National Security archives - IT Compliance Advisor


Nov 2 2009   9:30PM GMT

Improve public and private cybersecurity partnerships, says Hathaway



Posted by: Alexander Howard
United States, White House, Melissa Hathaway, Federal Emergency Management Agency, National security, cybersecurity, cybersecurity threats, Security, identity theft, DDoS, cyberwar

Melissa Hathaway, former acting senior director for cyberspace for the National Security and Homeland Security councils, spoke of the need for better public-private cooperation at a cybersecurity panel in Washington last week.

Hathaway was part of a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

“Thank god for Akamai, who redirected a lot of the bandwidth and kept the Department of Transportation and NYSE up and running,” she said, referring to the DDoS attacks on the U.S. government earlier this year. Hathaway highlighted the importance of moving forward on enacting the 25 recommendations included in the cybersecurity report she delivered to the White House.

Her remarks followed the same theme as the speech on cybersecurity threats she delivered to the ArcSight Conference earlier this month.

Hathaway was proud of the attention that the Obama administration has paid to the issue, observing that when President Obama spoke, it was “the first time the leader of any country spoke about cyberspace or cybersecurity for any length of time.” Obama’s speech on cybersecurity is embedded below.

Hathaway noted that cybersecurity threats are a personal issue to the president, referring to attacks against his BlackBerry, and to his staff, given “their data breaches, and policy documents that he lost.”

“Many people don’t realize their computer is already infected by a botnet,” she said, emphasizing the importance of raising awareness of the risks. “How many people realize that when they buy a thumb drive that it comes with extra executables for marketing purposes to send data home?”

Hathaway called endemic data breaches in the business world “one of the biggest secrets that no one is talking about publicly” and drew attention to a rising tide of electronic fraud worldwide. “In Bulgaria,” she said, “one of our colleagues said you can’t withdraw cash at an ATM unless you have your cellphone and it geolocates you.” How many people now have to put ZIP codes in for gas? “That’s because POS terminals have been hijacked.”

Cybersecurity threats extend beyond fraud, identity theft and data breaches. “There is generally a lack of agreement about what is a crime in cyberspace, much less what is an act of war,” Hathaway said. “In the event of a digital disaster, who is going to restore the infrastructure?” Also key: Who will pay? “It’s not going to be the government,” she said, at least not under current Federal Emergency Management Agency frameworks. “There’s no equivalent of a national disaster in cyberspace yet.”


Nov 2 2009   9:26PM GMT

New rules for cyberwar being defined as cybersecurity risks grow



Posted by: Alexander Howard
United States, International Spy Museum, National security, Center for Strategic and International Studies, cybersecurity, DHS, FISA, Security

James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, soberly assessed the risks to national security that lie ahead in cyberspace. “It’s primarily an espionage problem,” he said. “This is the easiest way to be a spy that has ever been invented … there’s zero chance of being caught and prosecuted if you’re smart about it.”

Lewis made that observation speaking on a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

Citing cyberattacks on Estonia, Lewis, the project director for the Commission on Cybersecurity for President Obama, said he anticipated more advanced attacks in future cyberwars, either by militaries or by non-state entities in the distant future. “All advanced militaries now include cyberattack capabilities.” As he put it, “you can send missiles, commando teams — or you can send hackers. And hackers are much cheaper.”

Lewis believes that those “attacks are not what we have to worry about,” however – it’s “those that disrupt critical infrastructure” that keep him up at night. “The challenge is that the Internet was built for scientists,” he said, which meant that it was built to assume trust. The U.S. has “built an exceptionally insecure environment that our military and economy now depend on.” As a result, Lewis said, “the U.S. is more vulnerable than any other country” because it has put the Internet to the best use for its economy, politics, research and military.

A central challenge in this new operational environment is that “the old Cold War notion of deterrence doesn’t work,” Lewis said. “We’ve put a lot of effort into the offensive side, but it hasn’t helped us on the cybersecurity side.” Moving forward with improving the nation’s exposure to cybersecurity risks is also challenging because of the traditional approaches to solving problems on a national scale in the U.S. “Do we wait for the market or wait for something that has a larger role for government,” asked Lewis. It’s difficult to discuss, he said, because “our ideology is to talk about a market solution, but we’re facing competitors who aren’t bound by that.”

There are also legal boundaries that must be considered in the context of new threat vectors and technologies. “The laws that we have to protect civil liberties and privacy were written 20 to 30 years ago,” said Lewis. “In the old days, you couldn’t look at traffic without understanding the content.”

Now, as he observed, the question is “How do you involve DHS? Or NSA? Some of this leads back to the FISA debate. To really defend cyberspace, you need better situational awareness. What we need to know for cybersecurity, you need to look at all the traffic coming into the U.S.” When Lewis, however, asked how many in the audience supported such a move from DHS, few hands went up, reflecting the complexity of such electronic filtering.



May 29 2009   4:21PM GMT

White House releases cybersecurity report on cyberspace policy



Posted by: Alexander Howard
Melissa Hathaway, White House, United States Department of Homeland Security, Government, Technology, National security, cybersecurity

Earlier today, the White House released a long-awaited cybersecurity report, including a video (below) featuring commentary and perspective from officials and experts:

Melissa Hathaway, cybersecurity chief at the National Security Council, wrote the following “Securing Our Digital Future” entry on the White House blog:

“The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined. My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them. My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectivity also increasingly help control our critical infrastructure. These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future. Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law.

The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone — individuals, academia, industry, and governments — to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations.”

We’ll have more perspective and commentary next week on what this report will mean for compliance and security professionals. In the meantime, you can read the Cyberspace Policy Review for yourself.

[If you followed @ITCompliance on Twitter, by the way, you already knew all that.-Ed.]



Apr 24 2009   7:58PM GMT

At RSA: Cyberwar, compliance, virtualization and cloud security



Posted by: Alexander Howard
RSA, Security, NSA, application development, cybersecurity, National Security Agency, National security

What’s been the buzz at the RSA Conference? Constant and loud, to be sure, but perhaps a dull roar compared with past years. Seasoned analysts, vendors and delegates all note that attendance is down, no doubt due to a decrease in travel budgets mandated by the recession. For those here, of course, the number of sessions, keynotes and peer-to-peer meetings means it’s impossible to see and do everything.

Even so, amidst the hubbub several trends emerged. As you’d expect at a security conference, vulnerabilities in software, hardware and infrastructure have gathered attention, especially for CISOs who are navigating the thicket of regulatory guidance emerging from Washington and statehouses.

Everyone is looking for ways to use software to ease the burdens of compliance. As I’ll argue in a forthcoming article, however, there is an emerging sea change in the way that government agencies, defense contractors and enterprises are approaching compliance that is not rooted in the current suites of compliance software or frameworks.

As my colleague Neil Roiter at SearchSecurity.com reports, secure software development starts before coding begins. Experts here are emphasizing the importance of baking security into software from the beginning, especially for Web applications.

The need for more effective security couldn’t have been made more clear when breaking news came out of The Wall Street Journal about a data breach at the U.S. Joint Strike Fighter program. When news that computer spies had breached the fighter-jet project filtered onto the floor, the NSA booth and the keynote from the director of the NSA, Lt. Gen. Keith Alexander, instantly gained mass attention. According to the story, the intruders copied and removed terabytes of data related to the design and electronics systems of the aircraft. As reported in the story, breaches also compromised the Air Force’s air-traffic-control system. The story follows on the reported penetration of the U.S. electrical grid.

News that Russian and Chinese cyberspies have been probing critical U.S. infrastructure has forced the issue of cybersecurity to the forefront of conversation. Speculation is rampant in the security blogger community that leaks of the compromised systems are helping to build consensus behind the proposed cybersecurity bill before Congress, and in getting more federal dollars for the affected agencies.

As Rob Westervelt reports, “a panel of experts from the Department of Defense, National Security Agency and the Department of Homeland Security agreed that drastic measures are needed to shore up defenses of critical infrastructure and ensure a plan is in place for critical communications in the event of a national emergency.” Read more about why the U.S. government needs a plan to limit Web usage during a security crisis.

Commentary around the data breach and the issues that the NSA chief identified has been swirling, online and off. Just track the #cyberwar hashtag on Twitter to get a sense of the flow.

Security for cloud computing and in virtualized environments continues to be of great interest to attendees as well. The Cloud Security Alliance released a white paper identifying key best practices for secure adoption of cloud computing, many of which have sparked deep discussion in sessions and on the floor. Security for citizens is on the table as well, as panels discussing potential national privacy laws and the impact of new legislation (like the MA data protection law) have shown.

What’s coming from SearchCompliance.com? Look for podcasts with Kodak’s CISO and other security professionals and analysts; an interview with Alan Paller, director of research at SANS; a video with Verizon’s senior vice president of innovation and technology on the company’s data breach research; interviews with CA’s Dave Hansen and McAfee’s Kunz; and a feature on compliance in the cloud.

Make sure to follow @ITCompliance (and, if you like, @digiphile) to get updates directly from the floor at RSA from the past week. As you can see below, there’s plenty of humor and fun to be found here as well. Peace, love and cybersecurity from San Francisco.



Apr 22 2009   9:56PM GMT

Cybersecurity is ‘a critical national interest,’ says Hathaway



Posted by: Alexander Howard
Melissa Hathaway, Cyberspace, National security, encryption, Security

“It is the fundamental responsibility of our government to secure cyberspace for its citizens and the world.”

– Melissa Hathaway

Melissa Hathaway’s keynote at RSA kicked off with the Mission Impossible theme. The acting director of cyberspace security will need to summon all of Ethan Hunt’s ingenuity to master the task before her. You can watch the archived livestream of Hathaway’s keynote to the RSA Conference on uStream.com. (Disclaimer: Video is from the side and sound is suboptimal.) Alternately, watch a high-quality version of Hathaway’s keynote from RSA itself.


Notable quotes from Hathaway’s speech:

“The president identified cybersecurity as one of the top priorities for his administration.”

“Our global infrastructure is not secure enough nor resilient enough to support our current and future needs.”

“Humor aside, the U.S. is at a crossroads. Cyberspace underpins almost every part of our nation’s critical infrastructure.”

“The public and private sector interests are intertwined when it comes to cybersecurity.”

As she finished her cybersecurity address, Hathaway cited Edgar Allan Poe, Ralph Waldo Emerson and Wallace Stegner’s Angle of Repose. Those references added an unusually literate tone to this highly technical conference.



Apr 6 2009   3:39PM GMT

Who is cyberspace director Melissa Hathaway, and why should we care?



Posted by: Sarah Cortes
Homeland security, National security, cybersecurity, compliance, DHS

April 17 is the deadline for Melissa Hathaway to put on the president’s desk the comprehensive 60-day U.S. cybersecurity review Obama mandated on Feb. 8. That was the day he also invented her current title, “Acting Senior Director for Cyberspace” for the National Security and Homeland Security councils.

Hathaway is a person about whom we will be hearing a lot more, due to the seriousness with which the Oval Office is taking cybersecurity threats. We care because, in addition to new requirements stemming from the soon-to-be-released report, her policies could influence the implementation of the new Massachusetts data protection law and existing data breach regulation. Both may have significant compliance effects on your business.

A former consultant with Booz Allen Hamilton, Hathaway has a reputation for concern about privacy. That was not a popular position under the Bush administration, where she had been working until Inauguration Day. Greater concern for privacy is good news, in general. How far she goes in mandating controls over data to ensure privacy will be the big question for organizations that must implement those controls.

Within the Bush administration, she was senior advisor to the director of National Intelligence and cyber coordination executive. She chairs the National Cyber Study Group, a senior-level interagency body that was instrumental in developing the Comprehensive National Cybersecurity Initiative (CNCI), aimed at improving the ability of the country to secure and defend its cyber infrastructure. In January 2008, Hathaway was appointed the director of the Joint Interagency Cyber Task Force, which coordinates and monitors the implementation of the broad portfolio of activities and programs that comprise the CNCI.
