What is Cybersecurity Maturity Model Certification (CMMC) Compliance

Introduction to Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase trust in the security of the United States Department of Defense's (DoD) supply chain.

The CMMC program was created to assist industry in meeting the adequate security requirements of 32 Code of Federal Regulations Part 2002. The program aims to ensure that all organizations working with the DOD meet the necessary level of security to protect sensitive information.

CMMC compliance is of utmost importance for organizations working with the DOD, as failure to comply with the program's requirements can result in the loss of contracts and significant financial penalties. The CMMC specifies five levels of information security required for all organizations to continue working with the DoD. Compliance with the CMMC program establishes assessment mechanisms to verify defense contractors' compliance, ensuring that they meet the necessary level of security to protect sensitive information. The CMMC program's importance cannot be overstated, as it ensures that organizations working with the DoD are held to a high standard of security and are better equipped to handle cyber threats.

The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices. The program streamlines requirements to three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted National Institute of Standards and Technology cybersecurity standards. The CMMC framework aligns a set of processes and practices with the type and sensitivity of information to be protected. By doing so, the CMMC program provides a clear and concise roadmap for organizations to follow in order to achieve compliance with the necessary level of cybersecurity.

CMMC Level 1: Basic Cyber Hygiene

The Cybersecurity Maturity Model Certification program is a standard of cybersecurity practices developed by the U.S. Department of Defense for defense contractors. The program is designed to enforce DoD's information security requirements for Defense Industrial Base partners. CMMC streamlines the requirements into three levels of cybersecurity, with each level aligning with well-known and widely accepted NIST cybersecurity standards. Level 1 is the foundational cyber hygiene level and includes 17 practices. This level is the lowest level of security controls required for a defense contractor to earn Cybersecurity Maturity Model Certification.

Access control is one of the practices included in Level 1 compliance. Access control refers to the policies and procedures that govern the access to an organization's systems and data. It includes:

By implementing these access control practices, defense contractors can reduce the risk of unauthorized access to their systems and data, which is a critical component of cybersecurity.

In addition to access control, Level 1 compliance includes other foundational cybersecurity practices, such as:

- Regularly backing up data and systems
- Ensuring that software and hardware are up to date with security patches and updates
- Implementing anti-virus and anti-malware software
- Providing cybersecurity awareness training for all employees

By implementing these practices, defense contractors can establish a strong foundation for their cybersecurity posture and work towards achieving higher levels of CMMC compliance.

CMMC Level 2: Intermediate Cyber Hygiene

The Cybersecurity Maturity Model Certification program is a certification framework designed to protect sensitive information handled by Defense Industrial Base contractors. The program specifies five levels of information security required for all organizations to continue working with the Department of Defense.

At Level 2 of the CMMC program, contractors and applicable subcontractors are required to demonstrate intermediate cyber hygiene. This means that they must have a baseline of security controls in place to protect sensitive information from cyber threats, including identification and authentication.

Identification and authentication are essential components of Level 2 CMMC compliance. This involves verifying the identity of users and ensuring that they have the appropriate access privileges to sensitive information. To achieve compliance, contractors must implement the following controls:

By implementing these controls, contractors can reduce the risk of unauthorized access to sensitive information and improve their overall cybersecurity posture.

Overall, achieving Level 2 CMMC compliance requires contractors to have a strong foundation of security controls in place. This includes implementing identification and authentication controls, as well as other essential security measures, such as incident response planning and network security monitoring. By meeting the requirements of the CMMC program, contractors can demonstrate their commitment to protecting sensitive information and continue working with the DoD. As cyber threats continue to evolve, maintaining compliance with the CMMC program is critical for ensuring the security and integrity of sensitive information.

CMMC Level 3: Good Cyber Hygiene

CMMC Level 3 compliance is categorized as "Good Cyber Hygiene" and requires organizations to have a comprehensive and documented cybersecurity program. This level of compliance builds upon the requirements of Level 1 and Level 2, which focus on basic cybersecurity hygiene and intermediate cyber hygiene, respectively. At Level 3, organizations are expected to have implemented a more robust set of security controls to protect sensitive unclassified information shared by the Department of Defense with its contractors and subcontractors. This level of compliance is particularly relevant for organizations handling Controlled Unclassified Information and Federal Contract Information.

One of the key requirements for achieving CMMC Level 3 compliance is media protection. This involves the implementation of policies and procedures for protecting information on all forms of media, including paper, digital, and other formats. Organizations must ensure that all media containing CUI and FCI is properly marked, stored, transported, and disposed of to prevent unauthorized access, disclosure, or loss. Additionally, organizations must have controls in place to prevent the introduction of malicious software onto their systems through the use of removable media, such as USB drives.

To achieve CMMC Level 3 compliance, organizations must also implement a range of other security controls, including access control, incident response, and system and communications protection. These controls are designed to prevent unauthorized access to information systems, detect and respond to security incidents, and protect the confidentiality, integrity, and availability of information. By implementing these controls, organizations can demonstrate their commitment to protecting sensitive information and their ability to meet the DoD's cybersecurity requirements.

CMMC Level 4: Proactive

CMMC Level 4 compliance is the Proactive level of the Cybersecurity Maturity Model Certification program. The CMMC program is aligned with the Department of Defense's information security requirements for Defense Industrial Base partners and establishes assessment mechanisms to verify defense contractors' compliance. The CMMC program specifies five levels of information security required for all organizations to continue working with the DoD. Level 4 compliance is the second-highest level of security and requires organizations to have a proactive cybersecurity model.

At Level 4, organizations must have evidence of a mature cybersecurity model that proactively negates Advanced Persistent Threats. APTs are sophisticated cyber-attacks that target specific organizations or individuals with the intention of stealing sensitive information or disrupting operations. To achieve Level 4 compliance, organizations must implement advanced security controls and have a comprehensive understanding of their network's vulnerabilities and potential attack vectors. This level of security requires a proactive approach to cybersecurity, where organizations are continually monitoring and updating their security measures to stay ahead of potential threats.

Level 4 compliance builds on the requirements of Level 3, which is the most advanced level of the CMMC program. At Level 3, organizations must have a mature cybersecurity model that is documented and reviewed regularly. Additionally, Level 3 compliance requires organizations to have a robust security infrastructure that includes access controls, incident response plans, and regular security training for employees. By achieving Level 4 compliance, organizations demonstrate their commitment to maintaining a high level of cybersecurity and protecting sensitive information from APTs and other cyber threats.

CMMC Level 5: Advanced/Progressive

CMMC Level 5 compliance is the highest level of cybersecurity maturity certification in the CMMC program. At this level, an organization must demonstrate advanced/progressive cybersecurity capabilities, including the ability to protect against advanced cyber threats. This level of certification is required for organizations that handle the most sensitive and critical information for the Department of Defense and its supply chain partners. Achieving CMMC Level 5 compliance requires a comprehensive and robust cybersecurity program that meets or exceeds the requirements outlined in the CMMC framework.

At CMMC Level 5, organizations must be equipped to defend against advanced cyber threats. This includes the ability to detect and respond to sophisticated attacks, such as advanced persistent threats, zero-day exploits, and other advanced malware. Organizations must also have the capability to conduct continuous monitoring and analysis of their systems and networks to identify and mitigate potential vulnerabilities. In addition, organizations must have a comprehensive incident response plan in place to ensure a rapid and effective response to any security incidents that may occur.

Achieving CMMC Level 5 compliance requires a significant investment in cybersecurity resources and expertise. Organizations must have a mature and well-established cybersecurity program that includes advanced security technologies, such as intrusion detection and prevention systems, advanced threat intelligence, and security information and event management solutions. Additionally, organizations must have a highly trained and experienced cybersecurity team that can effectively manage and respond to security incidents in real-time. Overall, CMMC Level 5 compliance is a significant achievement that demonstrates an organization's commitment to cybersecurity and its ability to protect sensitive information against the most advanced cyber threats.

Who Needs CMMC Compliance?

The Cybersecurity Maturity Model Certification program is mandatory for all Department of Defense contractors who handle sensitive information. The CMMC compliance is designed to ensure that contractors and subcontractors meet the cybersecurity standards outlined by the DoD. The CMMC is applicable to all organizations that work with the DoD, including those that provide goods, services, or information technology. The CMMC compliance requirements are scalable and vary based on the level of cybersecurity required by the contract.

The CMMC program is specifically targeted towards the Defense Industrial Base partners who handle sensitive unclassified information. The CMMC program is designed to enforce DoD's information security requirements for DIB partners, ensuring that sensitive information is protected from frequent cyber-attacks. The CMMC program has five levels, with each level building on the previous one, and each level has specific requirements that must be met. The CMMC 2.0 program outlines the security controls for all three CMMC security levels and establishes processes for monitoring compliance.

The CMMC program helps the DoD to ensure that its suppliers have adequate security measures in place to safeguard sensitive electronic information. The program outlines the hardware, software, and other controls required to protect sensitive information in relation to the DoD. The CMMC program is designed to reinforce cooperation between the DoD and its contractors and subcontractors, ensuring that all parties are aligned with the same cybersecurity standards. By the end of 2025, the DoD will require all DIB contractors to be CMMC compliant. The CMMC program mandates cybersecurity requirements for companies in the DIB, which includes prime contractors, subcontractors, and suppliers.

How to Achieve CMMC Compliance

The Cybersecurity Maturity Model Certification program is a new compliance process established by the Department of Defense to verify defense contractors' compliance with cybersecurity standards. CMMC compliance is designed to completely overhaul the current system of self-attestation and replace it with a more rigorous third-party assessment process. The program outlines five levels of information security, and contractors must achieve the appropriate level of compliance based on the sensitivity of the information they handle. The program streamlines requirements to three levels of cybersecurity.

To achieve CMMC compliance, contractors must undergo a CMMC assessment by a certified third-party assessment organization. The assessment will evaluate the contractor's implementation of the appropriate level of cybersecurity controls and practices. The CMMC Accreditation Body, a nonprofit separate from the DoD, oversees the certification process and maintains a directory of certified C3PAOs. The assessment process will include a review of the contractor's policies, procedures, and practices, as well as an evaluation of their cybersecurity posture.

The CMMC compliance process can be complex and time-consuming, but it is essential for defense contractors to continue working with the DoD. Contractors must ensure that they have the appropriate level of cybersecurity measures in place to protect sensitive information and maintain compliance with DoD regulations. By achieving CMMC compliance, contractors can demonstrate their commitment to cybersecurity and improve their reputation as a trusted partner of the DoD.

Benefits of CMMC Compliance

One of the primary advantages of being CMMC compliant is the increased cybersecurity posture that it provides. The CMMC is a flexible program that allows businesses to boost their maturity level, making them better equipped to deal with any breaches or risks. The program is designed to align with the cybersecurity requirements of their respective contracts, ensuring that it scales alongside DIB organizations. By implementing the necessary hardware, software, and other controls required to safeguard sensitive electronic information, businesses can improve their overall cybersecurity posture and better protect themselves against potential threats.

Another benefit of CMMC compliance is that it can help businesses save money in the long run. While the initial assessment costs may be high, achieving and maintaining compliance can ultimately reduce the risk of costly data breaches or cyber attacks. The CMMC program is specifically designed to assist industry in meeting adequate security requirements, ensuring that businesses are better prepared to handle known threats. By investing in CMMC compliance, businesses can avoid the financial and reputational damage that can result from a cybersecurity incident, ultimately saving money and resources.

CMMC compliance can also help businesses remain competitive in the marketplace. As the DoD continues to prioritize cybersecurity, CMMC certification is becoming increasingly important for DoD contractors and subcontractors. Achieving compliance can demonstrate a business's commitment to cybersecurity and its ability to meet the necessary security requirements outlined in contracts. Additionally, the program's tiered certification scheme can help the DoD assess cybersecurity readiness when seeking suppliers, making CMMC certification a valuable asset for businesses looking to secure DoD contracts. By achieving CMMC compliance, businesses can set themselves apart from competitors and position themselves for long-term success in the defense industry.

CMMC Compliance Challenges

The Cybersecurity Maturity Model Certification program is a framework designed to enforce information security requirements for Department of Defense contractors. Achieving CMMC compliance can be challenging for organizations, particularly those that lack the necessary resources and expertise. One of the primary obstacles to achieving compliance is the cost and resource allocation required to implement the necessary controls and processes. Organizations must invest in cybersecurity measures, which can be a significant financial burden, particularly for small and medium-sized businesses.

Another potential challenge to achieving CMMC compliance is the complexity of the program itself. The CMMC program consists of three levels of cybersecurity, with each level building upon the previous one. The requirements for each level can be extensive and may require significant effort to implement and maintain. Additionally, the program is designed to scale alongside DIB organizations and the cybersecurity requirements of their respective contracts. This means that organizations must continually adapt to new requirements and update their cybersecurity measures to remain compliant.

The CMMC program also requires organizations to verify their compliance with all applicable security requirements outlined in their contracts. This can be a time-consuming and challenging process, particularly for organizations with complex supply chains and subcontractor relationships. The program streamlines requirements into three levels of cybersecurity, but each level still requires a significant investment of time and resources. Additionally, the assessment mechanisms established by the program can be rigorous and may require organizations to undergo regular audits and assessments. Overall, achieving CMMC compliance can be a complex and challenging process that requires significant investment and ongoing effort.

FAQs

Q: What is Cybersecurity Maturity Model Certification?

A: The Cybersecurity Maturity Model Certification is a new standard for implementing cybersecurity across the defense industrial base supply chain. It is designed to enhance the protection of sensitive information and to ensure a robust cybersecurity posture.

Q: Why is CMMC compliance important?

A: CMMC compliance is crucial as it ensures that contractors in the defense industrial base are capable of safeguarding sensitive information and are equipped with adequate cybersecurity measures, thereby reducing the risk of cyber threats and attacks.

Q: Who needs to comply with CMMC?

A: Any organization or contractor that is part of the defense industrial base and handles sensitive government information, including contractors and subcontractors, will need to comply with CMMC requirements.

Q: What are the different levels of CMMC compliance?

A: CMMC compliance is categorized into five levels, each representing an increasing degree of cybersecurity maturity. These levels range from basic cyber hygiene to advanced/progressive security measures, with each level having specific requirements and controls.

Q: What are the potential challenges of achieving CMMC compliance?

A: Some of the challenges associated with achieving CMMC compliance include the allocation of resources, funding for cybersecurity measures, and the complexity of meeting the specific requirements of each compliance level.

Implementing Secure SDLC: Best Coding Practices for a Secure Software Development Life Cycle (SSDLC)


WarGames by John Badham (1983)

Introduction to SSDLC

With the growing number of cyberattacks and data breaches, application security has become an essential part of the software development process. In recent years there has been an increasing emphasis on secure software development, with developers seeking to integrate security into every phase of the Software Development Life Cycle (SDLC). This emphasis gave rise to the Secure SDLC process, or SSDLC, which aims to address potential security vulnerabilities and issues throughout the software development process.

Secure SDLC is a process that emphasizes application security and seeks to incorporate security requirements, considerations, and testing into every phase of the SDLC. Secure SDLC aims to lower security risk, prevent potential security issues, and reduce the exploitation of security vulnerabilities. Its implementation includes best practices and standards that help the development team write secure code and automate security testing.

This article gives an overview of the Secure SDLC process and the importance of secure coding practices in ensuring secure software development. We will review the various stages of the SDLC and how to integrate security into each phase. We will also highlight the benefits of adopting a Secure SDLC process and the future of Secure SDLC in addressing contemporary cyber threats.

Understanding the Software Development Lifecycle (SDLC)

The Software Development Life Cycle (SDLC) is the process by which software is planned, built, tested, and released. It is a comprehensive process made up of several stages, each of which contributes to the overall software development effort. The stages of the SDLC are:


Requirements Gathering and Analysis

This is the phase in which the development team identifies and specifies the requirements of the software to be built. It lays the foundation of the software and gives the designers the guidance they need.

Design

In this phase architects and developers work together to produce a plan for the software project. The design phase takes into account elements such as software architecture, interface design, and data modeling.

Implementation

The development team begins coding the software in this phase. This phase of the SDLC includes the coding methods, such as secure coding practices, and the best practices that help reduce vulnerabilities and security risks.

Testing

Once the development team has finished coding, testing is done to identify any vulnerabilities and security issues introduced during the implementation phase. The testing phase also includes automated security testing to ensure that any potential security vulnerability is caught.

Deployment

In this phase the software is released into the production environment. All the necessary software components are installed, and the software is configured to serve its intended purpose.

Maintenance

This is the last phase of the SDLC. It consists of maintaining the software, fixing any security vulnerability or bug that arises, and making sure the software keeps running efficiently.

Integrating security into every phase of the SDLC is necessary because it helps prevent potential security risks and vulnerabilities. Secure SDLC emphasizes application security and the importance of considering security early in the software development process. Building security into each phase of the software development process helps ensure that security issues are identified early and addressed at the appropriate phase of the SDLC.

Secure SDLC sets specific standards for how the development team should address security concerns within each phase of the SDLC. These standards include best practices for secure coding, automated security testing, and other security considerations. During the requirements gathering and analysis phases it is essential to specify security requirements for the software. This helps ensure that the development team takes security into consideration throughout the implementation phase.

Integrating security throughout the SDLC process is essential because security vulnerabilities can lead to the loss or theft of sensitive information, system crashes, and damage to a company's reputation. With a secure SDLC in place, companies can cultivate general security awareness and mitigate threats early in the software development process.

Secure Coding Practices for Software Development

Including security activities at every stage of the SDLC is an essential part of building secure software applications that can defend against increasingly sophisticated security threats.

Focusing on Security at Every Stage of the SDLC

Developing secure software depends on focusing on security at every stage of the SDLC. To create a secure application, developers must identify and address security issues early in the development cycle. Best practices for developing secure software include integrating security into coding practices and techniques, building security into each phase of the SDLC and the application development process, and using security tools and practices throughout the SDLC.

Implementing a Secure SDLC

Implementing a secure SDLC involves incorporating security into the development process. Every stage of the SDLC must include security activities, in particular the planning, requirements, design, development, testing, deployment, and maintenance phases. To deliver secure products it is necessary to build security into the SDLC process.

Secure Coding Practices

Secure coding practices aim to produce software applications that are resilient against many kinds of attacks. Following secure coding guidelines is vital to developing secure software. Secure coding standards, such as adopting coding best practices, and automated security testing, such as the use of automated tools, need to be built into the SDLC methodology to ensure that security is given due weight.
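As an illustration of one concrete secure coding practice, here is an added example (not code from the original article) that puts a user lookup written with string concatenation beside the same lookup written with a parameterized query, and runs both against an in-memory SQLite database so the difference is observable offline. The table layout, the sample rows and the function names are constructed for this example.

```python
"""Added example (not from the original article): the same user lookup written
first with string concatenation and then with a parameterized query, run against
an in-memory SQLite database so the difference is observable offline.

Assumptions: the table layout and the sample rows below are constructed for
this example; nothing here comes from a real project."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table with three rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # Insecure: the caller's input is pasted into the SQL text, so a value that
    # contains a quote changes the query's structure instead of being compared.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # Secure coding practice: a placeholder and a bound parameter. The driver
    # passes the value separately from the statement, so it is always data.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups for the same input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(find_user_vulnerable(conn, name)),
            "hardened_rows": len(find_user_hardened(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same in both versions.
    print(compare("bob"))
    # A value containing a quote: the concatenated query turns into
    # "name = '' OR 'x'='x'" and returns every row, while the parameterized
    # query looks for a user literally named that string and returns nothing.
    print(compare("' OR 'x'='x"))
```

The point for a code review or a secure coding standard is that the hardened version is no longer to write and needs no input filtering to be correct: the database never sees the input as part of the statement, so the same check applies to every query in the code base.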

Security Team Involvement

Involving a security team in the SDLC process is crucial to ensuring that developers and other staff understand the security requirements, which are incorporated early in the development process. The security team is responsible for identifying security risks in the application, performing security checks, and ensuring that security policies are followed throughout the SDLC process.

Cloud-Native Security

Cloud-native security refers to integrating security into the software development phase so that cloud-based software does not compromise security. Cloud-native security involves the use of application security testing tools and the implementation of the necessary protective measures within the cloud development environment, such as firewalls, monitoring, and access controls.

Automated Security Testing

Automated security testing is important for identifying security vulnerabilities in code and reducing the risk from security threats. Automated tools can identify vulnerabilities early in the development process by providing security feedback and enabling the development team to take appropriate action to resolve problems. Automating security testing ensures that security checks are performed at every stage of the SDLC.
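To make the idea of an automated security check concrete, here is an added example (not code from the original article) of a minimal build-pipeline check: it scans source text for a few well-known insecure patterns, returns findings with line numbers and remediation advice, and a gate function decides whether the build may proceed. The rule list, the sample source file and the placeholder credential value are constructed for this example; a real pipeline would run a full static analysis tool rather than these regular expressions.

```python
"""Added example (not from the original article): a minimal automated security
check of the kind a Secure SDLC runs in the build pipeline. It scans source text
for a few well-known insecure patterns and returns findings that a CI step can
turn into a failed build.

Assumptions: the rule list and the sample source file below are constructed for
this example; a real pipeline would run a full SAST tool instead of these regexes."""
import re
from dataclasses import dataclass

# Each rule: identifier, severity, compiled pattern, and the secure alternative
# reported back to the developer. The patterns are deliberately narrow.
RULES = [
    ("hardcoded-secret", "HIGH",
     re.compile(r"(?i)\b(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]"),
     "load credentials from a secret store or the environment, not source"),
    ("eval-call", "HIGH",
     re.compile(r"\beval\s*\("),
     "parse input with a safe parser instead of eval()"),
    ("shell-true", "HIGH",
     re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
     "pass an argument list and drop shell=True"),
    ("tls-verify-off", "MEDIUM",
     re.compile(r"verify\s*=\s*False"),
     "keep certificate verification enabled"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    text: str
    advice: str


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per rule match, in line order; comment lines are skipped."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for rule, severity, pattern, advice in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, number, line.strip(), advice))
    return findings


def gate(findings: list[Finding], fail_on: str = "HIGH") -> bool:
    """True when the build may proceed: no finding at or above the threshold."""
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    return all(rank[f.severity] < rank[fail_on] for f in findings)


# Constructed sample file: three insecure lines, one commented-out line that
# must be ignored, and clean code in between. The key value is a placeholder.
SAMPLE_SOURCE = '''\
import subprocess, requests
# password = "old-value"   (commented out, not a live finding)
API_KEY = "sk-live-example-0000"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def fetch(url):
    return requests.get(url, verify=False, timeout=5)
def safe_fetch(url):
    return requests.get(url, timeout=5)
'''


def scan_sample() -> list[Finding]:
    return scan_source(SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line}: [{f.severity}] {f.rule}: {f.text}  ->  {f.advice}")
    print("build allowed:", gate(scan_sample()))
```

Running it on the sample reports the hard-coded key, the shell=True call and the disabled certificate check, and the gate fails the build because two of the findings are HIGH. The severity threshold is what lets a team roll the check out gradually: start by failing only on HIGH, then tighten once the existing MEDIUM findings are fixed.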

Ensuring a Secure SDLC

Ensuring a secure SDLC involves incorporating security into the software development process. Including security practices and tools at every stage of the SDLC ensures that software is highly secure and resilient against attacks. It is vital to include security best practices in the development phase and to keep security in mind when planning the application development process.

Manual Security Testing

Manual security testing is another critical element of the SDLC process. Manual testing helps ensure that the software is examined against known security threats and vulnerabilities. Manual testing also identifies security issues that automated security testing may not be able to detect.

Benefits of having a Secure SDLC


Integrating a Secure Software Development Life Cycle (SDLC) process into the software development cycle ensures the development of a secure application that is protected against security vulnerabilities and threats. Below are some benefits of implementing a Secure SDLC process within software development:

Improved Software Security

Security threats are widespread, and many businesses fall victim to data breaches and security vulnerabilities. By incorporating security practices and procedures at every stage of the SDLC process, you can prevent security risks and vulnerabilities from affecting your software. Focusing on security at every stage of the SDLC process ensures that highly secure products are delivered, reducing the risk of becoming a target for cyber threats.

Enhanced Continuous Software Delivery

The SDLC process should be optimized for continuous delivery, providing reliable and timely software updates to keep pace with evolving market needs. A Secure SDLC involves integrating security procedures and adopting security best practices, ensuring that these updates are secure, consistent, and do not introduce new security threats.

Improved Software Performance and Quality

By including security activities and checks within the SDLC, companies can identify security vulnerabilities and address code issues earlier in the development cycle. Early identification of security risks helps companies deliver high-quality software that meets performance and quality requirements, improving the user experience and increasing customer satisfaction.

Reduced Software Development Costs

Addressing security risks early, rather than later in the development cycle, helps reduce software development costs. Identifying and fixing security issues late in the SDLC process can be lengthy and expensive, which drives up the cost of software development.


In summary, secure software development practices are essential to building protection into every phase of the software development life cycle. The Secure SDLC process consists of incorporating security into your SDLC, which ensures your applications are highly secure, reliable, and resistant to security vulnerabilities. The benefits of a Secure SDLC process include improved software security, continuous software delivery, improved software performance and quality, and reduced software development costs. With the right security methods, tools, and training, companies can ensure that their software is protected, improving their security practices and reducing cyber risk. Every business should consider adopting a Secure SDLC process to stay ahead of threats and build highly secure applications.

Conclusion

The concept of a secure software development life cycle (SSDLC) has transformed the SDLC process, emphasizing the need for secure coding practices and for implementing a secure SDLC for software development. The objective is to ensure that each stage of the SDLC applies the most effective secure coding practices, including security checks, automated security testing, and the integration of security into your SDLC. The implementation of a secure SDLC must focus on security at every phase of the development cycle, such as planning, development, deployment, and maintenance, to ensure a secure product.

The methodology that the development and security teams adopt is crucial to the success of a secure SDLC. The security team has to ensure that security is built into each phase of the SDLC. They must also identify security issues earlier in the development process to deliver more secure products. A secure SDLC provides the security policies, tools, and techniques that make the development of highly secure software possible.

The future of the Secure SDLC lies in cloud-native security and the automation of security tasks using automated tools. Applying secure design and coding best practices will ensure that the software is of high quality and is safe from security risks left in the code. Applying secure SDLC best practices can help address contemporary cyber threats by ensuring that the software produced meets its security requirements.

To conclude, secure coding practices and the implementation of a secure SDLC for software development are critical to building a secure application. Focusing on security at every stage of the SDLC is essential to ensuring a secure software development process. Adopting secure coding best practices and integrating security tools and practices throughout the SDLC can dramatically reduce security vulnerabilities in code, ensuring the security of the application. As a result, it is important to integrate security into the software development process and to ensure that security is kept in mind at every stage of the SDLC.

Notable Mentions

We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information.

Can you translate the blog? Please reach out.

Ready to Help!

If we can help you with risk management, SOC reporting, an emergency or you just need guidance with INFOSEC or IP issues, please reach out to us.

At Airius, we depend on our friends at A-Lign to provide auditors and experience with the SOC reporting and auditing process. We work closely with companies to get them through it.

Airius and A-Lign

Additionally, Airius is a certified partner (partner, developer, professional services) with Checkmarx.

http://checkmarx.com

License

References and Credits

The Internet is Dead. Long Live the Internet

This Week, "ICANN, the US and the Internet: China's New Field of Dreams"

On September 30, 2016, the United States will surrender its guiding influence over the internet. The US has had a long-standing arrangement with ICANN, an organization formed specifically to administer the clear vision of the internet and to apply governance and control in keeping with that vision. The Obama administration has agreed to release ICANN from its contractual obligations to the United States, allowing ICANN to manage the DNS, the names used for web sites, unencumbered.

ICANN will be permanently released from the USA’s control. Technologists, cyber-stakeholders and mere mortals who use the internet should be worried that releasing ICANN will release the power of the internet: the power of freedom. Since its inception the internet has acted as a window on the world. However, will this freedom persist after being released from NTIA’s heavy hand?

About SafeView

The SafeView Research Report is intended to give you a snapshot of technology risk management issues. Airius Internet Solutions manages SafeView data and provides strategic, tactical and emergency risk management consulting. If you have any technology risk issues, please contact Airius with your questions at info@airius.com.

Background

In 1995, our world changed. On April 30, 1995, the Internet as we know it began. The infrastructure was originally established by ARPANET, developed by ARPA as an indirect result of competition with the Russians dating back to 1958, and then run for a decade by the National Science Foundation as NSFNET before being opened for commercialization and public access. (https://safeview.com/2016/01/01/the-internet-twenty-years-in-review-1995-2015-adoption-of-the-internet-pt-1/)

“It has been said that something as small as the flutter of a butterfly's wing can ultimately cause a typhoon halfway around the world” 

ICANN, or the Internet Corporation for Assigned Names and Numbers, performs the actual technical maintenance work of the central Internet address pools and DNS Root registries pursuant to the Internet Assigned Numbers Authority function contract.

ICANN wants freedom

Obama administration surrendering control over the internet

The internet was a US invention, one that Americans have been custodians of for nearly thirty years. On Sept 30, 2016 at midnight, the Obama administration's NTIA will release ICANN from contractual US oversight. ICANN was established in 1988 to administer the domain names used by people worldwide to navigate to internet sites without having to remember complicated numerical strings. US government involvement in the operation of ICANN and IANA was intended to be temporary. At the time, the internet had a few thousand users, and the current global industry and infrastructure could not have been anticipated.



ICANN and internet future to be decided by board of stakeholders from around the world

Following disclosures by Edward Snowden in 2013 about US government mass surveillance programs, pressure from global stakeholders increased for ICANN to move away from NTIA and US oversight. As a result, in 2014, ICANN submitted a proposal, and President Obama agreed to move forward, pending acceptance of a migration proposal, committing to terminate the current NTIA agreement at the end of September 30, 2016, at midnight. The agreement puts in place an advisory board, of which the US is now a member, along with the major nations of the world. Since the internet has become a global asset, the move away from the US as the principal force defining its direction will be complete at midnight on Sept 30, 2016, and ICANN will move to a global advisory, or multi-stakeholder, committee.

What is ICANN?

ICANN, or the Internet Corporation for Assigned Names and Numbers, performs the actual technical maintenance work of the central Internet address pools and DNS Root registries aligned with the Internet Assigned Numbers Authority function contract.

IANA, or the Internet Assigned Numbers Authority, is a department of ICANN, a nonprofit private American corporation. It oversees global IP address allocation, autonomous system number allocation, zone management and other Internet Protocol-related symbols and numbers.

(https://safeview.com/2016/01/01/the-internet-twenty-years-in-review-1995-2015-adoption-of-the-internet-pt-6/)

History 

Prior to the establishment of ICANN in 1998, primarily for this purpose, IANA was administered principally by Jon Postel at the Information Sciences Institute (ISI) of the University of Southern California, situated at Marina Del Rey, Los Angeles, under a contract USC-ISI had with the United States Department of Defense, until ICANN was created to assume the responsibility under a United States Department of Commerce contract.

Founding principles of ICANN

Nonprofit

At present ICANN is organized formally as a non-profit corporation "for charitable and public purposes" under the California Nonprofit Public Benefit Corporation Law. It is managed by a 16-member Board of Directors composed of eight members selected by a nominating committee on which all the groups of ICANN are represented; six representatives of its Supporting Organizations, sub-groups that deal with specific sections of the policies under ICANN's purview; an At-Large seat filled by an At-Large Organization; and the President / CEO, appointed by the Board.

7 domain extensions: .com, .net, .org, .edu, .mil, .gov, ?

ICANN manages the top-level domains (TLDs). A top-level domain is the highest level of domain names in the hierarchical Domain Name System of the Internet, or DNS for short. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last label of a fully qualified domain name. For example, for the top-level domain com, any website with the extension .com, such as safeview.com, is part of that top-level domain. The original extensions are .com, .net, .org, .edu, .mil, .gov, .int, and .nato, which was phased out.

Recent changes

Board of directors - some resigned

https://www.icann.org/resources/board-material/secretarys-notice-2013-10-07-en

https://www.icann.org/resources/board-material/secretarys-notice-2014-10-15-en

https://www.icann.org/news/announcement-2015-05-21-en

CEO now Chairman of World Internet Conference - China-funded consortium to explore Chinese penetration and control of the internet worldwide

http://www.chehade.company/about-1/

1000 TLDs

Over the years there have been additions to these top-level domains, such as .tech and .sucks, with .gay soon to appear, as well as over 1000 vanity extensions. This has concerned proponents of copyrights, as these new extensions allow global name dilution with little real control.

https://newgtlds.icann.org/en

Ignores requests from Congress, FTC

https://www.ftc.gov/news-events/press-releases/2011/12/ftc-warns-rapid-expansion-internet-domain-name-system-could-leave

Root certificates

Would you let yourself be exposed to millions? Are you the type of person to keep your exploits secret? Do you keep your privacy and value personal space? Currently, do you feel that privacy is sacred? If so, then you will be concerned with the United States’ landmark decision on ICANN’s future. This decision will directly impact the vulnerability of your privacy.

Much like a signature at the end of a legal document or the master key to your car, a root certificate can give access to much more than is realized. In cryptography and computer security, a root certificate is an unsigned or self-signed public key certificate that identifies the root certificate authority, CA for short. A root certificate is part of a public key infrastructure scheme. Root certificates act much like key cards. These digital certificates are verified using a chain of trust.

When a person’s signature is given in malice or a car is taken for a joyride by a parking attendant, access is granted to other facets of life: EZPass, financial documents, garage openers, digital phone books, the right to power of attorney. These are things that can be lost in malice; however, in the United States we have the legal system to protect us. What happens when entities that are not governed by our control gain access to our proverbial keys? The opportunity to defend ourselves becomes increasingly limited. When overseas jurisdiction governs the locks and keys, the access root of our privacy, are we safe?

Pro

Freedom

The internet can be a borderless way to communicate in real time without government control

Advocates for ICANN's independence say that there are a lot of safeguards in place to limit any government intrusion. The organization's global board is made up of business, nonprofit and academic leaders. The rules make it hard for governments to exert that much influence.

And, Harvard's Zittrain says, governments that want to censor the Internet already do so in much more effective ways: "There are so many other paths that the Russians or the Chinese could take and have taken to make sure that their citizens or even people around the world can't see stuff that they don't want them to see."
- NPR

Having the internet guided by a board of stakeholders will more honestly represent the global interests and needs regarding the internet

So, if major respected sources do not see the ICANN transition as a problem should anyone?

Majorities in 32 of 38 countries surveyed by Pew Research Center in 2015 believe that allowing people to use the internet without government censorship is important. And in 20 countries, at least 80% hold this view. The pro and con debate over ICANN’s new cumulative control sparks controversy and conflict for many.

Censorship and Freedom

In the last 20 years, censorship of the internet by controlling powers has not gone unnoticed. There is no way to deny the push of sponsored content during outbreaks of crisis and government catastrophes. Based on history and the historical trends of humans, computer entities and hacktivists such as Anonymous, it does not seem that much will be allowed to change.

Con

Civil Rights

In the case of civil rights and liberties, there is no question that people should have the basic freedom to speak, to say, and to question the world around them. These questions have led to the development, innovation and evolution of mind, body and soul, through choices made whenever a human felt he or she should create a thought or action and express it in a particular way. Internet freedom and regulation is largely the way humans make these choices in the 21st century. Former US representatives and politicians such as Newt Gingrich are very concerned.


“Since the Internet now permeates our lives in every possible way, it is disturbing that Obama has relinquished U.S. control over its underlying structure. Control will be turned over to a global panel, which will include totalitarian countries that do not value our First Amendment protection of free speech.”

The US internet population is a fraction of that of our potential challengers for internet control, countries that do not honor US and global intellectual property rights.

ICANN’s precedent issue was created by an unforeseen turn of events. From the inception of ICANN, the U.S. Government and Internet stakeholders envisioned that the U.S. role in the IANA functions would be temporary. In June 1998, the Commerce Department’s Statement of Policy stated that the U.S. Government “is committed to a transition that will allow the private sector to take leadership for DNS management.” ICANN as an organization has matured and taken steps in recent years to improve its accountability, transparency and technical complexity.

The United States Government may not have realized that its actions would shape the global source of readily available information as it is currently known. Its actions led to the fostering of an infrastructure that is able to foster critical and moral thought.

Summary 

It is likely that users will not perceive a change on Sept 30, 2016 at midnight. However, while the NSA works hard to collect internet data, and reluctantly discloses this, once we give up control of DNS, root certificates and the internet, Asian countries will routinely collect information about anyone worldwide, and about all of our devices, without any indication of this activity. Personal privacy on the internet will be a forgotten concept on October 1; once lost, it will never be regained.

Since Tim Berners-Lee started the internet, its freedom has allowed for the greatest innovations and developments of our time. In 1999 the internet had 248 million users, roughly 4% of the world’s population. In 2008 the internet reached 1.5 billion users on desktop and 262 million users on mobile with the creation of the smartphone. Today the internet has over 3,424,971,237 users, 46.1% of the world. If something is not done by this Sunday, this freedom may be in jeopardy for our global society. ICANN needs to be consulted and remedied based on the historical trend of the internet. Human beings require this undeniable freedom based on history, civil rights and future development.

We need to find a way to keep our indelible right sacred and intact. As human beings, all should have a right to be educated and informed so they may make their lives better. Many internet organizations feel the same way many citizens around the globe feel about internet privacy and security. In a last-minute lawsuit designed to prevent the handover of critical internet functions at midnight tonight, major internet organizations have come to the support of the US government. The Internet Association, which represents the largest internet tech companies such as Alphabet and Facebook, in addition to numerous like-minded individuals, has filed an amicus brief in the Texas court on the eve of a hearing seeking a temporary restraining order against the Department of Commerce’s jurisdiction.

Related reading

Apple v FBI - Freedom Isn't Free, Liberty isn't Liberating

This Week, "Freedom isn't free"

Our Consolation must be this, my dear, that Cities may be rebuilt, and a People reduced to Poverty, may acquire fresh Property: But a Constitution of Government once changed from Freedom, can never be restored. Liberty once lost is lost forever. When the People once surrender their share in the Legislature, and their Right of defending the Limitations upon the Government, and of resisting every Encroachment upon them, they can never regain it.

sourced from: http://www.masshist.org/digitaladams/archive/popup?id=L17750707ja&page=L17750707ja_1

Letter from President John Adams to Abigail Adams, 7 July 1775

The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants.
- President Thomas Jefferson, 1787

Background

Read the timeline here.

Since the FBI and San Bernardino County officials reset the password of an iPhone 5c, they have been building a case for the government to claim the right to monitor EVERYTHING.  Encryption is a mechanism used to protect data. We depend on encryption to connect to the internet, do business, check our bank balance, buy things from eBay and listen to music from iTunes.

Encryption is secure by design, and keeps getting more secure each day. Technology forces encryption to stay on the move, slightly ahead of the technology used to break it. If encryption is engineered with a weakness, it is rapidly exploited, and such an exploit becomes available to anyone, even commercially.

Numerous companies sell products that can crack cell phone security and decrypt protections. The commercial solutions are typically a version or two back from current models. Every cell phone - Blackberry, Android and Apple - can be cracked, given enough time and resources. People are the biggest threat to security. Companies adopted encryption and security measures that were within the limitations of the hardware and within the limitations of users.

The FBI did the greatest service to privacy and the willingness of people to use difficult passwords by trying to bypass security by design. People are starting to realize that this has little to do with crime, and everything to do with privacy. Once we surrender our rights for security, we get neither (loosely paraphrased from Ben Franklin). A right surrendered is never returned.

The cell phone, a work phone, in question was likely not used for crime. The suspects had private phones which were destroyed. These were work phones. Verizon provided all the communications - voice, data, text - to the government. There is no reasonable belief that this phone is pivotal to the discovery of terrorist activities, and even if it could, that does not in any way justify giving up the right to protect our privacy from all, our government, and bad guys, included.

What Does The Fourth Amendment Mean?

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.... Fourth Amendment of the US Constitution, September 25, 1789

"The house of every one is to him as his castle and fortress, as well for his defence against injury and violence as for his repose." Sir Edward Coke, Attorney General of England, 1604 in the Semayne's Case (The eminent English jurist; born in Norfolk, 1552; educated at Cambridge; solicitor-general, 1592; attorney-general, 1594; speaker of the House of Commons, 1593; chief-justice of the common pleas, 1606, and of the King’s Bench, 1613, from which he was removed by James I., 1616; opposed the court party from that time until 1628, when he produced his commentary upon Littleton; died 1633.)

The holding of the case can best be summed by Coke's words,

“ In all cases when the King is party, the sheriff may break the party's house, either to arrest him, or to do other execution of the K[ing]'s process, if otherwise he cannot enter. But before he breaks it, he ought to signify the cause of his coming, and to make request to open doors…”

The government wants to protect us by being able to monitor everything, at the cost of our privacy.

The King's local forces in the colonies asserted their rights to unwarranted searches, kicking doors from hinges prior to 1775. No warning was required, no disclosure or supporting evidence. The government could use the threat of a search as extortion, and colonists had no defenses, since the locals were acting supposedly on behalf of the King.

We don't have a king. We have a representative government that should act for us. Is the government acting for us by legislating technology? Are we collectively safer?  The UK government is moving to require encryption keys to be provided to the government. This does not stop encryption. This only gives government the ability to claim encryption keys for those services where the keys are stored by a hosting provider.

Anyone familiar with encryption realizes that this will only affect cloud solutions with cloud-provider-stored keys. Therefore, new iPhones, new Android devices, and OpenPGP-encrypted files and email are all unaffected. So, does the government gain anything other than sound bites and media attention if their real goal is stopping terrorists? Keys that you create are protected by both 4th Amendment protection, where the key is a thing, and 5th Amendment protection, where the key is something you know. The government is trying to establish a precedent to bypass Constitutional protections afforded to individuals by forcing technology companies to be complicit in mass spying.

Encryption has become the technological concealed weapon. The government doesn't want us to have it. They will use laws to make encryption criminal, and accept no responsibility when data protection is circumvented as a result. Like concealed handguns, encryption laws only influence those who abide by laws in the first place.

Government has not proven that they can keep their information secure. How can they be the custodians of encryption keys and tools that give them backdoor access to every online service (and grant the same access to a criminal) without any trace?

The USA Patriot Act 1 & 2

The USA PATRIOT Act is an Act of Congress that was signed into law by President George W. Bush on October 26, 2001. Its title is a ten-letter backronym (U.S.A. P.A.T.R.I.O.T.) that stands for "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001".

On May 26, 2011, President Barack Obama signed the PATRIOT Sunsets Extension Act of 2011, a four-year extension of three key provisions in the USA PATRIOT Act: roving wiretaps, searches of business records, and conducting surveillance of "lone wolves"—individuals suspected of terrorist-related activities not linked to terrorist groups.

Following a lack of Congressional approval, parts of the Patriot Act expired on June 1, 2015. With the passage of the USA Freedom Act on June 2, 2015, the expired parts were restored and renewed through 2019. However, Section 215 of the law was amended to stop the National Security Agency from continuing its mass phone data collection program. Instead, phone companies will retain the data and the NSA can obtain information about targeted individuals with permission from a federal court.

The USA Freedom Act

This is a U.S. law enacted on June 2, 2015 that restored in modified form several provisions of the Patriot Act, which had expired the day before. The act imposes some new limits on the bulk collection of telecommunication metadata on U.S. citizens by American intelligence agencies, including the National Security Agency. It also restores authorization for roving wiretaps and tracking lone wolf terrorists. The title of the act originally was a ten-letter backronym (USA FREEDOM) that stood for "Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act."

The Cybersecurity Information Sharing Act

The Cybersecurity Information Sharing Act (CISA S. 2588 [113th Congress], S. 754 [114th Congress]) is a United States federal law designed to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes". The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate October 27, 2015. Opponents question CISA's value, believing it will move responsibility from private business to the government, thereby increasing vulnerability of personal private information, as well as dispersing personal private information across seven government agencies, including the NSA and local police.

Summary

The King and his representatives meant well. They had the people in mind, but had over centuries pushed the bounds of protection versus privacy too many times. The courts repeatedly defended the rights of individual privacy over the rights of the government to conduct warrantless surveillance. The government won't ask us for our keys, and we won't offer them. The technology industry is actually being asked to redesign security in such a way that back doors are impossible, given current technology. Providers will implement encryption in a way that is solely in the control of the consumer. In the long run, the government is making noise, protecting no one (criminals are not stopped by laws), and getting spin for coming out against encryption. We need encryption if we need to use technology. It is as important to the function of our current technology as electricity.

Immediately, switch to OpenPGP, Mailvelope, Signal for iPhone, Android and Desktop. Take the responsibility for protecting your own information so that technology companies are not pressured by government. They cannot share what they don't have.

https://en.wikipedia.org/wiki/Chelsea_Manning

https://en.wikipedia.org/wiki/Edward_Snowden

https://en.wikipedia.org/wiki/List_of_whistleblowers

https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

http://fox6now.com/2016/03/10/u-s-plans-to-publicly-blame-iran-for-dam-cyber-breach/

http://www.cnn.com/2015/12/18/politics/juniper-networks-us-government-security-hack/index.html

https://www.opm.gov/cybersecurity/cybersecurity-incidents/

http://www.cnn.com/2016/02/08/politics/hackers-fbi-employee-info/index.html

Apple v FBI - Why this has nothing to do with terrorists

sourced from: http://notable-quotes.com

https://en.wikipedia.org/wiki/You%27re_either_with_us,_or_against_us

You're either with us, or against us

UPDATE

Listings are now in reverse chronology. This will make it easier to keep up to date.

This Week, "Apple v FBI - Why this has nothing to do with terrorists"

The following is a timeline, as best as I could find, for the salient issues surrounding this critical case. Sources, links, documents are all included where possible. This is an important issue for all of us, and is an example of how the government can erode our rights by attacking the vendors whom we trust with our personal information. While we personally can protect our information from unwarranted search and seizure, if the government can ask for rootkits and jailbreaks from a vendor, they don't even have to ask anymore.

March 10, 2016: The US Government filed in response to Apple's motion to vacate. [FBI response to motion to vacate]

March 7, 2016: US Attorneys filed a request to the court in response to NY Magistrate Orenstein's recent ruling. Their request advises the court to seek outside assistance, and reminds the court of the importance of this issue to the government. These issues were all carefully addressed in the Magistrate's ruling. [Letter to Magistrate Orenstein]

March 6, 2016: Craig Federighi, senior vice president of software engineering at Apple, published an op-ed piece in the Washington Post playing up the security implications of following through with the government’s demands.

March 5, 2016:  San Bernardino County DA filed an Amicus Brief in defense of the US Government. [San Bernardino County District Attorney's Amicus Curiae Brief In Support of the United States Government]

March 3, 2016: A who's who of technology leaders have been filing Amicus briefs in support of Apple, including Amazon, Box, Cisco, Dropbox, Evernote, Facebook, Facebook’s WhatsApp, Google, Google’s Nest, Microsoft, Mozilla, Pinterest, Slack, Snapchat, and Yahoo, as well as Airbnb, Atlassian, Automattic, CloudFlare, eBay, GitHub, Kickstarter, LinkedIn, Mapbox, Medium, Meetup, Reddit, Square, Squarespace, Twilio, Twitter, and Wickr. [Amicus Brief from Airbnb, Atlassian, Automattic, CloudFlare, eBay, GitHub, Kickstarter, LinkedIn, Mapbox, Medium, Meetup, Reddit, Square, Squarespace, Twilio, Twitter and Wickr] [Amicus Brief on behalf of Amazon, Box, Cisco, Dropbox, Evernote, Facebook, Google, Microsoft, Mozilla, Nest, Pinterest, Slack, Snapchat, WhatsApp and Yahoo]

March 2, 2016: The American Civil Liberties Union filed an Amicus Brief in favor of Apple. [Amicus Brief ED No. CM 16-10 (SP)]

March 1, 2016: Bruce Sewell, General Counsel and Sr. Vice President for Apple testified before a House Judiciary Committee meeting.

February 25, 2016: Microsoft President and Chief Legal Officer confirms before Congress strong support for Apple, despite Bill Gate's recent statements to the contrary. ( Microsoft supports Apple to Congress)

February 25, 2016: A day before the response date ordered by the court, Apple filed "APPLE INC'S MOTION TO VACATE ORDER COMPELLING APPLE INC TO ASSIST AGENTS IN SEARCH, AND OPPOSITION TO GOVERNMENT'S MOTION TO COMPEL ASSISTANCE" ED No. CM 16-10 (SP). [Apple files to vacate order]

February 24, 2016: Tim Cook, CEO, Apple Inc., speaks exclusively with David Muir of ABC News.

February 24, 2016: Theodore J. Boutrous, attorney for Apple Inc., plans to challenge the use of the All Writs Act of 1789 and to claim that Apple's 1st Amendment rights were infringed by the court order. He will challenge jurisdiction and venue, arguing that an issue that directly affects the privacy and security of American citizens is one that belongs in Congress. [Attorney Boutrous on Apple's response strategy]

February 23, 2016: The government has hundreds of iPhones that it wants Apple to decrypt. Despite claims to the contrary, a decision in the government's favor would have sweeping, negative and oppressive ramifications for Apple, and subsequently for all technology companies in the US and around the world. [Hundreds of iPhones waiting to be decrypted]

February 23, 2016: Bill Gates, founder of Microsoft, took the government's side regarding Apple's resistance to complying with the court order. [Bill Gates speaking with CNN]

February 22, 2016: Tim Cook, CEO, Apple, sent an internal email, later leaked to TechCrunch, explaining the company's position to staff. [Apple Internal Email]

Subject: Thank you for your support

Team,

Last week we asked our customers and people across the United States to join a public dialogue about important issues facing our country. In the week since that letter, I’ve been grateful for the thought and discussion we’ve heard and read, as well as the outpouring of support we’ve received from across America.

As individuals and as a company, we have no tolerance or sympathy for terrorists. When they commit unspeakable acts like the tragic attacks in San Bernardino, we work to help the authorities pursue justice for the victims. And that’s exactly what we did.

This case is about much more than a single phone or a single investigation, so when we received the government’s order we knew we had to speak out. At stake is the data security of hundreds of millions of law-abiding people, and setting a dangerous precedent that threatens everyone’s civil liberties.

As you know, we use encryption to protect our customers — whose data is under siege. We work hard to improve security with every software release because the threats are becoming more frequent and more sophisticated all the time.

Some advocates of the government’s order want us to roll back data protections to iOS 7, which we released in September 2013. Starting with iOS 8, we began encrypting data in a way that not even the iPhone itself can read without the user’s passcode, so if it is lost or stolen, our personal data, conversations, financial and health information are far more secure. We all know that turning back the clock on that progress would be a terrible idea.

Our fellow citizens know it, too. Over the past week I’ve received messages from thousands of people in all 50 states, and the overwhelming majority are writing to voice their strong support. One email was from a 13-year-old app developer who thanked us for standing up for “all future generations.” And a 30-year Army veteran told me, “Like my freedom, I will always consider my privacy as a treasure.”

I’ve also heard from many of you and I am especially grateful for your support.

Many people still have questions about the case and we want to make sure they understand the facts. So today we are posting answers on apple.com/customer-letter/answers/ to provide more information on this issue. I encourage you to read them.

Apple is a uniquely American company. It does not feel right to be on the opposite side of the government in a case centering on the freedoms and liberties that government is meant to protect.

Our country has always been strongest when we come together. We feel the best way forward would be for the government to withdraw its demands under the All Writs Act and, as some in Congress have proposed, form a commission or other panel of experts on intelligence, technology and civil liberties to discuss the implications for law enforcement, national security, privacy and personal freedoms. Apple would gladly participate in such an effort.

People trust Apple to keep their data safe, and that data is an increasingly important part of everyone’s lives. You do an incredible job protecting them with the features we design into our products. Thank you.

Tim

February 22, 2016: France 24 published a questionable story about Apple revealing security information (insinuating that it shared source code) to the Chinese government. [Apple and China on France 24]

http://qz.com/332059/apple-is-reportedly-giving-the-chinese-government-access-to-its-devices-for-a-security-assessment/

Beijing Times Story

February 21, 2016: Attorney Stephen Larson, representing a group of family members of the attack victims, will file a motion in March to compel Apple to cooperate. [Stephen Larson's statement to Reuters]

February 21, 2016: Richard Yu, CEO, Huawei, offered support for Apple Inc. in a statement to Bloomberg. [Richard Yu statement to Bloomberg]

February 21, 2016: James Comey, Director, FBI, posted a blog post defending the government's position against Apple. [James Comey on Lawfare]

February 20, 2016: Apple confirms that the iCloud password was reset within 48 hours of seizure of the device, thereby eliminating the possibility of an iCloud device backup. [San Bernardino County reset password]

February 20, 2016: The FBI came forward and admitted — in a statement it emailed to Ars Technica writer Cyrus Farivar — that “the FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the county owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data.” [FBI iCloud reset letter]

February 19, 2016: Apple confirms that the iCloud password was reset within 48 hours of seizure of the device, thereby eliminating the possibility of an iCloud device backup. [San Bernardino County reset password]

February 19, 2016: The San Bernardino County Twitter feed was updated with this post.

February 19, 2016: "Boycott Apple until such time as they give that security number," Trump said at a campaign event in Pawleys Island, South Carolina. "It just occurred to me."

February 18, 2016: Jack Dorsey, CEO, Twitter, provided a statement of support.

February 17, 2016: Reform Government Surveillance (AOL, Apple, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo) published a statement affirming that “technology companies should not be required to build in backdoors to the technologies that keep their users’ information secure.” [Reform Government Surveillance Statement]

https://www.tumblr.com/reformgs/139513553507/reform-government-surveillance-statement

February 17, 2016: Sundar Pichai, CEO, Google, publicly offered support and a position statement in a five-tweet comment.

February 17, 2016: Senator Ron Wyden defended the position taken by Apple.

February 17, 2016: Senator Tom Cotton accused Apple of choosing to protect a dead ISIS terrorist's privacy over the security of the American people. [Statement by Senator Tom Cotton]

February 17, 2016: Gen. Michael Hayden, former director of the CIA and NSA, says he disagrees with FBI Director James Comey that the government should have backdoor access to encrypted files.

February 16, 2016: "Answers to your questions about Apple and security" from Tim Cook, CEO, Apple, Inc. [Answers to your questions about Apple and security]

February 16, 2016: "A Message To Our Customers" from Tim Cook, CEO, Apple, Inc. [A Message To Our Customers]

February 16, 2016: "ORDER COMPELLING APPLE INC TO ASSIST AGENTS IN SEARCH" signed by US Magistrate Judge Sheri Pym. Case No. ED 15-CR-0451M. [Order Compelling Apple to Assist]

February 16, 2016: United States of America filed "Government’s Ex Parte Application for Order Compelling Apple Inc to Assist Agents in Search” Case No. ED 15-CR-0451M. [US Ex Parte Application for Order]

December 3, 2015: US Magistrate Judge David Bristow signs the search warrant for a black Lexus IS300. Attachment A2 references the procedures for collecting and handling digital evidence. Case No. ED 15-CR-0451M. [Search and Seizure Warrant] [Attachment A: Search and Seizure Warrant]

About SafeView

The SafeView Research Report is intended to give you a snapshot of technology risk management issues. Airius Internet Solutions manages SafeView data and provides strategic, tactical and emergency risk management consulting. If you have any technology risk issues, please contact Airius with your questions at info@airius.com

Passcode Lock (iOS Hacker)

"We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone." Tim Cook, CEO, Apple

Summary

Apple's attorney is correct when he asserts that this matter belongs in Congress. The country is more polarized on this issue than on the presidential candidates. Everyone has an opinion, and it affects all of us. Let our representatives act on our behalf to protect us first. Safety, security, catching the bad guys: all are critically important. However, we cannot give away our liberties; we will never get them back.

Benjamin Franklin for the Pennsylvania Assembly in its Reply to the Governor (11 Nov. 1755)

Related reading . . .

https://en.wikipedia.org/wiki/Crypto_Wars

https://stratechery.com/2016/apple-versus-the-fbi-understanding-iphone-encryption-the-risks-for-apple-and-encryption/

https://www.eff.org/deeplinks/2016/02/technical-perspective-apple-iphone-case

http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor/#PZHhTf9dv8qf