Zoom’s Encryption Is “Not Suited for Secrets”

Zoom’s Encryption Is “Not Suited for Secrets” (The Intercept)

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

Zoom's security has been hammered since last week. First, Zoom was caught sending user metadata to Facebook, then came the deception around end-to-end encryption, and now this. Unfortunately, this is the software that most colleges and K-12 schools are using to provide remote instruction to students.


Addressing the Cybersecurity Skills Gap

Are More Defined Parameters the Key to Addressing the Cybersecurity Skills Gap? (Security Intelligence)

...the skill sets required tend to be more diverse than other IT-related jobs. In addition to tech skills, cybersecurity jobs also require skills that align with liberal arts and humanities fields, such as communications and psychology. This has the potential to open the door to a wide range of candidates.

What’s missing is an accurate job description, said Wesley Simpson, chief operating officer with (ISC)2, during a conversation at the company’s Security Congress in October. Hiring managers who write up job descriptions often don’t have a complete understanding of the actual skill needs for these cybersecurity careers. There is a tendency to become enamored with certifications, which a person often can’t qualify for until they have years of job experience.

However, many of these jobs that “require” certifications are essentially entry-level jobs, so the people who should be applying for them don’t because they don’t carry certifications. On the other hand, people who do apply may be over-qualified and see the position as a lateral move, which could lead them to turn an offer down.

Is an inability to define security the main cause of the cybersecurity skills gap? If we can't truly define what security is, how can organizations design the right cybersecurity jobs for their needs?


The security implications of China’s AI Strategy

Understanding China's AI Strategy by Gregory C. Allen (cnas.org)

In the second half of 2018, I traveled to China on four separate trips to attend major diplomatic, military, and private-sector conferences focusing on Artificial Intelligence (AI). During these trips, I participated in a series of meetings with high-ranking Chinese officials in China’s Ministry of Foreign Affairs, leaders of China’s military AI research organizations, government think tank experts, and corporate executives at Chinese AI companies. From these discussions – as well as my ongoing work analyzing China’s AI industry, policies, reports, and programs – I have arrived at a number of key judgments about Chinese leadership’s views, strategies, and prospects for AI as it applies to China’s economy and national security. Of course, China’s leadership in this area is a large population with diversity in its views, and any effort to generalize is inherently presumptuous and essentially guaranteed to oversimplify. However, the distance is large between prevailing views in American commentary on China’s AI efforts and what I have come to believe are the facts. I hope by stating my takeaways directly, this report will advance the assessment of this issue and be of benefit to the wider U.S. policymaking community.

Gregory C. Allen at the Center for a New American Security has produced a report with analysis and insights into China's AI strategy with national and cyber-security implications for the commercial, government, and military sectors.
