About Jonathan Cilley

Apr.24

Daily Crunch: How the government shutdown is damaging cybersecurity and future IPOs – TechCrunch

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here:

1. How Trump’s government shutdown is harming cyber and national security
The government has been shut down for nearly three weeks, and there’s no end in sight. While most of the core government departments — State, Treasury, Justice and Defense — are still operational, others like Homeland Security, which takes the bulk of the government’s cybersecurity responsibilities, are suffering the most.

2. With SEC workers offline, the government shutdown could screw IPO-ready companies
The SEC has been shut down since December 27 and only has 285 of its 4,436 employees on the clock for emergency situations. While tech’s most buzz-worthy unicorns like Uber and Lyft won’t suffer too much from the shutdown, smaller businesses, particularly those in need of an infusion of capital to continue operating, will bear the brunt of any IPO delays.

In 2018, seed activity as a percentage of all deals shrank from 31 percent to 25 percent — a decade low — while the share and size of late-stage deals swelled to record highs.

N26 is building a retail bank from scratch. The company prides itself on the speed and simplicity of setting up an account and managing assets. In the past year, N26’s valuation has exploded as its user base has tripled, with nearly a third of customers paying for a premium account.

Bird is reportedly nearing a deal to extend its Series C round with a $300 million infusion led by Fidelity. The funding, however, comes at a time when scooter companies are losing steam and struggling to prove that their product is the clear solution to last-mile transportation.

It’s no secret that AWS has long been accused of taking the best open-source projects and re-using and re-branding them without always giving back to those communities.

Looks like Samsung is giving Mobile World Congress the cold shoulder and has decided to announce its latest flagship phone a week earlier in San Francisco.

This content was originally published here.

Management

Apr.24

City-crippling ransomware, crypto hijackings, and more: our 2018 mid-year cybersecurity update

Here’s what we’ve gotten right so far …

One of my predictions was that we’d see more huge data breaches, and that hypothesis was proved pretty quickly. In March, exercise- and diet-tracking app MyFitnessPal said it had suffered one of the biggest breaches in history: hackers stole the usernames, e-mail addresses, and passwords associated with some 150 million accounts. 

That made the breach even larger in terms of sheer numbers than the massive Equifax hack of 2017. The only silver lining was that many of the passwords were protected by strong encryption, which seems to have limited fallout from the attack.

Then there’s the Facebook imbroglio with Cambridge Analytica, which blew up the same month. Some 87 million users of the social network had their data shared without their knowledge or consent. Strictly speaking, this wasn’t a hack. But I think it merits a (dis)honorable mention here because had the social network put tighter controls in place, it could have spotted the unauthorized use of the data faster and stopped it. 

In the past few months, we’ve seen mining-minded hackers use popular malware such as Coinhive and Crypto Miner to hijack cloud computing capacity at companies like Tesla and British insurer Aviva. And one big security company, Darktrace, says it has found rogue mining software on the systems of a thousand of its customers. 

Another forecast was that hackers would be likely to target more cryptocurrency exchanges. The latest assault happened earlier this month when Coinrail, a South Korean exchange, was compromised and almost a third of the coins it held were stolen.

… and kind of right

In January, I warned that ransomware attacks would cause even more damage. These involve malware that locks down computer files with strong encryption and decrypts them only after a ransom has been paid, typically in untraceable cryptocurrency.

I thought ransomware would cause a headache for big cloud providers like Amazon and Google, but the big story so far in 2018 has been the huge attack on the US city of Atlanta, which paralyzed a wide range of its municipal systems. The data kidnappers, who demanded $51,000 in Bitcoin, did some lasting damage, including erasing years of police video records. 

Separately, I highlighted the potential risk of a significant cyberattack on physical infrastructure. I’m delighted to report that this prediction hasn’t proved correct so far, but the US Department of Homeland Security, the FBI, and Britain’s National Cyber Security Center did take the unprecedented step in April of issuing a joint warning that Russian hackers are targeting routers and other network infrastructure at power grids and military installations.

Here are the wait-and-sees

To my knowledge, there hasn’t yet been any concrete evidence of hackers weaponizing artificial intelligence, which I forecast, but plenty of cybersecurity companies are on the lookout for it. And it’s too early to tell whether there’ll be a concerted effort to hack election infrastructure, particularly in America, parts of which are still vulnerable to cyberattack. The real test will come during the US midterm elections later this year.

And here’s that embarrassing miss

No sooner had the digital ink dried on my forecast than news emerged of serious security flaws in some semiconductors made by companies like Intel and AMD. Dubbed Meltdown and Spectre, these affected billions of chips and effectively made it possible for hackers who’d already compromised computers to get access to secure portions of processors, where they could install malware or steal encryption keys.

There’s since been a massive, and ongoing, effort to address the problem through software fixes and planned hardware changes, though new variants of the flaws keep popping up. Apologies for not seeing this scenario in our crystal ball. It’s a humbling reminder that when it comes to cybersecurity, the risks don’t just lurk in code.


Apr.23

New Homeland Security Secretary Kirstjen Nielsen brings her cybersecurity focus to domestic defense

After a Senate vote on Tuesday, Kirstjen Nielsen has been confirmed as John Kelly’s replacement to lead the Department of Homeland Security. The top position at the DHS has remained open since Kelly left to join the White House as chief of staff in late July. Nielsen, a close colleague of Kelly’s, previously served on the Homeland Security Council in the George W. Bush administration and developed domestic policy with the TSA.

As CyberScoop reported last month, Nielsen was intended for a role as the undersecretary of the National Protection and Programs Directorate (NPPD). The NPPD’s stated goal is to “protect and enhance the resilience of the nation’s physical and cyber infrastructure” by specializing in cybersecurity threats the same way that an agency like FEMA specializes in disaster relief and preparedness.

While Nielsen reportedly “waffled,” ultimately not leaving her post as the DHS chief of staff at the time, the role would have effectively made her the head of cyber operations for the agency. Nielsen later followed Kelly to the White House to become his deputy chief of staff.

Given the ever-expanding nature of cyber threats, particularly those against U.S. critical infrastructure, Nielsen’s specialization in cybersecurity could prove timely. We’ll be following Nielsen as she takes on the new role and shapes policy at DHS moving forward.

“I will do my utmost to ensure that the Department meets the threats of today and tomorrow, and to ensure our frontline personnel have the tools and resources to accomplish their vital missions,” Nielsen said of her confirmation.

“I look forward to continuing this Administration’s work to raise the standards for the security of our homeland in all areas – including securing our borders, protecting Americans from terrorist threats, and securing our cyber networks.”


Apr.23

Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison

A Russian court has handed down lengthy prison terms for two men convicted on treason charges for allegedly sharing information about Russian cybercriminals with U.S. law enforcement officials. The men — a former Russian cyber intelligence official and an executive at Russian security firm Kaspersky Lab — were reportedly prosecuted for their part in an investigation into Pavel Vrublevsky, a convicted cybercriminal who ran one of the world’s biggest spam networks and was a major focus of my 2014 book, Spam Nation.

Sergei Mikhailov, formerly deputy chief of Russia’s top anti-cybercrime unit, was sentenced today to 22 years in prison. The court also levied a 14-year sentence against Ruslan Stoyanov, a senior employee at Kaspersky Lab. Both men maintained their innocence throughout the trial.

Following their dramatic arrests in 2016, many news media outlets reported that the men were suspected of having tipped off American intelligence officials about those responsible for Russian hacking activities tied to the 2016 U.S. presidential election.

That’s because two others arrested for treason at the same time — Mikhailov subordinates Georgi Fomchenkov and Dmitry Dokuchaev — were reported by Russian media to have helped the FBI investigate Russian servers linked to the 2016 hacking of the Democratic National Committee. The case against Fomchenkov and Dokuchaev has not yet gone to trial.

What exactly was revealed during the trial of Mikhailov and Stoyanov is not clear, as the details surrounding it were classified. But according to information first reported by KrebsOnSecurity in January 2017, the most likely explanation for their prosecution stemmed from a long-running grudge held by Pavel Vrublevsky, a Russian businessman who ran a payment firm called ChronoPay and for years paid most of the world’s top spammers and virus writers to pump malware and hundreds of billions of junk emails into U.S. inboxes.

In 2013, Vrublevsky was convicted of hiring his most-trusted spammer and malware writer to launch a crippling distributed denial-of-service (DDoS) attack against one of his company’s chief competitors.

Prior to Vrublevsky’s conviction, massive amounts of files and emails were taken from Vrublevsky’s company and shared with this author. Those included spreadsheets chock full of bank account details tied to some of the world’s most active cybercriminals, and to a vast network of shell corporations created by Vrublevsky and his co-workers to help launder the proceeds from their various online pharmacy, spam and fake antivirus operations.

In a telephone interview with this author in 2011, Vrublevsky said he was convinced that Mikhailov was taking information gathered by Russian government cybercrime investigators and feeding it to U.S. law enforcement and intelligence agencies. Vrublevsky told me then that if ever he could prove for certain Mikhailov was involved in leaking incriminating data on ChronoPay, he would have someone “tear him a new asshole.”

An email that Vrublevsky wrote to a ChronoPay employee in 2010 eerily presages the arrests of Mikhailov and Stoyanov, voicing Vrublevsky’s suspicion that the two were closely involved in leaking ChronoPay emails and documents that were seized by Mikhailov’s own division. A copy of that email is shown in Russian in the screen shot below. A translated version of the message text is available here (PDF).

A copy of an email Vrublevsky sent to a ChronoPay co-worker about his suspicions that Mikhailov and Stoyanov were leaking government secrets.

Predictably, Vrublevsky has taken to gloating on Facebook about today’s prison sentences, calling them “good news.” He told the Associated Press that Mikhailov had abused his position at the FSB to go after Internet entrepreneurs like him and “turn them into cybercriminals,” thus “whipping up cyber hysteria around the world.”

This is a rather rich quote, as Vrublevsky was already a well-known and established cybercriminal long before Mikhailov came into his life. Also, I would not put it past Vrublevsky to have somehow greased the wheels of this prosecution.

As I noted in Spam Nation, emails leaked from ChronoPay suggest that Vrublevsky funneled as much as $1 million to corrupt Russian political leaders for the purpose of initiating a criminal investigation into Igor Gusev, a former co-founder of ChronoPay who went on to create a pharmacy spam operation that closely rivaled Vrublevsky’s own pharmacy spam operation — Rx Promotion.

Vrublevsky crowing on Facebook about the sentencing of Mikhailov (left) and Stoyanov.


Apr.22

The SEC says companies must disclose more information about cybersecurity risks

The U.S. Securities and Exchange Commission issued new guidance calling on public companies to be more forthcoming when disclosing cybersecurity risks, even before a breach or attack happens. The statement, which expands on previous guidance issued in 2011, also warns that corporate insiders must not trade shares when they have information about cybersecurity issues that isn’t public yet.

While the commission’s five members voted unanimously to approve the guidance, both of its Democratic commissioners said it needs to take more action (the SEC as a group is non-partisan, with no more than three out of its five commissioners allowed to belong to the same party).

The guidance was issued as an “interpretive release,” which the SEC uses to publish their views and interpret federal securities laws and SEC regulations. In it, the commission urged companies to develop policies that allow them to quickly assess cybersecurity risks and decide when to tell the public, and also prevent executives, board members and other corporate insiders from trading shares when they have important information that hasn’t been released yet.

Back in 2011, the SEC’s Division of Corporation Finance first published guidance about disclosing cybersecurity risks and incidents, which was necessary at the time because there were no existing disclosure requirements that specifically addressed cybersecurity issues.

Over the past seven years, however, cybersecurity breaches have become increasingly commonplace, so the SEC decided to expand on its 2011 guidance.

“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack,” the SEC said.

The SEC’s new guidance doesn’t mention specific incidents, but it comes about five months after the massive Equifax data breach, which compromised the personal information of about 145.5 million people. The credit bureau was criticized for taking too long to inform users about the incident and the Justice Department is also reportedly investigating large sales of shares by executives between when the company learned of the breach and when it became public.

The SEC added that even though companies are not required to reveal sensitive information that could compromise their cybersecurity measures, they also cannot use internal or law enforcement investigations as an excuse for not informing the public.

“We also recognize that it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident. However, an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident,” the guidance stated.

In a statement published with the guidance, SEC chairman Jay Clayton, a political independent, said “I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”

The two Democrats on the SEC, however, said the guidance doesn’t go far enough. In a statement, SEC commissioner Kara Stein said many public companies still provide disclosures about cybersecurity risks that are “far from robust” and that she is “disappointed with the Commission’s limited action.”

“In effect, we could have helped companies formulate more meaningful disclosure for investors. Instead, yesterday’s guidance provides only modest changes to the 2011 staff guidance,” she wrote. Instead of just issuing guidance, Stein believes that the SEC needs to consider issuing rules that would require companies to develop and implement stronger cybersecurity-related policies and procedures.

In his statement, commissioner Robert J. Jackson, the other Democrat on the SEC, wrote, “I reluctantly support today’s guidance in the hope that it is just the first step toward defeating those who would use technology to threaten our economy. The guidance essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.”

The two Republicans on the commission, Michael Piwowar and Hester Peirce, did not issue separate statements about the guidance.


Apr.22

The state of Israel’s cybersecurity market

The Equifax breach, WannaCry, NotPetya, the NSA leak, and many more cyber incidents – 2017 was certainly a busy year for hackers, illustrating yet again just how vital innovative cybersecurity solutions are in the fight against cyber threats.

Second only to the U.S. in terms of cybersecurity investment, 2017 was another excellent year for Israeli cybersecurity startups, with dozens of companies being formed, breaking fundraising records and producing solid exits. The 2017 data also suggest that the Israeli cybersecurity industry is maturing, as we see a shift in funding towards later stage companies.

More Capital, Fewer Startups

In 2017 we witnessed 60 newly founded cybersecurity startups emerge in Israel, a 28% decrease from the 83 companies founded in 2016. Conversely, the average 2017 seed round increased 16% YoY, growing from $2.85 million to $3.3 million. This is Israel’s fourth consecutive year of increasing round sizes at the seed stage – a trend that we are observing and contributing to as we write larger checks to invest in great cybersecurity entrepreneurs.

One might think that the decrease in the number of cybersecurity startups is an alarming signal, warning of an industry in decline. Our view is that this is a positive indicator of a maturing industry. Cybersecurity is a crowded space, in which thousands of companies operate. CISOs are bombarded with dozens of solutions every day, each of which promises to stop the next big attack. Given this dynamic, it is getting harder for “me too” cybersecurity companies to receive funding, as investors are looking for more differentiated and broader solutions that address the increasingly complex needs of customers.

Those who do manage to raise money tend to convey a grander vision, while aiming to build robust products that require more capital. The result is fewer startups being funded by more capital. This is a positive development for the entrepreneurs who want to build sustainable companies, the investors backing those ideas, and the customers who need more sophisticated solutions.

Younger Teams and More Female Founders

The 2017 data show a steep increase in the percentage of female founders. While still a predominantly male field, 15% of newly established cybersecurity teams in 2017 had a female founder, an increase from 5% the previous year.

As in 2016, there was a nearly even split between startups founded by experienced teams (those with more than a decade of executive or entrepreneurial experience) and companies founded by less seasoned entrepreneurs. We did witness a slight increase in teams led by IDF graduates, founders that leverage their relevant military experience to build cybersecurity companies soon after being discharged. One such example is Axonius, which was founded by three graduates of 8200, the IDF’s elite intelligence unit, who are building a visibility and control platform to secure assets on enterprises’ networks.

More Funding, Fewer Rounds

Looking at 2017 Israeli cybersecurity fundraising, we see a familiar trend of fewer companies raising larger amounts of capital. Israeli cybersecurity companies across all stages raised over $847 million this year, representing a 23% increase from the $689 million raised in 2016.

Breaking it down further, overall funding in seed and A rounds decreased 14% and 46% respectively, while funding at the later stages has increased significantly, with a 218% increase in B rounds and 165% increase in Growth. In addition, the number of investment rounds in Israeli cybersecurity companies decreased from 72 in 2016 to 63 rounds in 2017.

The decrease in the number of funding rounds and the distribution of capital across stages is in line with a global trend in venture capital funding, as previously reported here in TechCrunch. The volume of venture deals in tech companies has decreased over the last few years. The majority of the decline is explained by a drop in early stage investments, with funding and volume levels in later rounds remaining significant.

This is driven, in part, by VC firms investing in late-stage opportunities and aggressively following-on in companies with the potential to lead their markets. We believe that the same dynamic is present in the Israeli cybersecurity ecosystem, with companies like Deep Instinct, Demisto, PerimeterX, Twistlock, and Karamba Security raising large B rounds, and companies like SentinelOne and Cybereason raising significant amounts of growth capital this year.

2017 Cybersecurity Trends

The most funded cybersecurity fields of 2017 include traditional IT categories like network security, mobile security and vulnerability & risk management. Another prominent category was IoT security which saw investments across all stages, as new companies emerged and mature ones gained momentum.

The proliferation of smart devices into everyday life has sprouted a growing ecosystem of IoT security companies, creating sub categories within the sector, focused on specific use cases like smart home protection, securing connected and autonomous vehicles, and dedicated solutions for medical devices. Medical device protection is a newly emerged category this year, and we have seen several startups, including Medigate, that are focused on helping healthcare organizations secure themselves from the growing number of targeted attacks.

Cybersecurity Exits in 2017

Israeli cybersecurity companies exited for approximately $1.3 billion in 2017 (not including IPOs), with an average exit valuation of $130 million. The average amount of capital raised by 2017 exited cybersecurity companies was just above $17 million, and it took 5.5 years on average for a company to be acquired. Comparing these figures to those of the Israeli enterprise software companies that exited this year, cybersecurity companies performed better in every category – they raised less capital, achieved higher valuations, and exited quicker.

While 2017 certainly saw a healthy M&A exit market, it is also worth mentioning that ForeScout went public at over $800 million, meaningful evidence of the Israeli ecosystem’s ability to produce large standalone cybersecurity companies.

The Continuing Growth of the Israeli Cybersecurity Ecosystem

The global cybersecurity incursions of 2017 illuminate the continuing role that innovation plays in information security and defense. Looking forward to 2018, we believe Israeli startups will continue to leverage the immense pool of local talent to build comprehensive solutions addressing global markets.

As the local industry matures, we anticipate that recent trends will continue in 2018, with fewer startups forming, while large amounts of capital pour into later rounds to fuel growth and expansion.

The continued maturation and evolution of the Israeli cybersecurity startup ecosystem will soon be on full display at Cybertech Israel, the largest annual conference of cyber technologies outside the United States, taking place this January in Tel Aviv.

Disclosure: Yoav Leitersdorf, the founding partner of YL Ventures, contributed to this report. 

YL Ventures is an investor in Axonius, Twistlock, Karamba Security, and Medigate.


Apr.21

Europe is prepared to rule over 5G cybersecurity

The European Commission’s digital commissioner has warned the mobile industry to expect it to act over security concerns attached to Chinese network equipment makers.

The Commission is considering a de facto ban on kit made by Chinese companies including Huawei in the face of security and espionage concerns, per Reuters.

Appearing on stage at the Mobile World Congress tradeshow in Barcelona today, Mariya Gabriel, European commissioner for digital economy and society, flagged network “cybersecurity” during her scheduled keynote, warning delegates it’s stating the obvious for her to say that “when 5G services become mission critical 5G networks need to be secure”.

Geopolitical concerns between the West and China are being accelerated and pushed to the fore as the era of 5G network upgrades approaches, as well as by ongoing tensions between the U.S. and China over trade.

“I’m well aware of the unrest among all of you key actors in the telecoms sectors caused by the ongoing discussions around the cybersecurity of 5G,” Gabriel continued, fleshing out the Commission’s current thinking. “Let me reassure you: The Commission takes your view very seriously. Because you need to run these systems every day. Nobody is helped by premature decisions based on partial analysis of the facts.

“However it is also clear that Europe has to have a common approach to this challenge. And we need to bring it on the table soon. Otherwise there is a risk that fragmentation rises because of diverging decisions taken by Member States trying to protect themselves.”

“We all know that this fragmentation damages the digital single market. So therefore we are working on this important matter with priority. And to the Commission we will take steps soon,” she added.

The theme of this year’s show is “intelligent connectivity”; the notion that the incoming 5G networks will not only create links between people and (many, many more) things but understand the connections they’re making at a greater depth and resolution than has been possible before, leveraging the big data generated by many more connections to power automated decision-making in near real time, with low latency another touted 5G benefit (as well as many more connections per cell).

Futuristic scenarios being floated include connected cars neatly pulling to the sides of the road ahead of an ambulance rushing a patient to hospital — or indeed medical operations being aided and even directed remotely in real-time via 5G networks supporting high resolution real-time video streaming.

But for every touted benefit there are easy to envisage risks to network technology that’s being designed to connect everything all of the time — thereby creating a new and more powerful layer of critical infrastructure society will be relying upon.

Last fall the Australian government issued new security guidelines for 5G networks that essentially block Chinese companies such as Huawei and ZTE from providing equipment to operators — justifying the move by saying that differences in the way 5G operates compared to previous network generations introduce new risks to national security.

New Zealand followed suit shortly after, saying kit from the Chinese companies posed a significant risk to national security.

While in the U.S. President Trump has made 5G network security a national security priority since 2017, and a bill was passed last fall banning Chinese companies from supplying certain components and services to government agencies.

The ban is due to take effect over two years but lawmakers have been pressuring local carriers to drop 5G collaborations with companies such as Huawei.

In Europe the picture is so far more mixed. A UK government report last summer investigating Huawei’s broadband and mobile infrastructure raised further doubts, and last month Germany was reported to be mulling a 5G ban on the Chinese kit maker.

But more recently the two EU Member States have been reported to no longer be leaning towards a total ban — apparently believing any risk can be managed and mitigated by oversight and/or partial restrictions.

It remains to be seen how the Commission could step in to try to harmonize security actions taken by Member States around nascent 5G networks. But it appears prepared to set rules.

That said, Gabriel gave no hint of its thinking today, beyond repeating the Commission’s preferred position of less fragmentation, more harmonization to avoid collateral damage to its overarching Digital Single Market initiative — i.e. if Member States start fragmenting into a patchwork based on varying security concerns.

We’ve reached out to the Commission for further comment and will update this story with any additional context.

During the keynote she was careful to talk up the transformative potential of 5G connectivity while also saying innovation must work in lock-step with European “values”.

“Europe has to keep pace with other regions and early movers while making sure that its citizens and businesses benefit swiftly from the new infrastructures and the many applications that will be built on top of them,” she said.

“Digital is helping us and we need to reap its opportunities, mitigate its risks and make sure it is respectful of our values as much as driven by innovation. Innovation and values. Two key words. That is the vision we have delivered in terms of the defence for our citizens in Europe. Together we have decided to construct a Digital Single Market that reflects the values and principles upon which the European Union has been built.”

Her speech also focused on AI, with the commissioner highlighting various EC initiatives to invest in and support private sector investment in artificial intelligence — saying it’s targeting €20BN in “AI-directed investment” across the private and public sector by 2020, with the goal for the next decade being “to reach the same amount as an annual average” — and calling on the private sector to “contribute to ensure that Europe reaches the level of investment needed for it to become a world stage leader also in AI”.

But again she stressed the need for technology developments to be thoughtfully managed so they reflect the underlying society rather than negatively disrupting it. The goal should be what she dubbed “human-centric AI”.

“When we talk about AI and new technologies development for us Europeans it is not only about investing. It is mainly about shaping AI in a way that reflects our European values and principles. An ethical approach to AI is key to enable competitiveness — it will generate user trust and help facilitate its uptake,” she said.

“Trust is the key word. There is no other way. It is only by ensuring trustworthiness that Europe will position itself as a leader in cutting edge, secure and ethical AI. And that European citizens will enjoy AI’s benefits.”

This content was originally published here.

Apr.20

Thailand passes controversial cybersecurity law that could enable government surveillance

Thailand’s government passed a controversial cybersecurity bill today that has been criticized for vagueness and the potential to enable sweeping access to internet user data.

The bill (available in Thai) was amended late last year following criticism over potential data access, but it passed the country’s parliament with 133 positive votes and no rejections, although there were 16 absentees.

There are concerns around a number of clauses, chiefly the potential for the government — which came to power via a military coup in 2014 — to search and seize data and equipment in cases that are deemed issues of national emergency. That could enable internet traffic monitoring and access to private data, including communications, without a court order.

The balance of power beyond enforcement has also been questioned. Critics have highlighted the role of the National Cybersecurity Committee, which is headed by the Prime Minister and holds considerable weight in carrying out the law. The Committee has been called upon to include representation from the industry and civic groups to give it greater oversight and balance.

Added together, there’s a fear that the law could be weaponized by the government to silence critics. Thailand already has powerful lese majeste laws, which make it illegal to criticize the monarchy and have been used to jail citizens for comments left on social media and websites. The country has also censored websites in the past, including the Daily Mail and, for a nearly six-month period in 2007, YouTube.

“The Asia Internet Coalition is deeply disappointed that Thailand’s National Assembly has voted in favor of a Cybersecurity Law that overemphasizes a loosely-defined national security agenda, instead of its intended objective of guarding against cyber risks,” read a statement from Jeff Paine, managing director of Asia Internet Coalition — an alliance of international tech firms that includes Facebook, Google and Apple.

“Protecting online security is a top priority, however the Law’s ambiguously defined scope, vague language and lack of safeguards raises serious privacy concerns for both individuals and businesses, especially provisions that allow overreaching authority to search and seize data and electronic equipment without proper legal oversight. This would give the regime sweeping powers to monitor online traffic in the name of an emergency or as a preventive measure, potentially compromising private and corporate data,” Paine added.

Reaction to the law has seen a hashtag (#พรบไซเบอร์) trend on Twitter in Thailand, while other groups have spoken out on the potential implications.

Thailand isn’t alone in introducing controversial internet laws. New regulations, passed last summer, came into force in near-neighbor Vietnam on January 1 and sparked similar concerns around free speech online.

That Vietnamese law broadly forbids internet users from organizing with, or training, others for anti-state purposes, spreading false information, and undermining the nation state’s achievements or solidarity. It also requires foreign internet companies to operate a local office and store user information on Vietnamese soil. That’s something neither Google nor Facebook has complied with, despite the Vietnamese government’s recent claim that the former is investigating a local office launch.

This content was originally published here.
