White House archives - IT Compliance Advisor

Nov 9 2009   10:10PM GMT

60 Minutes covers cybersecurity threats, federal data breach



Posted by: Alexander Howard
CBS News, United States Central Command, Melissa Hathaway, United States Department of Defense, White House, cybersecurity, cybersecurity threats, compliance, FISMA, ICE Act, cyberwar, cyberterrorism

Yesterday, CBS News’ 60 Minutes devoted its opening story to cybersecurity threats to critical infrastructure in the United States, including the power grid, financial systems and military information systems. Threatpost, the information security blog associated with Kaspersky Labs, has embedded the 60 Minutes segment on cyberterrorism.

In an interview with correspondent Steve Kroft, cybersecurity expert Jim Lewis calls a federal data breach in 2007 “our electronic Pearl Harbor.” In the transcript of the segment, available at CBSNews.com, Lewis said: “Some unknown foreign power, and honestly, we don’t know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high-tech agencies, all of the military agencies, and downloaded terabytes of information.”

Lewis also spoke about the penetration of U.S. military networks, specifically the United States Central Command (CENTCOM). Lewis believes the data breach was accomplished by foreign spies leaving corrupted thumb drives in locations where U.S. military personnel would be likely to pick them up. When a drive was inserted into a CENTCOM computer, a malicious application on the drive opened a back door for hackers to access the system. According to Lewis, the Pentagon has now banned thumb drives. (David Mortman offered advice last year about whether enterprises should also ban USB drives.)

60 Minutes has also posted several short video interviews online that offer more time with Lewis, including “Hacking the ATMs,” “Hacking the DOD” and “The Holy Grail,” where Lewis talks about the security of the financial system. In “Online Jihad,” Shawn Henry, assistant director of the FBI’s Cyber Division, discusses potential cybersecurity threats from Islamic fundamentalism.

The report from 60 Minutes coincides with our own coverage. Growing cybersecurity threats to critical infrastructure and the electric grid have put a new focus on NERC regulations, as well as FISMA, warned NERC’s chief security officer, Michael Assante. Melissa Hathaway, former acting senior director for cyberspace for the National Security and Homeland Security councils, also spoke of the need for better public-private cooperation at the same cybersecurity panel in Washington where Assante spoke last month. And Lewis says that new rules for cyberwar are being defined as the risks grow.

IT security pros and analysts alike know that intrusions, breaches and a growing cybersecurity threat aren’t anything new. Dave Lewis, a veteran security practitioner and blogger, commented that “the overwhelming FUD was troublesome.” Dan Kennedy, CISO at the Praetorian Group, wished that “the FBI would knock off the cloak-and-dagger routine when they’re asked a follow up question.”

Regardless of where you stand on the 60 Minutes report, one fact remains clear: The White House still hasn’t appointed a cybersecurity coordinator.

As Marc Ambinder observed at TheAtlantic.com, “last night’s 60 Minutes feature on cybersecurity may add a sense of political urgency to the debate” about a cybersecurity coordinator.

Shane Harris, also writing about the broadcast of the segment on cybersecurity, put the 60 Minutes report in perspective. “Although the piece didn’t make much news, it was news to most Americans. Full disclosure, I know the producer, Graham Messick, and while I don’t have any special insights into how he approached the subject, I think it’s fair to say that his work will change the cyber security debate in some fundamental ways.”

Harris wonders if the report could have an effect on legislation and subsequent regulatory compliance, like FISMA reform associated with further iterations of the ICE Act. “There are a number of bills pending in Congress that threaten to set requirements on companies to disclose the holes in their networks,” he wrote. “Those bills just got a major push last night. All in all, while 60 Minutes didn’t exactly blow the lid off anything last night, they have elevated the attention of this issue to new heights. That alters the political dynamics significantly.”

UPDATE: Wired Magazine has reported that the blackouts in Brazil in 2007 were “actually the result of a utility company’s negligent maintenance of high-voltage insulators on two transmission lines,” not computer hackers. 60 Minutes relied upon “unnamed sources” in claiming that the two-day outage described by Kroft in the Atlantic state of Espirito Santo “was triggered by hackers targeting a utility company’s control systems.”

Now, Wired reports the following:

The utility company involved, Furnas Centrais Elétricas, told Threat Level on Monday that it “has no knowledge of hackers acting in Furnas’ power transmission system.”

Brazilian government officials disputed the report over the weekend, and Raphael Mandarino Jr., director of the Homeland Security Information and Communication Directorate, told the newspaper Folha de S. Paulo that he’s investigated the claims and found no evidence of hacker attacks, adding that Brazil’s electric control systems are not directly connected to the internet.


Nov 2 2009   9:30PM GMT

Improve public and private cybersecurity partnerships, says Hathaway



Posted by: Alexander Howard
United States, White House, Melissa Hathaway, Federal Emergency Management Agency, National security, cybersecurity, cybersecurity threats, Security, identity theft, DDoS, cyberwar

Melissa Hathaway, former acting senior director for cyberspace for the National Security and Homeland Security councils, spoke of the need for better public-private cooperation at a cybersecurity panel in Washington last week.

Hathaway was part of a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

“Thank god for Akamai, who redirected a lot of the bandwidth and kept the Department of Transportation and NYSE up and running,” she said, referring to the DDoS attacks on the U.S. government earlier this year. Hathaway highlighted the importance of moving forward on enacting the 25 recommendations included in the cybersecurity report she delivered to the White House.

Her remarks followed the same theme as the speech on cybersecurity threats she delivered to the ArcSight Conference earlier this month.

Hathaway was proud of the attention that the Obama administration has paid to the issue, observing that when President Obama spoke, it was “the first time the leader of any country spoke about cyberspace or cybersecurity for any length of time.” Obama’s speech on cybersecurity is embedded below.

Hathaway noted that cybersecurity threats are a personal issue to the president, referring to attacks against his BlackBerry, and to his staff, given “their data breaches, and policy documents that he lost.”

“Many people don’t realize their computer is already infected by a botnet,” she said, emphasizing the importance of raising awareness of the risks. “How many people realize that when they buy a thumb drive that it comes with extra executables for marketing purposes to send data home?”

Hathaway called endemic data breaches in the business world “one of the biggest secrets that no one is talking about publicly” and drew attention to a rising tide of electronic fraud worldwide. “In Bulgaria,” she said, “one of our colleagues said you can’t withdraw cash at an ATM unless you have your cellphone and it geolocates you.” How many people now have to put ZIP codes in for gas? “That’s because POS terminals have been hijacked.”

Cybersecurity threats extend beyond fraud, identity theft and data breaches. “There is generally a lack of agreement about what is a crime in cyberspace, much less what is an act of war,” Hathaway said. “In the event of a digital disaster, who is going to restore the infrastructure?” Also key: Who will pay? “It’s not going to be the government,” she said, at least not under current Federal Emergency Management Agency frameworks. “There’s no equivalent of a national disaster in cyberspace yet.”



Jul 29 2009   9:59PM GMT

Government bodies’ dueling legislative answers to data protection laws



Posted by: Sarah Cortes
compliance, HR 2221, encryption, MA 201 CMR 17, Cyberspace, cybersecurity, White House

When it comes to data security legislation, do you prefer the perspective of the White House, Capitol Hill or Beacon Hill? This is not a trick question.

While the White House refined its philosophy in the Cyberspace Policy Review (CPR) released in May, legislators in Washington had already introduced draft legislation in April embodying different approaches to data security.

The House of Representatives’ version, H.R. 2221, also known as the Data Accountability and Trust Act, appears to be a vehicle with which the executive and legislative branches of government will debate their differing cybersecurity philosophies. How those approaches differ could have a big impact on state laws.

The Cyberspace Policy Review focuses on long-term security policy and strategy rather than immediate solutions. We recently wrote about several significant recommendations from the report, which include:

  • A proposal to consider federal issuance of national authentication credentials, similar to a passport.
  • Increasing liability for failing to implement level-playing-field security controls.
  • A recommendation to align federal and state laws to eliminate confusion and contradiction.

The White House report, overseen by Melissa Hathaway, states that government legislation has been “focused on the particular issue or technology of the day” and that current law and policy is a “complex patchwork,” while recommending an “integrated approach that combines … flexibility … and the protection of civil liberties.”

Prescribing specific technical approaches and technologies such as encryption has already generated controversy in data privacy and security laws, including Massachusetts’ 201 CMR 17.

One aspect that makes Massachusetts regulations in their current form the most onerous or far-reaching in the U.S., depending on your point of view, is mandated 128-bit encryption. However, mandating specific methods and technologies could prove inflexible and could rapidly become obsolete.

The White House report did not take a hard and fast position one way or the other, but its leaning is revealed in the CPR: “Privacy enhancing technologies such as encryption or controlled access authentication could ameliorate some risks in sharing information.”

Meanwhile, HR 2221 defines encryption as:

“data in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.”

What are your views and concerns about state data protection laws vs. federal legislation or policies from the executive branch? Do you think encryption should be included? If so, what kind? I’d like to hear. Write to editor@searchcompliance.com or reply to @SecuritySources on Twitter.


Jun 22 2009   6:54PM GMT

Key cyberspace policy issues await incoming cybersecurity czar



Posted by: Sarah Cortes
National Security Council, White House, United States Computer Emergency Readiness Team, United States Department of Homeland Security, Washington D.C., Melissa Hathaway, Symantec Government Symposium, Symantec, White House Cybersecurity Policy Review, Security, cybersecurity, Enrique Salem, US-CERT, Homeland Security Committee, HSC, CSIS, Securing Cyberspace for the 44th Presidency, U.S. Senate Select Committee on Intelligence, SSCI, privacy, cybersecurity awareness, Department of Defense Cyber Crime Center, National Institute of Standards and Technology, NIST

Melissa Hathaway spoke to a crowd of over 1,000 at a lunchtime address during the Symantec Government Symposium last week in Washington, D.C. President Obama appointed Hathaway on Feb. 9 as White House Acting Senior Director for Cyberspace for the National Security Council (NSC), and, until it was merged out of its painful existence on May 26, the Homeland Security Council (HSC), a Bush-era creation.

Obama directed Hathaway to conduct a comprehensive 60-day Cyberspace Policy Review, which was released on May 29. Obama is expected to name a permanent “cybersecurity czar” to implement the report’s recommendations.

The White House quelled turf speculation over the reporting structure for the impending U.S. cybersecurity position by quietly “merging” the HSC into the NSC on May 26, just three days before releasing the cybersecurity policy review.

The CSIS cyberspace review group, which was commissioned in August 2007 during the Bush presidency, delayed publication of the review until immediately after the 2008 presidential election. As readers of the document know, it contains significant criticism of the Bush-era DHS.

Hathaway’s report had been critical of the Homeland Security Council, again echoing the December 2008 CSIS report, which, among many others, was critical of the DHS. The HSC, with a staff of 250 mirroring the NSC’s “twin” staff of about 250, produced almost identical “directives,” and seemed to many a duplicative and redundant Bush-era institution.

In her remarks, Hathaway raised several key issues with the audience, including:

  • Private-sector data sharing, which is required to effectively detect and combat cybercrime but which, in her view, is wrongly seen as an antitrust violation.
  • Whether an organization gives up its Fourth Amendment privacy rights when it puts its data in the cloud.
  • The unfinished legislative review work cited in a footnote in the 60-day cybersecurity review and the need for comprehensive legislative reform, which can be interpreted as a signal to backers of evolving state and federal legislation that their initiatives may be superseded.
  • A national ad campaign on cybersecurity awareness, like the Smokey the Bear campaign.
  • As an immediate priority, completion of a national incident response plan by the end of the year.
  • The need for government to also work with the international cybersecurity community.

Hathaway, a top contender for the permanent White House post, confirmed that she is currently “in the interview process” for that position, which, she stated in an interview Tuesday, she hopes “will conclude in the next few weeks … and be resolved favorably.”

The daylong symposium consisted of 20 separate breakout sessions instructed by over 100 panelists, a veritable “who’s who” of highly influential cybersecurity-related officeholders in the current administration or Congress, plus a few luminaries in the world of IT security.

As a measure of industry optimism regarding future government spending on cybersecurity, Enrique Salem, CEO of Symantec’s $5 billion business, was among the symposium speakers, who also included:

  • Steven Shirley, executive director, Department of Defense Cyber Crime Center
  • Eran Feigenbaum, director of security, Google Apps
  • Mischel Kwon, director, United States Computer Emergency Readiness Team (US-CERT), National Cybersecurity Division, Department of Homeland Security
  • Jeremy Warren, chief technology officer, Department of Justice
  • Peter Mell, senior computer scientist, National Institute of Standards and Technology
  • Jacob Olcott, subcommittee director, U.S. House of Representatives Homeland Security Committee
  • Jim Jaeger, director, cyber defense and forensics, General Dynamics

Other panels included key contributors to the highly influential December 2008 CSIS report on securing cyberspace. Hathaway’s White House Cyberspace Policy Review footnotes the CSIS report eight times, more than any other source listed among the document’s 67 total footnotes. On June 1, CSIS released a comparison of its 25 original recommendations with Hathaway’s report, noting that 17 of the 25 were adopted by the White House report.

When questioned Tuesday at the Symantec symposium, former CSIS commission members smiled knowingly and declined to name any of the other individuals currently under consideration for the permanent White House post besides Hathaway.

These panelists, cited in the CSIS report as contributors, included:

  • Sameer Bhalotra, a career professional staff member of the U.S. Senate Select Committee on Intelligence who leads the SSCI cyber study team.
  • Dan Chenok, senior vice president, Pragmatics and former OMB security policy executive.
  • Bruce McConnell, former NSA senior executive, director of $100 million ArcSight and of Sun Microsystems’ federal subsidiary.
  • Amit Yoran, CEO, NetWitness Corp., and former director, National Cybersecurity Division, DHS, and US-CERT.


May 29 2009   4:21PM GMT

White House releases cybersecurity report on cyberspace policy



Posted by: Alexander Howard
Melissa Hathaway, White House, United States Department of Homeland Security, Government, Technology, National security, cybersecurity

Earlier today, the White House released a long-awaited cybersecurity report, including a video (below) featuring commentary and perspective from officials and experts:

Melissa Hathaway, cybersecurity chief at the National Security Council, wrote the following “Securing Our Digital Future” entry on the White House blog:

“The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined. My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them. My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectivity also increasingly help control our critical infrastructure. These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future. Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law.

The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone — individuals, academia, industry, and governments — to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations.”

We’ll have more perspective and commentary next week on what this report will mean for compliance and security professionals. In the meantime, you can read the Cyberspace Policy Review for yourself.

[If you followed @ITCompliance on Twitter, by the way, you already knew all that. -Ed.]
