‘Digital Geneva Convention’ needed to deter nation-state hacking: Microsoft president

By Dustin Volz

SAN FRANCISCO (Reuters) – Microsoft President Brad Smith on Tuesday pressed the world’s governments to form an international body to protect civilians from state-sponsored hacking, saying recent high-profile attacks showed a need for global norms to police government activity in cyberspace.

Countries need to develop and abide by global rules for cyber attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two, Smith said. Technology companies, he added, need to preserve trust and stability online by pledging neutrality in cyber conflict.

“We need a Digital Geneva Convention that will commit governments to implement the norms needed to protect civilians on the internet in times of peace,” Smith said in a blog post.

Smith outlined his proposal during keynote remarks at this week’s RSA cybersecurity conference in San Francisco, following a 2016 U.S. presidential election marred by the hacking and disclosure of Democratic Party emails that U.S. intelligence agencies concluded were carried out by Russia in order to help Republican Donald Trump win.

Cyber attacks have increasingly been used in recent years by governments to achieve foreign policy or national security objectives, sometimes in direct support of traditional battlefield operations. Despite a rise in attacks on governments, infrastructure and political institutions, few international agreements currently exist governing acceptable use of nation-state cyber attacks.

The United States and China signed a bilateral pledge in 2015 to refrain from hacking companies in order to steal intellectual property. A similar deal was forged months later among the Group of 20 nations.

Smith said President Donald Trump has an opportunity to build on those agreements by sitting down with Russian President Vladimir Putin to “hammer out a future agreement to ban the nation-state hacking of all the civilian aspects of our economic and political infrastructures.”

A Digital Geneva Convention would benefit from the creation of an independent organization to investigate and publicly disclose evidence that attributes nation-state attacks to specific countries, Smith said in his blog post.

Smith likened such an organization, which would include technical experts from governments and the private sector, to the International Atomic Energy Agency, a watchdog based at the United Nations that works to deter the use of nuclear weapons.

Smith also said the technology sector needed to work collectively and neutrally to protect internet users around the world from cyber attacks, including a pledge not to aid governments in offensive activity and the adoption of a coordinated disclosure process for software and hardware vulnerabilities.

(Reporting by Dustin Volz; Editing by Dan Grebler)

‘Alphabet soup’ of agencies leaves UK exposed to cyber attacks: report

LONDON (Reuters) – Britain’s government has taken too long to coordinate an “alphabet soup” of agencies tasked with protecting the country from an ever-increasing risk of cyber attack, a parliamentary report said on Friday.

The Public Accounts Committee report said that as of last April there were at least 12 separate organizations in Britain responsible for protecting information, with “several lines of accountability with little coherence between them.”

Processes for recording breaches of personal data by government departments are inconsistent and chaotic, the report said, adding that the government is struggling to meet a skills gap in the security profession.

The findings come in the wake of a spate of cyber attacks that have targeted banks, businesses and institutions, including Tesco Bank, Lloyd’s Bank, Talk-Talk, and the National Health Service.

“The threat of cyber-crime is ever-growing yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure,” said committee chair Meg Hillier.

“Leadership from the center is inadequate and, while the National Cyber Security Centre (NCSC) has the potential to address this, practical aspects of its role must be clarified quickly.”

The NCSC was established by the government last October as part of a 1.9 billion-pound ($2.37 billion) program to tighten cyber security.

An NCSC spokesman said in response to the report: “The government has been clear that the newly formed NCSC is the UK’s definitive authority on cyber security.”

On Thursday night, British defense minister Michael Fallon said Russian president Vladimir Putin was trying to undermine the West by spreading lies and attacking critical infrastructure with hackers.

The Kremlin called the accusation baseless.

Britain launched a cyber security review in January after U.S. intelligence agencies said Putin ordered an effort to help President Donald Trump’s electoral chances by discrediting his rival Hillary Clinton in the 2016 U.S. presidential campaign.

(Reporting by Ritvik Carvalho)

U.S. makes limited exceptions to sanctions on Russian spy agency

By Joel Schectman and Dustin Volz

WASHINGTON (Reuters) – The U.S. Treasury Department on Thursday adjusted sanctions on Russian intelligence agency FSB, making limited exceptions to the measures put in place by former President Barack Obama over accusations Moscow tried to influence the 2016 U.S. presidential election with cyber attacks on political organizations.

The department said in a statement it would allow U.S. companies to make limited transactions with FSB that are needed to gain approval to import information technology products into Russia.

At the White House, President Donald Trump responded to a reporter’s question about whether he was easing sanctions on Russia, saying, “I’m not easing anything.”

Sanctions experts and former Obama administration officials stressed the exceptions to the sanctions imposed in December do not signal a broader shift in Russia policy.

In a conference call with reporters, a senior Treasury Department official said the exceptions were “a very technical fix” made in response to “direct complaints” from companies that were unable to import many consumer technology products without a permit from the FSB. The action had been in the making for weeks before Trump took office on Jan. 20, the official said.

Beyond its intelligence function, the FSB also regulates the importation of software and hardware that contains cryptography. Companies need FSB approval even to import broadly available commercial products such as cell phones and printers if they contain encryption.

Peter Harrell, a sanctions expert and former senior U.S. State Department official, said Treasury officials likely had not considered the issue in December.

“I don’t think when they sanctioned FSB they were intending to complicate the sale of cell phones and tablets,” Harrell said.

David Mortlock, a former National Security Council advisor for Obama, said that before granting such exceptions, the administration would ask who a sanction was hurting and who it was benefiting.

Mortlock, now an attorney, said “here it’s a pretty easy calculus” because it was clear tech companies were the ones harmed by not being able to import software into Russia, not the spy agencies.

U.S. intelligence agencies accused the FSB of involvement in hacking of Democratic Party organizations during the election to discredit Democrat Hillary Clinton and help Republican Trump.

The agencies and private cyber security experts concluded the FSB first broke into the Democratic National Committee’s computer system in the summer of 2015 and began monitoring email and chat conversations.

They said FSB was one of two Russian spy agencies involved in a broad operation approved by top-ranking people in the Russian government. In December, Obama expelled 35 suspected Russian spies and sanctioned two spy agencies. He also sanctioned four Russian intelligence officers and three companies that he said provided support to the cyber operations.

(Reporting by Joel Schectman and Dustin Volz; additional reporting by Yeganeh Torbati and Jason Lange; Editing by Alistair Bell and Grant McCool)

Trump expected to sign cyber security executive order Tuesday: source

By Dustin Volz and Steve Holland

WASHINGTON (Reuters) – President Donald Trump is expected to sign an executive order on cyber security on Tuesday, two sources familiar with the situation said, marking the first action to address what he has called a top priority of his administration.

The order is expected to commission several different reviews of the government’s offensive and defensive cyber capabilities, according to one of the sources and a third briefed on a draft of the order that circulated last week.

The move follows a presidential campaign that was dominated by running storylines related to cyber security, including the hacking and subsequent leaking of Democratic emails as part of what U.S. intelligence agencies determined was a wide-ranging influence operation intended to help Trump win the White House and denigrate his challenger, Democrat Hillary Clinton.

For months Trump refused to accept the conclusions of the agencies that Russia was responsible, before stating at a press conference on January 11 that, “as far as hacking I think it was Russia.”

In his answer, Trump, then the president-elect, pivoted to say that “we also get hacked by other countries, and other people” while vowing to launch a government-wide review of vulnerabilities to cyber attacks.

The order is also expected to initiate an audit of several federal agencies’ cyber capabilities, seek input on how to improve protections for critical infrastructure, and review government efforts to attract and train a technically sophisticated workforce, according to two of the sources briefed on the draft, which was first published by the Washington Post.

The draft order would also seek ways to give the private sector incentives to adopt strong security measures.

(Reporting by Steve Holland and Dustin Volz; Editing by Chris Reese and Grant McCool)

Hong Kong securities brokers hit by cyber attacks, may face more: regulator

HONG KONG (Reuters) – Hong Kong’s securities regulator said brokers in the city had suffered cyber attacks and warned of possible further incidents across the industry.

Regulators in Hong Kong have been stepping up efforts over the past year to combat the growing menace of cyber attacks on companies. A survey in November showed the average number of such attacks detected by firms in mainland China and Hong Kong grew a whopping 969 percent between 2014 and 2016.

In a circular to licensed firms late on Thursday, the Securities and Futures Commission (SFC) said it had been informed by the Hong Kong police that brokers had encountered so-called “distributed denial of service” (DDoS) attacks targeting their websites and had received blackmail demands from criminals.

“The DDoS attacks have caused service disruption to the brokers for a short period. It is possible that similar cyber security incidents would be observed across the securities industry,” the SFC said in the notice.

Distributed denial of service (DDoS) attacks, among the most common on the Internet, involve cyber criminals using hijacked and virus-infected computers to target websites with data requests, until they are overwhelmed and unable to function.

The SFC urged firms in the financial center to implement protective measures, including reviews of the IT systems and DDoS mitigation plans.

(Reporting by Michelle Price; Editing by Himani Sarkar)

Microsoft to continue to invest over $1 billion a year on cyber security

By Tova Cohen

TEL AVIV (Reuters) – U.S. software firm Microsoft Corp <MSFT.O> will continue to invest over $1 billion annually on cyber security research and development in the coming years, a senior executive said.

This amount does not include acquisitions Microsoft may make in the sector, Bharat Shah, Microsoft vice president of security, told Reuters on the sidelines of the firm’s BlueHat cyber security conference in Tel Aviv.

“As more and more people use cloud, that spending has to go up,” Shah said.

While the number of attempted cyber attacks was 20,000 a week two or three years ago, that figure had now risen to 600,000-700,000, according to Microsoft data.

Long known for its Windows software, Microsoft has shifted focus to the cloud where it is dueling with larger rival Amazon.com <AMZN.O> to control the still fledgling market.

In October it said quarterly sales from its flagship cloud product Azure, which businesses can use to host their websites, apps or data, rose 116 percent.

In addition to its internal security investments, Microsoft has bought three security firms, all in Israel, in a little over two years: enterprise security startup Aorato, cloud security firm Adallom, and Secure Islands, whose data and file protection technology has been integrated into cloud service Azure Information Protection.

Financial details of these deals were not disclosed.

“If you are talking about an ecosystem with more than 400 start-ups it’s not really a coincidence. Israel is huge in security,” said Secure Islands founder Yuval Eldar.

Microsoft’s venture arm has also made three cyber security investments in Israel, including this week an undisclosed amount in Illusive Networks, which uses deception technology to detect attacks and has been installed at banks and retailers.

Earlier this month Microsoft said it invested in Israel’s Team8, which created Illusive Networks.

Though Microsoft does not have any near-term plans to implement deception technology, “we look at lots of different technologies that might be of use in the future,” Shah said.

Shah believes that in the next year or so progress should be made toward broader implementation of user authentication without the need for a password.

Microsoft’s Windows 10 operating system includes Windows Hello, which allows users to scan their face, iris or fingerprints to verify their identity and sign in.

(Reporting by Tova Cohen; Editing by Steven Scheer and Adrian Croft)

As attacks grow, EU mulls banking stress tests for cyber risks

By Francesco Guarascio

BRUSSELS (Reuters) – The European Union is considering testing banks’ defenses against cyber attacks, EU officials and sources said, as concerns grow about the industry’s vulnerability to hacking.

Cyber attacks against banks have increased in numbers and sophistication in recent years, with criminals finding new ways to target banks beyond trying to illicitly obtain details of their customers’ online accounts. Last February $81 million was taken from the Bangladesh central bank when hackers broke into its system and gained access to the SWIFT international transactions network.

Global regulators have tightened security requirements for banks after that giant cyber fraud, one of the biggest in history, and in some countries have carried out checks on lenders’ security systems.

But complex cyber attacks have kept rising, as revealed in November by SWIFT in a letter to client banks and by the theft of 2.5 million pounds ($3 million) from Tesco Plc’s banking arm in the first mass hacking of accounts at a Western lender.

Banks “are struggling to demonstrate their ability to cope with the rising threat of intruders gaining unauthorized access to their critical systems and data,” a report of the European Banking Authority (EBA) warned in December.

The next step from European regulators to boost security could be an EU-wide stress test.

The European Commission, the EU’s executive, is assessing additional initiatives to counter cyber attacks, a commission official told Reuters. “These include cyber-threat information sharing or penetration and resilience testing of systems.”

The European Central Bank announced last year it would set up a database to register incidents of cyber crime at commercial banks in the 19-country euro zone. But exchanges of information among national authorities on cyber incidents remain scant.

The Commission is studying whether EU-wide tests would help step up security, a source at the EU executive said. This would be in addition to controls already carried out by national authorities.

EBA, which is in charge of stress-testing the bloc’s banks, is expected to detail in summer the checks it intends to conduct in the next exercise, planned for mid-2018.

EBA tests banks’ capital cushions and can conduct checks on specific issues. Last year it monitored risks caused by fines, as EU lenders faced sanctions from U.S. regulators.

An EBA official said cyber security was on the agency’s radar but no decision had been made on a possible stress test. The body’s chairman, Andrea Enria, has urged EU states to stress-test their financial institutions for cyber risks.

Lloyds Banking Group is working with law enforcement agencies to trace who was behind a cyber attack that caused intermittent outages for customers of its personal banking websites almost two weeks ago, according to a source familiar with the incident. Lloyds said it would not speculate on the cause of the attack. No customers suffered any losses.

BLOCKCHAIN

As European banks keep relying on digital infrastructure that is “rigid and outdated”, according to EBA, regulators are considering new technologies that could boost security.

Blockchain, the technology behind the most successful virtual currency, Bitcoin, is being closely monitored in Brussels “to establish the advantages and possible risks” but also to weigh possible moves to enable blockchain where it is hindered, the Commission source said.

More than 1 billion euros have been invested in blockchain startups, a World Economic Forum report said.

The EU agency for network and information security (ENISA) said in a report last week the technology offered new opportunities and could cut costs, but may also pose new cyber security challenges, mostly caused by its decentralized network.

Russia says facing increased cyber attacks from abroad

MOSCOW (Reuters) – Russia is facing increased cyber attacks from abroad, a senior security official was quoted on Sunday as saying, responding to Western accusations that Moscow is aggressively targeting information networks in the United States and Europe.

U.S. intelligence agencies say Russian President Vladimir Putin ordered a cyber campaign aimed at boosting Donald Trump’s electoral chances by discrediting his Democrat rival Hillary Clinton in the 2016 presidential campaign.

Russia has dismissed the accusations as a “witch-hunt”.

“Recently we have noted a significant increase in attempts to inflict harm on Russia’s informational systems from external forces,” Nikolai Patrushev, secretary of Russia’s Security Council, told the Rossiiskaya Gazeta daily, according to excerpts of an interview to be published in full on Monday.

“The global (Internet) operators and providers are widely used, while the methods they use constantly evolve,” said Patrushev, a former head of the FSB secret service and a close ally of Putin.

Patrushev accused the outgoing U.S. administration of President Barack Obama of “deliberately ignoring the fact that the main Internet servers are based on the territory of the United States and are used by Washington for intelligence and other purposes aimed at retaining its global domination”.

But he added that Moscow hoped to establish “constructive contacts” with the Trump administration. Trump, who praised Putin during the election campaign and has called for better ties with Moscow, will be inaugurated as president on Jan. 20.

(Reporting by Vladimir Soldatkin; Editing by Gareth Jones)

Lithuania says it found Russian spyware on its government computers

By Andrius Sytas

VILNIUS (Reuters) – The Baltic state of Lithuania, on the frontline of growing tensions between the West and Russia, says the Kremlin is responsible for cyber attacks that have hit government computers over the last two years.

The head of cyber security told Reuters three cases of Russian spyware on its government computers had been discovered since 2015, and there had been 20 attempts to infect them this year.

“The spyware we found was operating for at least half a year before it was detected – similar to how it was in the USA,” Rimtautas Cerniauskas, head of the Lithuanian Cyber Security Centre, said.

The Kremlin did not immediately respond to a Reuters written request for comments over the Lithuanian claims. But Russia has in the past denied accusations of hacking Western institutions.

Fears of cyber attacks have come to the fore since the U.S. election campaign when hacking of Democratic Party emails led to allegations from U.S. intelligence that Russia was involved.

Lithuania, Estonia and Latvia, all ruled by Moscow in communist times, have been alarmed by Russia’s annexation of Ukraine’s Crimea peninsula in 2014 and its support for pro-Russian separatists in eastern Ukraine.

In what Baltic officials say was a wake-up call, Estonia was hit by cyber attacks on extensive private and government Internet sites in 2007. State websites were brought to a crawl and an online banking site was closed.

Lithuanian intelligence services, in their annual report, say cyber attacks have moved from being mainly targeted at financial crimes to more political spying on state institutions.

Russian spyware was transferring all documents it could find, as well as all passwords entered on websites such as Gmail or Facebook, to an internet address commonly used by Russian spy agencies, Cerniauskas said.

“This only confirms that attempts are made to infiltrate our political sphere,” said Cerniauskas.

PREPARATIONS

Germany’s domestic intelligence agency reported earlier this month a striking increase in Russian targeted cyber attacks against political parties and propaganda and disinformation campaigns aimed at destabilizing German society.

The domestic intelligence chief said Russia may seek to interfere in its national elections next year.

Although no Russian cyber meddling was detected in the run-up to and during the Lithuanian general election in October, Cerniauskas said his country needs to understand it is vulnerable to such meddling.

“Russians are really quite good in this area. They have been using information warfare since the old times. Cyberspace is part of that, only more frowned upon by law than simple propaganda”, he said.

“They have capacity, they have the attitude, they are interested, and they will get to it – so we need to prepare for it and we need to apply countermeasures.”

Lithuanian officials targeted by the Russian spyware held mid-to-low ranking positions in the government, but their computers contained a stream of drafts of government decisions and of its positions on various matters, said Cerniauskas.

The head of the Lithuanian counter-intelligence agency Darius Jauniskis said Russia tried to sow chaos in Lithuania by orchestrating a cyber attack in 2012 against the Lithuanian central bank and its top online news website.

“It is all part of psychological warfare,” he told Reuters earlier this month.

(Reporting By Andrius Sytas; Editing by Alistair Scrutton)

Exclusive: Top U.S. spy agency has not embraced CIA assessment on Russia hacking – sources

By Mark Hosenball and Jonathan Landay

WASHINGTON (Reuters) – The overseers of the U.S. intelligence community have not embraced a CIA assessment that Russian cyber attacks were aimed at helping Republican President-elect Donald Trump win the 2016 election, three American officials said on Monday.

While the Office of the Director of National Intelligence (ODNI) does not dispute the CIA’s analysis of Russian hacking operations, it has not endorsed its assessment because of a lack of conclusive evidence that Moscow intended to boost Trump over Democratic opponent Hillary Clinton, said the officials, who declined to be named.

The position of the ODNI, which oversees the 17 agency-strong U.S. intelligence community, could give Trump fresh ammunition to dispute the CIA assessment, which he rejected as “ridiculous” in weekend remarks, and press his assertion that no evidence implicates Russia in the cyber attacks.

Trump’s rejection of the CIA’s judgment marks the latest in a string of disputes over Russia’s international conduct that have erupted between the president-elect and the intelligence community he will soon command.

An ODNI spokesman declined to comment on the issue.

“ODNI is not arguing that the agency (CIA) is wrong, only that they can’t prove intent,” said one of the three U.S. officials. “Of course they can’t, absent agents in on the decision-making in Moscow.”

The Federal Bureau of Investigation, whose evidentiary standards require it to make cases that can stand up in court, declined to accept the CIA’s analysis – a deductive assessment of the available intelligence – for the same reason, the three officials said.

The ODNI, headed by James Clapper, was established after the Sept. 11, 2001, attacks on the recommendation of the commission that investigated the attacks. The commission, which identified major intelligence failures, recommended the office’s creation to improve coordination among U.S. intelligence agencies.

In October, the U.S. government formally accused Russia of a campaign of cyber attacks against American political organizations ahead of the Nov. 8 presidential election. Democratic President Barack Obama has said he warned Russian President Vladimir Putin about consequences for the attacks.

Reports of the assessment by the CIA, which has not publicly disclosed its findings, have prompted congressional leaders to call for an investigation.

Obama last week ordered intelligence agencies to review the cyber attacks and foreign intervention in the presidential election and to deliver a report before he turns power over to Trump on Jan. 20.

The CIA assessed after the election that the attacks on political organizations were aimed at swaying the vote for Trump because the targeting of Republican organizations diminished toward the end of the summer and focused on Democratic groups, a senior U.S. official told Reuters on Friday.

Moreover, only materials filched from Democratic groups – such as emails stolen from John Podesta, the Clinton campaign chairman – were made public via WikiLeaks, the anti-secrecy organization, and other outlets, U.S. officials said.

“THIN REED”

The CIA conclusion was a “judgment based on the fact that Russian entities hacked both Democrats and Republicans and only the Democratic information was leaked,” one of the three officials said on Monday.

“(It was) a thin reed upon which to base an analytical judgment,” the official added.

Republican Senator John McCain said on Monday there was “no information” that Russian hacking of American political organizations was aimed at swaying the outcome of the election.

“It’s obvious that the Russians hacked into our campaigns,” McCain said. “But there is no information that they were intending to affect the outcome of our election and that’s why we need a congressional investigation,” he told Reuters.

McCain questioned an assertion made on Sunday by Republican National Committee Chairman Reince Priebus, tapped by Trump to be his White House chief of staff, that there were no hacks of computers belonging to Republican organizations.

“Actually, because Mr. Priebus said that doesn’t mean it’s true,” said McCain. “We need a thorough investigation of it, whether both (Democratic and Republican organizations) were hacked into, what the Russian intentions were. We cannot draw a conclusion yet. That’s why we need a thorough investigation.”

In an angry letter sent to ODNI chief Clapper on Monday, House Intelligence Committee Chairman Devin Nunes said he was “dismayed” that the top U.S. intelligence official had not informed the panel of the CIA’s analysis and the difference between its judgment and the FBI’s assessment.

Noting that Clapper in November testified that intelligence agencies lacked strong evidence linking Russian cyber attacks to the WikiLeaks disclosures, Nunes asked that Clapper, together with CIA and FBI counterparts, brief the panel by Friday on the latest intelligence assessment of Russian hacking during the election campaign.

(Editing by Yara Bayoumy and Jonathan Oatis)