Tuesday, June 30, 2009

Deep-Packet Inspection in U.S. Scrutinized Following Iran Surveillance (Threat Level)

Following a report last week that Iran is spying on domestic internet users with western-supplied technology, advocacy groups are pressuring federal lawmakers to scrutinize the use of the same technology in the U.S.

The Open Internet Coalition sent a letter to all members of the House and Senate urging them to launch hearings aimed at examining and possibly regulating the so-called deep-packet inspection technology.

Two senators also announced plans to introduce a bill that would bar foreign companies that sell IT technology to Iran from obtaining U.S. government contracts, legislation that is clearly aimed at the two European companies that reportedly sold the equipment to Iran.

The Wall Street Journal reported last week that Nokia Siemens Networks, a joint venture between Germany's Siemens and Finland's Nokia, recently gave Iran deep-packet inspection equipment that would allow the government to spy on internet users.

According to the Journal, Iranian officials have used deep-packet surveillance to snoop on the content of e-mail, VoIP calls and other online communication as well as track users' other online activity, such as uploading videos to YouTube. Iranian officials are said to be using it to monitor activists engaged in protests over the country's recent disputed presidential election, though the Journal said it couldn't confirm whether Iran was using the Nokia Siemens Networks equipment for this purpose or equipment from another maker.

Nokia Siemens has denied that it provided Iran with such technology.

But similar technology is being installed at ISPs in the U.S.

It spurred extensive controversy last year when Charter Communications, one of the country's largest ISPs, announced that it planned to use deep-packet inspection to spy on broadband customers to help advertisers deliver targeted ads.

The plan sparked a backlash and heated congressional hearings. Publicity about the issue died down, however, after Charter retreated from its plan, and Congress moved on to other matters. But deep-packet inspection didn't go away.

ISPs insist they need it to help combat spam and malware. But the technology is ripe for abuse, not only by ISPs but also by the U.S. government, which could force providers to retain and hand over data they collect about users.

In its letter to lawmakers (.pdf) urging them to investigate the technology, the Open Internet Coalition delicately avoided placing the U.S. government in the same category as Iran by not mentioning possible U.S. government abuses of the technology.

"We do not believe U.S. network owners intend to interfere with political communications in the way the Iranian government is doing, but the control technologies they are deploying on the internet carry the same enormous power," the Coalition writes. "And, whether an inspection system is used to disrupt political speech or achieve commercial purposes, both require the same level of total surveillance of all communications between end-users and the internet."

At a House subcommittee hearing this year to examine the technology, Rep. Rick Boucher (D-Virginia) also expressed alarm.

"The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every e-mail or attached document is alarming," he said.

With regard to the sale of the technology to Iran, Sens. Charles E. Schumer (D-New York) and Lindsey Graham (R-South Carolina) attempted to address the Nokia Siemens issue with a bill that would prevent foreign companies selling sensitive technology to Iran from either obtaining new government contracts or renewing existing ones, unless they halt their exports to Iran.

According to NextGov, Nokia did more than $10 million in business with the U.S. government between 2000 and 2008; Siemens has nearly 2,000 U.S. government contracts and obtained $250 million in U.S. government contracts this year alone. Nokia Siemens Networks currently has more than $5 million in U.S. government contracts.

Neither Schumer nor Graham mentioned how such a law would be enforced if foreign companies used proxies to sell their products to Iran to circumvent the regulation.

The U.S. government embargo against U.S. companies selling to Iran is one of the tightest. The embargo currently prevents any U.S. individual or company from obtaining a license to sell goods and technologies to Iran that could be used for, among other things, missile proliferation purposes, chemical and biological warfare proliferation, human rights and crime control. The embargo, however, has done little to prevent Iran from obtaining U.S. technology anyway.

In the meantime, consumers called for a boycott of Nokia and Siemens products. And Hands Across the Mideast Support Alliance (HAMSA) has organized a writing campaign urging users to send a protest letter to Nokia. According to the organization's site, nearly 4,000 people have acknowledged sending the letter so far.

NSA EDGES OUT OTHERS IN CYBER COMMAND CONTROL (Defense Tech)

Last week Defense Secretary Robert Gates ordered U.S. Strategic Command (StratCom) to deliver a plan to stand-up a new command to oversee information technology security and attack – what would be known as "Cyber Command." This is in addition to President Obama's announcement last month that he will establish a new cyber security office at the White House. The historic event took place on Tuesday, June 22nd.

As one could imagine, this is no small task. StratCom has just a little over sixty days to accomplish this mission. The plan to create this new entity operating within the Department of Defense and led by a 4-star general is due to the Defense Secretary by September 1st. According to Gates' timeline, Cyber Command is expected to be up and operational by October 1, 2009, and fully functional one year later. An internal memo from Gates to senior Pentagon officials stated that he intends to recommend that Lt. Gen. Keith Alexander, the current director of the National Security Agency, take on the role as commander of the Cyber Command with the rank of a four-star general.

What this will actually cost is anyone's guess. Current thinking is that the budget to just establish the new command through year's end could reach as high as $200 million. Longer term, the cost of cyber intelligence, defense and offensive capabilities is estimated to be around $55 billion annually. This will create our offensive cyber forces and capabilities and defend the over 100,000 DoD Networks and 5 million DoD computers against cyber attack. One might say it is just a drop in the bucket of a 2009 DoD budget that topped $515 billion.

The United States is not the only country making this move. The UK defense ministry announced plans to establish an office of cyber attack and defense but gave no hard date when it would be operational. Britain's GCHQ (Government Communications Headquarters, their equivalent of the NSA) seems to be well underway in fully developing their cyber capabilities. In addition, the defense ministry of South Korea has also announced plans to establish a cyber command by 2012.

Internal cooperation is critical for cyber incident investigations and event attribution. As more and more countries establish a focal point for cyber defense, the greater the opportunity to conduct these investigations and accurately identify those behind cyber attacks.

-- Kevin Coleman

StratCom Plows Ahead on Cyber (DoD Buzz)

http://www.dodbuzz.com/2009/06/29/stratcom-plows-ahead-on-cyber/

You are the commander of Strategic Command, charged with coming up with an implementation plan for the new cyber command within 60 days. But there's going to be a new head of cyber command, a four-star just like you, and Lt. Gen. Keith Alexander has the Big Mo on his side. And Alexander is known as an almost crazily foxy guy who has rebuilt the NSA and will be largely dependent on folks from NSA for most of his capabilities. Air Force Gen. Kevin Chilton is known as one of the brainiest generals around. Hmmm. Who's going to win this bureaucratic game will be great fun to watch.

For some idea of just what may lie ahead, have a look at this April 7 speech by Chilton, which has been quoted by the two cyber warriors with whom I speak. This is not about improving the country's IT capabilities in terms of efficiency and information sharing. This is about life and death on the battlefield.

"It's not a convenience any more, it's a dependency. We need to recognize that we need this domain and we need these systems to conduct our fight today and tomorrow. We need to recognize that we can fight in this domain just as an air-to-air fighter can fight in the air domain; and we can fight through this domain and affect other domains just as an airplane can drop a bomb on a land domain and create effects across a domain. And as commanders we must appreciate the vulnerability of this domain, not just its importance. We have to transition from a culture of convenience to a culture of responsibility. We must recognize vulnerability — the vulnerability that one system can create here on the other side of the world, not just locally," Chilton said. For more on this, have a look at Kevin Coleman's piece below from Defense Tech.

Last week Defense Secretary Robert Gates ordered U.S. Strategic Command (StratCom) to deliver a plan to stand-up a new command to oversee information technology security and attack – what would be known as "Cyber Command." This is in addition to President Obama's announcement last month that he will establish a new cyber security office at the White House. The historic event took place on Tuesday, June 22nd.

As one could imagine, this is no small task. StratCom has just a little over sixty days to accomplish this mission. The plan to create this new entity operating within the Department of Defense and led by a 4-star general is due to the Defense Secretary by September 1st. According to Gates' timeline, Cyber Command is expected to be up and operational by October 1, 2009, and fully functional one year later. An internal memo from Gates to senior Pentagon officials stated that he intends to recommend that Lt. Gen. Keith Alexander, the current director of the National Security Agency, take on the role as commander of the Cyber Command with the rank of a four-star general.

What this will actually cost is anyone's guess. Current thinking is that the budget to just establish the new command through year's end could reach as high as $200 million. Longer term, the cost of cyber intelligence, defense and offensive capabilities is estimated to be around $55 billion annually. This will create our offensive cyber forces and capabilities and defend the over 100,000 DoD Networks and 5 million DoD computers against cyber attack. One might say it is just a drop in the bucket of a 2009 DoD budget that topped $515 billion.

The United States is not the only country making this move. The UK defense ministry announced plans to establish an office of cyber attack and defense but gave no hard date when it would be operational. Britain's GCHQ (Government Communications Headquarters, their equivalent of the NSA) seems to be well underway in fully developing their cyber capabilities. In addition, the defense ministry of South Korea has also announced plans to establish a cyber command by 2012.

Internal cooperation is critical for cyber incident investigations and event attribution. As more and more countries establish a focal point for cyber defense, the greater the opportunity to conduct these investigations and accurately identify those behind cyber attacks.

Monday, June 29, 2009

Obama and Cyber Defense (WSJ)

Government should protect our e-infrastructure.

http://online.wsj.com/article/SB124623073971766069.html

In a Monty Python skit from 1970, the Vercotti brothers, wearing Mafia suits and dark glasses, approach a colonel in a British military barracks. "You've got a nice army base here, Colonel," says Luigi Vercotti. "We wouldn't want anything to happen to it." Dino explains, "My brother and I have got a little proposition for you, Colonel," and Luigi elaborates, "We can guarantee you that not a single armored division will get done over for 15 bob a week."

If the idea of the military having to pay protection money to the mob seems silly, imagine what Monty Python could do with last week's White House decision on security. It announced a new "Cyber Command" to protect information infrastructure, but stipulated that the military is allowed to protect only itself, not the civilian Internet or other key communications networks. When President Barack Obama announced the plan, he stressed that it "will not -- I repeat -- will not -- include monitoring private-sector networks or Internet traffic." It's like telling the military if there's another 9/11 to protect the Pentagon but not the World Trade Center.

The announcement shows that our political system is still ambivalent about how to defend communications networks such as the Internet. We expect privacy, but we know that intrusive techniques are required to protect the system from cyber attacks. How to balance privacy with preventing attacks that would undermine the system altogether?

It's an open secret that the National Security Agency (NSA) must operate through civilian networks inside the U.S. in order to prevent millions of cyber attacks every year by foreign governments, terror groups and hackers. Likewise, the NSA must follow leads through computer networks that run through innocent countries. "How do you understand sovereignty in the cyber domain?" asked James Cartwright, vice chairman of the Joint Chiefs of Staff, in a recent speech. "It doesn't tend to pay a lot of attention to geographic borders."

The risks are real. Cyber attacks on Estonia and Georgia by Russia in recent years forced government, banking, media and other Web sites offline. In the U.S., the public Web, air-traffic control systems and telecommunications services have all been attacked. Congressional offices have been told that China has broken into their computers. Both China and Russia were caught having infiltrated the U.S. electric-power grid, leaving behind software code to be used to disrupt the system. The risk of attacks to create massive power outages is so serious that the best option could be unplugging the U.S. power grid from the Internet.

The military is far ahead of civilian agencies such as Homeland Security and is now focused on cyber offense as well as defense. Cyberspace, says Gen. Kevin P. Chilton, commander of the U.S. Strategic Command, is the new "domain," joining the traditional domains of air, land and sea. Each is a focus for both defense and attack. The U.S., a decade behind China, is now officially focused on using cyber warfare offensively as well as defensively.

The U.S. is an inventive nation, so we'll get to the right answer on security if we ask the right questions. What if the only way the military can block a cyber attack is to monitor domestic use of the Web, since foreigners use the Web to launch cyber attacks? What is a "reasonable" search in a virtual world such as a global communication network? What's the proper response to cyber attacks?

If cyber war is a new form of war, wouldn't most Americans adjust their expectations of reasonable privacy to permit the Pentagon to intrude to some degree on their communications, if this is necessary to prevent great harm and if rules protecting anonymity can be established? Finally, wouldn't it be better for politicians to encourage a frank discussion about these issues before a significant attack occurs instead of pretending there are no trade-offs?

Only the NSA, which operates within the Defense Department, has the expertise to protect all U.S. networks. It has somehow found ways to mine needed data despite pre-Web rules that restrict its activities domestically. But the question remains: How can the military get enough access to private, domestic networks to protect them while still ensuring as much privacy as possible? One logical approach is for Homeland Security to delegate domestic defense to the NSA, but for the domestic agency to maintain enough responsibility to have political accountability if privacy rights get violated in the process.

We'll look back on the current era, with the military constrained from defending vital domestic interests, as an artifact of an era when it was easy to point to what was foreign and what was domestic. In the digital world, as the cyber threat shows, physical distinctions such as political borders are unhelpful and can be dangerously confusing.

Google mistakes Michael Jackson searches for cyber attack

Posted: 14:56 29 Jun 2009

Google has admitted that it mistook the sudden spike in searches for Michael Jackson last week for an automated cyber attack.

As word spread of Michael Jackson's death there was a "meteoric rise" in related searches.

"Search volume began to increase around 2:00pm (PDT), skyrocketed by 3:00pm, and stabilised by about 8:00pm," Google product manager RJ Pittman said in a blog post.

According to Pittman, last week also saw one of the largest mobile search spikes ever seen, with five of the top 20 searches about Jackson.

As a result, for about 25 minutes, when some people searched Google News they saw a "We're sorry" page before finding the articles they were looking for, said Pittman.

The surge in demand for news and information about Michael Jackson hit most US news sites, with many taking more than double the usual time to respond.

Microblogging site Twitter was forced to disable some functionality on the network to keep the service working.

Web Filtering Company Reports Cyber Attack To FBI (Information Week)

The U.S.-based company that claims its programming code was unlawfully included in China's Green Dam software reports being targeted by a cyber attack.

By Thomas Claburn, InformationWeek
June 29, 2009
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=218101882

Solid Oak Software, the Santa Barbara, Calif.-based maker of Web filtering software called CYBERsitter, on Friday contacted the FBI to investigate a cyber attack on the company that appears to have come from China.

Earlier this month, the company charged that the Green Dam Web filtering software, made by two Chinese companies, contains its proprietary computer code. The Chinese government wants all PCs sold in China to include Green Dam starting on July 1.

Although the U.S. government and trade organizations have asked China to rescind its Web filtering rule, Sony has already begun shipping PCs with Green Dam installed.

Jenna DiPasquale, head of public relations and marketing for Solid Oak, said that following the receipt of suspicious e-mail messages sent recently to company executives and unexplained server problems, a Microsoft representative had volunteered to analyze the suspicious e-mail for malware.

A request for comment from Microsoft, submitted through DiPasquale, was declined.

But DiPasquale confirmed that Microsoft's investigator identified the messages as malicious. "They did determine that the files were infected and that the attack was specifically created for us," she said in an e-mail. "We discovered several one-off emails similar in nature that were caught by our filters. We do not know yet for certain, but it does appear that the e-mails are Chinese in origin."

Green Dam is made by Jinhui Computer System Engineering Co, and its Web filtering black list is provided by Beijing Dazheng Human Language Technology Academy Co.

The senders of the infected messages "used spoof-name Gmail accounts to create the attacks, and the documents sent were meant to appear like a clean e-mail," DiPasquale explained. "The infected documents referenced Jinhui and Green Dam and the attacks were written using Chinese language software. This is how we suspect that they are Chinese in origin. We discovered different types of attacks caught in our defensive gateway, AlliGate."

Solid Oak president Brian Milburn believes the attacks were the work of skilled computer professionals who have knowledge of his company, according to DiPasquale.

Solid Oak, however, is not the only company under attack for its involvement with Green Dam. The English-language China Daily said last week that Jinhui had received more than 1,000 death threats since the government's filtering rule was first reported earlier this month.

After three University of Michigan researchers identified security flaws and copied code in Green Dam, the Chinese government directed the makers of Green Dam to fix the security vulnerabilities, according to a report in the English-language China Daily.

But according to a June 25 report published by Solid Oak, the most recent release of Green Dam (v3.17) still contains four files from CYBERsitter. The copied files are not merely lists of sites to be blocked, the report alleges, they also contain programming code.

"Contrary to statements made by Green Dam's developer that these were just 'lists of international pornographic sites,' the code lines shown above are code snippets that tell CYBERsitter (and Green Dam) how to handle word combinations when found in URLs, search queries, or page content," the report says.

Solid Oak has advised Dell and HP that they face legal liability if they comply with the Chinese government mandate and ship PCs with Green Dam.

The U.S. government last week lodged a formal protest of the Green Dam mandate. Chinese authorities did not respond directly. However, the Chinese Ministry of Health's decision on Friday to issue new anti-pornography rules affecting sex education sites suggests that Chinese authorities intend to resist public pressure.

Sunday, June 28, 2009

Cyber Command: Observers worry about unintended consequences (FCW)

http://fcw.com/articles/2009/06/25/cyber-command-dod-nsa.aspx

DOD, NSA offer formidable pairing, experts say

The Defense Department's new U.S. Cyber Command is now the cybersecurity heavyweight in the government division, according to numerous media accounts.

Defense Secretary Robert Gates and other Defense Department officials have emphasized that the new organization, which will be commanded by the director of the National Security Agency (NSA), would have a clearly defined role: Protecting military networks and conducting offensive cyber operations against hostile forces (read GCN's news story here).

But the sheer size and importance of DOD's military operations have caused some observers to wonder about how big an effect the Cyber Command might have outside its own domain.

The Washington Post quotes analysts who say Gates announced the command in a memo, rather than in a speech, in an "effort to tamp down concerns that the Defense Department and the NSA will dominate efforts to protect the nation's computer networks."

The Post also offers up this tidbit:

"Is it going to be the dominant player by default because the Department of Homeland Security is weak and this new unit will be strong?" said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies. "That's a legitimate question, and I think DOD will resist having that happen. But there are issues of authorities that haven't been cleared up. What authorities does DOD have to do things outside the dot-mil space?"

Meanwhile, in Computerworld, Alan Paller, director of research at SANS Institute, wonders if the partnership between DOD and NSA could hamper other cybersecurity initiatives.

It is possible that the new command will "so militarize the Information Assurance Division of NSA" that it could harm the public-private partnerships that are important for security, he says. But otherwise, Paller considers the new command a "spectacular idea."

Other observers are concerned about the diplomatic ramifications of taking military operations into cyberspace, according to the New York Times.

"I can't reiterate enough that this is not about the militarization of cyber," said Bryan Whitman, a DOD spokesman, in discussing Gates' order on Tuesday.

"This is an internal Department of Defense reorganization," Whitman said. "It is focused only on military networks to better consolidate and streamline Department of Defense capabilities into a single command."

Ex-DHS Cyber Chief Tapped as President of ICANN (Washington Post: Security Fix)

http://voices.washingtonpost.com/securityfix/2009/06/ex-dhs_cyber_chief_tapped_as_p.html?wprss=securityfix


Former Department of Homeland Security cyber chief Rod A. Beckstrom has been tapped to be the new president of the Internet Corporation for Assigned Names and Numbers (ICANN), the California-based non-profit, which oversees the Internet's address system.

Most recently, Beckstrom was director of the National Cyber Security Center -- an organization created to coordinate security efforts across the intelligence community. Beckstrom resigned that post in March, citing a lack of funding and authority.

Beckstrom joins ICANN as the Internet governance body faces some of the most complex and contentious proposed changes to the Internet's addressing system in the organization's entire 11-year history. For example:

-- The United States is under considerable pressure to give up control over ICANN and turn it over to international supervision and management. ICANN currently operates under a Joint Project Agreement with the U.S. government, but that agreement is due to expire at the end of September.

-- Currently, there are 21 so-called "generic top-level domains," such as dot-com, dot-net, dot-biz, and dot-org. Under pressure from domain speculators and many businesses, ICANN is now in the process of radically expanding the number of new gTLDs to include potentially hundreds more, to include things like brand names (e.g., dot-nike or dot-google), places (e.g., dot-berlin or dot-ohio), or even sports franchises (e.g., dot-yankees). Intellectual property rights lawyers and some business groups have opposed expanding the number of gTLDs without first putting in place a system for addressing disputes over domains that could violate trademark rights.

-- ICANN is moving to implement so-called "internationalized domain names," which will allow the creation and display of domain names written in different alphabets and languages, such as domains featuring Chinese and Russian characters. IDNs are hardly controversial, but they do hold the potential to give scam artists like phishers a whole new way to trick people into visiting scam sites. Consider, for example, that the Cyrillic "a" and the Latin "a" may look alike to humans, but they are interpreted differently by machines. As a result a domain name registered by fraudsters that includes a mix of Cyrillic and Latin letters might look like a familiar brand when presented in a Web link, but lead to a counterfeit version of that brand's Web site designed to steal customer data.
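
The mixed-script lookalike described in the last item can be detected mechanically. The following is an added example, not part of the original article: a Python sketch that decodes each label of a domain name (including its `xn--` Punycode form) and reports labels that combine letters from more than one script. Reading the script from the Unicode character name is a heuristic assumed here, and all sample domains are constructed.

```python
import unicodedata


def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name.

    Heuristic (an assumption of this sketch): the standard library exposes no
    script property, so 'CYRILLIC SMALL LETTER A' is read as script 'CYRILLIC'.
    """
    if not ch.isalpha():
        return "COMMON"  # digits, hyphens, marks: shared by all scripts
    if ch.isascii():
        return "LATIN"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # code point without a name
        return "UNKNOWN"


def to_unicode_label(label):
    """Decode an 'xn--' label to Unicode; other labels are only lowercased."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # not valid Punycode: inspect it as written
    return label


def to_a_label(label):
    """Build the ASCII 'xn--' form of a label (used to construct sample input)."""
    return "xn--" + label.encode("punycode").decode("ascii")


def label_scripts(label):
    """Set of scripts used by the letters of one label."""
    return {s for s in map(char_script, label) if s != "COMMON"}


def mixed_script_labels(domain):
    """Return [(unicode_label, sorted_scripts)] for labels mixing scripts.

    Any label with letters from two or more scripts is reported. Legitimate
    multi-script writing systems (Japanese, for instance) are not modelled.
    """
    findings = []
    for raw in domain.rstrip(".").split("."):
        label = to_unicode_label(raw)
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((label, sorted(scripts)))
    return findings


# Constructed sample input. U+0430 is CYRILLIC SMALL LETTER A, which renders
# like the Latin "a" in most fonts.
SPOOFED = "ex\u0430mple.com"
SAMPLES = [
    "example.com",                         # all Latin
    SPOOFED,                               # Latin with one Cyrillic letter
    to_a_label("ex\u0430mple") + ".com",   # the same name in its ASCII form
    "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444",  # wholly Cyrillic
]

if __name__ == "__main__":
    for domain in SAMPLES:
        hits = mixed_script_labels(domain)
        print(ascii(domain), "->", hits if hits else "single script")
```

A name written entirely in one script, such as the wholly Cyrillic sample, passes this check; only the mixture the article describes is reported.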

Beckstrom was voted president of ICANN at the group's meeting in Sydney, Australia this week. On Thursday, I had the opportunity to speak via phone with Beckstrom about why he wanted this job, and what he hopes to do with it. Here are some excerpts from that interview:

BK: Congratulations on being picked.

Beckstrom: Thank you. You know, it's funny...I just got an e-mail from a friend who said he thought it would be hard to imagine me finding a more difficult job than running the NCSC [at DHS], but congratulating me on finding something even more impossible than that job [laughs].

BK: Yes. ICANN has a reputation for being difficult to manage and come to a consensus on even seemingly simple issues. Some people have likened it to herding cats. What made you want this job in the first place?

Beckstrom: Well, I've herded cats for a lot of my career. In fact, for 14 years, I ran CATS Software Inc., which had 35 Ph.Ds on the staff and two Nobel Prize winners on the board of directors, and let me tell you having that much brainpower in the shop is seriously like herding cats. So, maybe I have some experience there.

BK: What is your impression of ICANN and this process as you've watched the various communities coalesce down there for this week's meeting?

Beckstrom: I'm a bit overwhelmed by the tremendous complexity of issues on the table. This is perhaps the most complex, multi-stakeholder environment I've ever seen. So I have a great appreciation for that and a fascination with that, but I certainly wouldn't even claim to have a firm grasp on all of this yet. And that's one of the things I'll need to be learning as I grow into this role.

BK: Are there parallels between what you were doing at NCSC and this job?

Beckstrom: The NCSC was focused on developing good collaboration between very disparate parts of the U.S. government, and in terms of getting that human collaboration going, I feel we achieved some success there. At ICANN, there are some similar challenges: We have some very, very passionate stakeholder groups with very different interests. So, as a starfish guy this is kind of appealing.

[With the "starfish" reference, Beckstrom was making a clever plug for the book he co-authored in 2006, called "The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations." In it, Beckstrom and co-author Ori Brafman use the two creatures to illustrate their argument that decentralized organizations -- whether in the marketplace or the battlefield -- are more nimble, creative and resilient than those that operate in a rigid, top-down fashion.]

BK: What will be your top priorities as president of ICANN?

Beckstrom: The first step is to get to know the different communities involved, and after that to start understanding them. Then, I hope to be an effective agent or catalyst in assisting those portions of the communities that would like my involvement.

BK: As I'm sure you're aware, ICANN's decision to move forward on hundreds of new gTLDs has ruffled some feathers, particularly in the business and intellectual property communities. Critics of the current process say it's moving forward too quickly and that the new gTLDs are merely going to create a myriad of costly, legal headaches for brand owners, who will be forced to go out and register variations of their brand name in hundreds of new gTLDs to protect their brands. Are their concerns valid, and are they being addressed well enough?

Beckstrom: Having just spent the week here, I can tell you one of the prominent topics of debate were the intellectual property questions, with various parties proposing solutions. There are still different thoughts in the community: On the one hand, ICANN is receiving a lot of pressure from many companies around the world who want new gTLDs...who want them opened up and available. And others want reasonable mechanisms for some intellectual property review and process.

So, ICANN's role is to try to play a balancing role. ICANN doesn't have a firm position on what the solution is. ICANN is simply asking the global community of IP attorneys and others to develop the best possible solutions they can which can actually be implemented. But one of the solutions is not avoiding the gTLDs, because there's tremendous demand from all over the world to have those, and the number of companies who are opposing them appear to be a minority compared to those who think they should be out there and present.

BK: How would you like to see ICANN evolve over the next few years?

Beckstrom: I don't have any fixed opinions on that. What I hope ICANN will continue to do is to protect the globally unified, free, and open Internet. The Internet continues working as long as ICANN continues its support for the core address and naming functions. ICANN has done a superlative job of that often hidden and unappreciated function, which is vital.

BK: It is becoming clear that a large percentage of domains associated with cyber crime are in fact issued by domain registrars authorized to issue Web site names within so-called country code top-level domains (ccTLDs), such as the dot-cn ccTLD, maintained by China. Obviously, ccTLDs are administered by sovereign nations -- and therefore largely outside the governance of ICANN. But the international community's approach to tackling global malware outbreaks like the Conficker Worm showed that more cooperation and collaboration is needed by ccTLDs if we are to get a hold on the cyber crime problem. What additional role does ICANN have to play here?

Beckstrom: National governments have a tremendous say about what occurs within their borders, and that's the reality of the world. But we're really pleased that we do have a Government Advisory Council with formal official delegates from 83 different countries. That's one of our most precious stakeholder groups that I know the board of ICANN listens to carefully. And the range of issues that are brought before that important group are likely to increase over time.

But, clearly a growing part of the community is increasingly concerned about security, and Conficker is a great example of a focused way in which ICANN can collaborate with the other community members and add value to solving a critical and timely problem. And I'd like to see a lot more of that to help build the organization so that it can be more effective in doing that kind of thing on many different fronts.

By Brian Krebs | June 26, 2009; 7:30 AM ET

New command at tip of DoD cyber spear, Lt. Gen. Alexander says (Federal News Radio)

New command at tip of DoD cyber spear, Lt. Gen. Alexander says

By Jason Miller
Executive Editor
FederalNewsRadio

http://www.federalnewsradio.com/index.php?nid=35&sid=1705302


With Defense Secretary Robert Gates' announcement Tuesday of the new cyber command, senior officials from all four branches reacted with a mixture of relief and expectation.

"There is an awful lot of confusion in this complex environment," says Maj. Gen. Greg Schumacher, assistant to the deputy chief of staff for the Army G-2. "What I'm most looking forward to is having a single voice to articulate definitions, roles, missions and how we will conduct the missions, and that will enable us to be far more efficient and effective than previously to conduct operations."

Maj. Gen. David Senty, the Air Force's acting vice commander of the provisional cyberspace command and commander of network operations, says the DoD-wide office will make policy and procedures more seamless and consistent across the military.

Navy Rear Admiral-select Sean Filipowski, director of computer network operations at the Network Warfare Command, says the new command will provide better command and control for cyberspace, and a single point of accountability to sort out DoD's cyber mission.

And finally Ray Letteer, the chief for the Marine Corps Information Assurance Division, says the cyber command provides a much needed authoritative voice in cyberspace.

"We have trained individuals and we know how to defend the network," he says. "To be able to have a clear delineation of a fire control cell to tell us when we are supposed to go hot and when we are supposed to not [will be good]. We do that with artillery and air power, I'm looking forward to seeing the same type of thing in the cyber domain."

These were some of the reactions of the panelists at the AFCEA Cybersecurity conference in Washington Thursday.

Lt. Gen. Keith Alexander, director of the National Security Agency, summed up the plans around the new cyber command, saying this was Gates's way of making cyberspace a priority for all of DoD.

"When you think about what don't we have, if the point of integration for those [cyber] functions is me, we are in a hurt," he says. "Where is the staff that brings it all together? [The command] integrates it seamlessly so that in DoD you can operate smoothly between your network operations, the defense, the exploit and the attack as you need to. And you have the rules of engagement laid out, and where is the staff to do that? We don't have the staff to do that. The secretary of Defense is putting its commitment there. To the department, this is hugely important."

Alexander, who likely will be the head of the new subcommand, says the constant attack on DoD networks is overwhelming. He says there are 4,000 terrorist Web sites, and DoD's networks face 32,000 attacks a day from more than 100 countries.

"How do we defend our network?" he asks. "The way we've done it in the past, telling systems administrators to set patches and defend against what we do know, but not against what we don't know, is not working."

Alexander says there is no common defense across DoD. The network operations and defense are stovepipes, left to defend themselves without enough capabilities.

"Step one is to put that together and come up with mechanisms to do it," he says. "Set up a real time capability to have tipping and cueing between those sensors that is a global cryptological system that is seeing bad things happen and [telling the] defensive folks who are out there."

He adds that the command's goal is to come up with the techniques and procedures to defend the network in an active way and build mechanisms for the services to plug into.

"We got to give the network operators the right security clearance so they can get the right level of threat," he says. "So they can see what that threat is and they know why they have to defend against them."

He says the services will operate their networks with the cyber command having visibility and ability to direct parts of them.

For this reason, Alexander says the cyber workforce across all of DoD must have the same knowledge and skills.

"We've got to have a common block of training for all people who operate in cyberspace -- for our defenders, our operators, our exploiters and our attackers," Alexander says. "We have to make sure everyone understands the basics of network operations: how defending, exploiting and attacking works together."

Alexander was clear that getting DoD's networks better secured is the command's foremost mission. He realizes DoD will work with the Homeland Security Department and industry to help secure .gov and .com networks, but the .mil domain needs to be addressed first.

"We are on a journey and this will be difficult because there is a lot we need to do to get these networks together," he says. "I'm optimistic about the future, about where we are going, what we can do, the capabilities we have."


Saturday, June 27, 2009

Activists Use U.S. Tech to Poke Holes in Iran Firewall (Danger Room)

Activists Use U.S. Tech to Poke Holes in Iran Firewall (Updated)

Tehran's demonstrators rose up by themselves. But the technology that helped them organize — and helped them connect with the rest of the planet — was funded in part by the U.S. government.

Early in the pro-democracy protests, everyone made a big deal out of the State Department's call to Twitter, asking the short-messaging firm to reschedule maintenance so the Iranian opposition movement could keep communicating. In retrospect, that might have been one of the least meaningful moves an American agency made on the activists' behalf. More important, it now appears, are the millions of dollars invested over the years in technologies that could pry open the Iranian firewall — and avoid the Supreme Leader's web censors.

"Our goal was to promote freedom of speech for Iranians to communicate with each other and the outside world. We funded and supported innovative technologies to allow them to do this via the Internet, cell phones and other media," former State Department Iran democracy program coordinator David Denehy tells Eli Lake of the Washington Times.

Forget the driven-by-DC mock-populism and the all-too-clever schemes; this is how America should be promoting democracy abroad. Give activists the tools — and then let them decide how and when to use 'em.

The Broadcasting Board of Governors (BBG), which oversees the Voice of America and the Farsi-language Radio Farda, has a three-person anti-censorship team that focuses on China and Iran. "Iran has a growing audience of young activist Internet users and we have repurposed our tools to work in Farsi and make it available to Iranians," BBG's Ken Berman says. "We open up the channels so the Iranian blogosphere is more accessible to Iranians in Iran."

One of those projects: design the Firefox Web browser to embed the TOR network. That's the "onion router" anonymous surfing service, which throws off the Supreme Leader's online goons by "distributing your transactions over several places on the Internet, so no single point can link you to your destination," the project's site explains. "The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going."

"There are plenty of programs political dissidents can use to route their Internet traffic through third parties and escape censorship and avoid monitoring," one know-it-all blogger tells Lake. "But TOR is different because it is an encrypted network of node after node, each one unlocking encryption to the next node. And because of this, it is all but impossible for governments to track Web sites a TOR user is visiting. TOR is a great way to give Ahmadinejad's Web censors headaches."

That onion routing approach was originally developed by the Naval Research Lab and by Darpa, the Pentagon's leading science and technology arm.

UPDATE: Slate's Farhad Manjoo, on the other hand, thinks all this tech has actually made it easier for the regime to repress the activists. "On Wednesday, a reader alerted the Lede to an Iranian government Web site called Gerdab.ir, where authorities had posted pictures of protesters and were asking citizens for help in identifying the activists. That's right—the regime is now using crowd-sourcing, one of the most-hyped aspects of Web 2.0 organizing, against its opponents. If you think about it, that's no surprise. Who said that only the good guys get to use the power of the Web to their advantage?"

U.S. Cyber Command: 404 Error, Mission Not (Yet) Found (Danger Room)

U.S. Cyber Command: 404 Error, Mission Not (Yet) Found

Earlier this week, Defense Secretary Robert Gates ordered the military to start setting up a new "U.S. Cyber Command." It's a move that's been discussed in defense circles for more than a year. But despite the announcement — and despite the lengthy debate – no one in the military-industrial complex seems all that sure what this new fighting force is supposed to do, exactly.

Officially, the Pentagon still has a few months to figure things out. Gates told his troops in a Tuesday memo that they have until September 1st to come up with an "implementation plan" for the new command. But there's a ton to figure out in the next ten weeks. As Gates notes, that plan will have to "delineate USCYBERCOM's mission, roles and responsibilities," detail the command's "minimum requirements" to get up and running, and sort out its "relationships" with the rest of the military – and the rest of the government.

In other words, just about everything.

Let me paraphrase a series of conversations I've had this week with people working on this new command: Is CYBERCOM supposed to be a new fighting force, a glorified IT department, an intelligence agency, or what? Mmmmm, unclear, to be determined. If it's a fighting force, how much offense or defense will it play? To be determined. And what does cyber defense really mean, these days? TBD. If it's an intelligence agency, how far will the command go to protect civil liberties? To snoop on everyone, in the name of network security? TBD. TBD.

Further complicating matters is that CYBERCOM might significantly reorder how the Pentagon organizes its geek brigades. (Or not. That's TBD, too.) Each of the armed services already employs thousands of people to keep its data and communications networks flowing. The Defense Department already has an in-house shop, dedicated to building and maintaining its networks: the Defense Information Systems Agency, or DISA. It also has a far-flung group of cybersnoops, counter-snoops, and network attackers; that would be the National Security Agency, or NSA.

How exactly all these agencies will combine — or whether they will combine at all — is one of the many CYBERCOM questions still left unanswered. (Another: what does a recent and classified National Intelligence Estimate on cyber security recommend?) But already, there's tough talk in and around the Pentagon of budgets being defended, and personnel being kept.

When the Air Force tried to establish a cyber command of its own, it touched off an internecine scramble within the service. None of the units wanted to surrender cash or crew to the new agency. A veteran of that fight predicts there will be a similar fight surrounding CYBERCOM. "They're gonna look at the new command as a gigantic beast to be slain – the son of a bitch who's gonna take my money and my people," this former senior military official says. "The new command is gonna look at them and see — food."

One thing that is pretty clear: NSA will be leading this emerging command. Gates is recommending that NSA Director Lt. Gen. Keith Alexander also become the head of the new network force — and get a fourth star. Gates also suggests that the command set up its headquarters somewhere mighty convenient for Alexander: Ft. Meade, Maryland, home of the NSA.

The clandestine agency — renowned in the military for its geeky skills, and infamous among civil libertarians for its widespread monitoring of Americans' communications — may also come to dominate the wider government cyber defense effort. Under the president's recently-announced (and also pretty vague) network protection plan, the Department of Homeland Security is theoretically responsible for coordinating the network defense of the civilian government, and of the country's critical infrastructure. But DHS doesn't have nearly the technical brains or the financial brawn of the Defense Department and the NSA. Just look at the two departments' budgets for next year. As the Wall Street Journal notes, the Pentagon is planning to train "more than 200 cyber-security officers annually. By comparison, the Department of Homeland Security has 100 employees dedicated to civilian cyber security, with plans to reach 260 next year."

Which is why Homeland Security chief Janet Napolitano says that "NSA will provide technical assistance, both to DOD [Department of Defense] and to us."

"That is the structure of the cyber policy plan that the president announced, so we absolutely intend to use the technical resources, the substantial ones that NSA has," she tells Danger Room.

Alexander has said explicitly that he does "not want to run cyber security for the United States government." But could that wind up happening anyway — throwing a cloak of secrecy over all of network defense? TBD.