Saturday, February 7, 2009

After six years, Homeland Security still without 'cybercrisis' plan

December 19, 2008 10:39 AM PST

Posted by Declan McCullagh

Homeland Security

When the U.S. Department of Homeland Security was created, it was supposed to find a way to respond to serious "cybercrises." "The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the legislation in November 2002.

More than six years later, and after spending more than $400 million on cybersecurity, DHS still has not accomplished that stated goal. "We need to have a plan tailored for a cybercrisis," DHS Secretary Michael Chertoff said on Thursday.

Chertoff told a conference in Washington, D.C., that creating such a plan first requires "a clear awareness of exactly what the dimension of the threat was," meaning the ability to detect intrusions in real time, and probably means taking some of the existing plans for physical attacks and "adapt them and some of the basic principles" to electronic threats.

"I do think that we have work to do in figuring out how to tailor something specific for cybersecurity in the same way that we've done it for natural disasters or terrorist attacks or things of that sort," he added.

Because only a few weeks are left in the Bush administration, any further work will be left to the administration of President-elect Barack Obama.

The Bush administration has spent $115 million on DHS's National Cybersecurity Division for the 2008 fiscal year. Totaling the budgets for the previous four years yields approximately $300 million, or approximately $415 million over five years including 2008.

The cybersecurity division has been plagued by a lack of leadership, with industry representatives unsure of who to contact. The revolving door of leadership within the division prompted a cybersecurity commission to recommend that leadership be moved to the White House, something that DHS opposes.

"There's no one place in charge," said Andy Singer, principal of the cybercampaign team for Booz Allen Hamilton, one of the sponsors of Thursday's conference. "Who does Bank of America go to if they're having a problem?"

Even by Washington standards, the turnover of various cybersecurity "czars" has been remarkable: Richard Clarke, a veteran of the Clinton and first Bush administrations, left the post with a lucrative book deal. Clarke was followed in quick succession by Howard Schmidt, then Amit Yoran and Robert Liscouski. Another DHS cybersecurity official, Jerry Dixon, said after he left that "nothing is happening" in the department in this area.

Secretary Michael Chertoff

(Credit: Department of Homeland Security)

Along the way, DHS was regularly receiving poor grades--including an F--on computer security report cards released by a congressional oversight committee.

Not helping was what Chertoff once described as "initial concerns" about raising the profile of cybersecurity in a bureaucratic culture that was focused on physical threats, and the decision to leave the top DHS cybersecurity post open for over a year. Greg Garcia got the job in September 2006 and is still there, as is Undersecretary Robert Jamison, who oversees "infrastructure protection."

Part of the problem for DHS, though, is out of its immediate control. The commercial Internet has been built by private companies, which constantly monitor their systems for attacks and know the status and performance of their networks much better than a Washington bureaucracy ever could. Moreover, monitoring of private networks by government agencies raises serious security and privacy concerns.

This is what Chertoff said on Thursday:

I want to begin by saying that I'm very sensitive to the fact that the culture of the Internet, as well as the actual architecture, is one which does not lend itself to government regulation and mandates... We are willing to provide capability to those who want us to provide that capability, but we don't make you do it. And if someone doesn't want to have the government involved and they want to live outside of any kind of government assistance or cooperation, I don't know that we would necessarily be wise to try to make them do it...

And that's why I'm really emphatic about the need to not make this a mandatory system but rather a system where we create opportunities for people. I actually think most people in the private sector will take those opportunities and will accept our invitation. But I also know if we try to make it something that we push onto people, the backlash we are going to see will dwarf the controversies that we've seen with respect to what we've done in the communications field over the last eight years...

And then we're behind the eight ball because we're explaining that we're really not Big Brother. A classic example, before my time, was a search engine--I think it was called Carnivore, which the FBI came up with. And I think it made a lot of sense, but the word "Carnivore" was the absolute wrong thing to have in that program.

Chertoff also said that Bush has been briefed on these topics as recently as the last week--"he's very, very concerned about making sure this vulnerability is adequately reduced and protected"--and said that the next generation of DHS' early-warning system for cyberincidents, called Einstein 3, would go live in the next six months.

Part of the purpose of arranging this week's cyberthreat simulation conference was to help all the relevant parties develop a plan of response in the event of a cyberattack--something that the DHS National Cyber Response Coordination Group has not accomplished.

Booz Allen Hamilton's Singer said it's too early to tell whether DHS will be able to sufficiently manage cybersecurity.

"If you look at some of the constructs in DHS--they have Undersecretary Jamison and the NCSC, the NCSD--it's a pretty tough task to make sure all of those pieces fit together," he said. "Whenever there's people involved, you always have the potential for seams, for things to fall through the cracks. On the first day of the simulation, people were looking for government to solve problems, but by the end of today, people were saying government can't save everything."

CNET's Stephanie Condon contributed to this report

Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan.

Cyber insecurity

The article below has been syndicated all over the world.


http://www.dailytimes.com.pk/default.asp?page=2008\12\21\story_21-12-2008_pg3_6

In August 2008, Russian troops moved into Georgia. Observers dispute who fired first, but there was a little-noticed dimension of the conflict that will have major repercussions for the future.

Computer hackers attacked Georgian government websites in the weeks preceding the outbreak of armed conflict. The Russia-Georgia conflict represents the first significant cyber attacks accompanying armed conflict. Welcome to the twenty-first century.

Cyber threats and potential cyber warfare illustrate the increased vulnerabilities and loss of control in modern societies. Governments have mainly been concerned about hacker attacks on their own bureaucracy's information technology infrastructure, but there are social vulnerabilities well beyond government computers.

In an open letter to the US president in September 2007, American professionals in cyber defence warned that "the critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defence, and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster." In the murky world of the Internet, attackers are difficult to identify.

In today's interconnected world, an unidentified cyber attack on non-governmental infrastructure might be severely damaging. For example, some experts believe that a nation's electric power grid may be particularly susceptible. The control systems that electric power companies use are thought vulnerable to attack, which could shut down cities and regions for days or weeks. Cyber attacks may also interfere with financial markets and cause immense economic loss by closing down commercial websites.

Some scenarios, including an "electronic Pearl Harbour", sound alarmist, but they illustrate the diffusion of power from central governments to individuals. In 1941, the powerful Japanese navy used many resources to create damage thousands of miles away. Today, an individual hacker using malicious software can cause chaos in far-away places at little cost to himself.

Moreover, the information revolution enables individuals to perpetrate sabotage with unprecedented speed and scope. The so-called "love bug virus", launched in the Philippines in 2000, is estimated to have cost billions of dollars in damage. Terrorists, too, can exploit new vulnerabilities in cyberspace to engage in asymmetrical warfare.

In 1998, when America complained about seven Moscow internet addresses involved in the theft of Pentagon and NASA secrets, the Russian government replied that the phone numbers from which the attacks originated were inoperative. The US had no way of knowing whether the Russian government had been involved.

More recently, in 2007, China's government was accused of sponsoring thousands of hacking incidents against German federal government computers and defence and private sector computer systems in the US. But it was difficult to prove the source of the attack, and the Pentagon had to shut down some of its computer systems.

In 2007, when Estonia's government moved a World War II statue commemorating Soviet war dead, hackers retaliated with a costly denial-of-service attack that closed down Estonia's access to the Internet. There was no way to prove whether the Russian government, a spontaneous nationalist response, or both aided this transnational attack.

In January 2008, President George W Bush signed two presidential directives that called for establishing a comprehensive cyber-security plan, and his 2009 budget requested $6 billion to develop a system to protect national cyber security. President-elect Barack Obama is likely to follow suit. In his campaign, Obama called for tough new standards for cyber security and physical resilience of critical infrastructure, and promised to appoint a national cyber adviser who will report directly to him and be responsible for developing policy and coordinating federal agency efforts.

That job will not be easy, because much of the relevant infrastructure is not under direct government control. Just recently, Donald Kerr, the US deputy director of national intelligence, warned that "major losses of information and value for our government programmes typically aren't from spies... In fact, one of the great concerns I have is that so much of the new capabilities that we're all going to depend on aren't any longer developed in government labs under government contract."

Kerr described what he called "supply chain attacks" in which hackers not only steal proprietary information, but go further and insert erroneous data and programmes in communications hardware and software — Trojan horses that can be used to bring down systems. All governments will find themselves exposed to a new type of threat that will be difficult to counter.

Governments can hope to deter cyber attacks just as they deter nuclear or other armed attacks. But deterrence requires a credible threat of response against an attacker. And that becomes much more difficult in a world where governments find it hard to tell where cyber attacks come from, whether from a hostile state or a group of criminals masking as a foreign government.

While an international legal code that defines cyber attacks more clearly, together with cooperation on preventive measures, can help, such arms-control solutions are not likely to be sufficient. Nor will defensive measures like constructing electronic firewalls and creating redundancies in sensitive systems.

Given the enormous uncertainties involved, the new cyber dimensions of security must be high on every government's agenda. —DTPS

Joseph S Nye is a professor at Harvard University and author most recently of The Powers to Lead


Gen Lorenz on leadership: At war in cyberspace

http://www.af.mil/news/story.asp?id=123129337

Commentary by Gen. Stephen R. Lorenz
Air Education and Training Command commander


12/23/2008 - RANDOLPH AIR FORCE BASE, Texas (AFNS) -- "The stark reality is that the bad guys are winning and our nation is at risk." 

That's what retired Air Force Lieutenant General Harry Raduege, Jr., writes in an insightful article about cyberspace titled, "Evolving Cybersecurity Faces a New Dawn." As he describes our many challenges in cyberspace, General Raduege observes that "the list of concerns is growing and endless: rampant cybercrime, increasing identity theft, sophisticated social engineering techniques, relentless intrusions into government networks, and widespread vulnerabilities continuously exploited by a variety of entities ranging from criminal organizations and entrepreneurial hackers to well-resourced espionage actors." 

Over the last few weeks, we have focused on the security of our computer networks, and we have found that we have big challenges. 

The bottom line is that we are at war in cyberspace...today...all the time. 

Our enemies are attacking our network -- the same network you use to send e-mails, share documents and access the internet. They are using stealth and surprise to insert malicious code into our network in order to gain intelligence. What is our enemy's intention? We don't know, but it's not friendly. 

Chief Master Sergeant Rob Tappana, our command chief, said something that caught my attention. He observed that if our front gate was under attack, we would do something about it. We would reinforce the guards with our security forces, convene the battle staff, increase patrols and raise awareness levels throughout the base. Chief Tappana then pointed at the computer on a nearby desk and said, "We must realize that that's our front gate too." 

He is right. We need to think and act like warriors in cyberspace. That's where leadership is essential. 

General Raduege describes four stages in our journey to secure cyberspace. The first stage is ignorance. We don't know what we don't know about cyberspace attacks. We are past that stage now. If you didn't know about our vulnerability in cyberspace, you do now. 

The second stage is awareness. We now realize that we are at war in cyberspace, and we are vulnerable. We no longer take access to the network for granted -- we realize that it can be taken away unless we take steps to defend it. 

The third stage is actualization. We share a sense of urgency that we need to do something about the attacks on our network. We will learn more and more about cybersecurity. We will all work together to reduce our vulnerability and defend the network from attack. 

The final stage is the "cyber mindset," where we think and act as warriors in cyberspace just as we do in air and space. We will train to protect ourselves and our networks from attack. We will all be "on patrol" as we look for new threats. Leaders at all levels will measure our vulnerability and direct defensive actions to counter the enemy. 

To get to the fourth stage, we are going to have to work through a paradigm shift about security in cyberspace. Many of us, including me in the past, have taken the network for granted. We can't do that anymore. Every computer connected to the network is part of the battlespace. Every person that has access to the network is operating in a combat environment. Everyone must act responsibly, or it opens a hole in our defense. 

As I've written before, I believe you are all leaders, because you all have influence over other people in your workplaces, your families and your communities. It's going to take your leadership to help us make this paradigm shift. How do you lead others through change? You work through the stages of change faster than the people around you. 

So, as leaders, I ask that you move from awareness to actualization as quickly as possible. Talk to our experts, beginning with our communication professionals. Set the right example by following the procedures and not taking shortcuts. Learn about and use the tools we have today. I promise that more tools are on the way. 

I am working through the stages as fast as I can. We are improving the security of our computers at our headquarters, and I have directed that no one is exempt from security measures, including me. If my computer has to restart while I'm in the middle of something, so be it. We must be willing to accept a moderate amount of mission degradation to secure ourselves against the enemy "at the gate." 

General Raduege writes that, despite the challenges facing us in cyberspace, he is optimistic that we are "on the verge of a new dawn for cybersecurity." I am optimistic as well, because we are fortunate to have you to help lead us through this change in our mindset. We are at war in cyberspace and we will all need to apply our warrior skills to prevail. Fight's on! 


DARPA Unveils Cyber Warfare Range

By David A. Fulghum/AviationWeek.com

Cyber weapon researchers worry that pieces of the digital warfare puzzle are still missing, in particular projection of new threats that foes may throw at the U.S. But U.S. Defense Department researchers may have an answer in the form of a new proving ground of sorts.

"Who's looking at what's coming next?" asks Rance Walleston, director of BAE Systems' Information Operations Initiative. "That's still weak."

Already, "we are seeing the threats shifting," says Aaron Penkacik, director of BAE Systems' Collaborative Technology Alliance, which works with small companies and universities around the world to create and develop specialized materials and technologies. "As you go into a new theater of operations, you see [advanced communications and new uses for networks] pop up everywhere. The threat is there, ad-hoc, undefined and asymmetric. So you have to stand up your capability quickly to defend and fight your networks."

The BAE executive says the ramifications are already playing out in real ways. "It's changing the way we think about deploying software-defined radios," he says by way of example. "We're using common modules that have software functions that are adaptable in real time as the threat changes."

And today, just as there are specialized test ranges for all types of radars and weapons, the Defense Advanced Research Projects Agency (DARPA) has funded a new program called the National Cyber Range. So far the agency has awarded six-month, paid proposal-phase contracts to a number of contractors.

"They're going to build an environment where we can play around and begin looking at 'anticipated' problems," Walleston says. "What they're saying is that we need the equivalent of a White Sands [Missile Range] for cyber war. We have bits and pieces of range all over the place, but nothing definitive. This will be [the premier] cyber range where you can bring all your tools and techniques and try them out in an environment that closely resembles the real world."

So what are the basic requirements for a cyber warfare range?

"We want to change cyber attack from an art to a science," Walleston says. "You need [lots of] real estate, isolation and an infrastructure that can be attacked and that will record precisely the results. Isolation is a big deal because that's the only way you can determine if some software agent you built works.

"It's hard to know what you are actually going to get from a test in a laboratory against five computers when the capability you need has to function against five million computers," he continues. "There's nowhere to test that, so DARPA's trying to put together a range with fidelity in many dimensions — such as the number and types of nodes and how they're connected — so that you can accurately determine the effectiveness of some tool. The real trick will be how quickly you can upgrade the range to deal with changing threats."


Cyberwarfare 101: Case Study of a Textbook Attack

If you are tired of reading about the Estonian cyber attacks, then please don't bother reading this. The story below is from a blog, but the author claims it was originally run by Stratfor.com earlier this year.

http://blogs.msdn.com/tzink/archive/2008/12/24/cyberwarfare-101-case-study-of-a-textbook-attack-part-1.aspx

Summary

One of the most mature instances of a cyberwarfare attack was an assault on Internet networks in Estonia in late April and early May of 2007. The Russian government was suspected of participating in — if not instigating — the attack, which featured some of the key characteristics of cyberwarfare, including decentralization and anonymity.

During the night of April 26-27, 2007, in downtown Tallinn, Estonia, government workers took down and moved a Soviet-era monument commemorating World War II called the Bronze Soldier, despite the protests of some 500 ethnic Russian Estonians. For the Kremlin — and Russians in general — such a move in a former Soviet republic was blasphemy.

It was also just the kind of emotional flash point that could spark a "nationalistic" or "rally-around-the-flag" movement in cyberspace. By 10 p.m. local time on April 26, 2007, digital intruders began probing Estonian Internet networks, looking for weak points and marshaling resources for an all-out assault. Bursts of data were sent to important nodes and servers to determine their maximum capacity — a capacity that the attackers would later exceed with floods of data, crashing servers and clogging connections.

A concerted cyberwarfare attack on Estonia was under way, one that would eventually bring the functioning of government, banks, media and other institutions to a virtual standstill and ultimately involve more than a million computers from some 75 countries (including some of Estonia's NATO allies). Estonia was a uniquely vulnerable target. Extremely wired, despite its recent status as a Soviet republic, Estonian society had grown dependent on the Internet for virtually all the administrative workings of everyday life — communications, financial transactions, news, shopping, restaurant reservations, theater tickets and bill paying. Even parliamentary votes were conducted online. When Estonia's independence from the Soviet Union was restored in 1991, not even telephone connections were reliable or widely available. Today, more than 60 percent of the population owns a cell phone, and Internet usage is already on par with Western European nations. In 2000, Estonia's parliament declared Internet access a basic human right.

Some of the first targets of the attack were the Estonian parliament's e-mail servers and networks. A flood of junk e-mails, messages and data caused the servers to crash, along with several important Web sites. After disabling this primary line of communications among Estonian politicians, some of the hackers hijacked Web sites of the Reform Party, along with sites belonging to several other political groups. Once they gained control of the sites, hackers posted a fake letter from Estonian Prime Minister Andrus Ansip apologizing for ordering the removal of the World War II monument.

By April 29, 2007, massive data surges were pressing the networks and rapidly approaching the limits of routers and switches across the country. Even though not all individual servers were taken completely offline, the entire Internet system in Estonia became so preoccupied with protecting itself that it could scarcely function.

During the first wave of the assault, network security specialists attempted to erect barriers and firewalls to protect primary targets. As the attacks increased in frequency and force, these barriers began to crumble.

Seeking reinforcements, Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team, began calling on contacts from Finland, Germany, Slovenia and other countries to assemble a team of hackers and computer experts to defend the country. Over the next several days, many government ministry and political party Web sites were attacked, resulting either in misinformation being spread or the sites being made partially or completely inaccessible.

After hitting the government and political infrastructure, hackers took aim at other critical institutions. Several denial-of-service attacks forced two major banks to suspend operations and resulted in the loss of millions of dollars (90 percent of all banking transactions in Estonia occur via the Internet). To amplify the disruption caused by the initial operation, hackers turned toward media outlets and began denying reader and viewer access to roughly half the major news organizations in the country. This not only complicated life for Estonians but also denied information to the rest of the world about the ongoing cyberwar. By now, Aarelaid and his team had gradually managed to block access to many of the hackers' targets and restored a degree of stability within the networks.

Then on May 9, the day Russia celebrates victory over Nazi Germany, the cyberwar on Estonia intensified. Many times the size of the previous days' incursions, the attacks may have involved newly recruited cybermercenaries and their bot armies. More than 50 Web sites and servers may have been disabled at once, with a data stream crippling many other parts of the system. This continued until late in the evening of May 10, perhaps when the rented time on the botnets and cybermercenaries' contracts expired. After May 10, the attacks slowly decreased as Aarelaid managed to take the botnets offline by working with phone companies and Internet service providers to trace back the IP addresses of attacking computers and shut down their Internet service connections.

During the defense of Estonia's Internet system, many of the computers used in the attacks were traced back to Russian government offices. What could not be determined was whether these computers were simply "zombies" hijacked by bots and not under the control of the Russian government, or whether they were actively being used by government personnel.

Although Estonia was uniquely vulnerable to a cyberwarfare attack, the campaign in April and May of 2007 should be understood more as a sign of things to come in the broader developed world. The lessons learned were significant and universal. Any country that relies on the Internet to support many critical, as well as mundane day-to-day, functions can be severely disrupted by a well-orchestrated attack. Estonia, for one, is unlikely ever to reduce its reliance on the Internet, but it will undoubtedly try to develop safeguards to better protect itself (such as filters that restrict internal traffic in a crisis and deny anyone in another country access to domestic servers). Meanwhile, the hacker community will work diligently to figure out a way around the safeguards.

One thing is certain: Cyberattacks like the 2007 assault on Estonia will become more common in an increasingly networked world, which will have to learn — no doubt the hard way — how to reduce vulnerability and more effectively respond to such attacks. Perhaps most significant is the reminder Estonia provides that cyberspace definitely favors offensive operations.
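The case study above describes the responders' playbook only in outline: measure which sources are flooding a server, hand that list to the ISPs for blocking, watch how close total load is to the capacity the attackers probed for, and in a crisis admit only domestic address space. The script below is an added example, not code from the Stratfor write-up or from Estonia's CERT; it shows what that triage looks like over ordinary web-server access logs. The log lines, the address ranges (RFC 5737 test networks standing in for "domestic" and "foreign"), the 10-second window, the per-source limit and the capacity figure are all constructed for the example.

```python
"""Rate-based triage of a request flood from web-server access logs.

Added example (not code from the Stratfor write-up or from Estonia's CERT).
It picks out the hosts flooding a server so the list can be handed to ISPs
for blocking, reports how close total load is to server capacity, and
applies the crisis-mode rule of admitting only domestic address space.
Log lines, address ranges (RFC 5737 test networks), window size, per-source
limit and capacity figure are all constructed here.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Assumed "domestic" prefix for the crisis filter (constructed, TEST-NET-1).
DOMESTIC = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return {ip, ts, status} for a combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "status": int(m.group("status"))}


def source_rates(records, window_seconds=10):
    """Bucket requests into fixed windows; return (peak per-window count per source, per-window counters)."""
    per_window = defaultdict(Counter)
    for r in records:
        bucket = int(r["ts"].timestamp()) // window_seconds
        per_window[bucket][r["ip"]] += 1
    peak = Counter()
    for counts in per_window.values():
        for ip, n in counts.items():
            peak[ip] = max(peak[ip], n)
    return peak, per_window


def flag_sources(peak, per_source_limit):
    """Sources whose peak per-window rate exceeds the limit: candidates for upstream blocking."""
    return sorted(ip for ip, n in peak.items() if n > per_source_limit)


def aggregate_peak(per_window):
    """Highest total request count seen in any single window (compare against capacity)."""
    return max((sum(c.values()) for c in per_window.values()), default=0)


def crisis_allow(ip, domestic_prefixes):
    """Crisis-mode rule from the case study: admit only addresses inside domestic prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in domestic_prefixes)


def make_sample_log():
    """Constructed log: three ordinary clients and one host sending 40 requests in 10 seconds."""
    fmt = '{ip} - - [09/May/2007:23:00:{s:02d} +0300] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format(ip="192.0.2.10", s=1), fmt.format(ip="192.0.2.10", s=5),
             fmt.format(ip="192.0.2.11", s=3), fmt.format(ip="198.51.100.20", s=4)]
    lines += [fmt.format(ip="198.51.100.7", s=i % 10) for i in range(40)]
    lines.append("not a log line")  # parser must skip junk without aborting
    return lines


def triage(lines, window_seconds=10, per_source_limit=20, capacity_per_window=50):
    """Full pass: parse, rate, flag, and report how close the flood is to server capacity."""
    records = [r for r in map(parse_line, lines) if r]
    peak, per_window = source_rates(records, window_seconds)
    total = aggregate_peak(per_window)
    return {
        "records": len(records),
        "block": flag_sources(peak, per_source_limit),
        "peak_total": total,
        "near_capacity": total >= 0.8 * capacity_per_window,
        "crisis_drop": sorted(ip for ip in peak if not crisis_allow(ip, DOMESTIC)),
    }


if __name__ == "__main__":
    print(triage(make_sample_log()))
```

Two design points matter in practice. A per-source limit alone misses a botnet whose individual members each stay under the limit, which is why the aggregate-versus-capacity check is kept separate: the response when total load approaches capacity (upstream rate limiting, the crisis filter) is different from blocking a handful of loud hosts. And the crisis filter is a blunt instrument that also drops legitimate foreign users, which is exactly the trade-off the case study's "deny anyone in another country access to domestic servers" safeguard implies.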

Are 'Cyber-Militias' Attacking Kyrgyzstan?

FEBRUARY 5, 2009, 1:01 PM

By ROBERT MACKEY

http://thelede.blogs.nytimes.com/2009/02/05/are-cyber-militias-attacking-kyrgyzstan/?hp

In The Guardian, Danny Bradbury writes that before Kyrgyzstan made news this week by threatening to evict the United States military from a leased airbase, the country apparently endured a two-week attack on its Internet service by what one Web security expert called a "cyber-militia" based in Russia.

Mr. Bradbury reports that from Jan. 18 until last weekend, Kyrgyzstan, a former Soviet republic, was "pummeled by a massive distributed denial of service attack." In The Wall Street Journal last week, Christopher Rhoads reported that Don Jackson, the director of threat intelligence at an Atlanta-based Internet security firm called SecureWorks, pointed the finger at "Russia's cyber underground." As Mr. Rhoads wrote in The Journal:

The denial-of-service attack — which swamps Web sites with so many hits that they are forced to shut down — has targeted the two main Internet service providers in the country, which account for more than 80 percent of Kyrgyzstan's bandwidth, according to Mr. Jackson. The episode has shut down Web sites and made e-mailing impossible, he said.

On Mr. Jackson's SecureWorks blog, he summed up his findings last week:

The two primary Kyrgyzstan ISPs (www.domain.kg, www.ns.kg) have been under a massive, sustained DDoS attack almost identical in some respects to those that targeted Georgia in August 2008. Few alternatives for Internet access exist in Kyrgyzstan. With just two smaller ISPs left to handle the load, these attacks from Russian IP address space have essentially knocked most of the small Central Asian republic offline.

Last August, it was widely reported that, as CNET reported, the Georgian government had "accused forces within Russia of launching a coordinated cyberattack against Georgian Web sites, to coincide with military operations in the breakaway region of South Ossetia." On his blog, Mr. Jackson quotes Alexander Denezhkin, from the Russian firm Cybersecurity.ru, who said at the time, "Cyber-attacks are part of the information war, making your enemy shut up is a potent weapon of modern warfare."

(For more background on the August attacks on Georgian ether, see The Times' Mike Nizza's reporting for The Lede, and John Markoff's post on our sibling blog (blogling?) Bits.)

But Mr. Bradbury reports that another Web security expert, Jeffrey Carr, does not share Mr. Jackson's belief that the Russian government is responsible for the attacks. In a post on Mr. Carr's blog — headlined "Why I believe that the Kyrgyzstan Government hired Russian hackers to launch a DDOS attack against itself" — he explains that he thinks this is part of a government crackdown on an opposition party in Kyrgyzstan that uses the Internet to organize. Mr. Carr writes:

The most direct way to discover the motive behind the attacks is to look at what's happening simultaneously WITH the attacks. I created a list here. All but one are related to the formation of the United Popular Movement (UPM), who are calling for the ouster of Bakiyev because of cronyism and his lack of democratic reforms, as well as his inability to fix the ailing economy of the country. Denying the UPM Internet access, along with arresting their leaders, is a classic one-two punch.

Almost this exact scenario happened in 2005 when Bakiyev, then an opposition leader, successfully led a regime change against then President Akayev. Cyber attacks occurred then as well, effectively blocking access to opposition Web sites.

Finally, the Kyrgyz government has the ability to combat this threat, and the office responsible has done nothing about it.

"This is not a sophisticated attack, and it's being routed through Russian servers," Mr. Carr continued, adding that if the Kyrgyz government wanted to stop the attack, "it would be a relatively easy matter for them to do so."

If the government is indeed using cyber-militias to suppress political opposition, that would be a sad end to the story of the country's president, Kurmanbek Bakiyev, who led the "so-called Tulip Revolution" that forced the previous president out of office in 2005, and who was then elected president himself with nearly 90 percent of the vote. (Doubts about that revolution's true nature were raised within days, though: Craig Smith reported from Kyrgyzstan for The New York Times in 2005 that "the uprising a week ago begins to look less like a democratically inspired revolution and more like a garden-variety coup.")

Whatever the motive behind the attacks, a blogger at HostExploit.com describes the attacks on Kyrgyzstan as the drawing of a "Cyber Iron-Curtain" across the Internet as it runs through Russia to other countries that were once part of the Soviet Union.

Cyber Czars, Thumb Drives and Marines

BY BOB BREWIN 02/05/09 06:46 pm ET

http://whatsbrewin.nextgov.com/2009/02/cyber_czars_thumb_drives_and_m.php

I recently had a chat with Dale Meyerrose, former chief information officer for the Director of National Intelligence, and since last month the vice president and general manager of Cyber and Information Assurance for Harris Corp. I want to pass on some of his insights on cyber czars and how clever Marine NCOs can figure out how to do end runs on security policies.

The United States faces so many challenges in cyberspace that Meyerrose believes the Obama administration needs to appoint a cyber czar in the White House to manage all stuff cyber across the entire federal government. He suggested that any new White House cyber chief should have sway over networks and systems used in the public sector, which manage everything from power distribution to online check-in for airline flights. Meyerrose called cyberspace "the soft underbelly" of the American economy and said that, as such, it needs attention from the top.

Last November the Defense Department temporarily banned the use of thumb drives and other removable storage devices from its systems. I asked Meyerrose what he thought about the restriction. He said he did not view thumb drives as posing any more of a threat to Defense systems "than anything else that touches the network." He said he considered the ban a result of poor policies on the use of removable media.

Meyerrose said threats to federal systems do not stem from technology, but from the policies, practices and procedures that govern how folks use that technology. Meyerrose agreed that clever Marine NCOs (which I used to be) will usually figure that rules really don't apply to them and then smartly execute an end run.

To avoid this two-step, Meyerrose said Defense needs to develop policies, practices and procedures that garner buy-in throughout the chain of command, not just at the top.

During his intelligence tour, Meyerrose embraced the use of the technology behind social networking sites such as Facebook for use behind the firewall, and said widespread use of such technologies should be spurred by joint Defense and intelligence community e

Circling the wagons

By Alan Joch
Feb 09, 2009
http://fcw.com/articles/2009/02/09/officials-team-up-on-security.aspx

State and local homeland security officials team on projects to counter funding uncertainty

Scott Appleby knows how to do more with less. He has to because, as director of emergency management and homeland security for Bridgeport, Conn., he's seen the federal investment in his community's safety drop dramatically.

Bridgeport got $938,000 in federal homeland security grants in 2004, and only $136,860 in 2006, the most recent year for which figures are available. And Appleby is not alone. After reaching a peak of $2.9 billion in 2004, grants to state and local governments dropped to $1.8 billion last year. 

So local officials have devised new strategies to keep essential services in place. Rather than halt or delay important projects in the face of such cutbacks, Bridgeport joined forces in 2007 with first responders and related agencies from 13 surrounding municipalities. The effort will soon result in a regional communications system that will serve a wide range of public agencies.

"When a response is required, we're the ones that will be sending our men and women into" harm's way, Appleby said, adding that regional planning represents a more effective approach for homeland security. "It's been very positive to focus on where the money is actually needed in our region," he said.

Coastal Connecticut isn't the only area finding strength in numbers for homeland security projects. Agencies elsewhere are joining with surrounding jurisdictions and commercial companies to fund large-scale technology projects, such as interoperable regional radio communications systems, and develop cybersecurity safeguards.

Such collaboration might become the new model for homeland security projects, but it also poses risks. Competing priorities or poorly assigned responsibilities can bog down projects with many partners, so officials who were accustomed to making their own decisions must learn new ways to get things done.

"A lack of funds is going to drive agencies to collaborate more with partners to pool what funding they have on a regional basis," said Arnold Bogis, a research fellow at Harvard University's Belfer Center for Science and International Affairs.

Research firm Input recently reported that 37 states and the District of Columbia are now bracing for a combined $31.2 billion in budget shortfalls by midyear. It added that a majority of city and county information technology managers expect their technology budgets will likely remain flat or decrease during the next two years, which will contribute to a $30 billion decline in cumulative IT spending during the next five years.

When budget cuts hit state and local homeland security efforts, the first victims typically are cutting-edge technologies for first responders, sophisticated tools used in cross-agency fusion centers, or analytical software designed to scour raw data for terrorist plots, said Chris Dixon, Input's manager of state and local industry analysis.

Meanwhile, current and future shortfalls can also dilute the benefits of previous investments.

For example, earlier in this decade, Massachusetts bought custom trailers for mass casualty incidents that house supplies and equipment essential for helping first responders treat victims of a large-scale terrorist attack. But when the inspector general's office recently tested the trailers' effectiveness, investigators uncovered several problems. The problems ranged from basic things, such as knowing who carries the keys to individual trailers, to lapses in the regular maintenance needed to keep the equipment in working order.

"I wouldn't be shocked to find a similar case elsewhere where specialized equipment has been purchased," Bogis said. "With stresses on budgets, there isn't the manpower to test it, practice with it and do the upkeep."

Coordinated cybersecurity
Pooling resources is becoming an increasingly flexible option for overcoming budgetary stress. And some agencies, such as New York's cybersecurity department, are looking beyond their borders for collaboration opportunities.

A cyberattack in one state could have ripple effects in other jurisdictions, said William Pelgrin, director of New York state's Office of Cyber Security and Critical Infrastructure Coordination. "We're so interconnected, let's all pull together and share," he said.

As a result, New York teamed with Michigan and New Jersey on an application that helps local governments perform internal cybersecurity assessments. The application also will collect data — with personal information redacted — from local entities for aggregation and analysis by the state sponsors to identify and track cyberattacks as they unfold.

"This project goes across state lines," Pelgrin said. "It's a very collaborative effort." 

New York also looked for partnering opportunities with the federal government to help meet the state's deadline to encrypt the data stored on all mobile devices by the end of last year. Pelgrin worked with Karen Evans, the recently retired administrator of the Office of E-Government and Information Technology at the Office of Management and Budget, to piggyback on a federal procurement contract for the data-scrambling technology.

Pelgrin's group negotiated a volume discount that saved the state $3 million, he said.

Meanwhile, the 14-town regional approach that Bridgeport belongs to pools DHS funds of about $1 million from the State Homeland Security Program and more than $1 million from the Urban Area Security Initiative, in addition to Bridgeport's port security funding. The smaller communities, with only small grants to contribute, benefit from pooling resources. "They really couldn't do enough with it" alone, Appleby said.

One of the first beneficiaries of regional collaboration was the emerging interoperable communications system, which received $6 million from the Justice Department's Community Oriented Policing Services grants. The original goal was to enhance interoperability among Bridgeport's various departments and then gradually add any outside support agencies that would likely respond if the city needed help. But in 2007, after the city was invited to apply for an additional COPS grant, it earmarked funds to broaden the use of the Fairfield County police frequency.

"The smaller towns may not have had the money to enhance that frequency, so that in itself has been part of the push to show that we are in this together, especially after what we saw [with communications breakdowns] during Katrina and Sept. 11," Appleby said.

The region is now working to ensure that its fire and emergency medical services departments can use the same frequency.

Although regional collaboration makes intuitive sense, Appleby warned that it requires regular involvement by a wide range of officials to succeed. Nearly 75 agencies, including representatives from the area's airports, railroads and ferryboat services, participate in various subgroups that meet at least once a month. It's an admittedly large but necessary coalition, he said.

"You can't have an entire committee filled with police, fire and EMS officials," he said. "We have to prioritize ourselves as a community, as a region, and not just as individual disciplines." 

To iron out conflicting requirements, the committee bases its decisions on a strengths, weaknesses, opportunities and threats analysis, he added. "If we start to diverge from that, it becomes a wish list."

Wide representation can also help uncover new funding sources when federal funding alone falls short. "If a need doesn't get met through [the] Homeland Security [Department], we look for another grant to go after," Appleby said. "And if there isn't a grant out there, but there's an important project, we find ways for the towns to collaborate with $1,000 or $5,000 each to get the project up and running."

Mixed results
As federal funds run dry, some regional groups are looking outside the public sector for aid. One model in this area cultivates increased collaboration among agencies and commercial companies where agencies agree to act as showcases for new installations in exchange for low-cost or no-cost technology and services.

The Piedmont Regional Voice over IP Pilot Project chose that route three years ago. The group is working to bring about interoperable communications among Virginia's Pittsylvania County; Danville and South Boston & Halifax, Va.; Virginia's state police; Caswell County, N.C.; and North Carolina's highway patrol. Planners wanted a communications system that serves law enforcement along with the public safety agencies and utilities in that area.

So participants partnered with Cisco Systems for communications equipment based on widely used IP standards rather than the proprietary technologies commonly used in older systems. If each entity uses equipment that supports the standard, departments can communicate with one another, even if they have equipment from different vendors.

Cisco offered the equipment and implementation services in return for using the group to show other public-sector agencies how the technology works outside controlled laboratory conditions. Cisco officials were particularly interested in the Piedmont project because participants spanned multiple levels of state, county and municipal agencies. In return for the communications gear and expertise, "we were able to give them a test bed and sweat equity," said Maj. Dean Hairston, an officer with the Danville police and its Services Division commander when the project began.

The project's total cost could have risen to hundreds of thousands of dollars, but because of free technology and services from commercial vendors, the regional consortium expects to pay only a fraction of that when a system comes online later this year.

However, public/private partnerships can be frustrating, even if they save money. "It's not for the faint of heart," Hairston said.

Problems arose when commercial customers took priority over the showcase group's needs. Technical staff members sometimes weren't available to solve implementation problems, which led to scheduling difficulties and unmet milestones. Delays risk waning interest in launching a complex interoperability project when multiple agencies are involved, he said.

As a result, the system hasn't been fully implemented after three years. Up to now, it's been used primarily for demonstrations and nonemergencies. The project coordinators didn't want people to rely with their lives "on a system that wasn't 100 percent," Hairston said.

Are the benefits of a commercial partnership enough to consider the approach? Hairston thinks so, but with some caveats. Instead of relying on a vendor's project manager, he said it's important to designate someone from the public sector in that role, or at a minimum, as a co-manager. This ensures a single point of contact, and someone who can focus all of his or her energies on the program.

"You really need someone from the agency who's the driving force to say, 'Here is the schedule. I need this by this date,' " Hairston said.

Before finalizing an agreement, agencies also need to identify hidden costs and negotiate who will be responsible for them. It is much better to resolve those issues in the beginning than risk having them later derail the project.