Cybersecurity archives - IT Compliance Advisor


Nov 20 2009   4:15PM GMT

Former cyber czar describes cybersecurity policy-making, faults FISMA



Posted by: Alexander Howard
Greg Garcia, United States, United States Department of Homeland Security, Security, Computer security, Electrical grid, Government, compliance, FISMA, DHS, cyber security, cybersecurity, cyberwar

How did the first U.S. “cyber czar” describe his time as the nation’s assistant secretary for Cybersecurity and Communications (CS&C)? Quoting Mark Twain, Greg Garcia observed that “a man who carries a cat by a tail learns something he can learn in no other way.”

It was “like a paintball fight in an Escher painting” at the Department of Homeland Security (DHS), Garcia described, “with great affection.”

Jokes aside, Garcia, who spoke at the CA IT Government Expo this week in Washington, was clear in describing what it was like in the crucible of the DHS making cybersecurity policy. “Our adversaries right now are better organized and better motivated than we are,” he said. “We, as a nation, are at an inflection point in this national cybersecurity challenge. We have a foundation for organizational structure in the private sector. We need to build a trust framework. If you don’t have an affirmation of trust, even with the same team, you’re not going to be able to get to an effective real-time response.”

Garcia, who served as assistant secretary for CS&C from 2006 to 2008, broke down the components of the Comprehensive National Cyber Security Initiative (CNCI) that President Bush signed in January 2008. The CNCI consists of 12 elements aimed at improving cybersecurity on federal networks. “We were seeing terabytes of data flowing out of .gov networks,” said Garcia.

CNCI components include intrusion detection and prevention, research and development into so-called “leap ahead” technologies and better situational awareness, coordinated through the National Cybersecurity Center.

Garcia advocated for better counterintelligence for cybersecurity, for “classified network security” (perhaps referring to the Einstein monitoring tool), and for improved cybereducation and training.

Echoing the NERC CSO’s remarks last month, Garcia has had to think through how deterrence strategy changes in cyberwar, especially when other nation states are in the electric grid or government networks. “What point does a cyberattack become an act of war?” he asked. “How do you make it more dangerous for our adversaries to attack us? A lot of it has to do with attribution.”

Garcia affirmed the need for a Federal Information Security Management Act (FISMA) for ISPs, but said that “it needs to be market-driven, at least for now, until we can determine if there’s market failure. Every infrastructure sector has different business models and risk models.” Garcia provided what may be a controversial example: an initiative where major investment banks came together and “designed their own FISMA, if you will,” with auditors to assess financial network security.

When it came to the utility of FISMA in assessing cybersecurity readiness, however, Garcia had few kind words. “FISMA has not been successful, primarily because it has been a box-checking exercise,” he said. “It is not evaluating security. That’s a very hard thing to do, because you have different threat models and vulnerability environments.”


Nov 17 2009   10:55PM GMT

Study links outsourcing, mobile workforce and cyberterrorism threats



Posted by: Alexander Howard
Government, Federal Information Security Management Act of 2002, Security, United States Department of Health and Human Services, United States, Government agency, Application security, Critical infrastructure, FISMA, cybersecurity, compliance, CA, Ponemon Institute, research

A new study of top government IT executives conducted by the Ponemon Institute identified outsourcing, cyberterrorism and an increasingly mobile workforce as significant threats to data, government systems and the nation’s critical infrastructure.

IT executives from the Departments of Defense, Justice, Homeland Security and Health and Human Services represented the largest proportion of respondents to the study, which was sponsored by CA Inc.

The study found that 63 percent of respondents perceived the increasingly mobile workforce “as contributing significantly to endpoint security risks as a result of insecure mobile data-bearing devices that are susceptible to malware infections as well as insecure wireless connectivity.”

[Image: Cybersecurity Center Opens in Virginia (Getty Images via Daylife)]

Perhaps reflecting the current zeitgeist around the “Government 2.0” movement and compliance concerns around enterprise 2.0 tools, the study showed that 79% of respondents see increased use of collaboration tools as a significant risk to data protection.

Specifically, the use of social computing platforms is increasing the storage of unstructured data that could contain sensitive information in a repository that is not effectively secured. Fifty-two percent of respondents identified the use of Web 2.0 applications as a vector for increased risk for sensitive data loss, including social networking, social messaging and wikis.

Respondents viewed unstructured data and outsourcing as the top two root causes of increased cybersecurity risk to sensitive and confidential information. This concern is reflected at the Department of Homeland Security, where application security has been referenced as both a supply chain risk and a cyberterrorism threat.

As reported by the study, 38% of respondents were unsure whether there had been cybercrime on their network in the past year. What’s perhaps more significant is the 2% to 5% of respondents who knew that it had happened. And that may not reflect the true total.

“I do feel the numbers are underreported,” said David Hansen, CA’s corporate vice president and general manager of the company’s security management unit. “In the past, cybercrime incidents have tended to be brushed under the carpet. More pressure on disclosure has forced some changes to happen and is helpful for awareness.”

Data breaches, by way of contrast, must be published or reported, and 34% of respondents said that their agency had experienced two to five data breaches in the past year. Overall, 75% of respondents said that their agency had experienced a data breach in the last year. Respondents overwhelmingly chose wireless networks as the primary threat vector, followed by endpoints and networks.

Finally, 48% of respondents said their organization isn’t taking appropriate steps to comply with the Federal Information Security Management Act (FISMA), and 55% don’t have adequate security technologies to protect information assets and critical infrastructure.

“When I talk to government agencies, they look at FISMA compliance as a necessary evil,” said Hansen. “I think they might have to either redefine it to address new threats and create a lower common denominator or push for accountability.”

The question now, as bills like the ICE Act or the Cybersecurity Act work their way through Congress, is whether FISMA reform will adequately address the vulnerabilities that government IT executives are worried about.

“The problem is that, in many cases, government doesn’t have a lot of control of a lot of critical infrastructure, like manufacturing, power plants or private networks,” said Hansen. “Part of cybersecurity is about critical infrastructure and things that are not covered by FISMA. Most of those systems have no viruses or malware protection. That hasn’t been an issue because those systems weren’t connected to the Internet. Now, systems are being connected and are creating massive exposures that just weren’t there before.”

The Ponemon Institute’s “Cybersecurity Mega Trends” study is available for download from CA.com as a PDF.



Nov 9 2009   10:10PM GMT

60 Minutes covers cybersecurity threats, federal data breach



Posted by: Alexander Howard
CBS News, United States Central Command, Melissa Hathaway, United States Department of Defense, White House, cybersecurity, cybersecurity threats, compliance, FISMA, ICE Act, cyberwar, cyberterrorism

Yesterday, CBS News’ 60 Minutes devoted its opening story to cybersecurity threats to critical infrastructure in the United States, including the power grid, financial systems and military information systems. Threatpost, the information security blog associated with Kaspersky Labs, has embedded the 60 Minutes segment on cyberterrorism.

In an interview with correspondent Steve Kroft, cybersecurity expert Jim Lewis calls a federal data breach in 2007 “our electronic Pearl Harbor.” In the transcript of the segment, available at CBSNews.com, Lewis said: “Some unknown foreign power, and honestly, we don’t know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high-tech agencies, all of the military agencies, and downloaded terabytes of information.”

Lewis also spoke about the penetration of U.S. military networks, specifically the United States Central Command (CENTCOM). Lewis believes the data breach was accomplished by foreign spies leaving infected thumb drives in locations where U.S. military personnel would be likely to pick them up. When a drive was inserted into a CENTCOM computer, a malicious application on the drive opened a back door for hackers to access the system. According to Lewis, the Pentagon has now banned thumb drives. (David Mortman offered advice last year about whether enterprises should also ban USB drives.)

60 Minutes has also posted several short video interviews online that offer more time with Lewis, including “Hacking the ATMs,” “Hacking the DOD” and “The Holy Grail,” where Lewis talks about the security of the financial system. In “Online Jihad,” Shawn Henry, assistant director of the FBI’s Cyber Division, discusses potential cybersecurity threats from Islamic fundamentalism.

The report from 60 Minutes coincides with our own coverage. Growing cybersecurity threats to critical infrastructure and the electric grid have put a new focus on NERC regulations, as well as FISMA, warned NERC’s chief security officer, Michael Assante. Melissa Hathaway, former acting senior director for cyberspace for the National Security and Homeland Security councils, also spoke of the need for better public-private cooperation at the same cybersecurity panel in Washington that Assante spoke at last month. And Lewis says that new rules for cyberwar are being defined as the risks grow.

IT security pros and analysts alike know that intrusions, breaches and a growing cybersecurity threat aren’t anything new. Dave Lewis, a veteran security practitioner and blogger, commented that “the overwhelming FUD was troublesome.” Dan Kennedy, CISO at the Praetorian Group, wished that “the FBI would knock off the cloak-and-dagger routine when they’re asked a follow-up question.”

Regardless of where you stand on the 60 Minutes report, one fact remains clear: The White House still hasn’t appointed a cybersecurity coordinator.

As Marc Ambinder observed at TheAtlantic.com, “last night’s 60 Minutes feature on cybersecurity may add a sense of political urgency to the debate” about a cybersecurity coordinator.

Shane Harris, also writing about the broadcast of the segment on cybersecurity, put the 60 Minutes report in perspective. “Although the piece didn’t make much news, it was news to most Americans. Full disclosure, I know the producer, Graham Messick, and while I don’t have any special insights into how he approached the subject, I think it’s fair to say that his work will change the cyber security debate in some fundamental ways.”

Harris wonders if the report could have an effect on legislation and subsequent regulatory compliance, like FISMA reform associated with further iterations of the ICE Act. “There are a number of bills pending in Congress that threaten to set requirements on companies to disclose the holes in their networks,” he wrote. “Those bills just got a major push last night. All in all, while 60 Minutes didn’t exactly blow the lid off anything last night, they have elevated the attention of this issue to new heights. That alters the political dynamics significantly.”

UPDATE: Wired Magazine has reported that the blackouts in Brazil in 2007 were “actually the result of a utility company’s negligent maintenance of high voltage-insulators on two transmission lines,” not computer hackers. 60 Minutes relied upon “unnamed sources” in claiming that the two-day outage described by Kroft in the Atlantic state of Espirito Santo “was triggered by hackers targeting a utility company’s control systems.”

Now, Wired reports the following:

The utility company involved, Furnas Centrais Elétricas, told Threat Level on Monday, it “has no knowledge of hackers acting in Furnas’ power transmission system.”

Brazilian government officials disputed the report over the weekend, and Raphael Mandarino Jr., director of the Homeland Security Information and Communication Directorate, told the newspaper Folha de S. Paulo that he’s investigated the claims and found no evidence of hacker attacks, adding that Brazil’s electric control systems are not directly connected to the internet.



Nov 6 2009   10:10PM GMT

U.S. CIO Kundra bets on SOA, cloud computing, agile, data-based policy



Posted by: Alexander Howard
CIO, U.S. CIO Vivek Kundra, Google, Federal government of the United States, American Recovery and Reinvestment Act of 2009, Data.gov, cybersecurity, gov2.0, FISMA, compliance

U.S. CIO Vivek Kundra, appearing Friday as the keynote speaker at the University of Maryland’s CIO Forum, touched on a number of topics affecting both public- and private-sector CIOs. Some of his comments follow:

“We found that the role of CIOs in the federal government is very much focused on data centers, networking and technology, not on how we can transform the function of the public sector itself.” He explained that he wants to “leverage tech to fundamentally change the way the public sector operates.” Now, as the federal government works to account for each of the $787 billion in spending from the American Recovery and Reinvestment Act of 2009 and publishes more data from its agencies, Kundra said, “we’re shifting away from democratizing data to thinking about how public policy can be powered by that information.”

[Image: U.S. CIO Kundra speaks at the University of Maryland CIO Forum]

Cloud computing, SOA and agile development

In tracing the path of technology from agrarian to industrial to the current information revolution, Kundra noted the transformative effect of both cell phones and social networking platforms like Facebook, YouTube and Twitter. “We’re seeing the impact that Twitter has on the geopolitical climate of the world,” he said. “Information is far more liquid than it has been in the history of civilization.” The disruptive effects of the online revolution in user-generated content are steadily filtering into government. The “Darwinian pressures” exerted upon real estate, consumer products and the automotive industry haven’t hit government yet, Kundra observed. “It’s easy to go online and compare consumer products, but it’s very difficult, if not impossible, to get information to make intelligent decisions.” In launching the contest Apps for Democracy, in fact, Kundra found a way to introduce an element of competition and innovation into a government IT ecosystem that was underserved in both areas.

Kundra has been a proponent of cloud computing for years, going back to his position as the CTO of the District of Columbia, where he signed a contract with Google for business services. Today, he emphasized the need for security, interoperability and data portability in federal government use of cloud computing. “As we make the shift towards cloud computing, security threats need to be addressed. Solutions cannot be bolted on afterwards. Data portability is central, so that as we move from Vendor A to Vendor B we architect this with interoperability and standards so that we don’t spend billions later.”

Questioned on whether service-oriented architecture still is an emphasis in a federal cloud computing paradigm, Kundra said SOA “absolutely” still matters. “Look at the Social Security Administration and what it’s done with SOA and local government,” he said. “They can build lightweight applications to interact with databases elsewhere.” That embrace of modern development practices extends beyond just SOA or upgrading programmers’ skills from COBOL. “How do we move towards an agile procurement or agile development methodology?” asked Kundra.

In some areas, the government is moving to make systems more interoperable. Kundra pointed to what’s happening between the IRS and the Department of Education in student aid. “Before, if you wanted to apply and get aid, you had to fill out a FAFSA,” said Kundra. “That form is more complex than a 1040.” Starting in January, there will be a brand new online way to fill out a Free Application for Student Aid, according to Kundra, which will eliminate 70 questions and 20 Web screens. “Students will be able to get IRS data and autopopulate it in the form for student aid.”

Government 2.0 and data-driven policy

As he grows into the U.S. CIO role, Kundra has continued to contrast where government IT spending and management has been with where he’d like it to go. IT systems were “not invested where they should be, which is at the intersection of the American people and government,” he said. As he put it, it’s a “simple change in default setting to being that of secretive, opaque and closed to transparent, open and participatory.”

The old mode involved the management of $70 billion of federal IT investments through a “closed, opaque, checklist-driven process,” Kundra said. Now USAspending.gov, the federal IT dashboard, tracks spending. The website has received more than 56 million hits since launch, according to Kundra. In the old way of thinking, there was a “presumption that the government has a monopoly on the best ideas,” said Kundra. Now, Data.gov provides machine-readable data for developers to mash up. Historically, there’s been a “complex, time-consuming, paper-based acquisition process,” said Kundra. Now, there’s Apps.gov.

Cybersecurity and FISMA reform

Kundra sees the same transition toward more flexible systems in cybersecurity. “We’re moving from a manual, reporting-based, compliance-focused approach to a real-time measurement of actual cybersecurity,” said Kundra, referring to the new “Cyberscope” system for online reporting of cybersecurity threats that launched in October. “You cannot address real-time threats with a solution that’s focused on reporting requirements on a quarterly basis.”



Nov 2 2009   9:30PM GMT

Improve public and private cybersecurity partnerships, says Hathaway



Posted by: Alexander Howard
United States, White House, Melissa Hathaway, Federal Emergency Management Agency, National security, cybersecurity, cybersecurity threats, Security, identity theft, DDoS, cyberwar

Melissa Hathaway, former acting senior director for cyberspace for the National Security and Homeland Security councils, spoke of the need for better public-private cooperation at a cybersecurity panel in Washington last week.

Hathaway was part of a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

“Thank god for Akamai, who redirected a lot of the bandwidth and kept the Department of Transportation and NYSE up and running,” she said, referring to the DDoS attacks on the U.S. government earlier this year. Hathaway highlighted the importance of moving forward on enacting the 25 recommendations included in the cybersecurity report she delivered to the White House.

Her remarks followed the same theme as the speech on cybersecurity threats she delivered to the ArcSight Conference earlier this month.

Hathaway was proud of the attention that the Obama administration has paid to the issue, observing that when President Obama spoke, it was “the first time the leader of any country spoke about cyberspace or cybersecurity for any length of time.”

Hathaway noted that cybersecurity threats are a personal issue to the president, referring to attacks against his BlackBerry, and to his staff, given “their data breaches, and policy documents that he lost.”

“Many people don’t realize their computer is already infected by a botnet,” she said, emphasizing the importance of raising awareness of the risks. “How many people realize that when they buy a thumb drive that it comes with extra executables for marketing purposes to send data home?”

Hathaway called endemic data breaches in the business world “one of the biggest secrets that no one is talking about publicly” and drew attention to a rising tide of electronic fraud worldwide. “In Bulgaria,” she said, “one of our colleagues said you can’t withdraw cash at an ATM unless you have your cellphone and it geolocates you.” How many people now have to put ZIP codes in for gas? “That’s because POS terminals have been hijacked.”

Cybersecurity threats extend beyond fraud, identity theft and data breaches. “There is generally a lack of agreement about what is a crime in cyberspace, much less what is an act of war,” Hathaway said. “In the event of a digital disaster, who is going to restore the infrastructure?” Also key: Who will pay? “It’s not going to be the government,” she said, at least not under current Federal Emergency Management Agency frameworks. “There’s no equivalent of a national disaster in cyberspace yet.”



Nov 2 2009   9:26PM GMT

New rules for cyberwar being defined as cybersecurity risks grow



Posted by: Alexander Howard
United States, International Spy Museum, National security, Center for Strategic and International Studies, cybersecurity, DHS, FISA, Security

James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, soberly assessed the risks to national security that lie ahead in cyberspace. “It’s primarily an espionage problem,” he said. “This is the easiest way to be a spy that has ever been invented … there’s zero chance of being caught and prosecuted if you’re smart about it.”

Lewis made that observation speaking on a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

Citing cyberattacks on Estonia, Lewis, the project director for the Commission on Cybersecurity for President Obama, said he anticipated more advanced attacks in future cyberwars, either by militaries or by non-state entities in the distant future. “All advanced militaries now include cyberattack capabilities.” As he put it, “you can send missiles, commando teams — or you can send hackers. And hackers are much cheaper.”

Lewis believes that those “attacks are not what we have to worry about,” however – it’s “those that disrupt critical infrastructure” that keep him up at night. “The challenge is that the Internet was built for scientists,” he said, which meant that it was built to assume trust. The U.S. has “built an exceptionally insecure environment that our military and economy now depend on.” As a result, Lewis said, “the U.S. is more vulnerable than any other country” because it has put the Internet to the best use for its economy, politics, research and military.

A central challenge in this new operational environment is that “the old Cold War notion of deterrence doesn’t work,” Lewis said. “We’ve put a lot of effort into the offensive side, but it hasn’t helped us on the cybersecurity side.” Moving forward with reducing the nation’s exposure to cybersecurity risks is also challenging because of the traditional approaches to solving problems on a national scale in the U.S. “Do we wait for the market or wait for something that has a larger role for government?” asked Lewis. It’s difficult to discuss, he said, because “our ideology is to talk about a market solution, but we’re facing competitors who aren’t bound by that.”

There are also legal boundaries that must be considered in the context of new threat vectors and technologies. “The laws that we have to protect civil liberties and privacy were written 20 to 30 years ago,” said Lewis. “In the old days, you couldn’t look at traffic without understanding the content.”

Now, as he observed, the question is “How do you involve DHS? Or NSA? Some of this leads back to the FISA debate. To really defend cyberspace, you need better situational awareness. What we need to know for cybersecurity, you need to look at all the traffic coming into the U.S.” When Lewis, however, asked how many in the audience supported such a move from DHS, few hands went up, reflecting the complexity of such electronic filtering.



Oct 2 2009   7:21PM GMT

NIST, smart grid privacy and social networking for security pros



Posted by: Alexander Howard
Smart Grid, Twitter, National Institute of Standards and Technology, Google, Personally identifiable information, identity theft, smart grid privacy, privacy, Security, Google Docs, cybersecurity

Last month, the National Institute of Standards and Technology (NIST) outlined a framework for building more intelligence and interoperability into the electrical system of the United States. Such a system is generally known as the “smart grid.” Commerce Secretary Gary Locke released a plan for smart grid interoperability that’s meant to lead to a “secure, more efficient and environmentally friendly” system. A draft of the report from NIST is available for download as a PDF: “NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0.”

Building more intelligence and efficiency into the network, however, has relevance to more than energy policy. As a working group of information security professionals determined over the course of the summer, there are significant smart grid privacy concerns to consider.

These considerations can be neatly summarized in the following excerpt from the NIST report: “The major benefit provided by the Smart Grid, i.e. the ability to get richer data to and from customer meters and other electric devices, is also its Achilles’ heel from a privacy viewpoint. Privacy advocates have raised serious concerns about the type and amount of billing and usage information flowing through the various entities of the Smart Grid … that could provide a detailed time-line of activities occurring inside the home.”

As privacy expert Rebecca Herold explains on her blog, smart grid privacy needs to be considered as utilities move to a next-generation infrastructure. Those implications were concisely listed by Herold as follows:

  1. Identity theft.
  2. Determining personal behavior patterns.
  3. Determining specific appliances used.
  4. Performing real-time surveillance.
  5. Revealing activities through residual data.
  6. Targeted home invasions.
  7. Providing accidental invasions.
  8. Activity censorship.
  9. Decisions and actions based upon inaccurate data.
  10. Revealing activities when used with data from other utilities.

Sarah Cortes, a contributor for SearchCompliance.com, was the project manager for the Privacy Sub-group of the NIST’s Cyber Security Coordination Task Group.

Key points in the current release of the smart grid privacy document include the following issues, according to Cortes:

  1. Enforcement of state privacy-related laws is often delegated to agencies other than public utility commissions.
  2. State utility commissions currently lack formal privacy policies or standards related to the smart grid.
  3. The lack of consistent and comprehensive privacy policies throughout the entities that will be involved with the smart grid creates a privacy risk.
  4. Comprehensive and consistent definitions of personally identifiable information do not typically exist.

The body of the privacy group’s work may be found in this draft: NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements (PDF).

Social networking and distributed collaboration sped up report writing for infosec team

One aspect of the report’s generation is worth recognizing: the role that the various collaborative technologies and social networking platforms played in gathering, synthesizing and producing the final deliverable for NIST. As Cortes explained in an email, preparing the current release of the Smart Grid privacy document included the following considerations:

  1. Ensuring adequate input from each of the 50 state NARUC energy commissions and other sources in a very short time frame.
  2. Aligning recommendations with the plethora of existing laws.
  3. Documenting concrete privacy risks.
  4. Separating privacy risks from security and other risks.

According to Christophe Veltsos, a Midwestern-based information security professional who participated in the NIST CSCTG, the team used the suite of collaborative technologies common to many enterprises in late 2009.

“Gal Shpantzer and I used Google Docs to do live edits, both of us working at the same time,” said Veltsos. “We used either a live phone line or GChat to help facilitate the conversation.” The team members, including Herold, also used email, free conference-calling websites and tweets to send quick bursts of info/updates to each other.

Cortes also said NIST involved Twitter users from the start.

UPDATE: Christophe Veltsos wrote to correct the record on the central role that DC-based information security consultant Gal Shpantzer played in organizing the CSCTG. Veltsos points out that “while Sarah was the project manager, Gal was the catalyst and is considered by NIST to be the team leader of the privacy group.”

“When forming the group, NIST staff turned to the industry professionals they most respected across the U.S.: members of Twitter’s online information technology privacy, compliance and security community,” she explained. “One by one, Gal recruited respected members of the IT professional community, met with prospective members in person at times, and sought out suggestions for additional members. All prospective members could quickly and easily be thoroughly checked out as far as qualifications, accomplishments, and references, all informally through common Twitter features. The breadth and depth of advisory group members was substantial compared to similar panels formed with more traditional methods taking far longer.

“All meetings were organized by conference call, and drafts of the Smart Grid Privacy policy documents and project plans were exchanged by email. In between meetings, members interacted informally on Twitter, similar to running into colleagues in the hall when everyone works physically in the same building. These informal Twitter dialogues facilitated relationship-building among the team and problem-solving between meetings.”

According to Cortes, “Twitter has become the medium of choice for networking IT professionals for a few reasons, among them:

  1. If you’re in IT and you’re not comfortable with Twitter, you are lacking a basic technical skill.
  2. Twitter enables members of the IT community to check out each other’s static Web pages and credentials, but then get to know members of their own industry over time through their communications streams. How professional and informative is this person, over a period of time? How respected are they by other well-respected professionals, apparent through the interlocking web of followers? How many others respect this person, apparent from absolute numbers of followers, quality of followers, and mentions by others?
  3. Twitter communication allows personality to come through and thus enables people to feel comfortable with each other much more quickly than other mediums.
  4. It allows for a combination of private and public messages, allowing swift reaction to breaking industry developments.
  5. It allows professionals to get a quick response to a technical question.
  6. It enables professionals to know at a glance whether they are up to date on developments in our field or out to lunch, a constant problem in this field. What are other respected IT professionals talking about each day? What are they not talking about?”

If you have thoughts and comments about either smart grid privacy or the utility of social networking for collaboration between compliance and security professionals, please leave them in the comments. Or, if you like, @reply on Twitter. You’ll find SearchCompliance.com there under @ITcompliance, as well as this author as @digiphile.



Sep 3 2009   8:16PM GMT

Evaluating the cybersecurity plan and the role of a federal CISO



Posted by: Alexander Howard
United States Department of Homeland Security, U.S. Department of Homeland Security, Security, Government, cybersecurity, compliance, IT compliance, FISMA, strategy, CISO

In this episode of the IT Compliance Advisor, Associate Editor Alexander B. Howard interviews Patricia Titus about the Obama Administration’s cybersecurity plan, the creation of a federal CISO and where policy might move in the coming months. Titus was formerly chief information security officer at the Transportation Security Administration within the U.S. Department of Homeland Security.

 
Podcast: Patricia Titus on cybersecurity

When you listen to the podcast, you’ll hear Titus’ views on:

  • What’s new in the cybersecurity plan?
  • Why is it taking a while to name a cybersecurity coordinator?
  • Where is the U.S. CISO?
  • What would be the top challenges of a U.S. CISO, should one be appointed?
  • What are the elemental needs for implementing cybersecurity across government agencies?
  • How do the Rockefeller-Snowe Bill (S.773) and ICE Act fit into cybersecurity strategy?
  • What would ramping up the nation’s offensive capabilities in cyberwar mean?
  • What do compliance officers and CISOs need to think about this fall?

Note: Our colleague Mike Mimoso also interviewed Titus about the Obama cybersecurity plan in June for Security Wire Weekly, when the strategy was first released. The episode also features security luminary Howard Schmidt and Paul Kocher, chief scientist of Cryptography Research.



Jul 29 2009   9:59PM GMT

Government bodies’ dueling legislative answers to data protection laws



Posted by: Sarah Cortes
compliance, HR 2221, encryption, MA 201 CMR 17, Cyberspace, cybersecurity, White House

When it comes to data security legislation, do you prefer the perspective of the White House, Capitol Hill or Beacon Hill? This is not a trick question.

While the White House refined its philosophy in the Cyberspace Policy Review (CPR) released in May, legislators in Washington had already introduced draft legislation in April embodying different approaches to data security.

The House of Representatives’ version, H.R. 2221, also known as the Data Accountability and Trust Act, appears to be a vehicle with which the executive and legislative branches of government will debate their differing cybersecurity philosophies. How those approaches differ could have a big impact on state laws.

The Cyberspace Policy Review focuses on long-term security policy and strategy rather than immediate solutions. We recently wrote about several significant recommendations from the report, which include:

  • A proposal to consider federal issuance of national authentication credentials, similar to a passport.
  • Increasing liability for failing to implement level-playing-field security controls.
  • A recommendation to align federal and state laws to eliminate confusion and contradiction.

The White House report, overseen by Melissa Hathaway, states that government legislation has been “focused on the particular issue or technology of the day” and that current law and policy is a “complex patchwork,” while recommending an “integrated approach that combines … flexibility … and the protection of civil liberties.”

Prescribing specific technical approaches and technologies such as encryption has already generated controversy in data privacy and security laws, including Massachusetts’ 201 CMR 17.

One aspect that makes Massachusetts regulations in their current form the most onerous or far-reaching in the U.S., depending on your point of view, is mandated 128-bit encryption. However, mandating specific methods and technologies could prove inflexible and, rapidly, obsolete.

The White House report did not take a hard and fast position one way or the other, but its inclination is revealed in the CPR: “Privacy enhancing technologies such as encryption or controlled access authentication could ameliorate some risks in sharing information.”

Meanwhile, HR 2221 defines encryption as:

“data in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.”

What are your views and concerns about state data protection laws vs. federal legislation or policies from the executive branch? Do you think encryption should be included? If so, what kind? I’d like to hear. Write to editor@searchcompliance.com or reply to @SecuritySources on Twitter.


Jun 22 2009   6:54PM GMT

Key cyberspace policy issues await incoming cybersecurity czar



Posted by: Sarah Cortes
National Security Council, White House, United States Computer Emergency Readiness Team, United States Department of Homeland Security, Washington D.C., Melissa Hathaway, Symantec Government Symposium, Symantec, White House Cybersecurity Policy Review, Security, cybersecurity, Enrique Salem, US-CERT, Homeland Security Committee, HSC, CSIS, Securing Cyberspace for the 44th Presidency, U.S. Senate Select Committee on Intelligence, SSCI, privacy, cybersecurity awareness, Department of Defense Cyber Crime Center, National Institute of Standards and Technology, NIST

Melissa Hathaway spoke to a crowd of over 1,000 at a lunchtime address during the Symantec Government Symposium last week in Washington, D.C. President Obama appointed Hathaway on Feb. 9 as White House Acting Senior Director for Cyberspace for the National Security Council (NSC), and, until it was merged out of its painful existence on May 26, the Homeland Security Council (HSC), a Bush-era creation.

Obama directed Hathaway to conduct a comprehensive 60-day Cyberspace Policy Review, which was released on May 29. Obama is expected to name a permanent “cybersecurity czar” to implement the report’s recommendations.

The White House quelled turf speculation over the reporting structure for the impending U.S. cybersecurity position by quietly “merging” the HSC into the NSC on May 26, just three days before releasing the cybersecurity policy review.

The CSIS cyberspace review group, which was commissioned in August 2007 during the Bush presidency, delayed publication of the review until immediately after the 2008 presidential election. As readers of the document know, it contains significant criticism of the Bush-era DHS.

Hathaway’s report had been critical of the Homeland Security Council, again echoing the December 2008 CSIS report, which, among many others, was critical of the DHS. The HSC, with a staff of 250 mirroring the NSC’s “twin” staff of about 250, produced almost identical “directives,” and seemed to many a duplicative and redundant Bush-era institution.

In her remarks, Hathaway raised several key issues with the audience, including:

  • Private-sector data sharing: Although it is required to effectively detect and combat cybercrime, such sharing can wrongly, in her view, be seen as an antitrust violation.
  • Whether, when an organization puts its data in the cloud, it gives up its Fourth Amendment privacy rights.
  • The unfinished legislative review work cited in a footnote in the 60-day cybersecurity review and the need for comprehensive legislative reform, which can be interpreted as a signal to backers of evolving state and federal legislation that their initiatives may be superseded.
  • A national ad campaign on cybersecurity awareness, like the Smokey the Bear campaign.
  • In terms of immediate priorities, that a national incident response plan is to be completed by end of year.
  • That government also needs to work with the international cybersecurity community.

Hathaway, a top contender for the permanent White House post, confirmed that she is currently “in the interview process” for that position, which, she stated in an interview Tuesday, she hopes “will conclude in the next few weeks … and be resolved favorably.”

The daylong symposium consisted of 20 separate breakout sessions led by over 100 panelists, a veritable “who’s who” of highly influential cybersecurity-related officeholders in the current administration or Congress, plus a few luminaries in the world of IT security.

As a measure of industry optimism regarding future government spending on cybersecurity, Enrique Salem, CEO of Symantec’s $5 billion business, was among the symposium speakers, who also included:

  • Steven Shirley, executive director, Department of Defense Cyber Crime Center
  • Eran Feigenbaum, director of security, Google Apps
  • Mischel Kwon, director, United States Computer Emergency Readiness Team (US-CERT), National Cybersecurity Division, Department of Homeland Security
  • Jeremy Warren, chief technology officer, Department of Justice
  • Peter Mell, senior computer scientist, National Institute of Standards and Technology
  • Jacob Olcott, subcommittee director, U.S. House of Representatives Homeland Security Committee
  • Jim Jaeger, director, cyber defense and forensics, General Dynamics

Other panels included key contributors to the highly influential December 2008 CSIS report on securing cyberspace. Hathaway’s White House Cyberspace Policy Review footnotes the CSIS report eight times, more than any other source listed among the document’s 67 total footnotes. On June 1, CSIS released a comparison of its 25 original recommendations with Hathaway’s report, noting that 17 of the 25 were adopted by the White House report.

When questioned Tuesday at the Symantec symposium, former CSIS commission members smiled knowingly and declined to name any of the other individuals currently under consideration for the permanent White House post besides Hathaway.

These panelists, cited in the CSIS report as contributors, included:

  • Sameer Bhalotra, a career professional staff member of the U.S. Senate Select Committee on Intelligence who leads the SSCI cyber study team.
  • Dan Chenok, senior vice president, Pragmatics and former OMB security policy executive.
  • Bruce McConnell, former NSA senior executive, director of $100 million ArcSight and of Sun Microsystems’ federal subsidiary.
  • Amit Yoran, CEO, NetWitness Corp., and former director, National Cybersecurity Division, DHS, and US-CERT.