WEIS conference review

By Fer O’Neil, a Knowledgebase Technical Writer at a security software company and a Ph.D. student.

Why every cyber security professional needs to know about the Workshop on the Economics of Information Security (WEIS) conference

In the final week of June, the Rady School of Management at UC San Diego hosted the 16th annual Workshop on the Economics of Information Security (WEIS) conference. Over the course of two full days, seasoned researchers presented and discussed the tools, processes, and methodologies that inform cyber security technologies as well as national and international cyber security policy.

As a first-time attendee, I will share my perspective on the sessions and on the conference as a whole.

What is WEIS—Why haven’t I heard of this?

WEIS is the leading forum for interdisciplinary scholarship on information security and privacy, combining expertise from the fields of economics, social science, business, law, policy, and computer science. From the WEIS website, the conference pages describe how its unique expertise in interdisciplinary fields contributes to information security and privacy, as both continue to grow in importance, with threats proliferating, privacy eroding, and attackers finding new sources of value.

Themes and highlights from the sessions

Nearly all of the presentations were empirical research studies that used economic statistical models to examine correlation and causation between behaviors and events in cyber security settings. This type of research is important because of the constantly changing information security landscape. I thought that Hasan Cavusoglu’s presentation, “An Empirical Investigation of the Antecedents and Consequences of Privacy Uncertainty in the Context of Mobile Apps,” elucidated nicely how uncertainty in economics relates to cyber technology applications, marketing efforts, and information security systems. That is, uncertainty is the consequence of incomplete information, and this relates to the models and frameworks for how people make decisions with incomplete information and the outcomes that result (for instance, consequences or benefits).

If one could combine all of the information from all sessions, one would have a tremendous ability to predict levels of security vulnerability based on intrinsic and extrinsic factors such as market share, competition, lack of security patching, etc. For example, Sam Ransbotham investigated “The Effects of Security Management on Security Events” to determine whether a security event at a competitor affects a firm’s security management practices. He found that breaches do increase active port management (observable activity), and that firms respond to breaches at other firms in their industry.

There were 25 presentations and so much information shared that I can only encourage others to look at the session topics and read the abstracts of the papers that interest you—and also note that the WEIS website does an excellent job of posting links to every paper presented at all WEIS conferences since 2005.

Practical applications from robust research

When I posted that I was attending WEIS this year, several people in the cyber security industry commented that the sessions looked “academic,” but I didn’t quite understand what that meant. The conference presenters were a mix of pioneering and influential information security researchers, top government security directors, leading security and privacy lawyers, and prominent security think tank researchers, among others too many to list. The conference was full of strategy and policy information for how cybersecurity risk should be managed and business decisions made based on empirical evidence.

Next year’s conference will be held in Innsbruck, Austria, mid-June. I encourage you to review the papers on the conference website for the topics that are relevant to your industry to see the most current research available related to cyber and information security.

For a comprehensive overview of every session, one of the founding members of the conference, Ross Anderson (a pioneer and world leader in security engineering), liveblogged the entire conference, which you can view on his website: https://www.lightbluetouchpaper.org/2017/06/26/weis-2017-liveblog/

Selected examples of some predictive results from the sessions

For industry professionals who question what benefit they would receive by attending WEIS, I have compiled a selected list of presentations that provide applied research on various cyber security topics.

    • Inferring Security Performance of Providers from Noisy and Heterogenous Abuse Datasets
      Concentration metrics reveal attacker and defender economics, such as how attackers can gain advantage by scaling their operations, and this in turn can be used to study the effectiveness of countermeasures. For example, this research shows that a provider’s size, popularity, and price lead to exposure and incidents. Therefore, better security procedures lead to fewer security incidents.

    • An Analysis of Pay-per-Install Economics Using Entity Graphs
      Platon Kotzias presented an economic analysis of potentially unwanted program (PUP) operations and of the commercial pay-per-install services used to distribute PUP. Most of the major PUP are properly signed by Microsoft. In 2014, there was a sharp decrease in the number of PUP samples. The research found that 5% of unique IPs accessing Google have injected advertisements and that PUP warnings outnumber malware warnings three to one, according to Google’s Safe Browsing report (USENIX 2016). This means that the PUP defenses implemented in 2014 by Google, Microsoft, and Symantec have affected the pay-per-install market.

    • Impact of Security Events and Fraudulent Transactions on Customer Loyalty: A Field Study
      Sriram Somanchi found that customers are likely to end their relationship with a bank after an adverse security event, but these models are affected by the bank’s dominance in its market and by the length of time since the event. This research is important for understanding customer behavior related to fraud and can be used to help predict which customers are more likely to leave a bank after particular adverse security events (and when).

    • Make Notifications Great Again: Learning How to Notify in the Age of Large-Scale Vulnerability Scanning
      This was interesting research that attempted to determine the most effective way to notify domain owners about a vulnerability. For example, the researchers created a demonstration video of the vulnerability and sent a link to the site owner. However, using traditional communication channels and methods (for instance, email), most notifications bounced. Even when the resource owners were reached, many would not remediate the vulnerabilities; some did not read the notifications or did not understand them. The research proposed several recommendations: move away from email; use alternative information-sharing mechanisms such as an API (which owners have to opt in to); use “nudges” backed by threatened legal action; and host remediation advice at trusted sites.

    • Standardisation and Certification of the ‘Internet of Things’
      Ross Anderson’s paper reports on a project for the European Commission and demonstrates that maintaining critical software, such as that in medical devices, vehicles, and power grids, is going to remain a big problem. Ross discussed the strategic educational challenges as safety and security become intertwined: safety engineers will have to learn adversarial thinking, while security engineers will have to think more about usability and maintainability. He outlined his current teaching at Cambridge, where first-year undergraduates get an introductory course in ‘Software and security engineering’ in which security and safety are taught as two aspects of the same mission: designing systems to mitigate harm, whether caused by adversaries or not.

    • Security Breaches in the U.S. Federal Government
      Min-Seok Pang found that for every 1% increase in cyber spending, there was a 5% decrease in security incidents (phishing, malicious code, social engineering, policy violations, etc.). Further, the more dispersed (less concentrated) an organization’s offices are, the fewer security incidents it encountered. Not surprisingly, legacy systems were more likely to experience security incidents, but a very useful finding was that more cloud spending resulted in fewer DDoS attacks.

Interview with Darin Andersen on KPBS

“Midday Edition”
Interview with Darin Andersen, Chairman/Founder
March 8, 2017 

Topic: WikiLeaks releases what it calls CIA trove of cyber-espionage documents
Maureen Cavanagh (host): Joining me is Darin Andersen. He’s a member of California’s Task Force on Cybersecurity, chairman of CyberCalifornia and chairman/founder of a cybersecurity company. Darin, welcome.

Q: The cybersecurity world wasn’t really surprised by the information in this leak, was it?

A: Not really. We’ve seen some WikiLeaks for quite a while now, starting with the Chelsea Manning documents, for example. So it wasn’t too big of a surprise.

Q: You talk about “depth of scrubbing” – that area being somewhat of a revelation in this WikiLeaks stuff. What does “depth of scrubbing” mean?

A: Well, what I mean is, the level at which you scrub depends on the level at which you see a threat occurring. As the threat level goes up, you may dig a little deeper into the data. And I think that’s what may have happened here. It may have triggered these latest dominoes. The CIA is looking more actively and harder than ever – because the threat level for the nation is increased.

Q: Is there anything in this information that indicates that the CIA is using this technology on Americans, here in the U.S.?

A: What you have in this latest set of WikiLeaks is the exposé of the CIA’s “cookbook” for how they actually hack into accounts. What they do is they have a series of tactics and techniques that they use to break into different kinds of accounts, be it smart phones – they’ve been able to exploit both Apple and Android phones – traditional laptops and servers, as well as some new devices, the “Internet of Things,” what I like to call the “live-ables,” “wear-ables” and “drive-ables.” What’s new about the information is there’s definitely information being gathered on American citizens. How that information is used, foreign and domestic, is what’s in question.

Q: Are there laws that prevent the government from snooping on average U.S. citizens?

A: There are privacy laws that do exist, and historically, Americans have had an expectation of privacy that’s somewhat unique to the Western world. Europe values privacy more strongly. Americans, I would argue, give away our privacy by clicking that checkbox to get the latest application. But in the Far Eastern countries, there’s really not an expectation of privacy. So yes, there are laws that do protect U.S. citizens and our privacy rights. A lot of that comes through the SEC and credit reporting agencies that have to lay out their ability to look into our personal information. And the government has guidelines, as well.

Q: I’ve read that the espionage hacks described in the WikiLeaks dump are things a lot of hackers might be able to do. You wouldn’t need the CIA to come up with it.

A: You know, we’ve seen tactics and techniques that are familiar to us. Don’t forget that we are battling with foreign adversaries, nation-states that are well-funded, extremely motivated to take our intellectual property, steal our national security secrets and compromise our defense. So the CIA would – and does – rationalize this kind of activity as defensive, or in some cases, an offensive response. Typically, only the U.S. government employs and deploys what I would call “offensive” cybersecurity tactics, which is what’s described in this WikiLeaks “cookbook.”

Q: What’s the difference?

A: Well, typically, we play a lot of defense in this country. I call it the “100 Door Problem.” We’re trying to defend 100 doors, while nation-state adversaries and hacktivists are trying to find that one open door, that one way to exploit and find a way in. The offensive is the opposite of that – where you’re actually looking at your adversaries’ systems that are trying to break into your systems. So you’re playing defense to protect, and playing offense to go on a more aggressive tack.

Q: So far, the CIA has not responded at all to this latest WikiLeaks information. How much credibility does WikiLeaks have in the cybersecurity world?

A: I think it’s a love/hate relationship. Again, they expose tactics and techniques that are pretty familiar to us in the business. We are aware of their capabilities. As you may recall, it was a private company, an Israeli company, that was brought aboard to break into the iPhone in the San Bernardino massacre. Again, the private world is familiar with many of these tactics and techniques. But I think what’s novel here is that it’s another big display of information to the general public, that the government is watching.

Q: Since ordinary hackers can already breach security on some phones, TVs and computers systems and so forth, what can people do to protect themselves?

A: I like to propose and suggest what I call practicing good cyber hygiene. It’s the simple things of changing your password regularly, don’t share your password to the Internet with your friends. Out-run the person who’s hopefully behind you with the bear behind him. You’re what I call the “hard target” and others are the “soft target.” So if you outfit yourself by keeping your passwords updated, by updating your software to make sure that any security holes are being patched, you’ll have a much better chance that hackers will move on to somebody else who’s more vulnerable.

Interview with Darin Andersen on KOGO News Radio

March 7, 2017

INTERVIEW WITH DARIN ANDERSEN

Host: Ernie Brown

Topic: WikiLeaks’ massive release of highly sensitive documents that allegedly reveal the CIA’s covert, global use of software designed to hack smartphones, computers and internet TVs around the world. The release is regarded as a serious setback for U.S. intelligence agencies, which use cyber-hacking to carry out espionage against foreign targets.

Q: We’re joined by Darin Andersen, chairman/founder of CyberTECH, a San Diego-based coalition of tech-inspired companies. Darin, do you think we should be surprised about all this?

A: Well, it’s true that the involvement of the CIA, the NSC and other government agencies in such covert actions has been well-known for a long time. But I’d say the extent, the depth, may be surprising to some.

Q: Do you think this will cause damage to the intelligence community?

A: I would say that probably among the public, this has some impact on their comfort level with the government in general, especially with the Intelligence community. I think we all have to look across government now and suggest that there are certainly questions about our government’s ability to prevent leaks. But in particular with the Intelligence community, there’s definitely some loss of confidence. This isn’t the first time this kind of information has come out. For many people, this reinforces the fears they may have about our government.

Q: Where did they get this information?

A: That’s hard to say. It may have been through a physical breach, but I suspect that you had a leak here by somebody who’s an insider that’s passing along sensitive information. Alternatively, they might have broken into government systems, which is not unprecedented, but in this version seems unlikely. If you look at any of the information provided by WikiLeaks, a good deal of it comes from insiders. Bradley Manning would be a good example of that – the leak of tens of thousands of classified documents to WikiLeaks.

Q: Is it possible anymore to keep secrets at the governmental level?

A: Within the government, ironically, is where a lot of secrets are kept, because they have a very strict system about how they information- and knowledge-share within their organizations. What we’re seeing more and more of, is people because they consider themselves to be conscientious objectors, they’re starting to leak this information out to watchdog organizations like WikiLeaks. You’re always going to have those activists that put this information into the public domain, and actually think they’re doing the right thing by doing that.

Q: Is there a way to stop that from happening?

A: Yes, there’s a way to stop it, of course. You could, for example, make penalties for sharing that kind of information very stringent. You could put them in the brig. You could put very harsh consequences into law. But the reality is, there are forces in government who regard this as part of our democracy to leak out this kind of information. Then there’s another school of thought inside our own government that thinks this type of information needs to be protected and that it can damage our own personnel and our own national economic well-being.

Q: I know we’ve seen so many businesses get hacked, Sony, famously, was hacked a couple of years ago. Are people now taking this more seriously, that no matter what your security systems are, there may be a way to get that information out?

A: I think people are taking things more seriously, but I put a caveat on that. I think people feel somewhat helpless to do much about it. So while it’s closer to the middle of their radar, it’s not necessarily something they think they can do much about. And I think, historically, we believe in government as being the “fix” for this, if not their employer. I think people are understanding more and more that, if they want to protect their own identity, that they have to take matters into their own hands. By that, I don’t mean any vigilantism. I just mean that people need to start to protect their own security, by practicing good cyber hygiene, by doing things to protect themselves, things that make them more strongly protected than the person next to them.

Q: It’s interesting that the government would be looked at as the answer to all of this, when you consider that the Pentagon was hacked, the State Department was hacked, the White House, the IRS – all the government agencies, to some extent.

A: Yes, I would say that historically, there’s the belief that government could do anything, right? The government could take us to the Moon. The government could defend our borders. The government could protect our power overseas. But I would say, more and more, that confidence in our government maybe has eroded and our personal security has followed suit.

Q: Does the CIA need to start over again and come up with new ideas, now that this information is out there?

A: Well, that’s not going to happen. So really, we have the deck of cards and the hand that we’ve been dealt here. What we need is a reform movement within the CIA. But the biggest change needs to occur at the macro level: What is our expectation for security and privacy as citizens? Do we have the right to expect that our government, our employer, other institutions, will actually look after our security? Or is it something that we have to take care of ourselves? Like preventing forest fires. Fastening our safety belts. These are public-social issues that individuals have to contribute to — for the well-being of our society.

Q: What can we do as individuals? What should we do?

A: Well, we can practice our own good cyber hygiene. What I mean is, it’s like out-running the bear that’s chasing you. And there’s somebody that’s slower than you between you and that bear. What I mean is, by changing your passwords, by not giving your passwords away, by making sure your data is not at-risk, that you’re careful about what on-line services you use. That you’re attentive to what emails that you answer, so you’re not getting phished or scammed in some way. There are all things we can do as individuals to protect ourselves. The new area of threat is the Internet of Things – what I like to call the “wear-ables, live-ables, drive-ables” – all those things are connected to the Internet and to our lives. The things we’re driving, the things we’re living inside of. Those things have serious security vectors. We’ve heard recently about cameras that are home-based that have been hacked, about baby monitors, the smart vehicles that we drive all have vulnerabilities, even our medical devices. So we have to demand from our leadership that there’s a public-safety expectation that should come along with that – that my car shouldn’t be able to be driven off the road and into a ditch. And that the manufacturers of these products have some obligation in that.

Q: Would you take a lot of these products off-line?

A: I don’t think that’s possible. We’re part of a global economy now. We don’t produce all the innovative products in the world. We have competition in Europe, especially in Asia. And those products are innovative because they’re connected up to the Internet. And we’re creating, let’s say a smarter infrastructure of devices – things again that we live, wear and drive – are becoming more knowledgeable, smarter, and more customized to what we use. It’s really hard to put the genie back into the bottle. Now, we have to be more attentive to how we build our own security posture and also how we protect those devices and make good personal choices.

Q: Who’s winning this battle these days? The hackers? Or the people trying to protect themselves from the hackers?

A: Clearly, the hackers are in the lead right now. They’re highly motivated. In some cases, they’re highly funded. There are many hacker “types” – whether they be state-organized and government-funded adversaries. Or it could be “hacktivists” who have some political agenda that they want to settle with the West, that they want to change our way of life. And you have just plain criminals – they’re either funding the first two activities or they’re trying to create financial gain for themselves. So they are highly motivated and highly skilled – they have busted out of the shadows and it’s now a global industry. And we should expect a great deal of hacking activity from our adversaries, foreign and domestic.

Q: Speaking of adversaries, is WikiLeaks in bed with the Russians?

A: I think you would have two or three different arguments about that. Nobody really seems to know. If you look at (Julian) Assange’s past, to his situation of not being locked up in an American jail, that you could argue that the Russians have some hand in that. Whether it’s the Russians or the Chinese, that gave him some shelter in a time of need. Maybe there is a kind of allegiance, some sort of alignment, with the policies of those governments.

Q: I suppose that the person who leaked this information from the CIA knew that once it got out there, that the Russians would pick it up at that point. What do you think their motivation would be?

A: Well, the Russians are extremely sophisticated hackers. In some ways, I consider them more technically adept than our Chinese adversaries. And their motivations, which go back now many generations and decades, are about de-stabilizing our way of life in order that their way of life could actually predominate and have a larger impact on the planet. It’s about changing the balance of power, realigning the global vision – from one that looks decidedly West to one that looks decidedly East.


A New Administration and Cyber Security

The recent presidential election has brought the issue of cyber security to the front page of most news sites and newspapers. It appears that Russia hacked into the Democratic National Committee headquarters and that China hacked into federal employee records at the Office of Personnel Management. Foreign governments are looking at our nation’s private information. So what action should the US take? And what happens if we don’t do anything?

Cyber security is unlike most other forms of science. For example, medical research is very expensive and requires tremendous technology for progress. There aren’t too many teens in their parents’ basements pushing the boundaries of medical research. That’s untrue for cyber security. A sole individual with a good computer and a keen mind can make tremendous headway in creating or destroying security systems.
 
In short, cyber security in the US will progress – with or without assistance from the White House. 
 
There are some benefits of staying out of the way. Big institutions tend to add bureaucracy, slowing progress to a crawl. Left alone to evolve, programmers might generate insightful and innovative solutions that would have been crushed under the weight of over-management. Sadly, capturing those wild-west developments becomes incredibly difficult if not under the watchful eye of a federal program.
 
Generally, privately funded research will keep pace with the worldwide race of building and breaking security. But private companies might simply sell their secrets to the highest bidder.
 
The solution is difficult to define: allow progress in an organic, creative way while trapping the results and keeping solutions inside our borders. The players are even more difficult to wrangle: renegade programmers, educational institutions, private firms, and federal offices. They aren’t going to play well with others.
 
The good news is that cyber security may not necessarily need federal funds to progress. The bad news is that without those funds, progress might simply land in the hands of the foreign players who already have their hands in our private affairs. 

What Cyber Security Will Mean in 2017

First, let’s dispel the myth of hackers sitting on a couch or slamming espresso shots in a 24-hour café. At some point in the past, there may have been enough one-off hackers to comprise some measurable percentage of cyber threats. But those days are over. Hacking is big business. And these businesses are operating inside and outside of the US. They are looking at standard big-business issues like supply and demand, market competition, and industry trends. And yes, there will always be independent hackers. But the real threat now comes in the form of highly organized teams with strategic initiatives.

Ransoms are an increasingly popular tool for the black hat players. In some ways, the transactions are quick and easy. The ransom amounts are fairly easy to calculate: the cost of data recovery (hiring a tech specialist) plus the cost of recovering brand image. In short, your standard ransom demand isn’t going to be less than $25,000 (or so) going forward. And that’s just the floor. Plus a good black hat hacker will make sure he gets paid on both sides of the equation – wear the mask during the ransom and the white hat during the repair.

While breaching big companies is always a splashy way to make headlines (think: Yahoo, Target, and Yahoo again), the big companies have vast financial resources to stay ahead of the hacking curve. Thus the future of hacking is in the mid-level company. The perfect target: on-line grocery retail and delivery. They have enough money to pay big ransoms, but they aren’t invested enough in the tech industry to keep on top of client login and payment data.

The truly sophisticated hackers can’t be bothered with PII anymore. They want to play the markets. And by sneaking in the back door of major corporations, they can gain access to the kinds of corporate intelligence that an inside trader can only dream about. And not only can they play the market, they can manipulate the markets by releasing information to the media strategically.

The face of cyber security changes daily. The players are in every corner of the world, rolling the dice in a game against each other, major corporations, and every government on the planet.

The Human Factor

Cyber security isn’t all zeros and ones. In fact, the greatest threat to cyber security may be sitting under the mousepad at the reception desk. Or in an unlocked office. Or in your company’s training manuals.

The human factor is generally the weak link in any cyber security system. Humans simply don’t have the kind of built-in encryption system necessary to keep out intruders. Humans can be trusting and lazy. And those are the exact behaviors a good hacker will leverage to gain access to your systems.

Keep in mind, it only takes a tiny crack in the security system for a hacker to get into your system. And with all the focus on overseas hackers, your data is still insecure against physical intrusion. Passwords taped to the computer screen are the easiest way for someone to gain access to your internal software. No one will notice a “maintenance man” checking the lights in an office. Once hackers are working from the inside, it’s easier to maneuver around the limited, internal security measures.

Email remains one of the easiest ways to gain remote access to a system. And because we access email through multiple platforms, hackers can easily dupe unsuspecting users. If you only use one device to review your email (for example, through Google on your desktop), then you are very familiar with the way your email messages look. But email messages look slightly different depending on the device (phone, tablet, laptop, TV, etc.), so you have less of a filter. Strange-looking emails don’t stand out. So when a hacker creates an email to appear as if it’s coming from a friend, you’re more likely to open, read, and download.

Finally, if you are a manager or executive, you are sensitive to data security. Your front desk receptionist is not. The receptionist is worried about opening paper mail, answering the phone, and keeping guests comfortable. A sly email from a hacker could easily be opened in the haze of a busy day.

If you house sensitive data of any kind, you are going to be the target of a hack. The best cyber security expert can’t account for all human activity. Consider a company-wide training on a quarterly basis to ensure everyone in your company is aware of new and emerging issues.


Cylance® Proves Voting Machine Vulnerabilities

Cylance® Inc., a CyberTECH member, has announced the successful exploitation of critical vulnerabilities in a common model of voting machine. Prior to this revelation by Cylance researchers, the exploitation of these vulnerabilities was thought to be only theoretical in nature.

The compromise techniques are relatively simple to undertake, but do require physical access to the voting machine.

To help understand the risk to election integrity, Cylance produced a demonstration video of the techniques used to compromise the Sequoia AVC Edge Mk1 voting machine.

The video shows how Cylance researchers were able to re-flash the firmware with a PCMCIA card, directly manipulate the voting tallies in memory, and cause a vote for one candidate to be credited to another by altering elements of the device’s screen display.

For mitigation in the long term, Cylance recommends phasing out and replacing deprecated, insecure machines — namely those without robust, hardware-based firmware and data verification mechanisms.

Also, additional due diligence on polling place volunteers, workers, and officers may help mitigate possible collusion in tampering by these groups.
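The long-term mitigation above is a root-of-trust problem: the machine should refuse to run firmware that is not the approved image, and it should be able to tell when a tally record in memory has been altered. The following is an added example, not Cylance’s code or anything from the machine described, modelling both checks in Python with standard-library primitives only. Everything in it is constructed: the sample image bytes, the per-device key, the record layout, and the assumptions that the approved image digest sits in write-once ROM/OTP storage (out of reach of a re-flash) and that the HMAC key lives in a secure element that software on the main CPU cannot read.

```python
"""Hypothetical model of hardware-backed firmware and tally verification.

Added example: image bytes, keys and record layout are constructed for
illustration and are not taken from any real voting machine.
"""
import hashlib
import hmac
import struct
from typing import Tuple

# Root of trust, modelled as write-once storage (ROM/OTP) that a PCMCIA
# re-flash cannot reach. Assumption: the digest of the single approved
# image is burned in at manufacture.
APPROVED_FIRMWARE = b"constructed sample firmware image v1"
ROM_FIRMWARE_DIGEST = hashlib.sha256(APPROVED_FIRMWARE).digest()

# Assumption: a per-device key held in a secure element; the main CPU can
# ask the element for a tag over some bytes but can never read the key.
SECURE_ELEMENT_KEY = b"constructed-per-device-key-do-not-reuse"

RECORD_FMT = ">II"                        # candidate id, vote count (big-endian)
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 8 bytes
TAG_LEN = hashlib.sha256().digest_size    # 32 bytes


def boot_rom_check(flashed_image: bytes) -> bool:
    """Boot gate: execute the flashed image only if its SHA-256 equals the
    digest pinned in ROM. compare_digest keeps the comparison constant-time."""
    actual = hashlib.sha256(flashed_image).digest()
    return hmac.compare_digest(actual, ROM_FIRMWARE_DIGEST)


def seal_tally(candidate_id: int, votes: int) -> bytes:
    """Store a tally as record || tag with tag = HMAC-SHA256(key, record),
    computed by the secure element. Overwriting the record bytes in RAM
    without the key cannot produce a tag that verifies."""
    record = struct.pack(RECORD_FMT, candidate_id, votes)
    tag = hmac.new(SECURE_ELEMENT_KEY, record, hashlib.sha256).digest()
    return record + tag


def read_tally(sealed: bytes) -> Tuple[int, int]:
    """Verify the tag before trusting the value; refuse on any mismatch."""
    if len(sealed) != RECORD_LEN + TAG_LEN:
        raise ValueError("malformed tally record")
    record, tag = sealed[:RECORD_LEN], sealed[RECORD_LEN:]
    expected = hmac.new(SECURE_ELEMENT_KEY, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tally record failed integrity check")
    return struct.unpack(RECORD_FMT, record)


def tally_is_trusted(sealed: bytes) -> bool:
    """True only if the record verifies against the secure-element tag."""
    try:
        read_tally(sealed)
        return True
    except ValueError:
        return False


def record_with_votes_changed(sealed: bytes, new_votes: int) -> bytes:
    """Test fixture only: a sealed record whose vote count was overwritten in
    memory while the tag was left untouched, the case read_tally must reject."""
    candidate_id, _ = struct.unpack(RECORD_FMT, sealed[:RECORD_LEN])
    return struct.pack(RECORD_FMT, candidate_id, new_votes) + sealed[RECORD_LEN:]


if __name__ == "__main__":
    print("approved image boots:", boot_rom_check(APPROVED_FIRMWARE))
    print("re-flashed image boots:", boot_rom_check(APPROVED_FIRMWARE + b"\x00"))
    good = seal_tally(1, 120)
    print("sealed tally reads back as:", read_tally(good))
    altered = record_with_votes_changed(good, 450)
    print("altered tally trusted:", tally_is_trusted(altered))
```

Two caveats on the design. Pinning a single image digest in ROM means a legitimate firmware update needs new ROM; production secure boot instead pins the hash of a vendor public key and verifies a signature over each image, which is left out here only because the standard library has no asymmetric primitives. And the tally tag only detects tampering at read time; it does not stop the write, so the check has to run before any value is displayed, printed, or exported.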

The units in question were known to be in use in hundreds of thousands of polling locations across the country in the recent election.

SOURCE: CYLANCE INC.


What if the Internet crashed for one day … or longer?

During a one-day outage we would see dramatic slowdown – possibly a total breakdown – of our ability to communicate with one another.

Many of us will be trapped in our homes without the ability to operate our electronic devices and so many other conveniences we take for granted.

What if? We’d be virtually helpless.

If the cyber attack is aimed at power supplies, many of us won’t be able to open our garage doors. Smart phones will be dead, iPads useless. Phone lines will be down. No media coverage. Accurate information about what has happened – and why — will be extremely limited at this point.

If people did manage to get out of their homes and into their cars, traffic control systems will be dark. First responders will start to mobilize, with law enforcement becoming increasingly visible as the day progresses.

Businesses of all kinds – banks, supermarkets, gas stations, the stock market – will cease. Everything will be “cash only” – but ATMs will be inoperable. Supply chains of all sorts will be disrupted. Most companies wouldn’t be able to remain open.

In a word, chaos.

Bottom line: In a society where disenfranchised members begin betting against the regime, cyber strikes to disrupt the political system and infrastructure are a powerful 1-2 punch to create widespread panic and civil unrest.

The “fallout” from one day will last for months, likely years. Cracks in our everyday lives – indeed, our very way of life — will be severely threatened.

Armageddon? Maybe.

Those are my thoughts. I welcome yours.

By Darin Andersen


China Approves Cybersecurity Law

Lawmakers described the law as necessary to bolster its online security at a time of multiplying threats

BEIJING—China’s government approved a broad new cybersecurity law aimed at further tightening and centralizing state control over the internet, including the role foreign companies play in Chinese cyberspace.

The law, passed by the standing committee of China’s legislature and issued publicly on Nov. 5, tasks agencies and enterprises with improving their ability to defend against network intrusions while demanding security reviews for equipment and data in strategic sectors.

The law includes provisions such as a requirement that internet operators provide unspecified “technical assistance” to authorities in cases involving national security. It also requires security checks for equipment used for “critical infrastructure,” which is defined as including information services, energy, transportation, finance and other important sectors.

During the drafting, the law was criticized by some foreign business groups and technology experts as a blueprint for further walling off China’s already isolated internet. China’s lawmakers described the law as necessary to bolster its online security at a time of multiplying threats.

China, which is often accused of supporting cyberattacks on other countries but which says it is a frequent victim of hacking, has moved aggressively to bolster cybersecurity since Chinese President Xi Jinping took office four years ago.

SOURCE: THE WALL STREET JOURNAL, Nov. 6, 2016