Four things I’m reading this week:
Dispatches from the Front Lines: I’ve just returned from speaking at the Global Cybersecurity Summit in Kiev, Ukraine. It was a great event, with sharp debate around a range of topics. For instance, I had the opportunity to participate in a panel on AI and Machine Learning where we took apart many of the assumptions about AI that seem to infuse the cybersecurity community today, and focused instead on where machine learning really can help organizations protect themselves.
But perhaps the most compelling part of the experience was to be speaking at a conference while experiencing ongoing, determined, overt, and targeted exploitation. There has been plenty of coverage in recent months of the extensive cyber operations conducted in the Ukraine – let's just say that speaking there drives home the reality of the threat in very specific, personal ways. My colleague and fellow speaker Gregory Michaelidis wrote in more detail about the experience – it’s worth a read.
New Law Permits Lawful Hacking of Personal Devices: After only the briefest debate, a new law enacted as part of a broader criminal justice bill enables law enforcement to install malware on personal devices to capture private communications as part of ongoing investigations.
Sound familiar? Advocates in the U.S. have long feared that something like this would happen, except the new bill was passed by the Bundestag, and the law takes effect in Germany, not the United States.
The bill is intended to give new tools to German law enforcement in their fight against terrorism and struggle to pierce encrypted communications. There is already widespread criticism of the new authority, and the broadening debate is an important reminder to those of us that follow security issues here in the United States that we are not the only country grappling with this problem. It is worth watching how these new powers develop and are used in Germany, and remembering that every country faces this challenge, and will try to deal with it in its own way.
I'm reading: "New surveillance law: German police allowed to hack smartphones."
Speaking the Language of Security: A group of researchers from the NSA and the private sector have come together to craft an open standard for defensive responses to network threats. It’s an effort to help vendors and security tools talk to each other, and move defenders from being trapped in a slow, manual detection-and-response cycle into a machine-speed reaction.
It's only recently released into the public, and will need much more careful review, but this is definitely worth watching.