Sunday, August 10, 2008

Georgian Web Sites Under Attack

http://voices.washingtonpost.com/securityfix/2008/08/georgian_web_sites_under_attac.html?nav=rss_blog
by: Brian Krebs

As Russian bombs rained down on towns in separatist towns of the former Soviet republic of Georgia, hackers mounted a digital assault on the nation's top Web properties this week, knocking government Web sites offline and defacing others.

According to reports from security experts who have been monitoring the ongoing cyber attacks, the Web site for the office of Georgia Foreign Affairs (mfa.gov.ge) was hacked, and its homepage was replaced with images depicting Georgia's president as a Nazi. That site is currently offline.

Other Georgian Web properties, such as the Caucasus Network Tbilisi -- key Georgian commercial Internet servers -- remain under sustained attack from thousands of compromised PCs aimed at flooding the sites with so much junk Web traffic that they can no longer accommodate legitimate visitors.

Security Blogger Jart Armin has been tracking the attacks by conducting Internet traces and lookups at key Georgian Web properties.

The apparently coordinated cyber attacks are reminiscent of recent cyber wars waged against other former Soviet republics that have attracted the ire of the Russian government for various political reasons. Last month, a similar assault targeted important Lithuanian government Web sites. In April 2007, the ultra-wired country suffered major disruptions in much of its information infrastructure, thanks largely to Russian hackers who were upset over the removal of a Soviet World War II memorial from the center of Tallinn, the capital of Estonia.

Chertoff: I'm Listening to the Internet (Not in a Bad Way)

By Ryan Singel August 06, 2008 8:28:51 PM
http://blog.wired.com/27bstroke6/2008/08/chertoff.html

Homeland Security chief Michael Chertoff sat down with Threat Level on Monday in Silicon Valley to talk about laptop searches at the border, the government's new-found interest in computer security, and the continuing saga of overeager terrorist watch lists.

Among the revelations: It seems blog comments inspired him to propose a laptop-tracking application for those who had their computers seized at the border. He also explained why watch-list mismatches are the airlines' fault, and why the government is too secret.

Wired.com: There have been quite a few security czars over the years, but sometime last year, cybersecurity became important. What changed?

Homeland Security Secretary Michael Chertoff: I'm going to give credit to Mike McConnell, the director of national intelligence. When I came on board and we looked at the entire department three-and-a-half years ago, one of the issues we saw was that we didn't have a very mature cybersecurity program. We have US-CERT, which does good work, but we didn't have a program much beyond that.

Frankly, it was hard to get people to explain what they thought our value-add to the program would be. It's not like we are inventing software or firewalls or are competing with McAfee or companies like that.

We could talk about creating a forum where the cyber community could come together and share information, but that seemed like pretty weak tea.

But last year, Mike McConnell and I sat down … and really began talking through what do we do to deal with this issue -- the problem is getting greater.

We have had intrusions. We have had the theft of information over the internet. We are concerned about denial-of-service attacks. We saw the attacks in Estonia.
The sense was we couldn't not deal with the problem because it was hard.

And as I became better acquainted with some of the tools other parts of the government use in terms of capabilities for cybersecurity, that we have used for [the Department of Defense and] for the intelligence community, for example, I was persuaded -- it didn't take a lot of persuasion -- that there ought to be a way to translate this into civilian domains.

And there are two parts to this. One, we have to protect our own civilian assets -- meaning the dot-gov assets.

And there what is involved is getting a hold on the number of access points between .gov domains and the internet, and finding a way to progress from our current Einstein model [DHS's Intrusion Detection Software], which is the passive detection-after-the-fact model, into a real-time detection tool and possibly even a defensive capability with respect to our networks connecting to the internet.

And just getting a handle on that would be a huge benefit in terms of protecting our assets against espionage and also against the possibility of an attack.

The larger challenge -- and frankly one that is further out -- is to find a way to partner with the private sector to enable and encourage them with some of the capabilities that we have to increase their defensive capacities, but on a voluntary basis, meaning not making them do it or regulating them into doing it. But instead offering them the opportunity -- much the same in the non-cyber-world, we go to people who run power plants and dams and we share information and best practices that they can use to defend their own assets.

Wired.com: When you hear talk of cyberwar, people start talking about power plants going down and you get cascading problems. Do we need legislation to give DHS the power to regulate those who run critical infrastructure?

Chertoff: I'd be hesitant to go there with private sector. With the Federal Aviation Administration or other government agencies, I think it is different. I think with the private sector the model is the cooperative model. They have a very strong interest in protecting their assets. But they also have to make a choice about how much they want to partner with the government.

The one thing we don't want to do, because the culture of the internet is opposed to anything that smacks of government clumsy heavy-handedness, is that we don't want to be sitting on the internet, like certain other countries do, where people suspect we are limiting what people can see. We don't want to force people to do what they don't want to do. We don't want them to think we are intruding into their private space.

There is an interdependence on the internet that puts a premium on being a responsible citizen. If you fail to protect your own assets, it doesn't just affect your assets, it affects the assets of everyone linked up to you. So pretty soon, someone who doesn't do a responsible job is going to find themselves ostracized.

The business community is pretty good at understanding that, when they have a threat, and there is capability to defend against the threats, if you don't exhaust every reasonable means, pretty soon you will end up being sued and you will be in bankruptcy court. They have a natural incentive to protect their assets.

Wired.com: What is your threat model? Is the threat level that high?

Chertoff: There are nation states and non-nation states that have the ability to penetrate and filch information and there are certainly other countries in that area as sophisticated as we are -- or close to it -- so naturally you worry about that.

I think you worry about intrusions that steal valuable intellectual property, and you worry to an even greater degree about corruption or disruption of processes.

By corruption, I mean someone enters the financial sector and you begin to corrupt how the system works and it becomes unreliable, people begin to find out they have lost money from their bank account.

The reliability of the system becomes compromised.

There is no question in terms of espionage: It has already materialized. There is a huge amount of penetration of certain government systems that we have had to contend with. Now we are able to defend against a lot of this, but some of it has not been defended against and some of this is out in public.

We had the Estonian experience in terms of an attack actually on a system.

If we wait till someone tries this the first time, it's going to be a really unhappy circumstance.

Just ask [Treasury Secretary] Hank Paulson. If someone takes out a bank, and all of a sudden you don't know any more if your money is safe, that imperils the entire banking system.

There are some people who believe the current generation of terrorists wants a big visible bang. But you know, the next generation may not want a big visible bang. They might take a quiet satisfaction in watching the entire financial system shutter.

Wired.com: Could we talk about laptops and the borders? (ed. note: The government reserves the right to look through any laptop or electronic device crossing the border, saying it is no different from any other luggage. DHS published the official policy on its website just weeks ago.)

Chertoff: This is something that has been done since there were laptops ... It is not a new program. It is a program that affects only a small number of people. And contrary to what the ACLU says, it is constitutional, because the courts say it is constitutional, including the 9th Circuit most recently.


The only thing that happened recently is that I ordered the policy to be put online in the interests of openness and transparency. We get about 80 million people a year coming to our airports, and a very small number are put into secondary inspection and that's based on some suspicion that the inspector has about the person.

It is that pool of people in secondary that have their things gone through, they can have their luggage and documents gone through. And nowadays because you can bring contraband through on a laptop, they can have their laptop looked at.

You are looking for material that is contraband itself, such as child pornography or information about how to set up remote control IEDs. Or if they are non-Americans, you are looking for information on the laptop about why they should not be admitted.

In many cases, we open the laptop and look at it right there. There are some cases where it is encrypted or it is difficult to assess, we may hold on to laptop for purpose of having someone more expert look at it.

If it turns out there's nothing there of criminal nature or significant in terms of national security or admission to the country, we return the laptop and expunge the information and it evaporates.

If it turns out there is significant information, we may return the laptop and keep the info, or if the laptop is itself evidence of a crime, then once we have PC [probable cause] determination we keep it.

One thing I am thinking of doing is creating a better tracking system so if we do take a laptop off the premises, we find a way to let them track it and after a certain number of days they can inquire about when it is going to be returned or what the situation is.

Wired.com: Wouldn't it allay the suspicions of the business community if you had a policy that says we only search through laptops if we have a good reason to do so?

Chertoff: That's exactly why I put it up on the internet. It is on the web to say, 'We only do it when we put you into secondary and we only put you into secondary when there is a suspicion, when there is a reason to suspect something.'

We were trying to say we don't take everyone's laptop and suck it up into a giant vacuum cleaner.

There is some basis for suspicion the inspectors use, and they are the same they have used for decades.


We posted [about the policy] on the Leadership blog and we got a lot of comments. So I said, 'Let's look at all the comments and if there is something we can clarify in the policy because there is a persistent issue, we will do it.'

I am willing to treat this as a bit of an experiment in interactive policy-making. For example, it seemed to bother people, from what I was told, when a laptop is taken elsewhere. So that's where I came up with idea of finding a way to assure people they won't lose their laptop. We are going to track it and make sure we can account for when it is and when they will get it back. So I am willing to do this back and forth in interactive way.

Wired.com: Since people could simply store things on servers or use Gmail, doesn't the program just get at low-hanging fruit?

Chertoff: I'm going to tell you a story from real life. When I was a prosecutor we had had wiretaps for criminal cases for years -- it was a well-known thing. But time and again I would hear the following on a wiretap: "I hope no one is listening in because if they are we are going to jail."

The truth is it is very hard to perfectly avoid being captured if you are doing something wrong simply by saying, 'I'm not going to put it on my laptop. I will put it somewhere else.' They are going to have to be worrying that the other place they are keeping it, the cloud, is being penetrated.

Now is it impossible? No, a perfect terrorist could find a way to circumvent this. But if I can reduce the risk by getting rid of 99 percent, I am way ahead of the game.

Wired.com: If you have an encrypted laptop and you are an American citizen and you come back to the border and you get pulled aside for secondary, they want to look through the laptop and you don't want to give the password, what happens?

Chertoff: That's being litigated. I think our view is that you can be required to open it up, in much the same way, that if you have a briefcase and it is locked and you don't want to open the lock. And the hunch is that's a circumstance where the laptop might be seized and taken elsewhere to be decrypted. [In response to a follow-up e-mail, spokesman Russ Knocke clarified.

"Constitutionally, U.S. citizens are permitted entry into the country. However, if they are carrying contraband such as illegal narcotics, they may be taken into custody. In the hypothetical circumstance that a U.S. citizen is entering the country with an encrypted laptop, and that individual is even referred to secondary in the first place, and then that individual refuses to cooperate by providing a password (again, even if we were to get this point), then the laptop could be seized and de-encrypted."]

Wired.com: Almost seven years after 9/11, there are still reports of problems with the government's watch lists. Most recently, Jim Robinson, a former assistant attorney general, says he is stuck on the list.

Chertoff: In the airport environments, supposing there is a terrorist Jim Smith and that person should be on the watch list, the question is how do you distinguish them from the other Jim Smiths and the answer is you need an additional bit of data, such as a birthday.

That would override or eliminate most false positives. In order to allow people to do this, [beginning] about two or three months ago, people who are selectees can give their frequent flier number or birthday, the airline can enter it in system and they can enter that at the kiosk or at home and they can get their boarding pass and it won't be an issue.

One airline has done that very well. There are some airlines that have not done that. They don't want to reconfigure their software, it's not an issue of customer service they care about, and if there are false positives they can blame the government.

We would like to reconfigure in the next year ... so we do the checking. Some of the airlines don't want to do that because they would have to reconfigure their software.

So that's why there was a discussion recently about whether we should fine airlines that don't correct this problem. There is a system for correcting this and which is adding another data point, but the people running the system have to be willing to reconfigure the system. If they don't care, then the problem is going to continue.

Wired.com: But there is no mechanism for me to say I'm not doing what you think I am doing?

Chertoff: There is a redress program. The easiest thing to resolve is that you are not the person we are worried about. The hardest thing to resolve is that you are worried about me, but you shouldn't be -- because, to be honest, there are people who are dangerous who lie about being dangerous.


And if you tell why you have them on list, they will reconfigure or readjust their behavior to not leave the traces that are a problem.

There may be people for whom it is inconvenient to be patted down or asked a few questions. The downside is that if we don't do that except if we have proof someone is an actual terrorist, you are going to have a Mohammed Atta getting on an airplane or crossing the border and that's going to raise the risk.

Wired.com: At what point do stops by law enforcement and four-hour holdups at the airport become a punishment that you can actually protest?

Chertoff: Particularly with respect to Americans, the number of people that are on the list that are not false positives are not that large a number. And if they do raise an issue, we will take a look at what the basis is. And sometimes we will make adjustments.

But if you are asking if we would do a court process where we litigate it, I mean, that effectively would shut it down.

And then I guarantee what would happen is this: If you stopped using the watch list and basically anybody could get on a plane without knowing their identity, sooner or later something would happen -- and people would lose their lives, and then there would be another 9/11 Commission and we'd hear about how you had this system and you would have kept them off and these people lost their loved ones on a plane.

I don't know if they do it anymore, but when I was a kid we all had polio shots, and after a while, you just don't know anyone with polio. And the question was raised was, why are we taking these shots? There's not that much polio around. And one of the reasons there's not that much polio around is that everyone is getting inoculated.

Wired.com: You are talking about sharing information and this being an open process, but so much of the Comprehensive National Cybersecurity Initiative is secret. Homeland Security Presidential Directive 23 -- which authorized the program -- there's still not an unclassified version of it. You can talk about Einstein, but there are other things you can't talk about. There's reportedly $20 billion in the classified intelligence budget for cyber-security. From the outside, it's hard to know what's going on. With that much secrecy, it sounds like security through obscurity.

Chertoff: I think secrecy is one of the hard issues. That's because the culture of the internet is an open culture and I would like to see us be as open as possible. It's obvious that some things can't be open because they compromise things that, if known to others, would diminish our ability to do certain things, whether that be acquire information or take certain steps. We will have to figure out how to be open to the extent we can while recognizing you live in a world where openness can be a problem too.

It is my fervent hope that more and more of the strategy will be public and only things that really have to be kept secret will be kept secret. But once something is out it is out -- so there is hesitancy and deliberativeness about making things public. But in this case we tried to make public early we were thinking about this.

Wired.com: How do people know this isn't a program about sitting on the internet and monitoring everything?

Chertoff: That's why I think the easy part is the government piece, because clearly with government domains, you have a right to protect your own domain.

And that's why I emphasize the voluntariness. I think the key to the approach is one where the government offers to work with the private sector. But it has to be consent-based. If you don't want any part of it, then you can walk away.

Beckstrom on cybersecurity

By William Jackson
http://www.gcn.com/online/vol1_no1/46849-1.html

LAS VEGAS — Cybersecurity is hampered by a lack of understanding about the physics and economics of the networks we are trying to defend, Rod Beckstrom, director of the Homeland Security Department's National Cyber Security Center, said Thursday at the Black Hat Briefings.

Risk management is a process of balancing security efforts against an acceptable level of risk because absolute security is not possible. But Beckstrom, speaking at the Black Hat Briefings yesterday, said we have no method for valuing our networks or measuring the effectiveness of our security.

"Without the economics, we don't have a risk-management function in terms of our investment," Beckstrom added.

Beckstrom, who has been on the job about four months, did not go into detail about his office's plans, although he said the goal is to build bridges between the military, intelligence and civilian communities in government.

"We're a brand-new government initiative, and we are working on our initial plan," he said. "My job is to help foster cooperation and information-sharing between those three communities."

Information sharing is a common refrain in his comments. His mantra is "all of us are smarter than any of us."

To balance cost and returns in risk management, the amount of money spent on security should not exceed the cost of the losses being prevented. Initial investments in IT security typically bring a high rate of return by sharply reducing losses. But finding the point of diminishing returns is difficult without a good economic model.

"We need to do a lot more work in that area," he said. "We may want to invest in protocols because it might be the best investment we can make."

Fixing flaws in the protocols that underlie our networks would give us the biggest bang for the buck in the federal government's security spending, Beckstrom said. Such fixes are relatively cheap and have a wide impact, although they are not necessarily simple to implement, as the current effort to patch the Domain Name System shows. But in times of emergency, keeping network operations functioning is critical to any response.

Collaborative Process Guides Military’s Cyber-electronic Future

http://www.defenselink.mil/news/newsarticle.aspx?id=50714
By Tim Kilbride
Special to American Forces Press Service

WASHINGTON, Aug. 6, 2008 – Faced with a rapidly evolving and borderless technological landscape, the U.S. military is reaching out to government, academia and industry for help in developing capabilities for protecting the nation’s cyber infrastructure, an Army electronic warfare expert said yesterday.

Col. Wayne A. Parks outlined for military bloggers the broad effort under way to keep up with technological change and the resultant emerging threats to the United States’ defense.

Parks is Electronic Warfare Proponent director of computer network operations and Training and Doctrine Command capabilities manager for at the Combined Arms Center, Fort Leavenworth, Kan.

The challenge is immense, Parks said, and research partnerships have been critical in framing the mission.

“Our understanding of the science of cyber-electronics is relatively immature at this point,” Parks said. “It includes the study of both the physical and the virtual.”

Part of the task is to ensure that the Army works through these concepts carefully and defines them in a way that doesn't limit intellectual exploration of potential and emerging concepts or capabilities, he said.

In that exploration, the Army must balance evolving how the military thinks about cyber-electronics with continuing to develop capabilities for the operational front, he added.

“There's been some tremendous things going on, especially in [Iraq and Afghanistan], where electronic warfare has helped in the operations and in limiting and reducing … the deaths in theater,” he said.

Operational requirements in Iraq and Afghanistan, especially the need to defeat roadside bombs, spurred the Army to speed development of near-term solutions, Parks explained.

Simultaneous research and development has continued on mid- to long-term electronic warfare capabilities, he said, with the goal of keeping pace on both the tactical and strategic levels.

“Cyber-electronics could include or have distinct relationships between things that we call network operations, network warfare, computer network operations, space superiority, electronic warfare and the electromagnetic spectrum operations,” Parks said. “Each represents a different slice of the cyber-electronic continuum within which different capabilities must exist.”

At the strategic level, the Army’s two main responsibilities are maintaining its internal capabilities and networks to be able to deploy around the world and defending the United States’ borders and inside its borders, Parks explained.

But cyberspace has no distinct, physical borders, Parks said. “There is no nation-state border where we're talking now,” he explained.

“There are nation-state sponsors, and we have to look at it in terms of nation-state sponsors, as well as those who are not nation-state sponsors -- I might call them cyber-state sponsors -- who are really developing on their own out there.”

The military is working with interagency partners to officially define its way ahead with regard to defending areas of the financial, travel and related industries that operate across nation-state and cyber-state boundaries, Parks said. The same collaborative approach applies to fielding technologies, he said, and the Army has developed the mind set of “go work with your sister services as they get things approved.”

One potential technology is what Parks described as “self-healing networks,” virtual worlds wherein the system can isolate a weak point and regenerate or repair itself without human intervention. These types of networks could stand up to cyber attacks, he said.

(Tim Kilbride works in the New Media directorate of the Defense Media Activity.)

DHS stays mum on new 'Cyber Security' center

CNet News had a good article a couple of days back on DHS' new National Cyber Security Center that I've pasted below.

Though the article focuses on just a few aspects of the NCSC (its security classification, privacy and budget), the links to the memo from Senators Lieberman and Collins and the response from Michael Chertoff are worth reading. Both provide a considerable amount of recent history and behind-the-scenes work on the DHS' cyber security initiatives.

I'd be interested to know what others thought about the story and the memos. What has struck me when reading these documents is the continuing struggle to balance individual privacy, societal security, private/public partnership and security classification. The National Strategy to Secure Cyberspace, released in 2003, outlines the issues fairly well, but never settles any of the debates other than noting that yes, it is a balancing act which must be conducted by public and private entities in partnership.

I noticed in Mr Chertoff's response that he slips in a gentle reminder to the Senators that the government does not have much power currently to force the private sector to follow government security guidelines. Here is the quote from page 6 of the memo:

"The Federal Government can provide incentives and in some cases exert regulatory authority to compel the private sector to act."


===============
Posted by
Stephanie Condon
http://news.cnet.com/8301-13578_3-10004266-38.htm

The Bush administration's newly created National Cyber Security Center remains shrouded in secrecy, with officials refusing to release information about its budget, what contractors will run it, and how its mission relates to Internet surveillance.

In correspondence with the U.S. Senate posted on Thursday, the Bush administration said it would not provide that information publicly. An 18-page, partially redacted letter from DHS said that disclosure could affect "the conduct of federal programs, or other programs or operations essential to the interests of our nation."

The censored letter--a nonredacted, "For Official Use Only" version was provided to senators--came in response to queries from the top Democratic and Republican members of the Senate's Homeland Security committee.

Sen. Susan Collins, a Maine Republican, indicated that the nonredacted version satisfied her, at least for now. "Increased information sharing will benefit the department, Congress and the public, as well as the private-sector, which controls the vast majority of the nation's cyber infrastructure," Collins said in e-mail to CNET News. "It is my hope that the release of this information will assist in improving security in both the public and private sectors."

Sen. Joe Lieberman, an independent from Connecticut who caucuses with Democrats, did not respond to our queries on Thursday.

In March, DHS announced that Rod Beckström, 47, would be appointed as director of the National Cyber Security Center. Secretary Michael Chertoff said at the time that Beckström would "implement cyber security strategies in a cohesive way" and contribute to the "protection of federal networks and the security of our homeland."

Oddly, DHS seemed to change its mind about whether even the mere existence of the National Cyber Security Center was classified or not.

"On March 20th, you announced that Rod Beckstrom would be the director of the new National Cyber Security Center within DHS," Lieberman and Collins said in a letter (PDF) to DHS in May. "Prior to this announcement, committee staff had been instructed that the existence of the NCSC was itself classified."

Their letter to DHS in May asked for a detailed account of the department's role in the Comprehensive National Cyber Security Initiative, noting a lack of information from the department, in spite of the fact that the administration had claimed that cybersecurity was one of Chertoff's "top four priorities for '08."

The DHS has requested an additional $83 million for National Cyber Security Center for fiscal year 2009 (which begins in October 2009); including the $115 million awarded for the initiative in 2008, that would increase its budget by $200 million, tripling the amount the DHS has spent on cyber security since 2007.


The department's new National Cyber Security Center is taking the lead on the CNCI, a "multi-agency, multi-year plan to secure the federal government's cyber networks" that was established in January by a directive signed by President Bush. In the letter made public on Thursday, DHS described the center as a way to "coordinate and integrate information necessary to help secure U.S. cyber networks and systems and help foster collaboration among federal cyber groups," and serve as a "single location for all-source situational awareness about cyber activity and security status of the U.S. networks and systems."

Though just made public Thursday, the letter was initially sent to the senators on June 2. The subsequent redacted version eliminated the department's response to questions such as: "Why was the determination made that the contract will be for a 10-month period?" and "How will the DHS provide appropriate oversight to ensure that the contractors support efforts do not intrude on inherently governmental functions?"

One question left unanswered is how the National Cyber Security Center will interact with DHS's so-called Einstein program, which is designed to monitor Internet mischief and network disruptions aimed at federal agencies. (Not much about Einstein is public, but a privacy impact assessment offers some details.)

A Homeland Security spokeswoman told us in April that the primary focus of Einstein at the time was protecting federal-government networks--not monitoring the privately operated Internet, a move that would raise unique legal, technical, and privacy challenges.

The DHS letter refused to divulge any information about Einstein. It said: "Technological upgrades and planning activities are classified. DHS will be happy to provide the committee with a briefing in the appropriate (classified) setting."

CNET News' Declan McCullagh contributed to this report

'Casual Games' to School Airmen on Cyber Threats

I think the cyber community's use of simulations for training is in its infancy. Pilots, tank drivers/operators, air traffic controllers, etc., are using simulations extensively to train. I don't think we can say the same for our cyber operators. Yes, there are some simulations available, but I can't even begin to count how many network/computer outages I've seen that are caused by folks who are doing on-the-job training since no widely available simulation environment exists.

The issue I have with the AF solicitation reported by Wired.com is that good money is being wasted on developing this "training game" to teach troops not to click on things they should not be clicking on.

If you read the original news story that prompted this solicitation, only 0.16% (409 people) in the ad-hoc experiment clicked on the offending banner. To me that seems like an incredibly small percentage. The experiment was not demographically contained, meaning these were not necessarily military personnel.

I'd be more interested to know how many military personnel clicked on the ad before spending military dollars to address this issue. Are we spending good money to develop training solutions to fix stupidity?

I'm not saying that there isn't value in trying to find innovative ways to teach our young (and old) troops, but the justification for this project is on shaky grounds. Funding innovative network/cyber simulators may be a better use of our limited resources.



==================
By Noah Shachtman July 31, 2008 10:33:00 AM
http://blog.wired.com/defense/2008/07/airmen-will-cli.html

The Air Force is sick of getting pwn3d. So the service wants to develop a little game or two, to teach its airmen not to click on every on-line come-on -- and infect their networks, in the process.

"The fact that 409 people clicked on an ad that offered infection for those with virus-free personal computers proves people will click on just about anything," the Air Force complains. "Yet computer users are still individually held responsible for the operational security of their systems." And cyber security training just doesn't grab the average airman.

So the service wants "to use casual gaming technology to promote warfighter knowledge and awareness of cyber threats and malicious exploits." A request for research proposals notes, "Retention of critical information concerning frequently used exploits (phishing, viruses, worms, spyware, key loggers, etc.), information assurance tools (patches, digital signatures, Common Access Cards, boundary management, firewalls, password protector), and how they affect computers and networks is more likely to occur if the user is engaged."

"Casual games can be very effective in engaging the learner, imparting important information in a timely manner, and aiding in retention of information," the request adds. "The simplicity of micro games gives the user the ability to focus on content, rather than learning the intricacies of the game."

Some sage observers see cyberwar as akin to the ancient game of Go. The Air Force wants something a little more like Jewel Quest. To grab its airmen, the service thinks these new games should last anywhere from five to 20 minutes, include "appealing music and stimulating graphics," and be able to run on everything from PCs to cell phones. "Innovative and creative approaches to addressing technical goals are invited."

OPEC 2.0

Intriguing Op-ed in today's New York Times by Tim Wu, co-author of Who Controls the Internet?

==========
July 30, 2008
Op-Ed Contributor

By TIM WU

http://www.nytimes.com/2008/07/30/opinion/30wu.html?_r=1&ref=opinion&oref=slogin

AMERICANS today spend almost as much on bandwidth — the capacity to move information — as we do on energy. A family of four likely spends several hundred dollars a month on cellphones, cable television and Internet connections, which is about what we spend on gas and heating oil.

Just as the industrial revolution depended on oil and other energy sources, the information revolution is fueled by bandwidth. If we aren't careful, we're going to repeat the history of the oil industry by creating a bandwidth cartel.

Like energy, bandwidth is an essential economic input. You can't run an engine without gas, or a cellphone without bandwidth. Both are also resources controlled by a tight group of producers, whether oil companies and Middle Eastern nations or communications companies like AT&T, Comcast and Vodafone. That's why, as with energy, we need to develop alternative sources of bandwidth.

Wired connections to the home — cable and telephone lines — are the major way that Americans move information. In the United States and in most of the world, a monopoly or duopoly controls the pipes that supply homes with information. These companies, primarily phone and cable companies, have a natural interest in controlling supply to maintain price levels and extract maximum profit from their investments — similar to how OPEC sets production quotas to guarantee high prices.

But just as with oil, there are alternatives. Amsterdam and some cities in Utah have deployed their own fiber to carry bandwidth as a public utility. A future possibility is to buy your own fiber, the way you might buy a solar panel for your home.

Encouraging competition is another path, though not an easy one: most of the much-hyped competitors from earlier this decade, like businesses that would provide broadband Internet over power lines, are dead or moribund. But alternatives are important. Relying on monopoly producers for the transmission of information is a dangerous path.

After physical wires, the other major way to move information is through the airwaves, a natural resource with enormous potential. But that potential is untapped because of a false scarcity created by bad government policy.

Our current approach is a command and control system dating from the 1920s. The federal government dictates exactly what licensees of the airwaves may do with their part of the spectrum. These Soviet-style rules create waste that is worthy of Brezhnev.

Many "owners" of spectrum either hardly use the stuff or use it in highly inefficient ways. At any given moment, more than 90 percent of the nation's airwaves are empty.

The solution is to relax the overregulation of the airwaves and allow use of the wasted spaces. Anyone, so long as he or she complies with a few basic rules to avoid interference, could try to build a better Wi-Fi and become a broadband billionaire. These wireless entrepreneurs could one day liberate us from wires, cables and rising prices.

Such technologies would not work perfectly right away, but over time clever entrepreneurs would find a way, if we gave them the chance. The Federal Communications Commission promised this kind of reform nearly a decade ago, but it continues to drag its heels.

In an information economy, the supply and price of bandwidth matters, in the way that oil prices matter: not just for gas stations, but for the whole economy.

And that's why there is a pressing need to explore all alternative supplies of bandwidth before it is too late. Americans are as addicted to bandwidth as they are to oil. The first step is facing the problem.

Tim Wu is a professor at Columbia Law School and the co-author of "Who Controls the Internet?"

Big bucks for cyber security


Foreign Policy magazine commented in their blog today on Walter Pincus' story in Washington Post regarding cyber security funding. CSIS's James Lewis notes the perennial issue surrounding cyber security...who exactly is in charge.



================
by: Alex Ely
Mon, 07/21/2008 - 4:31pm

Walter Pincus reports today on a surprisingly large allocation of U.S. federal funds for cyber security:


"A highly classified, multiyear, multibillion-dollar project, CNCI -- or "Cyber Initiative" -- is designed to develop a plan to secure government computer systems against foreign and domestic intruders and prepare for future threats. Any initial plan can later be expanded to cover sensitive civilian systems to protect financial, commercial and other vital infrastructure data."

The cyber security issue is a tricky one. For lack of a better option, the job of protecting government computer systems has fallen to the Department of Homeland Security (DHS), although the Air Force is an active player. The Navy and the Army also have their own programs.

I called James Lewis, an expert at the Center for Strategic and International Studies, to get some insight. He told me that the White House was becoming concerned because "DHS hasn't really done anything" on the issue of cyber security. "Some of it's internal squabbling," he says, "but they just can't seem to get their act together. You hear [Defense Secretary Robert] Gates and [Director of National Intelligence Mike] McConnell talking about it, but you never hear anything from [DHS Secretary Michael] Chertoff."

So far, CNCI has been criticized for being too secretive, though the initiative is a step forward overall. In fact, it's good news that someone is finally starting to take this seriously. Both presidential candidates have expressed a commitment to improving cyber security. Senator Obama has said he will appoint a "national cyber advisor" and will make the issue "the top priority that it should be in the 21st century." Senator McCain has pointed to a need to "invest far more in the federal task of cyber security" in order to protect strategic interests at home.

Knowing just who is supposed to be in charge of cyber security would be a good start. As Lewis points out, "It's not something you can do on an ad hoc basis like we've been doing for the past several years," adding, "We need to be better organized and better at assigning responsibilities."

Symposium gets to core of Air Force's role in cyberspace

http://www.af.mil/news/story.asp?id=123107290

by Scott Knuteson
Air University Public Affairs

7/18/2008 - MAXWELL AIR FORCE BASE, Ala. (AFPN) -- In an effort to bring together minds and ideas from across the cyberspace community, Air University officials hosted a week-long cyberspace symposium here recently. Some 250 professional civilian and military information experts gathered to discuss the implications of cyberspace, especially with regard to the Air Force and national defense.

Officials from the United States Strategic Command, 8th Air Force and the provisional Air Force Cyber Command helped host the symposium.

"Airmen must implement their warfighting traditions in the cyberspace domain," said Dr. Rebecca Grant, founder and president of IRIS Independent Research. "I think we need the Air Force to truly embrace and understand this and excel in cyberspace, as they have in the domain of air and space.

"If there was ever a domain that needed an 'air-minded' look, [cyberspace] is it," she said, after comparing the current development in the cyber realm to that of Brig. Gen. William "Billy" Mitchell's approach to airpower.

Trust is the foundation for a working cyberspace realm, said Lt. Gen. Robert Elder, commander of 8th Air Force and joint functional component commander for global strike and integration at U.S. Strategic Command.

"How do you put the trust relationship back in?" he asked. "It's not by establishing a hierarchical organization. It's by establishing a body of law [which mandates conformance as a prerequisite to connection]. Defense of a network requires everyone's involvement."

During his remarks, General Elder focused on defining cyberspace and discussed how cyberspace relates to national security operations and the Air Force.

And, he noted, adaptation cannot come too quickly in the protection of such an amorphous domain.

"We are not changing fast enough," he said. "This is a national problem, not just a military one. You have to approach [cyberspace] from a network standpoint."

Currently, 8th Air Force serves as the air component headquarters to U.S. Strategic Command for cyberspace operations, among other things, and personnel in the command are responsible for the security and defense of the Air Force's global computer enterprise network.

"Every military service provides cyber forces," General Elder said. "We're trying to provide forces that can provide support for joint cyber warfare operations."

He correlated cyberspace adaptation with airpower, and noted that this relatively new domain is unlike any other. But, the general said, it must be defended.

"We have a physical, logical, wireless and social network to defend," he said. "The bottom line is that there is an attack vector that goes against each facet. We have to protect each one."

Air Force officials have taken on a role in cyberspace protection and plans are underway to select the host base for the newly formed, provisional Air Force Cyber Command. In a memo to attendees, General Elder said the symposium, "will allow discussion on the vital topic of the Air Force's role in protecting the cyberspace domain."

Following midday working group sessions, conferees heard remarks from Dr. Grant. She focused on policy decisions and the philosophical nature of cyberspace as a "domain," in contrast to the traditional "domains" of air, land, and sea.

"I think it's really exciting that we're able to watch a new domain emerge," she said, comparing cyberspace to the emergence of air as a domain for technology propagated by the Wright Brothers and airpower icons such as General Mitchell.

Dr. Grant compared the relatively new domain to ancient Socratic thought and the dilemma of what is real and what is not.

"Cyberspace is not land, the sea, or the air. It is, in large part, a cognitive domain," Dr. Grant said. "That is partly why it gives us trouble as we think of policies for how we will act in this domain."

Dr. Grant also approached the issue of nation-state sovereignty in a domain which knows no bounds.

"Our objective is to safeguard the commons," she said. "But where are the new sovereign boundaries? If it's not a geographic line, is it somewhere in that technical transport structure that creates the Internet?"

Conferees were treated to briefings such as these, which addressed a broad range of cyberspace topics. They were also able to choose from three focused learning tracks which were "Cyberspace Doctrine and Concepts of Operations," "Cyberspace Policy and Law" and "USAF Cyber: Supporting National Security."

"It is fitting that we have this symposium at Maxwell," Lt. Gen. Allen Peck, Air University commander, said during his remarks. "This is the intellectual and leadership center of our Air Force. Seventy years ago, the Air Corps Tactical School moved to Maxwell Field, and was instrumental in developing our understanding of the potential for exploiting the air domain for warfighters. Today we are exploring another relatively new domain and the implications it has for the Air Force and our nation."

U.S. Fears Threat of Cyberspying at Olympics

It's timely that we are having a discussion about China and their threats of cyberwarfare. The piece below from the Wall Street Journal talks about the cyber espionage threats folks will be facing in China.



==================
By SIOBHAN GORMAN July 17, 2008; Page A6

WASHINGTON -- A debate is brewing in the U.S. government over whether to publicly warn businesspeople and other travelers heading to the Beijing Olympics about the dangers posed by Chinese computer hackers.

According to government officials and security consultants, U.S. intelligence agencies are worried about the potential threat to U.S. laptops and cellphones. But others, including the State and Commerce departments and some companies, are trying to quiet the issue for fear of offending the Chinese, these people say.

Barack Obama became the first major presidential candidate to propose new cybersecurity policies Wednesday when he unveiled his cybersecurity strategy, which includes combating corporate espionage, shielding the country's Internet infrastructure and establishing a national cybersecurity adviser.

U.S. intelligence and security officials are concerned by the frequency with which spies in China and other countries are targeting traveling U.S. corporate and government officials. The Department of Homeland Security issued a warning last month to certain government and private-sector officials stating that business and government travelers' electronic devices are often targeted by foreign governments. The warning wasn't available to the public.

The spy tactics include copying information contained in laptop computers at airport checkpoints or hotel rooms, wirelessly inserting spyware on BlackBerry devices, and a new technique dubbed "slurping" that uses Bluetooth technology to steal data from electronic devices.

In addition to cybersecurity threats in other countries, "so many people are going to the Olympics and are going to get electronically undressed," said Joel Brenner, the government's top counterintelligence officer. He tells of one computer-security expert who powered up a new Treo hand-held computer when his plane landed in China. By the time he got to his hotel, a handful of software programs had been wirelessly inserted.

Mr. Brenner says he doesn't take a laptop to China and uses disposable cellphones while there.

Asked about potential electronic surveillance during the Olympics, a spokesman for China's Ministry of Foreign Affairs said: "Allegations that China supports hacker attacks against U.S. computer networks ... are entirely fabricated, and seriously misleading."

Some companies are taking steps to increase security. General Electric Co. encourages traveling employees to leave laptops behind or use a stripped-down travel laptop and encrypted hard drives, said spokesman Jeff DeMarrais. Pfizer Inc. is evaluating a policy that would require employees to take travel laptops to a number of countries, including China, said spokesman Chris Loder.

Despite the risks, many government and corporate officials are leery of discussing the security risks and singling out countries, such as China, for fear of damaging diplomatic and business relationships. One member of a task force at the Office of the Director of National Intelligence, the U.S.'s top spy agency, said the prospect of an Olympics warning comes up repeatedly, but is never resolved, with technology experts advocating a warning and government officials arguing against it.

One credit-card company executive said many in his industry "are becoming almost afraid of the security issue." Lawyers at credit-card companies have advised against taking some security measures, fearing the company could be liable if they fail, this person said.

Western companies' responses to the problem have ranged from "very concerned to positively ostrich-like," said Mr. Brenner.

The government has no established system for telling travelers about cybersecurity risks. The State Department issues alerts for terrorism and health risks, but not for cybersecurity. That's inconsistent with the government's position on terrorism alerts, says Paul Kurtz, a former National Security Council official who is now a cybersecurity consultant. The government is prohibited from withholding terrorist threats from the public, but that's effectively what it's doing with cyberthreats, he says.

The State Department mentions Chinese cyberthreats briefly on its Web site, noting that computers in hotel rooms may be searched. That information "is basically the extent of any concerns," a department official said.

Mr. Kurtz suggests that the government develop a warning system assigning countries a threat level. Intelligence agencies already produce an annual classified country-by-country report on cyberspying abilities.

Homeland Security's nonpublic assessment, issued last month, doesn't single out any countries. It was issued less than two months before the Olympics and shortly after reports that a U.S. government laptop may have been hacked during a December trip to China by the U.S. Commerce secretary.

This unclassified document wasn't made public. Department spokesman Russ Knocke said the assessment was shared with the department's "state, local, and private-sector partners" but not with the public because such notices are usually the State Department's responsibility and the assessment didn't point to a specific threat. The department tries to avoid inundating the public with nonspecific information, he said.

China Threatens Olympics Cyber Attacks

I don't think I am as alarmed as the writer of the defensetech.com story regarding China's intentions.

First, I believe this story is aimed at the internal Chinese audience. The link in the story takes you to a Chinese language web page with no English translation button. If the Chinese government was serious about putting the world on alert, I would guess that they would publish the ultimatum in English and other languages. Piracy is a big issue for the Chinese, who have not done a very good job of curtailing piracy or enforcing intellectual property rights.

Fareed Zakaria, in his new book, The Post American World, devotes considerable space to how China views its place in the world and what actions would be required to make China abide by international norms. Zakaria makes a compelling case that we cannot view China's actions based on a Western mind-set. He argues that China's actions are based on individual and formal relationships, not on the pure balance of power equation. I believe China's sudden concern about piracy of Olympics broadcasts probably has more to do with their relationship with the Intl Olympic Committee, those who have been awarded the broadcast rights and China's perceived place in the world than it has to do with them laying down the gauntlet against international pirates.

Second, I'm not sure China is challenging the sovereignty of other nations with their press release. China's long-standing policy has been to respect the sovereignty of other nations. They are not concerned about what nations do within their borders as long as they remain on friendly terms with China. We've seen this stand recently regarding The Sudan and Zimbabwe. If they are so adamant about respecting the territorial sovereignty of other nations, why would they abandon this policy in the cyber domain to engage in cyber warfare/police action on web sites controlled by other nations?

Yes, according to press reports, China has been engaging in mapping/attempted penetration of a variety of networks around the world. But is this any different than what many nations, including allies, around the world do to each other...espionage? China is probably just very sloppy about it.

Third, I wonder how well tied the Chinese Copyright Management Division is to the PLA. Would an ultimatum from the Copyright Management Division bureaucrats cause the PLA generals to engage in military action on the cyber front? Does this bureaucrat really have the power to put the cyberwar legions in the PLA on the war-path to shut down foreign web sites? I don't know enough about the inner workings of the Chinese government and PLA to be able to answer that. But knowing bureaucracies in general, I'm not convinced that the Copyright Management Division is speaking for the senior leadership of China. If the Chinese leadership was really serious about challenging the world on copyright infringement through cyberwarfare, the press release would have come from a much more senior person and most likely worked through diplomatic channels as well.



=======================
by Kevin Coleman
http://www.defensetech.org/archives/004300.html

Multiple sources have confirmed that China has openly threatened anyone who reuses or rebroadcasts the Beijing Olympics. Chinese officials publicly stated they will “punish” Internet Web sites, Re-broadcasters and other “new media” that replay the 2008 Olympic Games and related events without the authorization of state-run China Central Television.

Xu Chao, deputy director of the Copyright Management Division in the State Copyright Bureau said “during the Olympic Games, many unauthorized broadcasts will flood into the market. We should initiate an “attack” against broadcast piracy.” Xu went on to discuss some of their anti-piracy measures including a public hotline for reporting illegal broadcasting through the State Copyright Bureau website or by dialing the "12390" anti-piracy hotline to collaborate with the government. People involved will be rewarded for the reports once the report is found to be true.

The International Olympic Committee granted CCTV the new media broadcast rights for the summer games exclusively. We were unable to obtain their exact definition of “new media broadcast.” However, in a statement by the State Administration of Radio, Film and Television, the National Copyright Administration and the Ministry of Industry and Information Technology, they said Web sites and mobile platforms using Olympic broadcast signals without getting permission from the CCTV will be punished.

They went on to say that “Web sites may be shut down if they carry the events illegally.” Olympics coverage is big business. The 2008 Summer Games in Beijing will mark the arrival of streaming content as a viable alternative to the Olympics’ television broadcast. Online video streaming is attracting an increasing share of ad spending and many believe is the future of advertising. NBCOlympics.com will offer 4,400 hours of on-demand streaming content plus 2,200 hours of live programming, making the Beijing Olympics the largest streaming media project to date. There is little doubt that carbon copies of the streamed media will be available from numerous sources on the web and in the physical world. So it appears China has a big challenge ahead.

Are they really threatening cyber attacks on public companies, private industry and individuals? That is the way one Cyber Security Expert we spoke to interpreted it. Only time will tell. What if a company in the United States, or any other country, is attacked? How will the government respond? One thing for sure, this is a sign of things to come.

Facts:
The Olympics have become a very, very big business. Worldwide media rights to the 2008 Summer Olympics in Beijing sold for $1.7 billion, with NBC Universal paying $894 million for the U.S. media rights alone.

China Central Television (CCTV) said that “Web sites may be “shut down” if they carry the events illegally.” In addition, a Chinese Government spokesperson said “Any individual without authorization who uploads recorded Olympic events or pirated Olympics video broadcasting websites will face up to 100,000 RMB in penalties.” The statement in its entirety can be found here.

Q&A with Lt. Gen. Michael Peterson

This interview from The Hill was carried by the AF's Aim Points daily news service. Lt Gen Peterson is the Senior Communications Officer in the US Air Force.


========
BY: Roxana Tiron, The Hill 07/9/2008

http://thehill.com/the-executive/qa-with-lt.-gen.-michael-peterson-2008-07-09.html

Air Force Lt. Gen. Michael Peterson has a fancy title: Chief of Warfighting Integration and Chief Information Officer. But he calls himself the "tech guy on the operations team." Peterson is the guy who talks about bits and bytes, cyber security, radars and satellites. He also is the one who keeps tabs on all the Air Force's assets and how they can best be used to be effective in the fight. Peterson manages a more than $17 billion portfolio for communication, intelligence, surveillance and reconnaissance assets.

Q: What are some of the biggest concerns of your job?

The biggest concern is that we can't go to war without the Internet. That is how we travel, that is how we move, that is how we are re-supplied, that is how we reach out and get help from vendors and the industry. The Internet is unclassified, literally unprotected. We can add our classified networks directly to the Internet and there is some degree of protection, but that is not good enough. So what keeps me up at night is having a potential adversary deny us the use of that network to make it much more difficult for us to go to war.

Q: Are cyber attacks getting more sophisticated? How is the Air Force staying ahead of those threats?

We get probed hundreds of thousands of times. "Probed" means that someone is coming in and finding out what protocols are available to come into the system. Tens of thousands [of probes] are looking for chinks in the firewall so that they can exploit a vulnerability. When we have not configured systems properly, probes sometimes work because we have not closed all of the ports. Or they come inside the network through a port we want them to use, but then they have attacked a piece of equipment inside the network and that opens up other vulnerabilities.

The problem remains that this moves along so quickly, and as vulnerabilities are found immediately we want to go and patch them. Eighteen months ago it took 57 days to patch computers because it was all manual. You had to go out and touch every single machine. Today, because we have put standard configurations in place and you can do it remotely, we can do it in a day and a half. The goal is going to be minutes.

Q: How do you stay a step ahead with the technology and hacking methods always evolving?

As soon as a new version of software, as soon as a new version of a chip is delivered to us, we have teams that are working with the national computer emergency teams to do analysis and find vulnerabilities. We immediately go to work if we find vulnerabilities.

Q: Has the headquarters for the new Cyber Command been chosen yet? The new command received a lot of congressional attention as several districts and states expressed interest in housing the new endeavor.

No, and we will not be able to do that soon. Very aggressively, we thought we could. I did not know how complex it was to find the right location to stand up a new mission. [About 18 states showed interest in housing the command.] We asked governors for their input and they are coming back now. We will narrow down the decision to a few places before Christmas. Then some really hard work goes in. We will send our engineers out to do the environmental impact work. Probably in summer of 2009 we would be able to tell people where it is going to be.

Q: Defense Secretary Robert Gates has talked so much about strengthening the intelligence, surveillance and reconnaissance (ISR) capability and created a task force. What are the Air Force's priorities as part of that task force? Any new ideas or capabilities?

Our priorities are Secretary Gates's priorities. What we did is we took an end-to-end look at what we could provide and what we can deliver in terms of ISR. The highlight of that is the importance of full-motion video to the ground force. Today most of that is done with the Predator [unmanned aerial vehicle (UAV)]. Global Hawk [UAV] has still images, but we also moved on with a few aircraft called Reaper [UAV], which is the follow-on generation to the Predator.

We did the experimentation for reach-back through satellite and fiber optic networks, so today the bulk of our Predators are flown from Creech Air Force Base in Nevada. The crews are there. They do not deploy forward and that way they can be in the fight 365 days a year. That allowed us to put 88 percent of our Predators forward [into theaters of war]. The other 12 percent are training new crews and doing test and evaluation for new capabilities. By December, we will have 31 [Predator] orbits. That means 24/7, 365 days there is a Predator on board supporting you in 31 separate locations in the theater. Our stated objective is to have 50 orbits available. We will need them to be Reaper, principally because they can carry more payload for ISR.

Q: Do you still think there should be an executive agency for unmanned vehicles?

That question got answered, and the deputy secretary of Defense does not think we need an executive agent. He is insistent that we work closely together to develop those common technical standards. That is our intent and that is what we are going to push towards.

Q: The whole issue with the nuclear parts mishaps — what do you think happened there, and what do you think could strengthen the information sharing about assets and how they are being employed?

[The secretary and chief of staff of the Air Force were forced to resign over two flaps involving nuclear parts. Last August, a B-52 bomber flew from North Dakota to Louisiana with nuclear weapons and earlier this year, the Pentagon discovered that four nuclear warhead fuses were accidentally shipped to Taiwan in 2006.]

We have some important work to do on our legacy logistics system. Any time a person is in the loop, there is the potential of typing something incorrectly. So in my lane we have been working with the logistics personnel so that we have the best tools available and that we modernize those systems. That would be an absolute priority on my part.