Week in Review: November 11, 2016

by Priscilla Guo

The DDoS Attack that Disrupted the Internet

On October 21, the largest distributed denial-of-service (DDoS) attack was launched against Dyn, a domain name system (DNS) infrastructure provider in the United States. For more than two hours, users were unable to access major websites, including The New York Times, Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, EA, and the PlayStation Network, among others. Two security firms, Flashpoint and Akamai, confirmed that a large part of the attack originated from the Mirai botnet, which has infected many Internet of Things (IoT) devices. Cybersecurity expert Bruce Schneier raises multiple concerns in the aftermath of such an attack. He suspects that the DDoS attack was part of a probing effort, which is a “calibrated kind of attack, one that’s designed to take advantage of an individual website’s precise security weaknesses.” Furthermore, Schneier is alarmed by botnets and the security of these IoT devices. IoT devices are insecure and will remain so because neither buyer nor seller has an incentive to improve security at a higher cost. Analysts estimate that the number of IoT devices will increase by a factor of 10 or more. This most recent DDoS attack used millions of IoT devices to overwhelm Dyn.

China Tightens Internet Control through New Cybersecurity Law

This week, China passed new cybersecurity regulations that will go into effect by the summer of 2017. The proposed aims of the law are to “strengthen the protection of personal information and combat online fraud.” The new regulations impose data localization, surveillance, and real-name requirements on technology companies that will increase China’s control over the Internet. First, all “critical infrastructure operators” will need to store data within China’s borders. In August, more than 40 business groups from the U.S., Europe, and Asia submitted a petition to Chinese Premier Li Keqiang to challenge the law because data localization will remove China from the digital economy, inhibiting trade and innovation. “We believe this is a step backwards for innovation in China that won’t do much to improve security,” said James Zimmerman, the chairman of the American Chamber of Commerce in China. Furthermore, users must register with their real names and personal information on instant messaging services and other Internet companies. According to TechCrunch, the real-name policy will increase self-censorship within the community. Finally, companies are required to support Chinese censorship measures and to provide “technical support” to Chinese government agencies during investigations. Technical support could be loosely defined to incorporate government surveillance programs or technological backdoors. Ultimately, China’s new law threatens to counteract its original purpose – inadvertently reducing security and potentially exposing personal information.

The Hacking of the U.S. Presidential Election

The 2016 U.S. Presidential Election has been one of the most interesting elections that we’ve had in American history. Never before has the integrity of the presidential election been questioned on such a large scale due to cyberattacks and hacks. Earlier this year, Russian hackers gained access to two voter registration databases in Illinois and downloaded the data of as many as 200,000 voters. Russian hackers purportedly influenced the election further through the release of Democratic National Committee (DNC) emails, which resulted in the resignation of DNC Chairwoman Debbie Wasserman Schultz. In response to these threats, for the first time ever, hundreds of military and intelligence cyber experts were on standby this Tuesday to monitor the U.S. presidential election. The U.S. Department of Homeland Security had been testing voting systems throughout the country in preparation.

FCC Requires Broadband Providers to Allow Users to Opt-In

On October 27th, the Federal Communications Commission (FCC) voted to pass a new set of broadband privacy rules, which will protect consumer privacy. The new rules require Internet service providers (ISPs) to get express consumer consent for their data. Consumers must “opt-in” before these ISPs can collect, use, or sell data deemed sensitive. This sensitive information includes the “content of communications, location information, and web browsing and app usage history”. The rule does not make explicit mention of IP and MAC addresses, but privacy advocates are pushing for the inclusion of these addresses in web browsing and app usage history. The FCC’s decision is part of a larger reclassification of ISPs as common carriers in 2015, which allows the FCC to make these new requirements under Section 222 of the Communications Act. Broadband providers are likely to push back on these changes. But Chairman of the FCC Tom Wheeler said: “There is a basic truth: It is the consumer’s information. It is not the information of the network the consumer hires to deliver that information.”