As part of the new system, developers building software for Apple’s devices will be able to opt for users’ information to have no encryption, single-key encryption, or multi-key encryption “with per-file keys for file data and a separate key for sensitive metadata” – comparable to leaving a door unlocked, using one key, or using two keys.
In its documentation of APFS, Apple explains that full disk encryption has been available on OS X since version 10.7 Lion. APFS differs in that it encrypts files individually rather than as a one unit, similar to other encryption mechanisms Apple introduced to its iOS platform in 2010. It also encrypts related metadata – the basic summary attached to each file – and will keen data secure even when the device has been physically hacked.
Since its battle with the FBI, Apple has made a number of important changes to increase security and tighten encryption. Apple itself couldn’t decrypt information the agency demanded, but the company did have the keys to access information stored in the shooter’s iCloud account. The company is now reportedly considering a system that wouldn’t allow it to access iCloud data.
The Department of Homeland Security is likely to expand its role and profile as the lead agency in the federal government for cybersecurity. A bill approved by the House Homeland Security Committee could create a new DHS cyber defense agency that would be called the Cybersecurity and Infrastructure Protection Agency. The transformation would reorganize and optimize key cybersecurity roles and functions currently in DHS’s National Protection and Programs Directorate. The change may take place as early as 2017 as it has strong bi-partisan support.
The prospective agency would replace NPPD and put a stronger focus on DHS’s integral role in cyber preparedness, response and resilience. More importantly, it would reorganize the agency into an operational role to help protect against targeted cyber intrusions of the nation’s critical infrastructure, such as financial systems, chemical plants, water and electric utilities, hospitals, communication networks, commercial and critical manufacturing, pipelines, shipping, dams, bridges, highways and buildings.
NATO’s Designation of Cyber as an Operational Domain of Conflict offers some new and interesting possibilities in need of considering from the collective defense perspective:
Indeed, the designation of cyber as a domain of conflict is significant, and the ability to invoke Article 5 in response to a cyberattack (not all cyberattacks, just some of them. On this particular point, Stolenberg said that “a cyber attack can trigger Article 5, meaning that a cyber attack can trigger collective defence, because we regard cyber attacks as something that can cause a lot of damage and can be very dangerous. . . . but the same time I think it’s also important to understand that cyber is not something that always triggers Article 5.”
But one additional important aspect of designating cyber as a domain of conflict—for the most part, not mentioned in the news articles above—is that it opens the door for NATO to consider the role that offensive cyber operations might play in collective defense. In response to a direct question on this point from a Der Spiegel report who asked “does NATO need to develop also offensive cyber capabilities to possibly attack other, well, any attackers who try to do any harm to NATO countries?”, the official transcript shows that Stolenberg was silent on this matter.
DISA has finally realized everyone is responsible for DoD cyber security rather than just the professionals:
As the pace of connectivity spurs forward, the job of protecting the networks has also expanded, often beyond the resources of the people meant to protect them. DISA Chief Technology Officer David Mihelcic said that because of the speed and adaptability of bad actors, cybersecurity has now moved to a kind of horizontal altruism that affects multiple elements of the information technology industry.
“Security cannot be the sole domain of cybersecurity specialists,” he said. “It has to be owned by everyone, to include the program managers and engineers who are developing and acquiring the system, the system administrators charged with operating the systems.
“We are going to have specialists. We’re going to have the CPTs — the cyber protection teams. We’re going to have offensive information and our cybersecurity forces as well, but cybersecurity cannot be the sole domain. We, the developers, the technologists and you, our mission partners, need to ensure that the [whole thing] is secure.”