Thursday, March 4, 2010

Cyber Security Act

Feds weigh expansion of Internet monitoring
by Declan McCullagh

SAN FRANCISCO--Homeland Security and the National Security Agency may be taking a closer look at Internet communications in the future.

The Department of Homeland Security's top cybersecurity official told CNET on Wednesday that the department may eventually extend its Einstein technology, which is designed to detect and prevent electronic attacks, to networks operated by the private sector. The technology was created for federal networks.

Greg Schaffer, assistant secretary for cybersecurity and communications, said in an interview that the department is evaluating whether Einstein "makes sense for expansion to critical infrastructure spaces" over time.

Not much is known about how Einstein works, and the House Intelligence Committee once charged that descriptions were overly "vague" because of "excessive classification." The White House did confirm this week that the latest version, called Einstein 3, involves attempting to thwart in-progress cyberattacks by sharing information with the National Security Agency.

Greater federal involvement in privately operated networks may spark privacy or surveillance concerns, not least because of the NSA's central involvement in the Bush administration's warrantless wiretapping scandal. Earlier reports have said that Einstein 3 has the ability to read the content of emails and other messages, and that AT&T has been asked to test the system.

(The Obama administration says the "contents" of communications are not shared with the NSA.)

"I don't think you have to be Big Brother in order to provide a level of protection either for federal government systems or otherwise," Schaffer said. "As a practical matter, you're looking at data that's relevant to malicious activity, and that's the data that you're focused on. It's not necessary to go into a space where someone will say you're acting like Big Brother. It can be done without crossing over into a space that's problematic from a privacy perspective."

If Einstein 3 does perform as well as Homeland Security hopes, it could help less-prepared companies fend off cyberattacks, including worms sent through e-mail, phishing attempts, and even denial of service attacks.

On the other hand, civil libertarians are sure to raise questions about privacy, access, and how Einstein could be used in the future. If it can perform deep packet inspection to prevent botnets from accessing certain Web pages, for instance, could it also be used to prevent a human from accessing illegal pornography, copyright-infringing music, or offshore gambling sites?

"It's one thing for the government to monitor its own systems for malicious code and intrusions," said Greg Nojeim, senior counsel at the Center for Democracy and Technology. "It's quite another for the government to monitor private networks for those intrusions. We'd be concerned about any notion that a governmental monitoring system like Einstein would be extended to private networks."

AT&T did not respond to a request for comment on Wednesday.

Cooperation, or a loss of control?

At the RSA Conference here on Wednesday, Homeland Security Secretary Janet Napolitano stressed the need for more cooperation between the government and the private sector on cybersecurity, saying that "we need to have a system that works together."

During a House appropriations hearing on February 26, Napolitano refused to discuss Einstein 3 unless the hearing were closed to the public. "I don't want to comment publicly on Einstein 3, per se, here in an unclassified setting," she said. "What I would suggest, perhaps, is a classified briefing for members of the subcommittee who are interested."

Some privacy concerns about Einstein have popped up before. An American Bar Association panel said this about Einstein 3 in a September 2009 report: "Because government communications are commingled with the private communications of non-governmental actors who use the same system, great caution will be necessary to insure that privacy and civil liberties concerns are adequately considered."

Jacob Appelbaum, a security researcher and programmer for the Tor anonymity project, said that expanding Einstein 3 to the private sector would amount to a partial outsourcing of security. "It's clearly a win for people without the security know-how to protect their own networks," Appelbaum said. "It's also a clear loss of control. And anyone with access to that monitoring system, legitimate or otherwise, would be able to monitor amazing amounts of traffic."

Einstein grew out of a still-classified executive order, called National Security Presidential Directive 54, that President Bush signed in 2008.

While little information is available, former Homeland Security Secretary Michael Chertoff once likened it to a new "Manhattan Project," and the Washington Post reported that the accompanying cybersecurity initiative represented the "single largest request for funds" in last year's classified intelligence budget. The Electronic Privacy Information Center has filed a lawsuit (PDF) to obtain the text of the order.

Homeland Security has published (PDF) a privacy impact assessment for a less capable system called Einstein 2--which aimed to do intrusion detection and not prevention--but has not done so for Einstein 3.

The department did, however, prepare a general set of guidelines (PDF) for privacy and civil liberties in June 2009. In addition, the Bush Justice Department wrote a memo (PDF) saying Einstein 2 "complies with" the U.S. Constitution and federal wiretap laws.

That justification for Einstein 2 "turned on the consent of employees in the government that are being communicated with, and on the notion that a person who communicates with the government can't then complain that the government read the communication," said CDT's Nojeim. "How does that legal justification work should Einstein be extended to the private sector?"

********

A New Age for US Cybersecurity
By Richard Adhikari
TechNewsWorld
03/03/10 9:53 AM PT

U.S. cybersecurity efforts must be multifaceted, emphasized White House Cybersecurity Coordinator Howard Schmidt in a speech at RSA 2010 on Tuesday. "In order to be successful against today's cybersecurity threats, we need to seek out new and innovative partnerships -- not only between business and government, but also academia."

In the wake of repeated warnings by former top-level government cybersecurity experts that the United States is ill-prepared for a cyberwar, White House Cybersecurity Coordinator Howard Schmidt disclosed Tuesday the Obama administration's plans to prepare for the cybersecurity needs of the future.

The administration is taking a multifaceted approach to cybersecurity, Schmidt said at the RSA Conference 2010 in San Francisco.

"Security is not a binary thing we do -- our cybersecurity policies have to be well aligned, so we're looking at digital networks to make sure they're resilient and robust," he said. "We also need to reach out; we don't want to do things that hamper innovation."

Part of reaching out is working with the National Economic Council, Schmidt said. Another part is having the national security staff, which consists of representatives from various government agencies and departments, pull together a holistic picture of how the economy and cybersecurity are intertwined.

A 360-Degree View

Schmidt also spoke about the Cybersecurity Policy Review commissioned by President Obama, which calls for changes in the United States' approach to cybersecurity.

The U.S. needs to have a handle on the ever-changing state of cybersecurity, he said. It also needs to look at its cybersecurity policies in terms of current requirements and make sure they are updated as needed.

In order to achieve these goals, the national security staff keeps President Obama and his key advisers informed about the comprehensive picture it puts together of cybersecurity and the economy, Schmidt said.

That support at the highest levels is critical.

"One of the key issues of governance is you have to have leadership from the top," Schmidt said. "Many of us have spent our careers pushing upwards from the bottom, and market prices and other factors have been an impediment in the past. They're no longer an impediment."

The Cybersecurity Policy Review also calls for addressing international cooperation in the cybersecurity field, developing an instant response plan for cyberemergencies, and transparency in government.

Our Overseas Friends

One of the worst problems cybersecurity professionals face is that they're restricted by regional, local and national boundaries, while cybercriminals are not.

Local, state and federal law enforcement agencies in the U.S. don't cooperate much, and cooperation with international law enforcement is even worse. Meanwhile, cybercriminals operate in gangs that cross national borders, making it difficult to arrest and prosecute them.

In some countries, well-connected cybercriminals are protected by their national governments.

The National Cybersecurity Policy seeks to address these problems.

"We'll start looking at international cybersecurity policy," Schmidt said. "We need to make sure our policy and framework are addressing the international field."

Who're You Gonna Call?

The Cybersecurity Policy Review also calls for the establishment of an instant response plan.

"There should never be a question as to where the private sector needs to go during an incident," Schmidt explained. "There should never be a question about whether the private sector needs to coordinate what needs to be done. The Department of Homeland Security is doing a great job of pulling this together."

An instant response plan is critical. The U.S. is the most vulnerable country in a cyberwar because it's the most connected, Mitch McConnell, former director of national intelligence, has testified before the Senate.

Both McConnell and current Director of National Intelligence Dennis Blair are among the cybersecurity experts who have testified before Congress about the need for stronger cooperation between the private and public sectors on security.

Peekaboo! I See You!

Private-public sector cooperation alone is not enough; the American people also have to be involved, Schmidt said.

"In order to be successful against today's cybersecurity threats, we need to seek out new and innovative partnerships -- not only between business and government, but also academia," he explained.

In order for that to happen, government needs greater transparency.

"Transparency and partnerships are concepts that have to go hand in hand," said Schmidt. "We can't ask industry to help government, or government to step in, unless we have transparency."

In line with that policy of transparency, the government on Tuesday declassified part of its Comprehensive National Cybersecurity Initiative (CNCI), publishing details of the US$40 billion cybersecurity plan on the Internet Tuesday, Schmidt announced.

Transparency has been a key requirement of the Obama administration all along, Schmidt said. "The foundation aspects of the government's cybersecurity policy are transparency and accountability."

******

Sens. Push for Government Cybersecurity Authority
By Kenneth Corbin
February 24, 2010

WASHINGTON -- The senators backing sweeping and controversial legislation to overhaul U.S. cybersecurity policy pressed their cause Tuesday, signaling in a hearing that they have no intention of backing down from a dramatic expansion of executive authority to respond to an attack on the nation's digital infrastructure.

"This hearing is a next step in examining the important action we should be taking, right now -- as a government and as a national economy -- to harden our defenses and safeguard critical infrastructure against a major cyber attack," said Commerce Committee Chairman John Rockefeller (D-WV).

Rockefeller, along with Olympia Snowe (R-ME), jointly introduced the Cybersecurity Act of 2009 last April, legislation that drew immediate protests from groups that warned against provisions in the bill that could supersede privacy laws in the event of a cyber attack and give the president authority to take temporary control over private networks.

But Rockefeller and Snowe Tuesday indicated that they remain committed to the executive authority provisions in the bill, which they hope to push through the senate this year.

"We've got to give the president the right to intervene," Rockefeller said. "That's controversial. That'll always be controversial."

The senators said that they and their staffers had held more than a hundred meetings with members of the private sector and other stakeholders and that the bill has been substantially revised at least four times.

Cyber security warnings

At Tuesday's hearing, the witnesses offered dire warnings about the vulnerabilities of U.S. digital networks, which are largely owned and operated by firms in the private sector.

"If the nation went to war today in a cyber war, we would lose," said retired Adm. Michael McConnell, the former director of the National Security Agency who currently serves as executive vice president of Booz Allen Hamilton's National Security Business. "We're the most vulnerable. We're the most connected. We've got the most to lose."

McConnell praised the Rockefeller-Snowe bill as a good first step, but in his dark view, policymakers won't be spurred to take the dramatic action he sees necessary until the nation is hit with a crippling attack.

"We will not mitigate this risk," he said. "As a consequence of not mitigating this risk, we're going to have a catastrophic event."

Cyber attack response

The expanded government role in cybersecurity is at the heart of the Rockefeller-Snowe bill, which would elevate the cyber coordinator position President Obama created last year to Cabinet-level status, reporting directly to the president and requiring confirmation by the Senate.

Snowe also suggested that the government could take steps toward establishing more rigid standards, such as shielding companies that adhered to baseline security standards from liability in the event of an attack.

She also called for government agencies to make security a higher priority when making procurement decisions, using the considerable federal purchasing power to move the market toward more secure systems.

But the bill comes out of a concern that the stakes are too high to allow market forces to set the standard for cybersecurity.

"Since this is a network and everything is interconnected, if 10 percent don't do the right thing then 100 percent would be vulnerable," said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, the group that delivered a cybersecurity report to then-President-elect Obama in December 2008. The Rockefeller-Snowe bill draws extensively from the CSIS report.

Considerable opposition

Not surprisingly, the prospect of an increased government role in private networks has stoked considerable opposition to the proposed legislation.

"Companies tended to resist the idea of the government sort of getting in the way of what they were already doing, which they felt to be adequate," Rockefeller said of his meetings with industry representatives.

Some of that opposition was on display today, with Mary Ann Davidson, Oracle's chief security officer, telling the panel that the real shortfall is in the university system, where security is given short shrift in computer science programs.

"We have to train all computer science graduates in how to write secure code because they weren't taught this in universities," Davidson said.

She suggested that the government slow the push to move critical systems like the electrical grid to IP-enabled networks before implementing standards to secure the millions of devices that would be operating as clients.

In the area of standards, she suggested that a government agency, such as the National Institute of Standards and Technology, could take the lead. Similarly, she urged the senators to focus their attention on the transparency of software development, noting that organizations commonly purchase and deploy software today with little -- if any -- insight into the development process, including the ability to withstand an attack.

In addition to setting standards, she suggested that the government's role would properly be limited to using its purchasing power to nudge the market toward higher security and transparency standards.

*********

The ‘war on cyber terrorism’
February 27, 2010 at 11:04 pm

Until now, the Internet has been a mostly unregulated, user-created technology, giving rise to an unprecedented expansion of free speech. However, that may soon be changing.

According to a Washington Post article on Wednesday, the federal government is looking for ways to regulate both federal and private industry in an effort to increase cyber security.

Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) are drafting legislation to protect the nation from a massive cyber security attack. Rockefeller described such an attack as an “enormous threat” and justified the controversial legislation.

“Too much is at stake for us to pretend that today’s outdated cybersecurity policies are up to the task of protecting our nation and economic infrastructure,” Rockefeller said. “We have to do better and that means it will take a level of coordination and sophistication to outmatch our adversaries.”

According to an article in The Hill, the power to regulate and, if need be, control the Internet would be vested in one man, the President of the United States:

“The president would then have the ability to initiate those network contingency plans to ensure key federal or private services did not go offline during a cyberattack of unprecedented scope”

The threat posed by cyber attacks is real. Google recently fell victim to an attack it claims originated in China. Even the Joplin Globe blogs, including Redheaded Politics, were shut down in January 2009 by hackers opposed to U.S. and Israeli policy in Gaza.

But the threat of giving the executive branch sweeping powers of regulation and “protection” in case of a national emergency is far more unsettling. If the federal government wishes to increase the security of its own networks, let it do so. The ramifications of it controlling and monitoring the private sector, aka me and you, could be dreadful.
