
GW CSPRI Newsletter

July 8, 2013

From the Cyber Security Policy and Research Institute of The George Washington University, www.cspri.seas.gwu.edu. This newsletter is a weekly summary of events related to cyber security policy and research, with a special focus on developments and events in the Washington, DC area. Faculty and student readers of this newsletter with new and important cyber security research to report (especially new papers or results by GW faculty and students) are encouraged to send notifications of this to cspriaa@gwu.edu. A short (up to three sentences) description of why you think the research is important is required.

Contents
Events
Legislative Lowdown
Cyber Security Policy News

Events
-July 9, 9:30 a.m. - 4:30 p.m., Privacy and Civil Liberties Oversight Board Workshop - The board, an independent agency within the executive branch established by Congress to advise the president of the United States and other senior executive branch officials to ensure that concerns with respect to privacy and civil liberties are considered, will conduct a public workshop with invited experts, academics and advocacy organizations regarding surveillance programs operated pursuant to Section 215 of the USA PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act. The workshop will be open to the public. The Board is contemplating moderated panel discussions with invited experts, academics, and advocacy organizations. Renaissance Mayflower Hotel, Grand Ballroom, 1127 Connecticut Ave. NW, in Washington. An article on the board and its newly appointed chairman appears here.

-July 9, 10:15 a.m., Cyber Espionage and the Theft of U.S. Intellectual Property and Technology - The House Commerce Committee's Subcommittee on Oversight and Investigations will hold a hearing. Witnesses will include Slade Gorton, former U.S. Senator from Washington State, commission member, Commission on the Theft of American Intellectual Property; Larry M. Wortzel, commissioner, U.S.-China Economic and Security Review Commission; James A. Lewis, director and senior fellow, technology and public policy program, Center for Strategic and International Studies; and Susan Offutt, chief economist, applied research and methods, Government Accountability Office. Rayburn House Office Bldg., Room 2123. More information.

-July 9, 1:00 p.m. - 5:00 p.m., Multistakeholder Meeting To Develop Consumer Data Privacy Code of Conduct Concerning Mobile Application Transparency - The Department of Commerce's National Telecommunications and Information Administration will host an event. American Institute of Architects, 1735 New York Ave., NW. More information.

-July 10, 8:00 - 9:30 a.m., Secured Space: What It Is, Who Has It and Who Needs It? - The Howard County Chamber of Commerce and GovConnects will host a discussion on the technologies available to protect your intellectual property from cyber theft. University of Maryland University College, Dorsey Station, 6865 Deerpath Rd., Elkridge, Md. 21075. More information.

-July 10, 6:00 p.m. - 9:00 p.m., NovaInfosec Meetup, East - An informal gathering of security professionals. NoVA Infosec is dedicated to the community of Northern Virginia-, Washington, DC-, and southern Maryland-based security professionals and whitehat hackers involved in the federal government and other regulated verticals like critical infrastructure, financial, and healthcare. Velocity Five, 8111 Lee Highway, Falls Church, Va. 22042. More information.

-July 15, 5:30 p.m. - 8:30 p.m., NoVA Hackers Association Meetup - This informal group of security professionals from around the NoVA/DC area coordinates one or two monthly events: an evening meetup with presentations on the second Monday of the month and various lunch or bar meetups. SRA International, 4300 Fair Lakes Ct., Fairfax, Va., 22033.

-July 16, 12 noon - 1:00 p.m., The Growing Importance of Trade Secrets - The D.C. Bar Intellectual Property Law Section will present a luncheon program which will explore the policies in place for using trade secrets to protect intellectual property values. Faculty experts Walter D. Davis Jr. of Axinn, Veltrop & Harkrider LLP and Jia Lu of Finnegan, Henderson, Farabow, Garrett & Dunner, LLP will highlight some of the most relevant policy changes and recent court decisions and provide participants with vital information to make better decisions about using trade secrets to protect intellectual property. D.C. Bar Conference Center, 1101 K Street NW, first floor. More information.

-July 16, 6:30 p.m. - 8:00 p.m., ISSA DC Meetup - Through its meetings and other events, the chapter fosters professional development and support for computer and information security professionals. Membership is open to practicing security professionals or to those with an interest in the profession. New members are always welcome; please feel free to attend one of our open meetings or to contact the chapter for more information. Center for American Progress, 1333 H Street, NW. More information.

-July 17, 1:00 p.m., Communicating Cyber Risks to Business Leaders - In this Webcast, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Booz Allen Hamilton executive vice president Thomas Sanzone and principal Sedar Labarre will discuss how CISOs can communicate with their business leaders when it comes to investing in cyber risk solutions. More information.

-July 18, 12 noon - 1:00 p.m., Cyberwar, Without the Magical Thinking - In this free Webcast event, attorney Stewart Baker from Steptoe & Johnson will discuss ongoing improvements in attribution and that "we have a growing ability to identify and eventually to deter attackers by exploiting their inevitable security errors." Stewart maintains that identifying and punishing intruders must be a major part of any cyberwar or cyberespionage technological strategy. Secure systems, he argues, should seek not so much to lock out attackers as to force them to make such heavy investments that they put at risk their own anonymity and their own networks: That means more digital dyepacks and network mantraps, he asserts, not stronger network walls. National Science Foundation, Stafford I Room 110, 4201 Wilson Boulevard, Arlington, VA. More information.

-July 18, 3:30 p.m. - 5:00 p.m., A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 - Frank Cilluffo, director of The George Washington University's Homeland Security Policy Institute, will moderate a discussion with Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, to explore the findings in this first book on the history of cyber conflict. The George Washington University, The Alumni House, 1918 F St., NW. More information.

Legislative Lowdown
-A draft directive outlining minimum jail terms for some crimes was adopted by the European Parliament on 4 July, the BBC reports. The directive says those found guilty of running a botnet of hijacked home computers should serve at least three years in jail. It also seeks to improve cooperation between member states to investigate crimes and prosecute offenders. The directive builds on Europe-wide rules that have been in force since 2005 but introduces new offences that cover use of a botnet, the theft of confidential details such as passwords and use of tools that make cybercrimes possible.

Cyber Security Policy News
-Revelations of U.S. spying on Chinese universities and businesses risk undermining cybersecurity talks with China scheduled for this week, according to The Hill. The Obama administration had hoped to press China on the issue during the fifth round of the U.S.-China Strategic & Economic Dialogue. Instead, it finds itself on the defensive amid former contractor Edward Snowden's allegations that the National Security Agency has been spying not only on the Chinese government but on universities, students and businesses as well. President Obama put newly elected Chinese leader Xi Jinping on notice when he hosted him at Sunnylands in California last month and explained that the United States wants an end to Chinese hacking. Next week's summit was expected to be an opportunity for officials from the State and Treasury departments to make concrete progress on that front. The New York Times carries a story noting that while he was employed at the National Security Agency in 2010, Snowden took a course that trains security professionals to think like hackers and understand their techniques. The Times observes that the certification, listed on a résumé that Mr. Snowden later prepared, would also have given him some of the skills he needed to rummage undetected through N.S.A. computer systems and gather the highly classified surveillance documents that he leaked last month, security experts say.

-Using the July 4 Independence Day as a backdrop, Reddit, Mozilla and a host of other websites launched an online protest against the National Security Agency's alleged sweeping surveillance of telephone records and Internet traffic, CNet writes. Rather than going black, like many sites did during the 2012 protests of Congress' Stop Online Privacy Act, or SOPA, these sites prominently displayed a Fourth Amendment banner. The banner quoted the text of the amendment, which says, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." Additionally, site visitors were asked to sign an online petition, e-mail Congress, or join street protests. A group called Restore the Fourth organized the street demonstrations in nearly 100 U.S. cities, including New York, Washington, D.C., and San Francisco.

-U.S. courts have issued conflicting rulings on whether federal law enforcement agents need probable-cause warrants from judges to track a suspect's cell phone, according to Wired.com. "Federal law enforcement agents have been using warrantless cell-tower locational tracking of criminal suspects in the wake of the Supreme Court's ruling 18 months ago that they need probable-cause warrants from judges to affix covert GPS devices to vehicles," Wired's David Kravets writes. "The legal crossroads comes as a record number of Americans are embracing mobile phones, which are a de facto style of tracking device consumers willingly place in their pockets and purses."

-European privacy watchdogs are ordering Google to rewrite its privacy policy or face legal sanctions, The Guardian reports. The move follows similar complaints to the US company last month from the equivalent organizations in France and Spain, and ratchets up the attention over its handling of the huge amounts of personal data that it collects from users every day. Google has already been censured in Europe over its collection of Wi-Fi data, including usernames, passwords and web page viewing while collecting photos for its Street View system. Both European privacy authorities and US legislators have demanded clarification from the company about the data protection implications of its Google Glass head-mounted system, which can take pictures and video without onlookers knowing. Now, the Information Commissioner's Office in the UK says that the new privacy policy, introduced in March 2012, raises "serious questions" about compliance with the UK Data Protection Act, and has given Google until 20 September to recast it.

-The National Institute of Standards and Technology on Wednesday released a draft of its new cybersecurity playbook (PDF) that teaches businesses how to defend themselves from hackers. This is the first time we've had a chance to assess President Obama's efforts at crafting a national cybersecurity policy since he signed an executive order on the issue in February. The National Journal reports that the draft guide presents companies with a rubric of sorts to score themselves. Companies will be asked to evaluate their security along five "functions": know, prevent, detect, respond, and recover. Think of each function as a layer of defense: you can't prevent attacks, for instance, until you know what assets you've got and what your vulnerabilities are. And you can't effectively respond to a cyberattack unless you have the capability to detect one.

The Cyber Security Policy and Research Institute (CSPRI) is a center for GW and the Washington area to promote technical research and policy analysis of problems that have a significant computer security and information assurance component. More information is available at our website, http://www.cspri.seas.gwu.edu.
