NYC Cyber Command’s NYC Secure Initiative Will Protect New Yorkers’ Wireless Data
HACK NYC 2018 kicked off its 3-day conference on May 8 with details of New York City Cyber Command’s plan to launch NYC Secure by the end of 2018. This new citywide initiative will feature a free mobile app that will protect the wireless data of the city’s 8.4 million residents and a new technology that will protect individuals who use the city’s public Wi-Fi network.
The free app will send notifications to users’ Apple or Android smartphones when suspicious activity is detected on their devices. It will do this without requiring personal information from their phones.
“Users will receive recommendations on how to protect themselves, such as advice when disconnecting from a malicious Wi-Fi network or navigating away from a compromised website or un-installing a malicious app,” stated Mike Krygier, New York City Cyber Command’s Deputy Chief Information Security Officer of Urban Technology. “The app won’t take actions on your phone by itself. It will just advise you.” The app will be available to Apple and Android users in their online stores.
NYC Secure will also focus on Wi-Fi protection. “We’re adding a new layer of world-class protection to strengthen our city’s public Wi-Fi network,” Krygier said. “We’ve partnered with the non-profits, the Global Cyber Alliance and Quad9, to leverage the internet’s domain name system for protection.”
This partnership will help protect users who are browsing the internet using the city’s guest wireless networks from getting victimized by websites known to spread malicious software (e.g., ransomware and phishing sites).
The group will check the domains (websites) people visit on their smartphones against 18 public and private threat intelligence providers that Quad9 brought together. “If a website turns out to be malicious, Quad9 will keep the device from connecting to domains that contain malware,” Krygier shared.
It will do this without storing any personally identifiable information (PII) and will adhere to the highest privacy standards.
As Deputy CISO of the NYC Cyber Command’s Urban Technology Department, Krygier handles the cybersecurity of the Internet of Things and smart cities’ technologies, including the 1,200 LINK NYC Wi-Fi kiosks and the city’s 800,000 smart water meters. He also oversees the critical infrastructure security of the city’s fresh water and wastewater systems, building management systems, 12,000 signalized intersections, its next generation 911 Project and network vulnerability management.
In addition to Urban Technology, NYC Cyber Command includes three other divisions: Threat Management operates the city’s 24X7 security operations center; Security Sciences and Engineering designs, delivers and builds the security infrastructure; and the City and Governance Division handles policy and compliance.
The Debate Over Digital Privacy and Public Safety Continues
During HACK NYC’s May 8 roundtable discussion, “Digital Evidence: A Double-Edged Sword,” three panelists shared their views on balancing U.S. citizens’ privacy with protecting society when law enforcement agencies obtain digital evidence from mobile phones, laptops, servers, computers and other electronic devices to catch criminals: Lt. Col. James Emerson, USMC (Ret.), chairman of the Computer Crime and Digital Evidence Committee with the International Association of Chiefs of Police; Richard Jacobs, FBI Assistant Special Agent in the New York Division’s Cyber Branch field office; and Tor Ekeland, an attorney who oversees the Computer Law and Trial Practice at Tor Ekeland Law PLLC.
Here are some highlights of the event, during which the panelists discussed “going dark,” back doors and the U.S. Constitution.
The Challenges U.S. Law Enforcement Agencies Face Today
“Increasingly, we see all kinds of rapid change and complexity as we're confronting change in technology and everything is produced by technology. The difference is there's a legal end game for us with regard to taking data away from a system and presenting it in a viable way, defensible way in a piece of litigation. But the speed and the volatility of what we're dealing with is becoming quite a challenge to everyone,” Emerson said.
“And at the same time, increasingly we're confronted with this term you may have read in the media ‘going dark.’ Typically, it’s got military origins. Essentially to us it means we're losing access. Now, it's not just technical. From the perspective of what's happening for us there are legislative challenges that are in front of us,” Emerson continued.
He stated that GDPR, along with third-party cloud storage, complicates evidence-gathering when authorities try to build a criminal case against a person. “This whole notion of cloud means that evidence could be anywhere on the planet at any given moment in time...”
The NSA’s Surveillance Activities Raised Privacy Issues
“And the truth of the matter is that a lot of the civil society--us--woke up in the aftermath of this event (National Security Agency contractor Edward Snowden’s revelations in 2013 that the NSA conducted internet and phone surveillance on Americans) and started to really pay attention to privacy advocates, civil libertarians and what they were talking about,” commented Emerson.
It was ironic, he stated, that Snowden’s revelation materialized around the same time the U.S. government published an information-sharing strategy and enacted the Cybersecurity Act of 2015 to share cyber threat information between federal and non-federal entities.
Emerson also noted that law enforcement resources are limited at the local, state, tribal and territorial levels, specifically when it comes to surveillance. “73 percent of those agencies are less than 25 officers or deputies and when you've got an organization that's small, it's a small business. And you wouldn't expect as much more sophistication than you would out of the family-run Dunkin’ Donuts or 7-Eleven when you're trying to get an agency to put somebody in a car to respond to a call to do basic non-technical things day in and day out.”
He also said that law enforcement follows quality management initiatives from the National Commission on Forensic Science.
Technology Makes it Hard to Collect Evidence
“The FBI for many years now has been very vocal on the issue of ‘going dark’ and the problems that law enforcement as a whole faces when it comes to today's capturing of digital evidence and what we expect in the future. It is not just an FBI problem. We are advocating on behalf of the entire law enforcement community. Quite frankly, when we're dealing with things like phones or laptops we have our share of devices that we may need to access at some point in connection with our cases. But by and large, state and local law enforcement officials are dealing with much more than we are because they're making arrest after arrest on the streets every day,” said Jacobs, who runs the largest FBI field branch, which conducts cyber investigations and goes after illegal hacking, stolen data and other activities on the national security and criminal sides.
“So the challenges today are much of the evidence that is valuable to our cases is stored on electronic media, be it a computer or a server, a phone. With the advancement of technology, as you know, we are very limited even with a lawful court order in terms of what we're able to obtain. I want to be clear though, keep in mind perspective. This is not about law enforcement or government versus the citizenry by any means. In many ways we are all on the same team. Remembering that our job is to protect society. It’s to go after people that are doing others harm and taking them off the street. To do that, we need to have a very strong case in order to get those individuals convicted and put in prison.”
Should the U.S. Have a Law Requiring Companies to Give Law Enforcement Access to Mobile Devices?
Jacobs stressed that the FBI needs “a lot of evidence” to build a case to get a criminal convicted and in many situations this evidence is stored on a phone or computer. If the agency cannot use a court order to get a vendor like Apple to provide access to a user’s phone to obtain that evidence, the agency has to look “elsewhere,” and it may not yield anything that can help build a case.
But a mandate requiring manufacturers to give law enforcement access to their devices so it can access a person’s digital data is not one the FBI will create.
“So it's very concerning to us, but it is not a decision that the FBI or any law enforcement agency is going to make. It is not a decision that any company, Apple or otherwise is going to make. It is a decision that society is going to make in conversation with their congressmen because this ultimately needs to be legislation or regulation that is passed by Congress or some agency. As a citizen, I am equally as concerned about encryption as anyone else,” Jacobs said.
Ekeland stated there is no simple answer to “how do we balance our society's commitment as embodied in the Constitution of individual privacy against legitimate needs of law enforcement without messing up that equation.”
He contended that the framers of the U.S. Constitution wrote the Bill of Rights to limit the power of the state with the First Amendment, Second Amendment, Third Amendment and “all the way through.”
“So, the issue that I have with, say, back doors to everyone's device that law enforcement can just access or a company can just hand over is not a new concern. The technology is new, but the concern is very old and it goes back to what we fought the Revolution in this country over. And that is the power of the state to access your information. And it is a balancing act I think because there can be an individual situation where law enforcement needs to get into a phone to prevent some kind of harm...”
He proposed that an actual incident that requires law enforcement to access a person’s digital device might have to take place to weigh society’s rights over individual privacy.
“I can't think of a concrete example of that ever having happened yet...but it may be the situation where the balancing act is such as that we actually have to let that harm happen to balance it against the privacy rights of society.”
The attorney cited China’s use of biometrics and data mining to aid in the surveillance of its residents as an example of the power of a state over personal privacy. Jacobs countered that the FBI works in accordance with the Fourth Amendment to obtain a lawful court order when it needs access to stored information.
He emphasized that except for the San Bernardino situation that publicized the FBI’s efforts to get Apple to give the agency access to shooter Syed Rizwan Farook’s iPhone through a court order, the agency has “not had an issue” in what it can obtain from court orders to access evidence on phones associated with kidnapping and terrorist incidents that take place “every single day, around the country.” He also disagreed with the comparison of the U.S. to China.
“We're dealing with a communist state with no rules versus law enforcement in the U.S. acting in accordance with the U.S. Constitution. They are two totally different things,” Jacobs stated.
The FBI’s Data Collection Methods
Ekeland cited the FBI’s history under the organization’s founder J. Edgar Hoover and his illegal surveillance activities known as “black bag” jobs. He also mentioned the 1976 Church Committee Report that documented the FBI and NSA’s surveillance of Americans and led to the creation of the Foreign Intelligence Surveillance Act (FISA).
He also referenced the FBI forensics lab “falsifying evidence, going on the stand, testifying falsely against witnesses and putting innocent people in jail” in the 1990s.
He added that a magistrate judge “generally rubber stamps search warrants” and “warrants were considered to be an exceptional circumstance” in the context of the Fourth Amendment’s history.
Ekeland voiced his concerns about Rule 41(b) of the Federal Rules of Criminal Procedure for the Fourth Amendment, saying that “under certain circumstances it allows law enforcement to hack into a computer outside the jurisdiction where the warrant to do so was obtained.”
“How many people in this room are aware that under federal Criminal Rules of Procedure 41 the FBI could put malware, you know, getting a search warrant from a magistrate judge, put malware and surveillance software on your computer if they suspect your computer is being used in some kind of crime. You can be completely innocent of the crime, but say if there was a bot on your laptop. How many people are aware that the FBI if they can go to a magistrate judge and say, put surveillance software on your laptop,” Ekeland shared.
Jacobs acknowledged the FBI received negative media attention recently but he and his colleagues avoid politics and drama.
“I've been in the FBI now for 20 years. I have gotten many search warrants, I served many subpoenas...I will tell you, okay, from my experience, having worked there every day for 20 years, that everything we have done, and granted there are 10,000 agents around the world. That's the 30,000 employees around the world. I can't speak for every single person around the world. What I can say is, dishonesty is an anomaly. Yes, it happens. It's an anomaly, it's not institutional. From everything that I have seen and been involved with in the past 20 years, we have done it correctly, in accordance with the law.”
He emphasized the FBI conducts a lot of internal vetting with its legal department with chains of command to ensure the agency has the “right” burdens of proof and the “right” facts in evidence in a document and application before it goes before a judge.
“And again, we have had search warrants, we have had subpoenas shot down by a judge because we didn't have enough or it wasn't compelling enough. We were forced to go back and investigate more before you can go back and get that warrant. So there are plenty of checks and balances and I don't want to give you the impression that we literally stand up before a judge because we felt like it that morning, raise our right hand and basically the judge says, 'Yes, go ahead.' It doesn't quite work that way,” Jacobs explained.
CREST International Focuses on U.S. Accreditation
Tom Brennan, organizer of HACK NYC 2018, discussed the cybersecurity accreditation and certification process from CREST International during a roundtable discussion on the first day of HACK NYC 2018 on May 8.
CREST is a not-for-profit “accreditation body whose role is to create and maintain high standards within the cyber security sector and to drive a consistency of quality across its member organisations to offer assurance to the buying community.”
Brennan emphasized that CREST accreditation, aimed at creating a standard for buyers and sellers of cybersecurity products and services, is a process that concentrates on the methodologies, remediation and compliance for penetration testing for individuals and companies. It is not a regulatory body.
“This is manual humans doing penetration testing, SOC management things of that nature in a product agnostic, neutral way. This has nothing to do with a widget with a blinky light,” said Brennan, who serves as a CREST Americas board member. “This has to do with do the people on the team understand the process of data handling controls when they prove beyond a reasonable doubt there is traceability in a chain of custody.”
Brennan and attendees discussed comparable information security certifications and standards, including the Offensive Security Certified Professional (OSCP), the PCI Data Security Standard (PCI DSS) and the National Security Agency’s Cyber Assurance Program (NSCAP).
GCHQ helped roll out CREST in the U.K. and Singapore before CREST took over the management of the NSA’s Cyber Incident Response Assistance (CIRA) accreditation program in 2016. The program screens cybersecurity organizations for qualifications to become potential business partners.
BugHeist Partners with Penteston to Provide Crowd Testing Services
A cloud-based platform, PENTESTON tests network devices, custom web applications and internet telecommunications devices for software bugs and flaws.