computer networks to steal valuable trade secrets, intellectual property, and financial and confidential information.”

He asked the SEC to develop and publish guidance to clarify disclosure requirements pertaining to “information security risk, including material information security breaches involving intellectual property or trade secrets.”

The SEC then advised publicly traded companies to disclose to investors the threat and potential impact of cyber attacks that pose a “specific and material” risk.

Rockefeller has since pushed legislation to make the SEC issue stronger guidelines for disclosing risks of cyber attacks, urging that it be included in cybersecurity legislation in 2012. That measure died in the Senate.

In 2012 annual reports filed with the SEC, companies including MetLife Inc. (MET), Coca-Cola Co., and Honeywell International Inc. (HON) were among the 100 largest U.S. companies by revenue to disclose online attacks. Citigroup Inc. reported “limited losses” while the others said there was no material impact.

Attack Origin

The SEC staff is interested in knowing the origin of cyber attacks, including whether the intruder is a competitor, foreign government or hacker group, Mark Kronforst, the SEC’s associate director for disclosure operations, said at a panel discussion in Washington April 5. The staff also wants to know when an attack isn’t discovered by the company and found by a third party.

The SEC staff hasn’t asked those questions in correspondence with public companies, Lona Nallengara, the SEC’s corporation finance director, said in an interview after the panel discussion.

“If you’re an investor and you want to see the company you are investing in is adequately protected against cyber attack, you’d want to know did their systems detect it?” Nallengara said. “Did they know they got breached? Or did they find out a month later when someone told them that we found records this came from your company?”

Information about the source of an attack could yield insight into whether it’s material to investors, Nallengara said. “Is it a competitor? Someone seeking your proprietary information or your technology. Or on the contrary, is it someone simply out to destroy or simply not motivated by financial gain?”

Disclosure about specific attacks “is still fairly rare at this point,” Kronforst said on the panel discussion.

Pentagon Defends Weapons Despite Chinese Hacks

The U.S. Defense Department said its weapons systems give it a “technological edge” despite a report that found many of the designs have been compromised by Chinese hackers.

“We maintain full confidence in our weapons platforms,” Pentagon spokesman George Little said May 28 in an e-mailed statement. “Suggestions that cyber intrusions have somehow led to the erosion of our capabilities or technological edge are incorrect.”

Little was responding to an article in The Washington Post that detailed the existence of a classified section of a Defense Science Board report listing more than two dozen compromised systems, including the F-35 Joint Strike Fighter, the Littoral Combat Ship, and the Aegis Ballistic Missile Defense System.

The platforms are among the most critical in the U.S. government’s weapons portfolio and made by its biggest defense contractors, including Lockheed Martin Corp., based in Bethesda, Md., and General Dynamics Corp., based in Falls Church, Va.

The electronic intrusions may allow China to build similar products in less time, saving it billions in development costs, and to develop better countermeasures, giving it a potential advantage during a conflict, according to the article.

The January report by the Defense Science Board, a panel of government and civilian scientists and experts, didn’t specify the timing and extent of the attacks, or whether prime contractors or subcontractors were targeted, according to the article. But it did find that the Chinese also sought to exploit military technologies such as directed energy, aerial drones and satellite communications.

A Chinese espionage group since 2006 has stolen hundreds of terabytes of information from at least 141 companies across 20 major industries, including aerospace and defense, according to a February report from Mandiant, a closely held company based in Alexandria, Va., which sells information-security services.

The Pentagon in its latest annual assessment of China’s armed forces for the first time blamed China directly for targeting its computer networks. The attacks were focused on extracting information, including sensitive defense technology.

“In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” it states. “The accesses and skills required for these intrusions are similar to those necessary to conduct computer network attacks.”

That document also concluded that the People’s Liberation Army, or PLA, considers the strategy of “information dominance” a critical form of defense against countries that it views as “information dependent,” such as the U.S.

China called the accusations “groundless” and “not in line with the efforts made by both sides to strengthen mutual trust and cooperation,” according to a May 9 article published on the state-run website, “People’s Daily Online.” The country is a “victim itself of cyberattacks,” it states.

President Barack Obama is expected to discuss the issue during his meeting next month with President Xi Jinping.

A bill sponsored by Rep. Mike Rogers, R-Mich., chairman of the House Intelligence Committee, would make it easier for intelligence agencies to share information with the private sector. The legislation, Cyber Intelligence Sharing and Protection Act, H.R. 624, has been referred to the Senate Intelligence Committee.

The Pentagon wants to better protect its networks from attack and asked Congress to increase funding for so-called cyberspace operations 21 percent to $4.7 billion in fiscal 2014, which begins Oct. 1.

The military over the next three years plans to hire more military and civilian personnel and contractors at U.S. Cyber Command. It would also fund efforts to automatically detect vulnerabilities on classified networks, buy software that looks for suspect files, and support other operations to “detect, deter and, if directed, respond to threats,” according to an overview of the budget.

“The Department of Defense takes the threat of cyber espionage and cyber security very seriously, which is why we have taken a number of steps to increase funding to strengthen our capabilities, harden our networks, and work with the defense industrial base to achieve greater visibility into the threats our industrial partners are facing,” Little said in the statement.

China Denies Oz Spy Agency HQ Cyber-Attack

China has denied it was behind a cyber-attack on Australia’s new intelligence agency headquarters.

Local media had reported Chinese hackers were responsible for the cyber-theft of top secret blueprints that would make the building and those within it vulnerable to international espionage.

An investigation by the Four Corners current affairs television programme had said the cyber attack on a contractor involved with building the new Canberra HQ of the Australian Security Intelligence Organisation (Asio) had been traced to a server in China.

However, China – Australia’s largest trading partner – has denied responsibility.

China foreign minister Hong Lei said: “Because the (source of the hacking) is untraceable, it is difficult to identify the source of the cyber attack and it is also difficult to identify the hacker.

“So I do not know where the evidence comes from that the relevant reports say is so reliable. Groundless accusations cannot solve the issue.”

Australian government ministers have refused to confirm the attack, but say relations with China would not be hurt should the incident have taken place.

Foreign Minister Bob Carr said the government was “very alive” to the threat of cyber attacks on national security, adding “nothing that is being speculated about takes us by surprise.”

“I won’t comment on whether the Chinese have done what is being alleged or not,” he said.

“I won’t comment on matters of intelligence and security for the obvious reason – we don’t want to share with the world and potential aggressors what we know about what they might be doing and how they might be doing it.”

State broadcaster the Australian Broadcasting Corporation, responsible for the Four Corners programme, said the documents taken by hackers included cabling layouts for the huge building’s security and communications systems, its floor plan and its server locations.

Mr Carr insisted that the relationship would not be damaged by the allegations, which follow several other hacking attacks on government facilities in the past two years.

“It’s got absolutely no implications for a strategic partnership,” he said. “We have enormous areas of cooperation with China.”

The Four Corners programme cited security experts as saying the cyber theft made the agency vulnerable to remote spying and had probably delayed the opening of the building.

Des Ball, from the Australian National University’s Strategic and Defence Studies Centre, said: “Once you get those building plans you can start constructing your own wiring diagrams, where the linkages are through telephone connections, through wi-fi connections.”

The report, which did not say when the alleged theft took place, comes amid deepening concern about aggressive state-sponsored hacking by China.

In 2011, the computers of Australia’s prime minister, foreign minister and defence minister were all suspected of being hacked, with the attacks reportedly originating in China.

At the time, Canberra said cyber attacks had become so frequent that government and private networks were under “continuous threat”.

Beijing dismissed the allegations as “groundless and made out of ulterior purposes”.

Earlier this year, computer networks at the Reserve Bank of Australia were hacked, with some said to be infected by Chinese-developed malware searching for sensitive information.

In 2012, Chinese telecoms giant Huawei was barred from bidding for contracts on Australia’s ambitious £23bn broadband rollout due to fears of cyber attacks.

New wave of cyber attacks on US ‘traced to Iran’

A new wave of cyber attacks on US companies has been traced to Iran, American officials told The New York Times.

Security experts said Friday they believed the main goal of the digital weapons, which targeted oil, gas and electricity companies, was sabotage, not espionage.

The fresh attacks “were devised to destroy data and manipulate the machinery that operates critical control systems, like oil pipelines,” the newspaper reported. An official described them as “probes that suggest someone is looking at how to take control of these systems.”

Officials were unclear whether the activity was state-sponsored. The Islamic Republic’s highly-centralized control over the Internet, however, made it hard to imagine the activity went on without the government’s knowledge, officials added.

Government leaders also confirmed on Friday a previous Wall Street Journal report that fingered Iran for the attacks.

Investigators began examining the attacks a few months ago, prompting Homeland Security officials to compare the threat to the computer virus that hit Aramco, Saudi Arabia’s largest oil producer, last year. Some 30,000 computers in the Saudi state-owned company were said to be destroyed in the incident.

Iran, for its part, has denied being behind any of the attacks. The spokesman for the country’s mission to the UN, Alireza Miryousefi, responded earlier this week to claims about involvement in the Saudi Arabian digital attacks by stating Iran wasn’t involved in that type of activity and that it has always maintained positive relations with its Persian Gulf neighbors.

Meanwhile, fears of cyber attacks have made legislators in Washington, D.C. consider enacting laws that would help thwart viruses and other cyber threats. The House of Representatives, for example, recently passed a bill, the Cyber Intelligence Sharing and Protection Act, which encourages information sharing on threats between the government and private sectors.

US security experts have warned, however, that legislation promoting information sharing isn’t nearly enough to prevent malicious cyber attacks, which have become savvier and adept at penetrating computer systems.

Rep. Adam Schiff, a House Intelligence Committee member who represents California, told CNN Friday that officials were seeing “disturbing indications” that Iranian-linked groups were targeting US infrastructure.

“The Iranians seem less interested in stealing our military secrets or stealing how we’re going to make the next Apple product,” Schiff told the news outlet. “They’re more interested in probing our vulnerabilities – our financial structure vulnerabilities, our critical infrastructure vulnerabilities, so they can attack us – literally shut down, manipulate – cause an industrial accident.”

Cyber security expert Eugene Kaspersky says cyber ‘hactivists’ the greatest threat at next year’s G20 Summit

INTERNATIONAL cyber spies loom as one of the biggest security threats at next year’s G20 summit in Brisbane, according to one of the world’s leading security experts.

Eugene Kaspersky, once voted the world’s most powerful security executive, said espionage was a very real risk at the G20, to be held in November next year.

In 2011, more than 150 French finance ministry computers were affected by an electronic attack targeting the G20 in Paris.

Chinese spies were blamed for the scandal as investigators traced the attack back to Chinese computer servers, but nothing was ever proven.

On the Gold Coast yesterday for the annual AusCERT security conference, Mr Kaspersky said electronic attacks could wreak havoc at G20.

“Everything is at risk,” he said.

“The threat of espionage attacks on high-profile summits (such as the G20) is very real. Critical infrastructure, computer systems, it is a very serious situation.”

Security at the Brisbane G20, set to feature some of the world’s most powerful leaders, will be amongst the most stringent for any event ever held in Australia.

More than 5000 police officers, including special covert surveillance teams, will be on duty throughout the summit.

However, Mr Kaspersky said governments were yet to recognise how much damage computer terrorists and “hactivists” could inflict.

“They have other issues which they see as more critical, but cyber risks are getting more and more. Human nature shows they do not pay enough attention to the problem until there is a catastrophe.”

He pointed to recent black-outs and internet meltdowns in the US and Europe as examples where criminals could cause major disruptions.

However, he was heartened to see the British government invest heavily in defences against computer crime in the lead-up to last year’s London Olympics.

That followed the massive espionage scandal rocking the 2011 G20 in Paris.

Internationally, many governments remain paranoid about espionage and spies stealing top-level government secrets.

Just this month, a US embassy staff member in Moscow was arrested on suspicion of espionage activities.

The lead-up to the 2010 G20 summit in Canada also saw massive spy operations involving police and undercover agents targeting potential agitators in the months before the Ontario forum.

Cryptography Research to Speak on Anti-Counterfeiting IC Design Techniques at DATE 2013 Conference

At a recent conference, a cryptography researcher talked about new design methods for preventing counterfeit chips. Counterfeiting is a growing problem in the electronics industry, as a record number of counterfeit-part incidents presented a $169 billion risk. It is important that the new designs are very effective so that the industry remains functional.

PRESS RELEASE

March 20, 2013

Cryptography Research (CRI) Technical Director Benjamin Levine will lead a presentation on design methods to prevent counterfeit chips at the Europe Design, Automation & Test (DATE) Conference 2013.

During his talk, Mr. Levine will highlight multiple anti-counterfeiting techniques based on the inclusion of dedicated security logic, while pointing to specific reverse-engineering methodologies often undertaken by counterfeiters.

The presentation is part of a larger DATE 2013 track on anti-counterfeiting, which represents a significant and growing concern within the electronics industry as a record high of 1,363 counterfeit-part incidents were reported worldwide in 2011, representing a $169 billion risk.

Presentation Details:

Title: ANTI-COUNTERFEITING TECHNIQUES IN IC DESIGN

Time: 5:30 p.m. – 6:00 p.m. GMT

For additional details, visit: www.cryptography.com

About Cryptography Research

Cryptography Research (CRI), a division of Rambus Inc., is a leader in semiconductor security research and development. Established by internationally renowned cryptographer Paul Kocher, CRI develops and licenses innovative technologies in areas including tamper resistance, content protection, anti-counterfeiting, network security, and financial services. Over seven billion security products are made each year under license from CRI. Security systems designed by CRI scientists and engineers protect hundreds of billions of dollars in commerce annually.