Cyberwar Journal

Coordinator in chief (C4ISR Journal)

2009-07-03T00:19:00.002-04:00

Coordinator in chief

What experts say Obama's cybercoordinator must do to succeed

By Ben Iannotta
July 01, 2009

http://www.c4isrjournal.com/story.php?F=4119078

When America's first national cybersecurity coordinator arrives at the White House, he or she will have to settle long-standing questions about the precise roles of the military, private companies and federal regulators in protecting the country's electrical systems, water supplies and other services from a hacker's computer keystrokes.

President Barack Obama said he would personally choose and meet regularly with the coordinator, a position he announced in a May 29 speech at the White House. He said this person will have an office and staff in the White House, and will draft a "comprehensive" national cyberstrategy in "partnership" with the U.S. computer industry and government agencies. The coordinator — White House officials are not using the term "czar" — would work closely with White House budget officials on spending decisions and coordinate U.S. responses in the event of a cyberattack, he said.

Obama spoke in the East Room before a cast of 120 mostly civilian VIPs, an exception being Marine Corps Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, whose job is to set the military's buying priorities. Also in the East Room were corporate CEOs and independent analysts who participated in the administration's "Cyberspace Policy Review," a fact-finding mission led by Melissa Hathaway, a former Bush administration intelligence official and now the top cyberofficial at the National Security Council. Hathaway and her staff met with networking companies, independent analysts and defense officials over the course of 60 days.

By placing responsibility for cybersecurity within the White House, and announcing a partnership with the industry, Obama set the U.S. on a different path than that of the Bush administration, which had relied on a combination of free market forces, presidential directives and the leadership of the Department of Homeland Security (DHS) to protect the private infrastructure. Instead of DHS leading the way, a White House official would be in charge, and this official would have a direct line to the White House Office of Management and Budget (OMB), which assembles spending requests from U.S. agencies into the annual budget requests to Congress. "It's going to be very important for the coordinator to work with OMB to ensure cybersecurity is adequately funded," said an OMB official in the East Room.

Neither Obama nor the 38-page Hathaway report spelled out precisely what actions the new spending authority and partnership with the industry would produce.

Would the government work with computer and software companies to draft regulations defining the security standards for the software underlying the U.S. infrastructure? Electrical hubs, for example, now have Internet Protocol addresses, which helps managers run electrical grids more efficiently, but also makes them vulnerable. Would better cybersecurity at such sites remain voluntary, as was the case under the Bush administration? Would the government cover the costs of beefed up cybersecurity in the private sector? For its part, the Hathaway report called for refining "government procurement strategies" and improving "market incentives" as the answer, but it did not define those steps any further. Would the coordinator's decisions affect the 2010 budget, which is currently before Congress, or wait until 2011 for impact?

Obama also did not discuss the controversial issue of America's offensive cyberattack planning, nor the precise role of the intelligence community and military in securing the U.S. private-sector infrastructure.

Military efforts

In recent months, military officials have been engaged in their own effort to reorganize themselves for cybersecurity. In May, for example, the U.S. Air Force announced it would establish a 400-person cyberheadquarters and operations center at Lackland Air Force Base, Texas, to coordinate cyberdefense with other services and, when necessary, launch offensive cyberactions. Originally, the Air Force planned on establishing its own cybercommand but backed away when critics said the service should focus on working with the other services instead of trying to lead in the cyberdefense domain.

Air Force Maj. Gen. William Lord, the service's top cybercommander, said "six verbs" would govern the work of the new 24th Air Force, the group focused on cyberspace: "establish, operate and maintain, defend, and exploit and attack." He spoke in late March at the National Space Symposium, before the service announced the location of the cyberheadquarters and operations center.

Lord said U.S. offensive cyberactions could turn out to be critical in future wars: "If you think about not warfare today, but warfare maybe 20 or 50 years from now, maybe it's not about the kinetic destruction of people or facilities. Maybe it's about so confusing a technologically advanced force by scrambling their technology that they don't have the ability to conduct warfare."

Part of the Obama strategy is likely to focus on technologies for identifying cyberattackers without violating the privacy of Internet users, something defense officials said would not be technically easy. "Two years ago in April, a million computers from 75 different nations attacked Estonia. Who do you go to war with?" he said. "Most of that attack came from [unknown people in] the United States. We're friends with Estonia," he said. "So figuring out: One, who the enemy is, and second, what's the intent of an enemy, in this domain, is very, very challenging."

Lord said the Air Force advised the Hathaway panel indirectly about the Air Force's plans and views on major cyberissues through the Pentagon's Joint Staff and the Office of the Secretary of Defense. Lord said reacting quickly to a cyberattack would be one of the great challenges confronting the country.

"What happens when you track back an IP address to you-name-the-country? How do you get law enforcement to that address, that physical address and using the laws of that country say, 'Stop that stuff?' That process takes weeks today. And we've got figure out how to make it occur more quickly," he said.

As far as military management of cyberdefense, Lord said defense officials were discussing the possibility of establishing a "sub-unified command" under U.S. Strategic Command to coordinate cyberwork among all the services. At about the time of Obama's announcement, The New York Times and The Associated Press reported that the U.S. was on the verge of establishing a new Cyber Command.

Though much is left to be sorted out, industry officials, by and large, said they were pleased that the White House had set a tone of partnership and will establish a high-level authority to define the national cyberstrategy under which the government, in all likelihood, would spend billions of dollars to improve security.

"It's encouraging to watch the United States and President Obama take the lead here in trying to innovate," said David DeWalt, CEO and president of McAfee, the computer security giant. DeWalt was one of those invited to gather in the East Room.

He said the importance of the word partnership, meaning with the industry and government, should not be discounted. "We believe the lack of partnership in the past has actually enabled the criminal behavior and terrorist behavior to emerge quicker, and with more force than had we had this interlock," he said.

Gregory Q. Brown, president and CEO of Motorola, also was in the East Room. "My team has met with [Hathaway], and we're very supportive," he said. He said Motorola is ready to help advise the government about how to keep networks secure, particular during emergency responses.

Budget link

Obama's most significant move, several attendees said, might have been when he underscored the cybercoordinator's relationship with the White House Office of Management and Budget.

"The way you get anyone to do anything is through the budget," said Alan Paller, director of research and defense at the SANS Institute, which researches information security technology. "That's what was wrong before. DHS didn't have any leverage" over spending at other agencies involved in cybersecurity, he said. "DHS could say anything they wanted and everyone could ignore them because there were no consequences."

Agencies have to listen to OMB or risk losing spending for other priorities, he said. "If you ignore OMB, the consequences are very sharp," he said.

Obama said he will designate cybersecurity one of "my key management priorities" and that the office of the cybercoordinator would set cyberpriorities and work "closely" with OMB "to ensure agency budgets reflect those priorities."

How much time the government should take before spending money under the new plan could emerge as an area of disagreement between the government and the industry. The Hathaway review describes refinement of government procurement strategies and establishment of market incentives as "Mid-Term" actions. Even at that, they are listed in line No. 14 of a table showing 14 mid-term actions.

Even so, Paller predicted the Obama administration would begin using the procurement process, in particular the defense process, in the near term "because it's the lever. It's the one you can move."

Also unclear in the Obama announcement was whether the emerging cyberstrategy would affect spending in the 2010 budget, which the administration sent to Capitol Hill three weeks before Hathaway's finding were made public and Obama announced the cybercoordinator office.

DeWalt of McAfee said it would be unwise to wait until the 2011 budget request to start applying funds under the administration's emerging cyberpolicy. "My opinion is, every day that we wait is another day that we're completely vulnerable. And I think, again, this activity [in the White House East Room] was a step in the right direction," he said.

DeWalt said the government already has billions of dollars of cyberdefense money in play because of the Bush administration's cyberinitiative. In 2008, with attempts to penetrate U.S. networks on the rise, the Bush administration launched the largely-classified Comprehensive National Cyber Security Initiative, which was defined by two executive directives, Presidential Directive 54 and Homeland Security Directive 23.

Former-Homeland Security Director Michael Chertoff announced the initiative and his agency oversaw the effort. Observers expect the Obama team to rework much of the Internet monitoring and intelligence-gathering policies contained within the Bush initiative. Obama, for example, said this cyberoffice "will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people."

The differences in philosophy are huge, but the money and momentum remain. "This isn't starting from scratch with nothing," DeWalt said. "There is been some budget laid out from the previous administration. There is some opportunity to leverage that into the new programs," he added.

Industry officials said they expect the Obama strategy to focus less on spying on individual Internet users and more on securing private-sector networks related to critical infrastructures, and improving early-warnings of attempts to spread viruses and computer worms.

Federal regulations

One of the great debates among industry officials and analysts has been about the appropriate role for federal regulations, and whether it would be wise for an administration and Congress to create a new regulatory law that would require certain security software and procedures for private-sector networks. Such an act could be patterned after the U.S. Sarbanes-Oxley law that defines the kind of records financial institutions must make public, DeWalt said.

The topic of regulations was a hotly contested one during a series of meetings in 2007 through 2008 organized by the Center for Strategic and International Studies (CSIS), a think tank based in Washington. CSIS officials wanted to recommend a cyberstrategy for the incoming president. The experts met periodically over the course of more than a year, and in December, the group released its report, "Securing Cyberpspace for the 44th Presidency."

"We deliberated for about 14 months on that issue," said Phyllis Schneck, McAfee's director of threat intelligence for the Americas, and a member of the CSIS panel.

In the end, the CSIS panel was not shy about recommending federal cyber-regulations. The panel blasted the Bush administration's 2003 National Strategy to Secure Cyberspace for relying on market forces and ruling out federal regulation as a major player.

"In pursuing the laudable goal of avoiding overregulation, the strategy essentially abandoned cyber defense to ad hoc market forces. We believe it is time to change this. In no other area of national security do we depend on private, voluntary efforts. Companies have little incentive to spend on national defense as they bear all of the cost but do not reap all of the return. National defense is a public good. We should not expect companies, which must earn a profit, to survive, to supply this public good in adequate amounts," the CSIS panel said.

Obama stopped well short of embracing the CSIS wording: "My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity," he said.

Schneck said the Obama administration will need to find incentives. "How do we take a private-sector company that at the end does need to make money, and enable them to not only protect their infrastructure, but do things in the public good, and still remain profitable?" she said.

In the coming months, those in the East Room said one passage in Obama's 16-minute speech makes them certain that cybersecurity will remain a priority for the administration. Obama said that between August and October 2008 — the final stretch of the U.S. election campaign — "hackers gained access to e-mails and a range of campaign files, from policy position papers to travel plans." He said his campaign hired security consultants and met with the FBI and the Secret Service.

"It was a powerful reminder: In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities," he said.

Cyberactions plan (C4ISR Journal)

2009-07-03T00:17:00.002-04:00

Cyberactions plan

July 01, 2009

http://www.c4isrjournal.com/story.php?F=4117007

The "Cyberspace Policy Review" developed a 10-point "near-term action plan" for U.S. cybersecurity efforts:

• Appoint a cybersecurity policy official responsible for coordinating the nation's cybersecurity policies and activities; establish a strong National Security Council directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the National Economic Council, to coordinate interagency development of cybersecurity-related strategy and policy.

• Prepare for the president's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of Comprehensive National Cybersecurity Initiative activities.

• Designate cybersecurity as one of the president's key management priorities and establish performance metrics.

• Designate a privacy and civil liberties official to the NSC cybersecurity directorate.

• Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities and the application of agency authorities for cybersecurity-related activities across the federal government.

• Initiate a national public awareness and education campaign.

• Develop U.S. government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies and opportunities associated with cybersecurity.

• Prepare a cybersecurity incident response plan; initiate a dialogue to enhance public-private partnerships with an eye toward streamlining, aligning and providing resources to optimize their contribution and engagement.

• Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories and identifying solutions.

• Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.

Defend America, One Laptop at a Time (NY Times)

2009-07-02T20:49:00.002-04:00

Defend America, One Laptop at a Time

By JACK GOLDSMITH

Cambridge, Mass.

http://www.nytimes.com/2009/07/02/opinion/02goldsmith.html

OUR economy, energy supply, means of transportation and military defenses are dependent on vast, interconnected computer and telecommunications networks. These networks are poorly defended and vulnerable to theft, disruption or destruction by foreign states, criminal organizations, individual hackers and, potentially, terrorists. In the last few months it has been reported that Chinese network operations have found their way into American electricity grids, and computer spies have broken into the Pentagon's Joint Strike Fighter project.

Acknowledging such threats, President Obama recently declared that digital infrastructure is a "strategic national asset," the protection of which is a national security priority.

One of many hurdles to meeting this goal is that the private sector owns and controls most of the networks the government must protect. In addition to banks, energy suppliers and telecommunication companies, military and intelligence agencies use these private networks. This is a dangerous state of affairs, because the firms that build and run computer and communications networks focus on increasing profits, not protecting national security. They invest in levels of safety that satisfy their own purposes, and tend not to worry when they contribute to insecure networks that jeopardize national security.

This is a classic market failure that only government leadership can correct. The tricky task is for the government to fix the problem in ways that do not stifle innovation or unduly hamper civil liberties.

Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.

President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.

The government should also use legal liability or tax breaks to motivate manufacturers — especially makers of operating systems — to improve vulnerability-filled software that infects the entire network. It should mandate disclosure of data theft and other digital attacks — to trusted private parties, if not to the public or the government — so that firms can share information about common weapons and best defenses, and so the public can better assess which firms' computer systems are secure. Increased information production and sharing will also help create insurance markets that can elevate best security practices.

But the private sector cannot protect these networks by itself any more than it can protect the land, air or water channels through which foreign adversaries or criminal organizations might attack us. The government must be prepared to monitor and, if necessary, intervene to secure channels of cyberattack as well.

The Obama administration recently announced that it would set up a Pentagon cybercommand to defend military networks. Some in the administration want to use Cybercom to help the Department of Homeland Security protect the domestic components of private networks that are under attack or being used for attacks. Along similar lines, a Senate bill introduced in April would give the executive branch broad emergency authority to limit or halt private Internet traffic related to "critical infrastructure information systems."

President Obama has tried to soothe civil liberties groups' understandable worries about these proposals. In the speech that outlined the national security implications of our weak digital defenses, the president said the government would not monitor private sector networks or Internet traffic, and pledged to "preserve and protect the personal privacy and civil liberties we cherish as Americans."

But the president is less than candid about the tradeoffs the nation faces. The government must be given wider latitude than in the past to monitor private networks and respond to the most serious computer threats.

These new powers should be strictly defined and regularly vetted to ensure legal compliance and effectiveness. Last year's amendments to the nation's secret wiretapping regime are a useful model. They expanded the president's secret wiretapping powers, but also required quasi-independent inspectors general in the Department of Justice and the intelligence community to review effectiveness and legal compliance and report to Congress regularly.

Many will balk at this proposal because of the excesses and mistakes associated with the secret wiretapping regime in the Bush administration. These legitimate concerns can be addressed with improved systems of review.

But they should not prevent us from empowering the government to meet the cyber threats that jeopardize our national defense and economic security. If they do, then privacy could suffer much more when the government reacts to a catastrophic computer attack that it failed to prevent.

Jack Goldsmith, a professor at Harvard Law School who was an assistant attorney general from 2003 to 2004, is writing a book on cyberwar.

U.S. Official: Cybersecurity Plans Not Just Talk (internetnews.com)

2009-07-01T20:08:00.002-04:00

U.S. Official: Cybersecurity Plans Not Just Talk
By Kenneth Corbin
July 1, 2009

http://www.internetnews.com/government/article.php/3827936/US+Official+Cybersecurity+Plans+Not+Just+Talk.htm

NATIONAL HARBOR, Md. -- Amid all the recent talk in Washington about getting serious about cybersecurity, some skeptics have expressed concern that it might be just that -- all talk, followed by little action.

But a senior White House official this morning official promised an audience of security professionals that unlike past federal reviews, which have been criticized for making promises that policymakers didn't keep, this time is different.

Speaking at research firm Gartner's annual Information Security Summit, Christopher Painter, the National Cybersecurity Council's director of cybersecurity, outlined the steps the Obama administration is taking to move ahead with the recommendations of a 60-day review the president commissioned earlier this year.

In a speech accompanying the release of the review in May, Obama outlined a multi-prong plan to tighten up the nation's cyber defenses, including the formation of a new position to coordinate cybersecurity policy across the agencies, Congress and the private sector.

But despite Obama's assurance that the cybersecurity coordinator would have his full support and regular access to the Oval Office, critics have speculated that the position is too far down the bureaucratic pecking order to have any real clout. In practice, they warn, the role might end up little more than a glorified cheerleader.

Painter promised otherwise.

"The cyber coordinator is going to be more than just a figurehead," he said. "We really have to deliver on the action plan."

The previous two administrations have made noise about cybersecurity, including a policy review President Bush ordered in 2001, which resulted in a strategy directive two years later. But Painter noted that those efforts didn't come with the mandate of a White House address, a jump-off point that he said elevated the issue to a chief policy priority.

"That's really a watershed event," Painter said of Obama's speech. "That really sets the tone, not only in this country, but around the world."

He added, "We had a strategy in 2003, but you didn't have the president coming out and giving a speech on this, and that's really, really important."

In that address, Obama made the case that defending critical infrastructure against online threats is as much an economic priority as it is a security issue.

That was reflected in the structuring of the cybersecurity coordinator position, which will serve on both the National Security Council and the National Economic Council. He has yet to fill the position.

Obama's efforts to bring cybersecurity into the mainstream fit with many of his other policy initiatives, where he is trying to apply technology solutions to areas like energy and health care. The idea of connecting the power grid to an interoperable network, while alluring for the energy savings it could yield, could have disastrous results if hackers were able to infiltrate the system and knock it offline. Similarly, the grand vision of an IT-based health care system where patients' records are digitized and doctors can provide treatment to patients in remote areas through robust networks could quickly unravel if the technology were compromised.

"It's really important to have security baked in from the beginning," Painter said.

That goes for government, too. Other members of Obama's tech team, particularly Aneesh Chopra and Vivek Kundra, who respectively fill the new positions of federal CTO and CIO, have been talking loudly about bringing new technologies to the federal computing apparatus to make it more efficient and collaborative.

[cob:Special_Report]As Chopra, Kundra and others tinker with new Web 2.0 technologies and moving the federal IT infrastructure to the cloud, Painter said they will work closely with the new cybersecurity coordinator to ensure that the government is leading by example.

"The cybersecurity coordinator is going to work very closely with [Obama's] CTO and CIO," he said. "The idea is, when we're thinking about these new technologies, we're thinking about security."

Painter stressed the need to partner with foreign countries to develop a coordinated approach to combat cyber threats. He spoke of the "weakest-link problem," where hackers will scour the globe to find a nation with lax cyber defenses, and route their attacks through servers in that nation to reach their ultimate target.

"It is clear that given the ubiquitous borderless nature of computer systems and computer networks that it doesn't matter if we do everything right" if other nations aren't on board, he said. "We need to have a dialogue with other countries."

He also spoke of the delicate balance of protecting privacy while maintaining a reasonable level of security in networks that are under continuous threat. Obama has said he will appoint a privacy official to the National Security Council's cybersecurity directorate to help ensure that the government's cyber policing efforts don't run roughshod over Americans' civil liberties.

The two aren't mutually exclusive, Painter said, pointing out that properly securing the systems that house personal information such as health records will keep people's sensitive data private.

"It's not a zero-sum game," he said. "If we're doing this right, we're enhancing privacy."

A Bustling Week for Cyber Justice (Washington Post: Security Fix)

2009-07-01T20:06:00.002-04:00

A Bustling Week for Cyber Justice

http://voices.washingtonpost.com/securityfix/2009/07/a_bustling_week_for_cyber_just.html?wprss=securityfix

This past week has been a bustling one for cyber justice. The Federal Trade Commission announced a settlement in its ongoing case against scareware purveyors; a notorious hacker admitted stealing roughly two million credit card numbers; the Justice Department has charged a software developer from Arkansas with launching a series of debilitating online attacks against several online news sites that carried embarrassing stories about him. Finally, a federal appeals court decision gives security vendors added protection against spurious lawsuits by adware companies.

-- Last week, the FTC said it had settled with James Reno and his company ByteHosting Internet Services LLC. Both were named in the commission's broad sweep last year against purveyors of "scareware," programs that uses bogus security alerts to frighten people into paying for worthless security software.

The settlement imposes a judgment of $1.9 million against Reno and Bytehosting, yet the court overseeing the case suspended all but $116,697 of that fine, "based on the defendants' inability to pay the full amount."

Six other defendants allegedly involved in the scareware scams face pending charges from the FTC. One of the defendants, a San Francisco man named Sam Jain, is currently the subject of a federal criminal prosecution in California. According to Jain's attorneys, federal prosecutors in Illinois also are preparing to indict him on computer fraud charges related to the scareware distributed by his company, Innovative Marketing. Jain is currently a fugitive from justice.

-- From Wired.com's Kevin Poulsen comes what may be thepenultimate chapter in the prosecution of so-called superhacker Max Ray Butler, also of San Francisco. Butler, 36, faces up to 60 years in prison after pleading guilty to federal wire fraud charges that "he stole roughly two million credit card numbers from banks, businesses and other hackers, which were used to rack up $86 million in fraudulent charges."

Poulsen's story on Butler in Wired Magazine from December 2008 is a page-turner that chronicle's the hacker's successful bid to hack into, take over and ultimately consolidate several online forums dedicated to the theft and sale of stolen credit card numbers. One of the forums he hacked, called "Darkmarket," turned out to be a full-blown undercover sting operation set up by the FBI.

-- In a criminal complaint unsealed yesterday in a New Jersey federal court, the Justice Department charges a software developer from Arkansas with using botnets -- armies of hacked PCs -- to flood several targeted Web sites with so much data that they were at least temporarily unable to accommodate legitimate visitors.

The government alleges that between July 2007 and March 2008,Bruce Raisley launched a series of denial-of-service attacks against Rollingstone.com, and several other Web sites. Among those attacked was perverted-justice.com, a site dedicated to publicly exposing and shaming men who solicit sex from underage boys and girls online. Perverted-justice.com is perhaps best known for its connection to the Dateline NBC show "To Catch a Predator."

Charging documents note that Raisley apparently targeted those two sites and seven others for their publication of stories that retold an embarrassing chapter of his life. According to a July 2007 Rolling Stone article about perverted-justice.com founder Xavier Von Erck, Raisley himself was a former volunteer who helped perverted-justice members ensnare new targets.

At some point, the Rolling Stone article says, Raisley had a falling out with perverted-justice, and launched his own online campaign to depict the site's members as an out-of-control vigilante group. According to the Rolling Stone article, Von Erck "exacted a particularly sadistic form of revenge against" Raisley:

Posing as a woman named Holly, Von Erck began an online flirtation with Raisley, who was smitten enough to leave his wife and rent a new apartment. On the day Raisley went to pick up Holly at the airport, Von Erck sent a friend to snap his photo and posted it with a warning: "Tonight, Bruce Raisley stood around at an airport, flowers in hand, waiting for a woman that turned out to be a man. . . . He has no one. He has no more secrets. . . . Perverted-Justice.com will only tolerate so much in the way of threats and attacks upon us."

Raisley's court-appointed attorney could not be immediately reached for comment.

-- On Friday, the U.S. Ninth Circuit Court of Appeals in Seattle upheld a decision to dismiss a case brought in 2007 by Bellvue, Wash., based adware maker Zango. The company had sued anti-virus makerKaspersky, charging that Kaspersky interfered with its business by removing Zango's adware without first alerting the user.

The appeals court affirmed that Kaspersky's actions were shielded by the federal Communications Decency Act (CDA). That law contains a "good Samaritan" clause that protects computer services companies from liability for good faith efforts to block material that users may consider objectionable.

Eric Howes, director of malware research at computer security firmSunbelt Software, said admittedly, this decision is not nearly as consequential for anti-malware providers as it would have been three or four years ago, when adware vendors such as Zango and Direct Revenue were regularly threatening anti-spyware providers with legal action and peppering them with cease-and-desist letters on a weekly basis.

"It's a been a while since we received any serious legal threats, although we do still get the occasional protest from software developers whose apps we target as 'low risk,' potentially unwanted programs or tools," Howes wrote on the company's blog. "Nonetheless, the decision is a welcome one, as it extends to Sunbelt and other anti-malware providers the kind of legal cover we need in order to provide our customers and users with strong protection against unwanted, malicious software."

By Brian Krebs | July 1, 2009; 7:00 AM ET

Deep-Packet Inspection in U.S. Scrutinized Following Iran Surveillance (Threat Level)

2009-06-30T21:10:00.002-04:00

Deep-Packet Inspection in U.S. Scrutinized Following Iran Surveillance

By Kim Zetter
June 29, 2009 |
6:54 pm

http://www.wired.com/threatlevel/2009/06/deep-packet-inspection/

Following a report last week that Iran is spying on domestic internet users with western-supplied technology, advocacy groups are pressuring federal lawmakers to scrutinize the use of the same technology in the U.S.

The Open Internet Coalition sent a letter to all members of the House and Senate urging them to launch hearings aimed at examining and possibly regulating the so-called deep-packet inspection technology.

Two senators also announced plans to introduce a bill that would bar foreign companies that sell IT technology to Iran from obtaining U.S. government contracts, legislation that is clearly aimed at the two European companies that reportedly sold the equipment to Iran.

The Wall Street Journal reported last week that Nokia Siemens Networks, a joint venture between Germany's Siemens and Finland's Nokia, recently gave Iran deep-packet inspection equipment that would allow the government to spy on internet users.

According to the Journal, Iranian officials have used deep-packet surveillance to snoop on the content of e-mail, VoIP calls and other online communication as well as track users' other online activity, such as uploading videos to YouTube. Iranian officials are said to be using it to monitor activists engaged in protests over the country's recent disputed presidential election, though the Journal said it couldn't confirm whether Iran was using the Nokia Siemens Networks equipment for this purpose or equipment from another maker.

Nokia Siemens has denied that it provided Iran with such technology.

But similar technology is being installed at ISPs in the U.S.

It spurred extensive controversy last year when Charter Communications, one of the country's largest ISPs, announced that it planned to use deep-packet inspection to spy on broadband customers to help advertisers deliver targeted ads.

The plan sparked a backlash and heated congressional hearings. Publicity about the issue died down, however, after Charter retreated from its plan, and Congress moved on to other matters. But deep-packet inspection didn't go away.

ISPs insist they need it to help combat spam and malware. But the technology is ripe for abuse, not only by ISPs but also by the U.S. government, which could force providers to retain and hand over data they collect about users.

In its letter to lawmakers (.pdf) urging them to investigate the technology, the Open Internet Coalition delicately avoided placing the U.S. government in the same category as Iran by not mentioning possible U.S. government abuses of the technology.

"We do not believe U.S. network owners intend to interfere with political communications in the way the Iranian government is doing, but the control technologies they are deploying on the internet carry the same enormous power," the Coalition writes. "And, whether an inspection system is used to disrupt political speech or achieve commercial purposes, both require the same level of total surveillance of all communications between end-users and the internet."

At a House subcommittee hearing this year to examine the technology, Rep. Rick Boucher (D-Virginia) also expressed alarm.

"The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every e-mail or attached document is alarming," he said.

With regard to the sale of the technology to Iran, Sens. Charles E. Schumer (D-New York) and Lindsey Graham (R-South Carolina) attempted to address the Nokie Siemens issue with a bill that would prevent foreign companies selling sensitive technology to Iran from either obtaining new government contracts or renewing existing ones, unless they halt their exports to Iran.

According to NextGov, Nokia did more than $10 million in business with the U.S. government between 2000 and 2008; Siemens has nearly 2,000 U.S. government contracts and obtained $250 million in U.S. government contracts this year alone. Nokia Siemens Networks currently has more than $5 million in U.S. government contracts.

Neither Schumer nor Graham mentioned how such a law would be enforced if foreign companies used proxies to sell their products to Iran to circumvent the regulation.

The U.S. government embargo against U.S. companies selling to Iran is one of the tightest. The embargo currently prevents any U.S. individual or company from obtaining a license to sell goods and technologies to Iran that could be used for, among other things, missile proliferation purposes, chemical and biological warfare proliferation, human rights and crime control. The embargo, however, has done little to prevent Iran from obtaining U.S. technology anyway.

In the meantime, consumers called for a boycott of Nokia and Siemens products. And Hands Across the Mideast Support Alliance (HAMSA) has organized a writing campaign urging users to send a protest letter to Nokia. According to the organization's site, nearly 4,000 people have acknowledged sending the letter so far.

NSA EDGES OUT OTHERS IN CYBER COMMAND CONTROL (Defense Tech)

2009-06-30T20:55:00.002-04:00

NSA EDGES OUT OTHERS IN CYBER COMMAND CONTROL

http://www.defensetech.org/archives/004907.html

Last week Defense Secretary Robert Gatesordered U.S. Strategic Command (StratCom) to deliver a plan to stand-up a new command to oversee information technology security and attack – what would be known as "Cyber Command." This is in addition to President Obama's announcement last month that he will establish a new cyber security office at theWhite House. The historic event took place on Tuesday, June 22nd.

As one could imagine, this is no small task. StratCom has just a little over sixty days to accomplish this mission. The plan to create this new entity operating within the Department of Defense and lead by a 4-star general is due to the Defense Secretary by September 1st. According to Gates' timeline, Cyber Command is expected to be up and operational by October 1, 2009, and fully functional one year later. An internal memo from Gates to senior Pentagon officials stated that he intends to recommend that Lt. Gen. Keith Alexander, the current director of the National Security Agency, take on the role as commander of the Cyber Command with the rank of a four-star general.

What this will actually cost is anyone's guess. Current thinking is that the budget to just establish the new command through year's end could reach as high as $200 million. Longer term, the cost of cyber intelligence, defense and offensive capabilities are estimated to be around $55 billion annually. This will create our offensive cyber forces and capabilities and defend the over 100,000 DoD Networks and 5 million DoD computers against cyber attack. One might say it is just a drop in the bucket of a 2009 DoD budget that topped $515 billion.

The United States is not the only country making this move. The UK defense ministry announced plans to establish an office of cyber attack and defense but gave no hard date when it would be operational. Britain's GCHQ (Government Communications Headquarters, their equivalent of the NSA) seems to be well underway in fully developing their cyber capabilities. In addition, the defense ministry of South Korea has also announced plans to establish a cyber command by 2012.

Internal cooperation is critical for cyber incident investigations and event attribution. As more and more countries establish a focal point for cyber defense, the greater the opportunity to conduct these investigations and accurately identify those behind cyber attacks.

-- Kevin Coleman

StratCom Plows Ahead on Cyber (DoD Buzz)

2009-06-30T17:50:00.002-04:00

StratCom Plows Ahead on Cyber

http://www.dodbuzz.com/2009/06/29/stratcom-plows-ahead-on-cyber/

By Colin Clark Monday, June 29th, 2009 11:51 am

You are the commander of Strategic Command, charged with coming up with an implementation plan for the new cyber command within 60 days. But there's going to be a new head of cyber command, a four-star just like you, and Lt. Gen. Keith Alexander has the Big Mo on his side. And Alexander is known as an almost crazily foxy guy who has rebuilt the NSA and will be largely dependent on folks from NSA for most of his capabilities. Air Force Gen. Kevin Chilton is known as one of the brainiest generals around. Hmmm. Who's going to win this bureaucratic game will be great fun to watch.

For some idea of just what may lie ahead, have a look at this April 7 speech by Chilton, which has been quoted by the two cyber warriors with whom I speak. This is not about improving the country's IT capabilities in terms of efficiency and information sharing. This is about life and death on the battlefield.

"It's not a convenience any more, it's a dependency. We need to recognize that we need this domain and we need these systems to conduct our fight today and tomorrow. We need to recognize that we can fight in this domain just as an air-to-air fighter can fight in the air domain; and we can fight through this domain and affect other domains just as an airplane can drop a bomb on a land domain and create affects across a domain. And as commanders we must appreciate the vulnerability of this domain, not just its importance. We have to transition from a culture of convenience to a culture of responsibility. We must recognize vulnerability — the vulnerability that one system can create here on the other side of the world, not just locally," Chilton said. For more on this, have a look at Kevin Coleman's piece below from Defense Tech.

Last week Defense Secretary Robert Gates ordered U.S. Strategic Command (StratCom) to deliver a plan to stand-up a new command to oversee information technology security and attack – what would be known as "Cyber Command." This is in addition to President Obama's announcement last month that he will establish a new cyber security office at the White House. The historic event took place on Tuesday, June 22nd.

Obama and Cyber Defense (WSJ)

2009-06-29T20:50:00.002-04:00

Obama and Cyber Defense

Government should protect our e-infrastructure.

http://online.wsj.com/article/SB124623073971766069.html

In a Monty Python skit from 1970, the Vercotti brothers, wearing Mafia suits and dark glasses, approach a colonel in a British military barracks. "You've got a nice army base here, Colonel," says Luigi Vercotti. "We wouldn't want anything to happen to it." Dino explains, "My brother and I have got a little proposition for you, Colonel," and Luigi elaborates, "We can guarantee you that not a single armored division will get done over for 15 bob a week."

If the idea of the military having to pay protection money to the mob seems silly, imagine what Monty Python could do with last week's White House decision on security. It announced a new "Cyber Command" to protect information infrastructure, but stipulated that the military is allowed to protect only itself, not the civilian Internet or other key communications networks. When President Barack Obama announced the plan, he stressed that it "will not -- I repeat -- will not -- include monitoring private-sector networks or Internet traffic." It's like telling the military if there's another 9/11 to protect the Pentagon but not the World Trade Center.

The announcement shows that our political system is still ambivalent about how to defend communications networks such as the Internet. We expect privacy, but we know that intrusive techniques are required to protect the system from cyber attacks. How to balance privacy with preventing attacks that would undermine the system altogether?

It's an open secret that the National Security Agency (NSA) must operate through civilian networks inside the U.S. in order to prevent millions of cyber attacks every year by foreign governments, terror groups and hackers. Likewise, the NSA must follow leads through computer networks that run through innocent countries. "How do you understand sovereignty in the cyber domain?" asked James Cartwright, vice chairman of the Joint Chiefs of Staff, in a recent speech. "It doesn't tend to pay a lot of attention to geographic borders."

The risks are real. Cyber attacks on Estonia and Georgia by Russia in recent years forced government, banking, media and other Web sites offline. In the U.S., the public Web, air-traffic control systems and telecommunications services have all been attacked. Congressional offices have been told that China has broken into their computers. Both China and Russia were caught having infiltrated the U.S. electric-power grid, leaving behind software code to be used to disrupt the system. The risk of attacks to create massive power outages is so serious that the best option could be unplugging the U.S. power grid from the Internet.

The military is far ahead of civilian agencies such as Homeland Security and is now focused on cyber offense as well as defense. Cyberspace, says Gen. Kevin P. Chilton, commander of the U.S. Strategic Command, is the new "domain," joining the traditional domains of air, land and sea. Each is a focus for both defense and attack. The U.S., a decade behind China, is now officially focused on using cyber warfare offensively as well as defensively.

The U.S. is an inventive nation, so we'll get to the right answer on security if we ask the right questions. What if the only way the military can block a cyber attack is to monitor domestic use of the Web, since foreigners use the Web to launch cyber attacks? What is a "reasonable" search in a virtual world such as a global communication network? What's the proper response to cyber attacks?

If cyber war is a new form of war, wouldn't most Americans adjust their expectations of reasonable privacy to permit the Pentagon to intrude to some degree on their communications, if this is necessary to prevent great harm and if rules protecting anonymity can be established? Finally, wouldn't it be better for politicians to encourage a frank discussion about these issues before a significant attack occurs instead of pretending there are no trade-offs?

Only the NSA, which operates within the Defense Department, has the expertise to protect all U.S. networks. It has somehow found ways to mine needed data despite pre-Web rules that restrict its activities domestically. But the question remains: How can the military get enough access to private, domestic networks to protect them while still ensuring as much privacy as possible? One logical approach is for Homeland Security to delegate domestic defense to the NSA, but for the domestic agency to maintain enough responsibility to have political accountability if privacy rights get violated in the process.

We'll look back on the current era, with the military constrained from defending vital domestic interests, as an artifact of an era when it was easy to point to what was foreign and what was domestic. In the digital world, as the cyber threat shows, physical distinctions such as political borders are unhelpful and can be dangerously confusing.

Google mistakes Michael Jackson searches for cyber attack (

2009-06-29T20:46:00.002-04:00

Google mistakes Michael Jackson searches for cyber attack

Author:: Warwick Ashford
Posted:: 14:56 29 Jun 2009

http://www.computerweekly.com/Articles/2009/06/29/236681/google-mistakes-michael-jackson-searches-for-cyber-attack.htm

Google has admitted that it mistook the sudden spike in searches for Michael Jackson last week for an automated cyber attack.

As word spread of Michael Jackson's death there was a "meteoric rise" in related searches.

"Search volume began to increase around 2:00pm (PDT), skyrocketed by 3:00pm, and stabilised by about 8:00pm," Google product manager RJ Pittman said in a blog post.

According to Pittman, last week also saw one of the largest mobile search spikes ever seen, with five of the top 20 searches about Jackson

As a result, for about 25 minutes, when some people searched Google News they saw a "We're sorry" page before finding the articles they were looking for, said Pittman.

The surge in demand for news and information about Michael Jackson hit most US news sites, with many taking more than double the usual time to respond.

Microblogging site Twitter was forced to disable some functionality on the network to keep the service working.

Web Filtering Company Reports Cyber Attack To FBI (Information Week)

2009-06-29T20:44:00.002-04:00

Web Filtering Company Reports Cyber Attack To FBI

The U.S.-based company that claims its programming code was unlawfully included in China's Green Dam software reports being targeted by a cyber attack.

By Thomas Claburn, InformationWeek
June 29, 2009
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=218101882

Solid Oak Software, the Santa Barbara, Calif.-based maker of Web filtering software called CYBERsitter, on Friday contacted the FBI to investigate a cyber attack on the company that appears to have come from China.

Earlier this month, the company charged that the Green Dam Web filtering software, made by two Chinese companies, contains its proprietary computer code. The Chinese government wants all PCs sold in China to include Green Dam starting on July 1.

Although the U.S. government and trade organizations have asked China to rescind its Web filtering rule, Sony has already begun shipping PCs with Green Dam installed.

Jenna DiPasquale, head of public relations and marketing for Solid Oak, said that following the receipt of suspicious e-mail messages sent recently to company executives and unexplained server problems, a Microsoft representative had volunteered to analyze the suspicious e-mail for malware.

A request for comment from Microsoft, submitted through DiPasquale, was declined.

But DiPasquale confirmed that Microsoft's investigator identified the messages as malicious. "They did determine that the files were infected and that the attack was specifically created for us," she said in an e-mail. "We discovered several one-off emails similar in nature that were caught by our filters. We do not know yet for certain, but it does appear that the e-mails are Chinese in origin."

Green Dam is made by Jinhui Computer System Engineering Co, and its Web filtering black list is provided by Beijing Dazheng Human Language Technology Academy Co.

The senders of the infected messages "used spoof-name Gmail accounts to create the attacks, and the documents sent were meant to appear like a clean e-mail," DiPasquale explained. "The infected documents referenced Jinhui and Green Dam and the attacks were written using Chinese language software. This is how we suspect that they are Chinese in origin. We discovered different types of attacks caught in our defensive gateway, AlliGate."

Solid Oak president Brian Milburn believes the attacks were the work of skilled computer professionals who have knowledge of his company, according to DiPasquale.

Solid Oak, however, is not the only company under attack for its involvement with Green Dam. The English-language China Daily said last week that Jinhui had received more than 1,000 death threats since the government's filtering rule was first reported earlier this month.

After three University of Michigan researchers identified security flaws and copied code in Green Dam, the Chinese government directed the makers of Green Dam to fix the security vulnerabilities, according to a report in the English-language China Daily.

But according to a June 25 report published by Solid Oak, the most recent release of Green Dam (v3.17) still contains four files from CYBERsitter. The copied files are not merely lists of sites to be blocked, the report alleges, they also contain programming code.

"Contrary to statements made by Green Dam's developer that these were just 'lists of international pornographic sites,' the code lines shown above are code snippets that tell CYBERsitter (and Green Dam) how to handle word combinations when found in URLs, search queries, or page content," the report says.

Solid Oak has advised Dell and HP that they face legal liability if they comply with the Chinese government mandate and ship PCs with Green Dam.

The U.S. government last week lodged a formal protest of the Green Dam mandate. Chinese authorities did not respond directly. However, the Chinese Ministry of Health's decision on Friday to issue new anti-pornography rules affecting sex education sites suggests that Chinese authorities intend to resist public pressure.

Cyber Command: Observers worry about unintended consequences (FCW)

2009-06-28T15:58:00.002-04:00

Cyber Command: Observers worry about unintended consequences

http://fcw.com/articles/2009/06/25/cyber-command-dod-nsa.aspx

DOD, NSA offer formidable pairing, experts say

By John S. Monroe
Jun 25, 2009

The Defense Department's new U.S. Cyber Command is now the cybersecurity heavyweight in the government division, according to numerous media accounts.

Defense Secretary Robert Gates and other Defense Department officials have emphasized that the new organization, which will be commanded by the director of the National Security Agency (NSA), would have a clearly defined role: Protecting military networks and conducting offensive cyber operations against hostile forces (read GCN's news story here).

But the sheer size and importance of DOD's military operations have caused some observers to wonder about how big an effect the Cyber Command might have outside its own domain.

The Washington Post quotes analysts who say Gates announced the command in a memo, rather than in a speech, in an "effort to tamp down concerns that the Defense Department and the NSA will dominate efforts to protect the nation's computer networks."

The Post also offers up this tidbit:

"Is it going to be the dominant player by default because the Department of Homeland Security is weak and this new unit will be strong?" said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies. "That's a legitimate question, and I think DOD will resist having that happen. But there are issues of authorities that haven't been cleared up. What authorities does DOD have to do things outside the dot-mil space?"

Meanwhile, in Computerworld, Alan Paller, director of research at SANS Institute, wonders if the partnership between DOD and NSA could hamper other cybersecurity initiatives.

It is possible that the new command will "so militarize the Information Assurance Division of NSA" that it could harm the public-private partnerships that are important for security, he says. But otherwise, Paller considers the new command a "spectacular idea."

Other observers are concerned about the diplomatic ramifications of the taking military operations into cyberspace, according to the New York Times.

"I can't reiterate enough that this is not about the militarization of cyber," said Bryan Whitman, a DOD spokesman, in discussing Gates' order on Tuesday.

"This is an internal Department of Defense reorganization," Whitman said. "It is focused only on military networks to better consolidate and streamline Department of Defense capabilities into a single command."

Ex-DHS Cyber Chief Tapped as President of ICANN ((Wahington Post: Security Fix)

2009-06-28T15:53:00.002-04:00

Ex-DHS Cyber Chief Tapped as President of ICANN

http://voices.washingtonpost.com/securityfix/2009/06/ex-dhs_cyber_chief_tapped_as_p.html?wprss=securityfix

Former Department of Homeland Security cyber chief Rod A. Beckstrom has been tapped to be the new president of the Internet Corporation for Assigned Names and Numbers (ICANN), the California based non-profit, which oversees the Internet's address system.

Most recently, Beckstrom was director of the National Cyber Security Center -- an organization created to coordinate security efforts across the intelligence community. Beckstromresigned that post in March, citing a lack of funding and authority.

Beckstrom joins ICANN as the Internet governance body faces some of the most complex and contentious proposed changes to the Internet's addressing system in the organization's entire 11-year history. For example:

-- The United States is under considerable pressure to give up control over ICANN and turn it over to international supervision and management. ICANN currently operates under a Joint Project Agreement with the U.S. government, but that agreement is due to expire at the end of September.

-- Currently, there are 21 so-called "generic top-level domains," such as dot-com, dot-net, dot-biz, and dot-org. Under pressure from domain speculators and many businesses, ICANN is in now in the process of radically expanding the number of new gTLDs to include potentially hundreds more, to include things like brand names (e.g., dot-nike or dot-google), places (.e.g., dot-berlin or dot-ohio), or even sports franchises (e.g., dot-yankees). Intellectual property rights lawyers and some business groups have opposed expanding the number of gTLDs without first putting in place a system for addressing disputes over domains that could violate trademark rights.

-- ICANN is moving to implement so-called "internationalized domain names," which will allow the creation and display of domain names written in different alphabets and languages, such as domains featuring Chinese and Russian characters. IDNs are hardly controversial, but they do hold the potential to give scam artists like phishers a whole new way to trick people into visiting scam sites. Consider, for example, that the Cyrillic "a" and the Latin "a" may look alike to humans, but they are interpreted differently by machines. As a result a domain name registered by fraudsters that includes a mix of Cyrillic and Latin letters might look like a familiar brand when presented in a Web link, but lead to a counterfeit version of that brand's Web site designed to steal customer data.

Beckstrom was voted president of ICANN at the group's meeting in Sydney, Australia this week. On Thursday, I had the opportunity to speak via phone with Beckstrom about why he wanted this job, and what he hopes to do with it. Here are some excerpts from that interview:

BK: Congratulations on being picked.

Beckstrom: Thank you. You know, it's funny...I just got an e-mail from a friend who said he thought it would be hard to imagine me finding a more difficult job than running the NCSC [at DHS], but congratulating me on finding something even more impossible than that job [laughs].

BK: Yes. ICANN has a reputation for being difficult to manage and come to a consensus on even seemingly simple issues. Some people have likened it to herding cats. What made you want this job in the first place?

Beckstrom: Well, I've herded cats for a lot of my career. In fact, for 14 years, I ran CATS Software Inc., which had 35 Ph.Ds on the staff and two Nobel Prize winners on the board of directors, and let me tell you having that much brainpower in the shop is seriously like herding cats. So, maybe I have some experience there.

BK: What is your impression of ICANN and this process as you've watched the various communities coalesce down there for this week's meeting?

Beckstrom: I'm a bit overwhelmed by the tremendous complexity of issues on the table. This is perhaps the most complex, multi-stakeholder environment I've ever seen. So I have a great appreciation for that and a fascination with that, but I certainly wouldn't even claim to have a firm grasp on all of this yet. And that's one of the things I'll need to be learning as I grow into this role.

BK: Are there parallels between what you were doing at NCSC and this job?

Beckstrom: The NCSC was focused on developing good collaboration between very disparate parts of the U.S. government, and in terms of getting that human collaboration going, I feel we achieved some success there. At ICANN, there are some similar challenges: We have some very, very passionate stakeholder groups with very different interests. So, as a starfish guy this is kind of appealing.

[With the "starfish" reference, Beckstrom was making a clever plug for the book he co-authored in 2006, called "The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations." In it, Beckstrom and co-author Ori Brafman use the two creatures to illustrate their argument that decentralized organizations -- whether in the marketplace or the battlefield -- are more nimble, creative and resilient than those that operate in a rigid, top-down fashion.]

BK: What will be your top priorities as president of ICANN?

Beckstrom: The first step is to get to know the different communities involved, and after that to start understanding them. Then, I hope to be an effective agent or catalyst in assisting those portions of the communities that would like my involvement.

BK: As I'm sure you're aware, ICANN's decision to move forward on hundreds of new gTLDs has ruffled some feathers, particularly in the business and intellectual property communities. Critics of the current process say it's moving forward too quickly and that the new gTLDs are merely going to create a myriad of costly, legal headaches for brand owners, who will be forced to go out and register variations of their brand name in hundreds of new gTLDs to protect their brands. Are their concerns valid, and are they being addressed well enough?

Beckstrom: Having just spent the week here, I can tell you one of the prominent topics of debate were the intellectual property questions, with various parties proposing solutions. There are still different thoughts in the community: On the one hand, ICANN is receiving a lot of pressure from many companies around the world who want new gTLDs...who want them opened up and available. And others want reasonable mechanisms for some intellectual property review and process.

So, ICANN's role is to try to play a balancing role. ICANN doesn't have a firm position on what the solution is. ICANN is simply asking the global community of IP attorneys and others to develop the best possible solutions they can which can actually be implemented. But one of the solutions is not avoiding the gTLDs, because there's tremendous demand from all over the world to have those, and the number of companies who are opposing them appear to be a minority compared to those who think they should be out there and present.

BK: How would you like to see ICANN evolve over the next few years?

Beckstrom: I don't have any fixed opinions on that. What I hope ICANN will continue to do is to protect the globally unified, free, and open Internet. The Internet continues working as long as ICANN continues its support for the core address and naming functions. ICANN has done a superlative job of that often hidden and unappreciated function, which is vital.

BK: It is becoming clear that a large percentage of domains associated with cyber crime are in fact issued by domain registrars authorized to issue Web site names within so-called country code top-level domains (ccTLDs), such as the dot-cn ccTLD, maintained by China. Obviously, ccTLDs are administered by sovereign nations -- and therefore largely outside the governance of ICANN. But the international community's approach to tackling global malware outbreaks like the Conficker Worm, showed that more cooperation and collaboration is needed by ccTLDs if we are to get a hold on the cyber crime problem. What additional role does ICANN have to play here?

Beckstrom: National governments have a tremendous say about what occurs within their borders, and that's the reality of the world. But we're really pleased that we do have a Government Advisory Council with formal official delegates from 83 different countries. That's one of our most precious stakeholder groups that I know the board of ICANN listens to carefully. And the range of issues that are brought before that important group are likely to increase over time.

But, clearly a growing part of the community is increasingly concerned about security, and Conficker is a great example of a focused way in which ICANN can collaborate with the other community members and add value to solving a critical and timely problem. And I'd like to see a lot more of that to help build the organization so that it can be more effective in doing that knid of thing on many different fronts.

By Brian Krebs | June 26, 2009; 7:30 AM ET

New command at tip of DoD cyber spear, Lt. Gen. Alexander says (Federal News Radio)

2009-06-28T15:49:00.003-04:00

New command at tip of DoD cyber spear, Lt. Gen. Alexander says

By Jason Miller
Executive Editor
FederalNewsRadio

http://www.federalnewsradio.com/index.php?nid=35&sid=1705302

With Defense Secretary Robert Gates announcement Tuesday of the new cyber command, senior officials from all four branches reacted with a mixture of relief and expectation.

"There is an awful lot of confusion in this complex environment," says Maj. Gen. Greg Schumacher, assistant to the deputy chief of staff for the Army G-2. "What I'm most looking forward to is having a single voice to articulate definitions, roles, missions and how we will conduct the missions, and that will enable us to be far more efficient and effective than previously to conduct operations."

Maj. Gen. David Senty, the Air Force's acting vice commander of the provisional cyberspace command and commander of network operations, says the DoD-wide office will make policy and procedures more seamless and consistent across the military.

Navy Rear Admiral-select Sean Filipowski, director of computer network operations at the Network Warfare Command, says the new command will provide better command and control for cyberspace, and a single point of accountability to sort out DoD's cyber mission.

And finally Ray Letteer, the chief for the Marine Corps Information Assurance Division, says the cyber command provides a much needed authoritative voice in cyberspace.

"We have trained individuals and we know how to defend the network," he says. "To be able to have a clear delineation of a fire control cell to tell us when we are suppose to go hot and when we are suppose to not [will be good] . We do that with artillery and air power, I'm looking forward to see same type of thing in cyber domain."

These were some of the reactions of the panelists at the AFCEA Cybersecurity conference in Washington Thursday.

Lt. Gen. Keith Alexander, director of the National Security Agency, summed up the plans around the new cyber command, saying this was Gates's way of making cyberspace a priority for all of DoD.

"When you think about what don't we have, if the point of integration for those [cyber] functions is me, we are in a hurt," he says. "Where is the staff that brings it all together? [The command] integrates it seamlessly so that in DoD you can operate smoothly between your network operations, the defense, the exploit and the attack as you need to. And you have the rules of engagement laid out, and where is the staff to do that? We don't have the staff do that. The secretary of Defense is putting its commitment there. To the department, this is hugely important."

Alexander, who likely will be the head of the new subcommand, says the constant attack on DoD networks is overwhelming. He says there are 4,000 terrorist Web sites, and DoD's networks face 32,000 attacks a day from more than 100 countries.

"How do we defend our network?" he asks. "The way we've done it in the past, telling systems administrators to set patches and defense against what do know, but not against what we don't know, is not working."

Alexander says there is no common defense across DoD. The network operations and defense are stovepipes, left to defense themselves without enough capabilities.

"Step one is to put that together and come up with mechanisms to do it," he says. "Set up a real time capability to have tipping and cueing between those sensors that is a global cryptological system that is seeing bad things happen and [telling the] defensive folks who are out there."

He adds that the command's goal is to come up with the techniques and procedures to defend the network in an active way and build mechanisms for the services to plug into.

"We got to give the network operators the right security clearance so they can get the right level of threat," he says. "So they can see what that threat is and they know why they have to defend against them."

He says the services will operate their networks with the cyber command having visibility and ability to direct parts of them.

For this reason, Alexander says the cyber workforce across all of DoD must have the same knowledge and skills.

"We've got to have a common block of training for all people operate in cyberspace-for our defenders, our operators, our exploiters and our attackers," Alexander says. "We have to make sure everyone understands the basics of network operations: how defending, exploiting and attacking works together."

Alexander was clear that getting DoD's networks better secured is the command's foremost mission. He realizes DoD will work with the Homeland Security Department and industry to help secure .gov and .com networks, but the .mil domain needs to be addressed first.

"We are on a journey and this will be difficult because there is a lot we need to do to get these networks together," he says. "I'm optimistic about the future, about where we are going, what we can do, the capabilities we have."

Activists Use U.S. Tech to Poke Holes in Iran Firewall (Danger Room)

2009-06-27T19:19:00.002-04:00

Activists Use U.S. Tech to Poke Holes in Iran Firewall (Updated)

By Noah Shachtman
June 26, 2009 |
10:48 am |
Categories: DarpaWatch, Info War, Rogue States

Tehran's demonstrators rose up by themselves. But the technology that helped them organize — and helped them connect with the rest of the planet — was funded in part by the U.S. government.

Early in the pro-democracy protests, everyone made a big deal out of the State Department's call to Twitter, asking the short-messaging firm to reschedule maintenance so the Iranian opposition movement could keep communicating. In retrospect, that might have been one of least meaningful moves an American agency made on the activists' behalf. More important, it now appears, are the millions of dollars invested over the years in technologies that could pry open the Iranian firewall — and avoid the Supreme Leader's web censors.

"Our goal was to promote freedom of speech for Iranians to communicate with each other and the outside world. We funded and supported innovative technologies to allow them to do this via the Internet, cell phones and other media," former State Department Iran democracy program coordinator David Denehy tells Eli Lake of the Washington Times.

Forget the driven-by-DC mock-populism and the all-too-clever schemes; this is how America should be promoting democracy abroad. Give activists the tools — and then let them decide how and when to use 'em.

The Broadcasting Board of Governors (BBG), which oversees the Voice of America and the Farsi-language Radio Farda, has a three-person anti-censorship team that focuses on China and Iran. "Iran has a growing audience of young activist Internet users and we have repurposed our tools to work in Farsi and make it available to Iranians," BBG's Ken Berman says. "We open up the channels so the Iranian blogosphere is more accessible to Iranians in Iran."

One of those projects: design the Firefox Web browser to embed the TOR network. That's the "onion router" anonymous surfing service, which throws off the Supreme Leader's online goons by "distributing your transactions over several places on the Internet, so no single point can link you to your destination," the project's site explains. "The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going."

"There are plenty of programs political dissidents can use to route their Internet traffic through third parties and escape censorship and avoid monitoring," one know-it-all blogger tells Lake. "But TOR is different because it is an encrypted network of node after node, each one unlocking encryption to the next node. And because of this, it is all but impossible for governments to track Web sites a TOR user is visiting. TOR is a great way to give Ahmadinejad's Web censors headaches."

That onion routing approach was originally developed by the Naval Research Lab and by Darpa, the Pentagon's leading science and technology arm.

UPDATE: Slate's Farhad Manjoo, on the other hand, thinks all this tech has actually made it easier for the regime to repress the activists. "On Wednesday, a reader alerted the Lede to an Iranian government Web site called Gerdab.ir, where authorities had posted pictures of protesters and were asking citizens for help in identifying the activists. That's right—the regime is now using crowd-sourcing, one of the most-hyped aspects of Web 2.0 organizing, against its opponents. If you think about it, that's no surprise. Who said that only the good guys get to use the power of the Web to their advantage?"

U.S. Cyber Command: 404 Error, Mission Not (Yet) Found (Danger Room)

2009-06-27T19:15:00.002-04:00

U.S. Cyber Command: 404 Error, Mission Not (Yet) Found

By Noah Shachtman
June 26, 2009 |
4:57 pm |
Categories: Info War, Paper Pushers, Beltway Bandits, Politicians

Earlier this week, Defense Secretary Robert Gates ordered the military to start setting up a new "U.S. Cyber Command." It's a move that's been discussed in defense circles for more than a year. But despite the announcement — and despite the lengthy debate – no one in the military-industrial complex seems all that sure what this new fighting force is supposed to do, exactly.

Officially, the Pentagon still has a few months to figure things out. Gates told his troops in a Tuesday memo that they have until September 1st to come up with an "implementation plan" for the new command. But there's a ton to figure out in the next ten weeks. As Gates notes, that plan will have to "delineate USCYBERCOM's mission, roles and responsibilities," detail the command's "minimum requirements" to get up and running, and sort out its "relationships" with the rest of the military – and the rest of the government.

In other words, just about everything.

Let me paraphrase a series of conversations I've had this week with people working on this new command: Is CYBERCOM supposed to be a new fighting force, a glorified IT department, an intelligence agency, or what? Mmmmm, unclear, to be determined. If it's a fighting force, how much offense or defense will it play? To be determined. And what does cyber defense really mean, these days? TBD. If it's an intelligence agency, how far will the command go to protect civil liberties? To snoop on everyone, in the name of network security? TBD. TBD.

Further complicating matters is that CYBERCOM might significantly reorder how the Pentagon organizes its geek brigades. (Or not. That's TBD, too.) Each of the armed services already employs thousands of people to keep its data and communications networks flowing. The Defense Department already has an in-house shop, dedicated to building and maintaining its networks: the Defense Information Systems Agency, or DISA. It has also has a far-flung group of cybersnoops, counter-snoops, and network attackers; that would be the National Security Agency, or NSA.

How exactly all these agencies will combine — or whether they will combine at all — is one of the many CYBERCOM questions still left unanswered. (Another: what does a recent and classified National Intelligence Estimate on cyber security recommend.) But already, there's tough talk in and around the Pentagon of budgets being defended, and personnel being kept.

When the Air Force tried to establish a cyber command of its own, it touched off an internecine scramble within the service. None of the units wanted to surrender cash or crew to the new agency. A veteran of that fight predicts there will be a similiar fight, surrounding CYBERCOM. "They're gonna to look at the new command as a gigantic beast to be slain – the son of a bitch who's gonna take my money and my people," this former senior military official says. "The new command is gonna look at them and see — food."

One thing that is pretty clear: NSA will be leading this emerging command. Gates is recommending thatNSA Director Lt. Gen. Keith Alexander also become the head of the new network force — and get a fourth star. Gates is also suggests that the command set up its headquarters somewhere mighty convenient for Alexander: Ft. Meade, Marlyand, home of the NSA.

The clandestine agency — renown in the military for its geeky skills, and infamous among civil libertarians for its widespread monitoring of Americans' communications — may also come to dominate the wider government cyber defense effort, as well. Under the president's recently-announced (and also pretty vague) network protection plan, the Department of Homeland Security is theoretically responsible for coordinating the network defense of the civilian government, and of the country's critical infrastructure. But DHS doesn't have nearly the technical brains or the financial brawn of the Defense Department and the NSA. Just look at the two departments' budgets for next year. As the Wall Street Journal notes, the Pentagon is planning to train "more than 200 cyber-security officers annually. By comparison, the Department of Homeland Security has 100 employees dedicated to civilian cyber security, with plans to reach 260 next year."

Which is why Homeland Security chief Janet Napolitano says that "NSA will provide technical assistance, both to DOD [Department of Defense] and to us."

"That is the structure of the cyber policy plan that the president announced, so we absolutely intend to use the technical resources, the substantial ones that NSA has," she tells Danger Room.

Alexander has said explicitly that he does "not want to run cyber security for the United States government." But could that wind up happening away — throwing a cloak of secrecy over all of network defense? TBD.

Harris Corp. expert panel: Cyber-czar faces bureaucracy, other big obstacles ahead (Orlando Sentinel)

2009-06-25T20:46:00.002-04:00

Harris Corp. expert panel: Cyber-czar faces bureaucracy, other big obstacles ahead

By Richard Burnett

Sentinel Staff Writer

http://www.orlandosentinel.com/business/orl-biz-harris.cyberczar-062509,0,2955086.story

The nation's new federal "cyber-czar" will face serious obstacles to solving the nation's information technology problems, but the Obama administration is making a smart move in creating that position, experts said this week at a national press forum sponsored by Melbourne-based Harris Corp.

Entrenched bureaucracy, unclear authority and the fast pace of change in technology are just a few of the challenges ahead for the new top-level cyber-administrator, an expert panel told reporters at the National Press Club in Washington, D.C.

"I think the administration has taken the appropriate first step," said Dale Meyerrose, Harris Corp.'s top cyberspace executive and a former senior intelligence technology officer for the federal government. "They have acknowledged that the status quo is unacceptable and are setting priorities."

But it could take years to overcome the government's entrenched bureaucracy and get a real handle on problems that have developed over the years, the experts agreed.

"There are a lot of competing interests," said former Congressman Tom Davis, now director of federal government affairs for the Deloitte LLP consulting firm. "Key questions will be how much authority the coordinator has and how they will deal with the stovepipes and with getting legislative initiatives through Congress, where everyone will want to have a say."

One of the biggest issues for the cyber-czar will be the relative lack of authority that any "rookie" bureaucrat faces, said James Bamford, a journalist and author of books on cyberspace. As currently defined, the position has no real power or budget, which could make the cyber-czar subordinate to the director of the National Security Agency, who heads the Pentagon's new cyber-command, Bamford said.

"That would present quite a dilemma in terms of public civil liberties," he said. "I'd be much happier to see a very powerful person in charge of the cyber activity with a deputy from the civil liberties side of the spectrum. I also worry about the hype factor regarding vulnerabilities and would like to see the danger rhetoric toned down a bit."

Melbourne-based Harris Corp. sponsored the event as part of its cyber-security business development. The company recently expanded its security technology business by acquiring Crucial Security Inc., a key player in cyberspace solutions for law enforcement and intelligence agencies.

Cyber-security strategy launched (BBC)

2009-06-25T09:33:00.002-04:00

Cyber-security strategy launched

By Gordon Corera
BBC Security Correspondent

http://news.bbc.co.uk/2/hi/uk_news/politics/8118348.stm

Britons face a growing online threat from criminals, terrorists and hostile states, according to the UK's first cyber security strategy.

Businesses, government and ordinary people are all at risk, it says.

The strategy has been published alongside an updated, wider National Security Strategy.

Its publication is a sign of the growing recognition within government of the need to bolster defences against a growing threat.

In line with a wider focus within the National Security Strategy on not just protecting the state but also citizens, the cyber-strategy encompasses protecting individuals from forms of fraud, identity theft and e-crime committed using technology as well as defending government secrets and businesses.

'Attack capability'

Launching the strategy, cyber security minister Lord West said: "We know that various state actors are very interested in cyber warfare. The terrorist aspect of this is the least (concern), but it is developing."

He warned that future targets could include key businesses, the national power grid, financial markets and Whitehall departments.

He said: "We know terrorists use the internet for radicalisation and things like that at the moment, but there is a fear they will move down that path (of cyber attacks).

"As their ability to use the web and the net grows, there will be more opportunity for these attacks."

He confirmed that the UK government has already faced cyber attacks from foreign states such as Russia and China.

But he denied that hackers had successfully broken into government systems and stolen secret information.

He also said he could not deny that the government had its own online attack capability, but he refused to say whether it had ever been used.

"It would be silly to say that we don't have any capability to do offensive work from Cheltenham, and I don't think I should say any more than that."

'Missed opportunity'

Among those the government has turned to for help on cyber crime are former illegal hackers, Lord West added.

He said the government listening post GCHQ at Cheltenham had not employed any "ultra, ultra criminals" but needed the expertise of former "naughty boys" he said.

"You need youngsters who are deep into this stuff... If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys," he said.

Dame Pauline Neville-Jones, for the Conservatives, called the strategy was a "missed opportunity".

"It is impossible to know how significant these announcements are because we do not know what funding will be made available to enhance our ability to tackle cyber threats. It is also not clear how these new cyber security structures fit into the existing national security machinery."

Her colleague in the Commons, Crispin Blunt, called it a "pale imitation" of an initiative launched by US President Barack Obama.

Lib Dem home affairs spokesman Tom Brake said: "This new cyber security strategy could lead to an extension of the Government's invasive counter-terrorism powers which already pose significant threats to our civil liberties.

"The cyber security strategy uses broad, undefined terms that risk creating panic among the public and a demand for further government powers. We must not retreat into a Cold War mentality."

'Forensics'

Officials said e-crime crime is estimated to costs the UK several billion pounds a year.

Two new bodies will be established in the coming months as part of the strategy.

A dedicated Office of Cyber Security in the Cabinet Office will co-ordinate policy across government and look at legal and ethical issues as well as relations with other countries.

The second body will be a new Cyber Security Operations Centre (CSOC) based at GCHQ.

This will bring people together from across government and from outside to get a better handle on cyber security issues and work out how to better protect the country, providing advice and information about the risks.

"CSOC's aim will be to identify in real time what type of cyber attacks are taking place, where they come from and what can be done to stop them", according to a Whitehall security official.

Experts say the "forensics" of detecting who is behind a cyber attack and attributing responsibility remains extremely difficult.

Officials said it would require input from those who had their own expertise in hackers. "We need youngsters," an official said.

The range of potentially hostile cyber activity - from other states seeking to carry out espionage through criminal gangs to terrorists - is daunting.

Critical information

At one end of the spectrum, military operations - such as Russia's conflict with Georgia last year - are now accompanied by attacks on computer systems.

The UK's critical national infrastructure is also more reliant on technology than it was even five years ago and terrorists who have used the internet for fundraising and propaganda are also believed to have the intent - if not yet the capability- to carry out their own cyber-attacks.

Officials declined to give a figure of how many attacks on government computer networks take place each day.

In a speech in 2007, the head of MI5, Jonathan Evans, explicitly mentioned Russia and China in the context of a warning that that "a number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense. They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks."

Officials said they were not aware of any "key pieces of information" that had gone missing yet but said that British companies had lost critical information.

The new Cyber Security Operations Centre will work closely with the designated parts of the critical national infrastructure and wider industry and officials say that business are keen for the government to take a lead but also share as much information as possible.

US President Barack Obama has been carrying out a similar re-organisation for defending US computer networks and British officials said the two countries were co-ordinating closely not least because of the intimate relationship between GCHQ and its US equivalent.

British officials believe that their government systems may also have fewer vulnerabilities than their US counterparts partly because they moved online later and have fewer connections between the internal government system and the rest of cyberspace to monitor.

Officials in the US and UK are also thought to be working on forms of offensive cyber-warfare capability but officials are unwilling to go into any details of what this might involve.

Gates approves creation of new cyber command (AF Times)

2009-06-24T15:05:00.002-04:00

Gates approves creation of new cyber command

Air Force Times, 23 June 2009

Lolita C. Baldor

WASHINGTON — Defense Secretary Robert Gates formally ordered the creation Tuesday of a new military cyber command that will coordinate the Pentagon's efforts to defend its networks and conduct cyberwarfare.

A three-page memo signed by Gates orders U.S. Strategic Command to begin plans to set up a subcommand and be prepared to provide an implementation plan by Sept. 1, and begin initial operation no later than October.

Officials have said the new command would be located at Fort Meade in Maryland, just north of Washington, and would be fully ready to go by the end of next year. Gates said in his memo that he is recommending that the director of the National Security Agency, currently Lt. Gen. Keith Alexander, be tapped to lead the command, in a dual role with his current responsibilities. That job would be upgraded to a four-star general slot.

"Our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security," Gates said in the memo, which was obtained by The Associated Press.

He added that the new command "must be capable of synchronizing war fighting effects across the global security environment as well as providing support to civil authorities and international partners."

While the reorganization is just beginning, one senior defense official said the command is not expected to be very large. It would likely involve hundreds, rather than thousands of employees, the official said, speaking on condition of anonymity to discuss internal decisions.

The low-key launch of the new military unit reflects the Pentagon's fear that the military might be seen as taking control over the nation's computer networks.

Creation of the command, said Deputy Defense Secretary William Lynn at a recent meeting of cyber experts, "will not represent the militarization of cyberspace."

Lynn said the focus of the command will be on the military's 15,000 networks and its 7 million computers, noting that commanders depend on those systems in battle. The military, he said, needs to be able to respond to any intrusion or attack "at network speed."

Rep. Howard "Buck" McKeon, ranking Republican on the House of Representatives Armed Services Committee, said he was pleased with the move to increase the military's capabilities in cyberspace, and he urged the Pentagon to work with lawmakers as plans progress. House and Senate members have been working on legislation aimed at bolstering the nation's cyber coordination.

Pentagon officials have stressed in recent weeks that the cyber command will not infringe on the Department of Homeland Security, which is the lead agency for other federal digital systems.

President Barack Obama has announced plans to name a cyber coordinator for the White House, in order to coordinate better the nation's efforts to protect critical computer networks and work more closely with private industry, which owns or controls key financial, electrical and other systems.

The United States, Obama said this month, is not as prepared as it should be to face threats of cyber espionage or other attacks.

Government and military officials have acknowledged that U.S. computer networks are constantly assailed by attacks and scans, ranging from nuisance hacking to more nefarious probes and attacks. Some suggest that the actions at times are a form of cyber espionage from other nations, among them China.

Officials disclosed this year an attack against the electrical grid, and computers at the Pentagon were infected by a virus.

Gates Creates Cyber-Defense Command (Washington Post)

2009-06-24T15:02:00.002-04:00

Gates Creates Cyber-Defense Command

Washington Post, 24 June 2009

Ellen Nakashima

Defense Secretary Robert M. Gates issued an order yesterday establishing a command that will defend military networks against computer attacks and develop offensive cyber-weapons, but he also directed that the structure be ready to help safeguard civilian systems.

In a memo to senior military leaders, Gates said he will recommend that President Obama designate that the new command be led by the director of the National Security Agency, the world's largest electronic intelligence-gathering agency. The current NSA director, Lt. Gen. Keith B. Alexander, is expected to be awarded a fourth star and to lead the cyber-command.

Gates or his deputy had been expected to announce the command in a speech a week ago. Analysts said making the announcement by memo is in keeping with the Pentagon's effort to tamp down concerns that the Defense Department and the NSA will dominate efforts to protect the nation's computer networks.

"Is it going to be the dominant player by default because the Department of Homeland Security is weak and this new unit will be strong?" said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies. "That's a legitimate question, and I think DoD will resist having that happen. But there are issues of authorities that haven't been cleared up. What authorities does DoD have to do things outside the dot-mil space?"

The command will be set up as part of the U.S. Strategic Command, which is responsible for commanding operations in nuclear and computer warfare. Gates directed that the command be launched by this October and be fully operational by October 2010.

In a speech last week, Deputy Defense Secretary William Lynn stressed that the command's mission would be to defend military networks. However, he said, "it would be inefficient -- indeed, irresponsible -- to not somehow leverage the unrivaled technical expertise and talent that resides at the National Security Agency" to protect the federal civilian networks, as long as it is done in a way that protects civil liberties.

Military Command Is Created For Cyber Security (Wall Street Journal)

2009-06-24T15:00:00.002-04:00

Military Command Is Created For Cyber Security

Wall Street Journal, 24 June 2009

Siobhan Gorman and Yochi Dreazen

WASHINGTON -- Defense Secretary Robert Gates created a new military command dedicated to cyber security on Tuesday, reflecting the Obama administration's plans to centralize and elevate computer security as a major national-security issue.

In a memo to senior Pentagon officials, Mr. Gates said he intends to recommend that Lt. Gen. Keith Alexander, director of the National Security Agency, take on the additional role as commander of the Cyber Command with the rank of a four-star general.

The decision follows President Barack Obama's announcement last month that he will establish a new cyber-security office at the White House, whose chief will coordinate all government efforts to protect computer networks. The Pentagon initiative will reshape the military's efforts to protect networks from attacks by hackers, especially those from China and Russia. It also consolidates the largest concentration of cyber warriors and investigators in the government under one military command, exacerbating concerns of some experts who worry about military control of civilian computer systems.

The new command will at least initially be part of the Pentagon's Strategic Command, which is responsible for computer-network security and other missions. The command is meant to begin working by October and to be fully operating by October 2010.

In announcing its creation, defense officials took pains to stress it would focus solely on military networks. The Pentagon has been defending against outside suggestions that military personnel could be monitoring civilian computer networks.

"This is an internal reorganization," said Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman. "It's about the department improving its focus on military networks to better consolidate and streamline [Pentagon] cyber capabilities into a single command."

The Pentagon, which is already receiving the vast majority of new government spending on cybersecurity, has thousands of cyber warriors, many of whom are expected to be housed under the new command, which is likely to be next door to the NSA's Ft. Mead, Md., campus, according to Mr. Gates's memo. Mr. Gates's 2010 budget envisions training and graduating more than 200 cyber-security officers annually.

By comparison, the Department of Homeland Security has 100 employees dedicated to civilian cyber security, with plans to reach 260 next year.

Rod Beckstrom, former chief of the National Cyber Security Center, which is charged with coordinating cyber-security activities across the U.S. government, quit in March, warning in his resignation letter that the growing reliance on the NSA was a "bad strategy" that poses "threats to our democratic processes."

Homeland Security officials said they are still responsible for protecting all civilian networks, though a department spokeswoman declined to speak specifically about the Cyber Command.

"It is the view in the White House that the Department of Homeland Security will continue to play an absolutely essential role in the protection of America's cyber infrastructure," said Rand Beers, who was nominated to be Homeland Security's undersecretary overseeing cybersecurity, at his confirmation hearing this month.

Maren Leed, a cyber-security expert at the Center for Strategic and International Studies, said the military's closed computer networks could make it easier for the new command to focus solely on Pentagon systems.

Ms. Leed, a Pentagon special assistant on cyber operations from 2005 to 2008, said the narrow focus could leave vital national networks still vulnerable to outside attacks and intrusions.

"The question is whether the DoD protecting its own networks is sufficient to protect our national-security imperatives, and I would say no," she said. "The overwhelming majority of cyber traffic isn't on government networks."

Iranian Traffic Engineering (Arbor Networks)

2009-06-23T20:24:00.003-04:00

Iranian Traffic Engineering

by Craig Labovitz

http://asert.arbornetworks.com/2009/06/iranian-traffic-engineering/

The outcome of the Iranian elections now hangs in the balance and perhaps, also on the availability of the Internet (or at least Twitter and Facebook according to the US State Department).

Based on significant Internet engineering changes over the last week, the Iranian government seems to agree…
While other countries (e.g. Burma in 2007) completely unplugged the country during political unrest, Iran has taken a decidedly different tact.

Before going further, I should note that we have no direct insight into Iranian political machinations nor telecommunications policy. But the 100 ISPs participating in the Internet Observatory provide some interesting hints on how the Iranian government may hope to control Internet access.

The state owned Data communication Company of Iran (or DCI) acts as the gateway for all Internet traffic entering or leaving the country. Historically, Iranian Internet access has enjoyed some level of freedom despite government filtering and monitoring of web sites.

In normal times, DCI carries roughly 5 Gbps of traffic (with a reported capacity of 12 Gbps) through 6 upstream regional and global Internet providers. For the region, this represents an average level of Internet infrastructure (for purposes of perspective, a mid size ISP in Michigan carries roughly the same level of traffic).

Then the Iranian Internet stopped.
One the day after the elections on June 13th at 1:30pm GMT (9:30am EDT and 6:00pm Tehran / IRDT), Iran dropped off the Internet. All six regional and global providers connecting Iran to the rest of the world saw a near complete loss of traffic.

The below graph shows Iranian Internet traffic through Iran's six upstream providers.

`Note: All data comes from analysis of Internet Observatory anonymous ASPath traffic statistics from which we infer upstream ISP traffic. Also a few caveats — Iranian traffic is such a small part of global Internet traffic levels that the Observatory data is fairly noisy. We used a number of standard statistical approaches to normalize the sampled dataset.`

As noted earlier, Iran normally sees around 5 Gbps of traffic with typical diurnal and weekly curves (though Iran sees dips both on Iranian weekend of Thurs / Friday as well as during western Sat / Sun weekends). From the view of the Observatory, most Internet traffic to Iran goes through Reliance (formerly Flag) Telecom, the major Asia Pacific region underseas cable operator. Singtel, a major pan-Asian provider and Türk Telekom also provide significant transit.

Initially, DCI severed most of the major transit connections into Iran. Within a few hours, a trickle of traffic returned across TeliaSonera, Reliance and SignTel — all well under 1 Gbps.
The below graph shows a zoomed in view of the outage and earlier graph.

As of 6:30am GMT June 16, traffic levels returned to roughly 70% of normal with Reliance traffic climbing by more than a Gigabit.

So what is happening to Iranian traffic?
I can only speculate. But DCI's Internet changes suggest piecemeal migration of traffic flows. Typically off the shelf / inexpensive Internet proxy and filtering appliances can support 1 Gbps or lower. If DCI needed to support higher throughput (say, all Iranian Internet traffic), then redirecting subsets of traffic as the filtering infrastructure comes online would make sense.

Unlike Burma, Iran has significant commercial and technological relationships with the rest of the world. In other words, the government cannot turn off the Internet without impacting business and perhaps generating further social unrest. In all, this represents a delicate balance for the Iranian government and a test case for the Internet to impact democratic change.

Events are still unfolding in Iran, but some reports are saying the Internet has already won.

Tom Davis Doesn't Want Cyber Czar Job (National Journal)

2009-06-23T20:17:00.002-04:00

TUESDAY, JUNE 23, 2009

Tom Davis Doesn't Want Cyber Czar Job

http://techdailydose.nationaljournal.com/2009/06/tom-davis-doesnt-want-cyber-cz.php

Former Rep. Tom Davis, R-Va., said Tuesday that he does not want the job of President Obama's cybersecurity coordinator despite recent rumblings that he was one of the top contenders for the position. "If I'd wanted to stay in government, I would have stayed in Congress," he said at a National Press Club briefing. "I don't have any real interest in going back." Davis joined the federal services team of consulting firm Deloitte last year after serving as chairman and ranking member of the House Government Reform Committee where he took the lead on legislation aimed at improving e-government, information security and critical infrastructure. When pressed further by reporters, Davis said he was "not a candidate for anything... [but] you never say never." He has maintained his departure from public service is only a sabbatical.

His main concern with the cyber czar position, which Obama described on the campaign trail and formally announced last month in conjunction with a wide-sweeping report that examined the federal cybersecurity posture, is the job description remains vague. Davis said it is unclear what the position would entail and how much authority the individual, who would report jointly to the National Security Council and National Economic Council, would have. "For this job to work you'd better get some understandings up front," he said. Davis lauded Obama for recognizing the need for a strong cybersecurity leader but said he thinks the administration has brought on too many czars. Melissa Hathaway, a senior adviser to Director of National Intelligence Dennis Blair, is potential candidate. Former Microsoft security chief Howard Schmidt's name has also come up.

Author James Bamford, who has written extensively about intelligence agencies, said he thinks the cyber coordinator is too low-level a post under Obama's plan and he finds it hard to believe the individual will have the president's ear. A former congressman would the perfect candidate for the job because he or she could "break through bureaucracy" but a powerful figure would not be keen on being so far down the chain of command. Retired Air Force Maj. Gen. Dale Meyerrose, now a vice president at Harris Corp., said the most encouraging aspect of the White House cyber report and Obama's remarks is that both made clear the status quo is unacceptable. The paper has 45 major implied tasks in nearly a half-dozen categories but Meyerrose warned: "You can't have 45 priority number ones."

Gates approves creation of new cyber command (Businessweek)

2009-06-23T20:12:00.002-04:00

Gates approves creation of new cyber command

By LOLITA C. BALDOR

http://www.businessweek.com/ap/financialnews/D990IJJG1.htm

WASHINGTON

Defense Secretary Robert Gates has formally ordered the creation of a new military cyber command that will coordinate the Pentagon's efforts to defend its networks and conduct cyberwarfare.

A memo signed by Gates on Tuesday asks that U.S. Strategic Command begin plans to set up a subcommand and be prepared to provide a proposal by the fall.

Officials have said the new command would be located at Fort Meade in Maryland, and would be ready to go by the end of next year.

The low-key launch of the new military unit reflects the Pentagon's worry that the military not be seen as taking control over the nation's computer networks.

Cyber Security Czar Front-Runner No Friend of Privacy (Threat Level)

2009-06-23T20:09:00.002-04:00

Cyber Security Czar Front-Runner No Friend of Privacy

By Ryan Singel
June 22, 2009 |
7:57 pm

http://www.wired.com/threatlevel/2009/06/cyber_privacy/

Former Republican Congressman Tom Davis, reportedly President Barack Obama's top candidate for cyber security czar, voted repeatedly to expand the government's internet wiretapping powers, and helped author the now-troubled national identification law known as REAL ID.

Citing White House sources, Time magazineon Friday identified the the former head of the Government Reform Committee as the president's number one candidate for the new position. Davis' reputation as a tech-smart moderate who knows his way around D.C. makes him an attractive pick for the administration, the magazine reported.

But an examination of Davis' record in Congress shows that he's been on the wrong side of key privacy issues, including the controversial REAL ID Act, which aims to turn state driver's licenses into a de facto national identification card linked by shared databases and strict federal authentication standards.

"Given his role in REAL ID, Tom Davis would not be a good choice for privacy, which is something that President Obama specifically promised to protect in his remarks on the cyber security strategy," says Jim Harper, the director of information policy studies at the libertarian Cato Institute. "Many cyber security planners refer obliquely to 'authentication' and 'identity management' programs that would devastate privacy, anonymity and civil liberties. Davis would probably work to roll past these issues rather than solve them."

The creation of a federal "identity management" program is one recommendation in the broad cyber security report published by the White House last month, although the report makes no specific proposals on implementing an internet I.D. card.

If picked as cyber security czar, Davis would be given the difficult and sensitive task of coordinating a government-wide strategy to secure the government's computer networks — as well as help secure the wider internet. That's a job fraught with perils ranging from inter-agency disputes over territory, and significant issues about what the government's role should be in improving security on the internet at large.

Davis, who served seven terms representing Virginia's high tech district, was known as an outspoken moderate in an increasingly base-oriented Republican party. He declined to run for re-election in 2008.

In announcing the creation of the new position last month, Obama stressed that privacy was key to the government's cyber security efforts. But Davis' most notable action on privacy was his failed attempt to undo a measure that put a chief privacy officer in every major government agency.

The ACLU's legislative scorecard on Davis shows he disagrees with that group on many privacy matters.

For instance, he voted consistently to give the government wide latitude to wiretap the internet and spy on Americans' communications. That program, including the NSA's massive database of emails known as "Pinwale," made news recently again when The New York Times reported that the NSA examined Americans' domestic e-mails without authority.

That track record would not put Davis out of the running with Obama, who, after winning his party's nomination, embraced expanded government wiretapping powers, and voted to extend retroactive legal immunity to the telecom companies that helped the Bush's administration's secret spying.

Last summer, Davis joined with then-senator Obama, a wide swath of centrist Democrats, to legalize the Bush program, granting the NSA the right to gather billions of communications records of foreigners and Americans, and read Americans' international communications without warrants. The law includes the caveat that if a particular U.S. person is targeted, the government must get court approval.

But Davis could excel in a new role as cyber security czar, says Marc Rotenberg, who heads the Electronic Privacy Information Center.

"He's a good pick," Rotenberg says.

Davis gets things done, supports bipartisanship, and comes from a civilian and industry background, rather than from the shady intelligence world, according to Rotenberg.

"[It's] much easier for a former House chairman to stand up to the Director of National Intelligence and the NSA than some of the other candidates," Rotenberg says.

That will be important going forward. Bush went through a succession of so-called cyber-security czars, who found they were either powerless or stuck in bureaucratic battles they could not win.

But Rotenberg's organization has not always been a fan of Davis.

After 9/11, Davis pushed for changes to open government laws that created an even larger shield for information that private companies gave to the government. Specifically, Davis won protections for companies that run critical infrastructure — such as railroads and chemical plants — allowing them to tell the Department of Homeland Security about dangerous practices without the fear that the public could petition to see the information.

David Sobel, a Freedom of Information Act attorney, testified against that provision in 2002, when he worked for Rotenberg at EPIC.

"We are discussing the desire of private companies to keep secret potentially embarrassing information at a time when the disclosure practices of many in the business world are being scrutinized," Sobel said, referring to the overstated corporate profits that were being discovered in 2002. "If a company is willing to fudge its financial numbers to maintain its stock price, what assurance would we have that it was not hiding behind a 'critical infrastructure' FOIA exemption in order to conceal gross negligence in its maintenance and operation of a chemical plant or a transportation system?"

Davis did not return a call to his office at the consulting firm Deloite.

A White House spokesman declined to comment on Davis, saying only that "no decision has been made yet, so any reporting of anyone being offered the job is not accurate."

Cyber-Scare (Boston Review)

2009-06-23T16:14:00.002-04:00

Evgeny runs the net.effect blog at Foreign Policy.

Cyber-Scare

The exaggerated fears over digital warfare

Evgeny Morozov

http://www.bostonreview.net/BR34.4/morozov.php

The age of cyber-warfare has arrived. That, at any rate, is the message we are now hearing from a broad range of journalists, policy analysts, and government officials. Introducing a comprehensive White House report on cyber-security released at the end of May, President Obama called cyber-security "one of the most serious economic and national security challenges we face as a nation." His words echo a flurry of gloomy think-tank reports. The Defense Science Board, a federal advisory group, recently warned that "cyber-warfare is here to stay," and that it will "encompass not only military attacks but also civilian commercial systems." And "Securing Cyberspace for the 44th President," prepared by the Center for Strategic and International Studies, suggests that cyber-security is as great a concern as "weapons of mass destruction or global jihad."

Unfortunately, these reports are usually richer in vivid metaphor—with fears of "digital Pearl Harbors" and "cyber-Katrinas"—than in factual foundation.

Consider a frequently quoted CIA claim about using the Internet to cause widespread power outages. It derives from a public presentation by a senior CIA cyber-security analyst in early 2008. Here is what he said:

We have information, from multiple regions outside the United States, of cyber-intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber-attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.

So "there is information" that cyber-attacks "have been used." When? Why? By whom? And have the attacks caused any power outages? The CIA may have some classified information, but very little that is unclassified suggests that such cyber-intrusions have occurred.

Or consider an April 2009 Wall Street Journal article entitled "Electricity Grid in U.S. Penetrated By Spies." The article quotes no attributable sources for its starkest claims about cyber-spying, names no utility companies as victims of intrusions, and mentions just one real cyber-attack, which occurred in Australia in 2000 and was conducted by a disgruntled employee rather than an external hacker.

It is alarming that so many people have accepted the White House's assertions about cyber-security as a key national security problem without demanding further evidence. Have we learned nothing from the WMD debacle? The administration's claims could lead to policies with serious, long-term, troubling consequences for network openness and personal privacy.

Cyber-security fears have had, it should be said, one unambiguous effect: they have fueled a growing cyber-security market, which, according to some projections, will¬†grow twice as fast as the rest of the IT industry. Boeing, Raytheon, and Lockheed Martin, among others, have formed new business units to tap increased spending to protect U.S. government computers from cyber-attacks. Moreover, many former government officials have made smooth transitions from national cyber-security policy to the lucrative worlds of consulting and punditry. Speaking at a recent conference in Washington, D.C., Amit Yoran—a former cyber-security czar in the Bush administration and currently the C.E.O. of NetWitness, a cyber-security start-up—has called hacking a national security threat, adding that "cyber-9/11 has happened over the last ten years, but it's happened slowly, so we don't see it." One way for the government to protect itself from this cyber-9/11 may be to purchase NetWitness's numerous software applications, aimed at addressing both "state and non-state sponsored cyber threats."

From a national security perspective, cyber-attacks matter in two ways. First, because the back-end infrastructure underlying our economy (national and global) is now digitized, it is subject to new risks. Fifty years ago it would have been hard—perhaps impossible, short of nuclear attack—to destroy a significant chunk of the U.S. economy in a matter of seconds; today all it takes is figuring out a way to briefly disable the computer systems that run Visa, MasterCard, and American Express. Fortunately, such massive disruption is unlikely to happen anytime soon. Of course there is already plenty of petty cyber-crime, some of it involving stolen credit card numbers. Much of it, however, is due to low cyber-security awareness by end-users (you and me), rather than banks or credit card companies.

Second, a great deal of internal government communication flows across computer networks, and hostile and not-so-hostile parties are understandably interested in what is being said. Moreover, data that are just sitting on one's computer are fair game, too, as long as the computer has a network connection or a USB port. Despite the "cyber" prefix, however, the basic risks are strikingly similar to those of the analog age. Espionage has been around for centuries, and there is very little we can do to protect ourselves beyond using stronger encryption techniques and exercising more caution in our choices of passwords and Wi-Fi connections.

To be sure, there is a war-related caveat here: if the military relies on its own email system or other internal electronic communications, it is essential to preserve this capability in wartime. Once more, however, the concern is not entirely novel; when radio was the primary means of communication, radio-jamming was also a serious military concern; worries about radio go back as far as the Russo-Japanese War of 1904-1905.

Before accepting the demands of government agencies for new and increased powers, we should look more closely at well-defined dangers.

The ultimate doomsday scenario—think Live Free or Die Hard—could involve a simultaneous attack on economic e-infrastructure and e-communications: imagine al Qaeda disabling banks, destroying financial data, disrupting networks, and driving the American economy back to the nineteenth century. This certainly sounds scary—almost as scary as raptors in Central Park or a giant asteroid heading toward the White House. The latter two are not, however, being presented as "national security risks" yet.

There are certainly genuine security concerns associated with the Internet. But before accepting the demands of government agencies for new and increased powers to fight threats in cyberspace and prepare for cyber-warfare, we should look more closely at well-defined dangers and ask just where existing technological means and legal norms fall short. Because the technologies are changing so quickly, we cannot expect definitive answers. But cyber-skeptics—who argue that cyber-warfare is still more of an urban legend than a credible hazard—appear to be onto something important.

One kind of cyber-security problem grows out of resource scarcity. A network has only so much bandwidth; a server can serve only so much data at one time. So if you want to disable (or simply slow down) the computer backbone of a national economy, for example, you need to figure out how to reach its upper limit.

It would be relatively easy to protect against this problem if you could cut your computer or network off from the rest of the world. But as the majority of governmental and commercial services have moved online, we expect them to be offered anywhere; Americans still want to access their online banking accounts at Chase even if they are travelling in Africa or Asia. What this means in practice is that institutions typically cannot shut off access to their online services based on nationality of the user or the origin of the computer (and in the case of news or entertainment sites, they do not want to: greater access means more advertising income).

Together, these limitations create an opportunity for attackers. Since no one, not even the U.S. government, has infinite computer resources, any network is potentially at risk.

Taking advantage of this resource scarcity could be an effective way of causing trouble for sites one does not like. The simplest—and also the least effective—way of doing this is to visit the URL and hit the "reload" button on your browser as often (and for as long) as you can. Congratulations: you have just participated in the most basic kind of "denial-of-service" (DoS) attack, which aims to deny or delay the delivery of online services to legitimate users. These days, however, it would be very hard to find a site that would suffer any noticeable damage from such a nuisance; what is missing from your cyber-guerilla campaign is scale.

Now multiply your efforts by a million—distribute your attacks among millions of other computers—and this could be enough to cause headaches to the administrators of many Web sites. These types of attacks are known as "distributed denial-of-service" or DDoS attacks. Administrators may be able to increase their traffic and bandwidth estimates and allocate more resources. Otherwise they have to live with this harassment, which may disable their Web site for long periods.

DDoS attacks work, then, by making heavier-than-normal demands on the underlying infrastructure, and they usually cause inconvenience rather than serious harm. Not sure how to do it yourself? No problem: you can buy a DDoS attack on the black market. Try eBay.

In fact, your own computer may well be participating in a DDoS attack right now. You may, for example, have inadvertently downloaded a trojan—a hard-to-detect, tiny piece of software—that has allowed someone else to take control of your machine, without obvious effect on your computer's speed or operations. Some computer experts put the upper limit of infected computers as high as a quarter of all computers connected to the Internet.

Because a single computer is inconsequential, the infected computers form "botnets"—nets of robots—that can receive directions from a command-and-control center—usually just another computer on the network with the power to give commands. What makes the latest generation of botnets hard to defeat is that every infected computer can assume the role of the command-and-control center: old-fashioned methods of decapitation do not work against such dispersed command-and-control. Moreover, botnets are strategic: when network administrators try to block the attacks, botnets can shift to unprotected prey. Commercial cyber-security firms are trying to keep up with the changing threats; thus far, however, the botnets are staying at least one step ahead.

DDoS threats have been far more commercial than political. The driving force has been cyber-gangs (many of them based in the former Soviet Union and Southeast Asia) which are in the extortion business. They find a profitable Internet business that cannot afford downtime and threaten to take down its Web site(s) with DDoS attacks. The online gambling industry—by some estimates, a $15-billion-a-year business—is a particularly appealing target because it is illegal in the United States: it cannot seek protection and take advantage of robust U.S. communications infrastructure. Thus, administrators of popular gambling sites commonly receive threats of DDoS attacks and demands for $40,000-$60,000 to "protect" the sites from attacks during peak betting periods (say, before big sporting events such as the Super Bowl). Many legitimate businesses fall victim to cyber-extortion, too. Since it is better to dole out a little cash to stop future attacks than to deal with the PR fallout—and possible drop in stock prices—that usually follows cyber-attacks, cyber-crime is underreported and underprosecuted.

The risks to online freedom of expression may be considerable: saying anything controversial may trigger cyber-attacks that your adversaries can purchase easily.

Another commercial opportunity for cyber-gangs is the creation of a large army of for-hire botnets, with extremely powerful attack capabilities. It is currently quite straightforward to rent the destructive services of a botnet ($1000/day is a going rate). The point was made forcefully by a controversial recent experiment: a group of BBC reporters purchased the services of a botnet 22,000 infected-computers strong from a vendor of cyber-crime services and used it to attack the site of a cyber-security company.

The commercial availability of DDoS-attack capability has generated excitement about political applications. The risks to online freedom of expression may be considerable: saying anything controversial may trigger a wave of cyber-attacks that your adversaries can purchase easily. These attacks are financially burdensome and politically disabling for the victim. Getting your server back online is usually the least of your problems. Your Web hosting company may kick you off its servers because the cost of dealing with the damage caused by cyber-attacks usually outweighs the monetary gains of hosting controversial groups, from political bloggers to LGBT groups to exiled media from countries such as Burma (just to mention some recent victims of DDoS attacks). Protection from DDoS is available, but usually too expensive for nonprofits.

An alternative to expensive DDoS protection is a kind of distributed defense network. Imagine an idealized world in which every computer has the latest anti-virus update and where users do not open suspicious attachments or visit dubious Web sites. Cyber-gangs would then be left to their own devices—to attacking with computers they own—and the security issues would be considerably diminished. This perfect world is impossible to achieve, but the right policies could get us pretty close. One option is to go "macro"—to ensure that all critical national infrastructure is prioritized and protected, with extremely flexible resource allocation for the key assets (part of the job of a cyber-czar). This, however, would do little to curb the DDoS market. Indeed, it might embolden the attackers to ratchet up their capabilities. An alternative is to go "micro"—ensure that people who are responsible for the creation of this market in DDoS attacks in the first place (i.e., you and me) are knowledgeable (or at least literate) in cyber-security matters and do not surf with their antivirus protection turned off. This latter solution could eliminate the problem at root: if all computers were secure and computer users careful, botnets would significantly shrink in size. This, however, is a big "if," and most skepticism over whether the federal government is well-placed to educate about these threats is justified.

The security threats from DDoS attacks pale in comparison with the potential consequences of another kind of online insecurity, one more likely to be associated with terrorists than criminals and potentially more consequential politically: data breaches or network security compromises (I say "potential" because very few analysts with access to intelligence information agree to speak on the record). After all, with DDoS, attackers simply slow down everyone's access to data that are, in most cases, already public (some data are occasionally destroyed). With data breaches, in contrast, attackers can gain access to private and classified data, and with network security compromises, they might also obtain full control of high-value services like civil-aviation communication systems or nuclear reactors.

Data breaches and network security compromises also create far more exciting popular narratives: the media frenzy that followed the detection of China-based GhostNet—a large cyber-spying operation that spanned more than 1250 computers in 103 countries, many of them belonging to governments, militaries, and international organizations—is illustrative. Much like botnets, cyber-spying operations such as GhostNet rely on inadvertently downloaded trojans to obtain full control over the infected computer. In GhostNet's case, hackers even gained the ability to turn on computers' camera and audio-recording functions for the purposes of remote surveillance, though we have no evidence that attackers used this function.

In fact, what may be most remarkable about GhostNet is what did not happen. No computers belonging to the U.S. or U.K. governments—both deeply concerned about cyber-security—were affected; one NATO computer was affected, but had no classified information on it. It might be unnerving that the computers in the foreign ministries of Brunei, Barbados, and Bhutan were compromised, but the cyber-security standards and procedures of those countries probably are not at the global cutting edge. With some assistance on upgrades, they could be made much more secure.

In part, then, the solution to cyber-insecurity is simple: if you have a lot of classified information on a computer and do not want to become part of another GhostNet-like operation, do not connect it to the Internet. This is by far the safest way to preserve the integrity of your data. Of course, it may be impossible to keep your computer disconnected from all networks. And by connecting to virtually any network—no matter how secure—you relinquish sole control over your computer. In most cases, however, this is a tolerable risk: on average, you are better off connected, and you can guard certain portions of a network, while leaving others exposed. This is Network Security 101, and high-value networks are built by very smart IT experts. Moreover, most really sensitive networks are designed in ways that prevent third-party visitors—even if they manage somehow to penetrate the system—from doing much damage. For example, hackers who invade the email system of a nuclear reactor will not be able to blow up nuclear facilities with a mouse click. Data and security breaches vary in degree, but such subtlety is usually lost on decision-makers and journalists alike.

Hype aside, what we do know is that there are countless attacks on the government computers in virtually every major Western country, many of them for the purpose of espionage and intelligence gathering; data have been lost, compromised, and altered. The United States may have been affected the most: the State Department estimates that it has lost "terabytes" of data to cyber-attacks, while Pentagon press releases suggest that it is under virtually constant cyber-siege. Dangerous as they are, these are still disturbing incidents of data loss rather than seriously breached data or compromised networks. Breakthroughs in encryption techniques have also made data more secure than ever. As for the data loss, the best strategy is to follow some obvious rules: be careful, and avoid trafficking data in open spaces. (Don't put important data anywhere on the Internet, and don't leave laptops with classified information in hotel rooms.)

Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

Although there is a continuous spectrum of attacks, running from classified memos to nuclear buttons, we have seen no evidence that access to the latter is very likely or even possible. Vigilance is vital, but exaggeration and blind acceptance of speculative assertions are not.

So why is there so much concern about "cyber-terrorism"? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

Politicians, too, deserve some blame, as they are usually quick to draw parallels between cyber-terrorism and conventional terrorism—often for geopolitical convenience—while glossing over the vast differences that make military metaphors inappropriate. In particular, cyber-terrorism is anonymous, decentralized, and even more detached than ordinary terrorism from physical locations. Cyber-terrorists do not need to hide in caves or failed states; "cyber-squads" typically reside in multiple geographic locations, which tend to be urban and well-connected to the global communications grid. Some might still argue that state sponsorship (or mere toleration) of cyber-terrorism could be treated as casus belli, but we are yet to see a significant instance of cyber-terrorists colluding with governments. All of this makes talk of large-scale retaliation impractical, if not irresponsible, but also understandable if one is trying to attract attention.

Much of the cyber-security problem, then, seems to be exaggerated: the economy is not about to be brought down, data and networks can be secured, and terrorists do not have the upper hand. But what about genuine cyber-warfare? The cyber-attacks on Estonia in April-May 2007 (triggered by squabbling between Tallinn and Moscow over the relocation of a Soviet-era monument) and the cyber-dimension of the August 2008 war between Russia and Georgia have reignited older debates about how cyber-attacks could be used by and against governments.

The Estonian case is notable for the duration of the attacks—the country was under "DDoS-terror" for almost a month, with much of its crucial national infrastructure (including online banking) temporarily unavailable. The local media and some Estonian politicians were quick to blame the attacks on Russia, but no conclusive evidence emerged to prove this. The Georgian case—widely discussed as the first major instance of cyber-attacks (primarily DDoS) accompanying conventional warfare—has barely lived up to its hype. Many Georgian government Web sites were, in fact, targets of severe DDoS attacks. So was at least one bank. Yet, the broader strategic importance of such attacks within the Russian military operation is not clear at all, nor did Russia acknowledge responsibility for the attacks.

Although the attacks on Estonia and Georgia are often grouped together—perhaps because of the tentative Russian involvement in both—they are also very different. One important difference is in the degree of technological sophistication of the two countries. Attacking the Internet in Estonia, which made Internet access a basic human right in 2000, is like attacking the banks in Lichtenstein: the country's economy, politics, and even some emergency services are pegged to it so tightly that being offline is a national calamity.

Georgia, on the other hand, is a technological laggard. When Georgia's major government Web sites became inaccessible during the war, the Foreign Ministry was slow in finding a temporary home on a blog. The lapse may have gone largely unnoticed: 2006 Internet statistics gathered by the United Nations show that Georgia had about seven Internet users per one hundred population compared to 55 in Estonia and 70 in the United States. The Georgian case also highlights the danger of drawing too many strategic lessons from cyber-attacks. After all, one common result of the loss of Internet access is power outages, common during wartime regardless of cyber-attacks.

Moreover, both Georgia and Estonia are in a sense "cyber-locked," with limited points of connection (even in Estonia) to the external Internet. This limited connectivity and the two country's dependence on physical infrastructure heighten their vulnerability. Less cyber-locked nations do not face the same risk. As Scott Pinzon, former Information Security Analyst with WatchGuard Technologies, told me, "If Georgia or Estonia were enmeshed into the Internet as thoroughly as, say, the State of California, the cyber-attacks against them would have been reduced to the level of nuisance." The smartest way to guard against future attacks may, then, be to build robust infrastructure—laying extra cables, creating more Internet exchange points (where Internet service providers share data), providing incentives for new Internet service providers, and attracting more players to sell connectivity in places that now have limited infrastructure. The United States has actually done quite a bit of this already, so the Estonian experience may have little to teach Americans. While it might benefit Estonia and some other countries to invest heavily in upgrades, the United States may be able to forego dramatic and costly changes in favor of regular maintenance and incremental improvements.

Quite apart from the technological issues of cyber-warfare, there is the question of what even constitutes cyber-war. How do existing legal categories apply in this new setting?

Using the metrics of conventional conflicts to assess these attacks is not easy. How severe must the damage be in order for the cyber-attacks to qualify as armed attacks?

For largely geopolitical reasons, Estonia initially called the cyber-attacks a cyber-war, a move that now seems ill-considered (on a recent trip to Estonia, I noticed that Estonian officials had replaced the term "cyber-war" with the more neutral "cyber-attacks"). The militarization of cyberspace that inevitably comes with any talk of war is disturbing, for there is no evidence yet to link the current generation of cyber-attacks to warfare, at least not in the legal sense of the term. However, the attacks on Estonia and Georgia did each pose an intriguing legal question, and neither has yet been answered definitively. First, do cyber-attacks constitute a "use of armed force" as understood by international law (the Estonian case)? Second, what kind of cyber-attacks are allowed under the laws of war once the conflict has already begun (the Georgian case)?

The first question is the trickiest. Commenting on the attacks, the Estonian defense minister said "such sabotage cannot be treated as hooliganism, but has to be treated as an attack against the state." But did the cyber-attacks constitute the beginning of an armed conflict, as understood by the Geneva Conventions or Article 51 of the United Nations Charter? If the cyber-attacks constituted an armed attack, Estonia's NATO allies should have followed Article 5 of the North Atlantic Treaty, which treats an attack against one member state as an attack against all and calls for collective defense. NATO only sent a team of experts to assess the damage. Using the metrics of conventional conflicts to assess the severity of these attacks is not easy. How intense and severe must the damage be in order for the cyber-attacks to qualify as armed attacks? Does damage in cyberspace qualify, even in the absence of offline damage? Is inconvenience to Internet users enough? What about the duration of the attacks?

However such questions are answered, the aggrieved party would still have to prove that a cyber-attack was state-sponsored, and it is unclear how one makes this argument in a legally convincing fashion. Are states only responsible for actions they directly control? Are they also responsible for all cyber-activity in their territory? And how far does that responsibility extend? At least one computer with an IP address belonging to the Russian government was identified as part of a botnet used in the Estonian attacks, but it is hard to build a case for Russian government responsibility on that IP address alone, since there were thousands of other participating computers.

If state involvement cannot be proven beyond doubt, cyber-attacks should be treated as crimes and dealt with under national and, in some cases, international criminal law. But there are difficulties on this front as well. For example, unlike Estonia and many countries, Russia has never signed the Council of Europe Convention on Cybercrime, which is the first international treaty seeking to harmonize national laws and facilitate cross-border cooperation among states on issues of cyber-crime. This makes it impossible to hold Russia to the standards envisioned in the Convention, and international law also provides few mechanisms for punishment.

The second question—what kinds of attacks would be allowed under the law of armed conflict?—presents another theoretical challenge, though for now at least, existing legal standards may suffice to address the issues.

Common sense dictates that the severity and targets of such attacks should be guided by international law, particularly the Geneva Conventions and associated protocols. Broadly speaking, current norms state that the conduct of war must meet three fundamental standards: belligerents must distinguish military from civilian objects when selecting targets; balance military necessity with humanitarian concern (the choice of weapons is not unlimited and must be made with the avoidance of unnecessary suffering in mind); and shun the use of force that is disproportionate, in the sense that it shows insufficient attention to the unnecessary suffering that might result. These principles have proved very hard, but not impossible, to interpret in conventional conflict; applying them to cyberspace is not an insurmountable challenge.

The careful application of these three principles to the conduct of war could explain why militaries might shy away from cyber-attacks. First, it is hard to predict the consequences of such attacks; cyber-attacks typically lack surgical precision and are notorious for side effects—a virus planted in a military network could easily spread to civilian computers, causing much unanticipated collateral damage.

Second, precisely targeted cyber-attacks could be a more humane way of conducting warfare. Instead of bombing a military train depot, with collateral civilian deaths, one can temporarily disable it by hacking into its dispatch system. However, the rules of war also stipulate that once a belligerent has used a more humane weapon, it ought to use that weapon in similar situations—and who would voluntarily abandon tanks in favor of computers only?

Third, most cyber-attacks are hard to justify in strategic terms and therefore would open associated personnel to prosecution for war crimes. For example, if there is little to be gained from attacking a poorly maintained Web site of the Georgian parliament, Russia could not justify an attack on it in military terms. If it went ahead with such an attack, its commanders woul risk prosecution for a disproportionate use of force.

The Internet does create one complexity worth considering in the context of applying existing laws of war: civilians on both sides can now participate in hostilities remotely. At the height of the war with Georgia, Russian blogs were full of detailed instructions on how to enlist in the cyber-war effort. Currently, humans are of little value in this process: a conventional botnet attack is more damaging. Yet, it is possible that human-powered botnets—or "meatbots"—could soon play a more serious role. Would participants then be liable for war crimes for their actions as civilians, who, unlike combatants, do not enjoy immunity under the law of war for their participation in hostilities? Would such civilian actions fall under the category of "direct participation in hostilities," outlined in Commentary to Additional Protocol I to the Geneva Conventions ("Direct participation in hostilities implies a direct causal relationship between the activity engaged in and the harm done to the enemy at the time and the place where the activity takes place")? We may need a special clarification of this concept for cyberspace, but other metrics—the damage caused, the targets chosen, and so forth—could still apply.

There is a line between causing inconvenience and causing human suffering, and cyber-attacks have not crossed it yet.

The legal options are also complicated in the case of classical rather than meatbot-powered DDoS attacks because there are often at least five parties to it: attackers, computer users whose machines are enlisted by the attackers, target Internet sites, software vendors responsible for the exploited security vulnerabilities, and various Internet service providers who deliver the attack traffic. These parties have different degrees of responsibility, and some of them are liable for negligence, itself a murky legal area.

Putting these complexities aside and focusing just on states, it is important to bear in mind that the cyber-attacks on Estonia and especially Georgia did little damage, particularly when compared to the physical destruction caused by angry mobs in the former and troops in the latter. One argument about the Georgian case is that cyber-attacks played a strategic role by thwarting Georgia's ability to communicate with the rest of the world and present its case to the international community. This argument both overestimates the Georgian government's reliance on the Internet and underestimates how much international PR—particularly during wartime—is done by lobbyists and publicity firms based in Washington, Brussels, and London. There is, probably, an argument to be made about the vast psychological effects of cyber-attacks—particularly those that disrupt ordinary economic life. But there is a line between causing inconvenience and causing human suffering, and cyber-attacks have not crossed it yet.

The usefulness of cyber-attacks as a military tool is also contested. Some experts are justifiably skeptical about the arrival of a new age of cyber-war. Marcus J. Ranum, Chief Security Officer of Tenable Network Security, argues that it is pointless for superpowers to develop cyber-war capabilities to attack non-superpowers, as they can crush them in more conventional ways. As for non-superpowers, their use of cyber-capabilities would almost certainly result in what Ranum calls "the Blind Mike Tyson" effect: the superpower would retaliate with offline weaponry ("blind me, I nuke you"). If Ranum is right, we should forget about the prospect of all-out cyber-war until we have technologically advanced superpowers that are hostile to each other. Focusing on cyber-crime, cyber-terrorism, and cyber-espionage may help us address the more pertinent threats in a more rational manner.

In the meantime, those truly concerned about the future of the Internet, global security, and e-Katrinas would be advised to watch a recent South Park episode, in which the Internet suddenly disappears and hordes of obsessed families head to the Internet Refugee Camp in California, where they are allowed to browse their favorite Web sites for 40 seconds a day, while the military fights the no-longer-blinking giant Internet router. Finally, a nine-year-old boy plugs the router back in, and its magic green light returns. This would make a sensible strategy for many governments, which are all-too eager to adopt militaristic postures instead of focusing on making their own Internet infrastructures more robust.

Multiple cybersecurity reforms launched (Federal Times.com)

2009-06-23T13:56:00.002-04:00

Multiple cybersecurity reforms launched

Federal Times.com, June 22, 2009

http://www.federaltimes.com/index.php?S=4150916

Gregg Carlstrom

The Obama administration and Congress have launched several initiatives that will radically transform the government's approach to cybersecurity:

• The White House's soon-to-be-established cybersecurity office is planning changes to the government's cybersecurity policies, and President Barack Obama will soon name a cybersecurity official to coordinate federal policy.

• The National Security Council, for the first time, is developing a response plan for cyberattacks.

• The Defense Department will invest tens of millions of dollars in cybersecurity research over the next few years — and may soon launch a new operational command dedicated to fighting cyberwars.

• The agency responsible for setting cybersecurity standards for federal agencies — the National Institute of Standards and Technology — issued security controls June 12 to protect agencies' networks from cyberattack.

• And Congress is working to rewrite the Federal Information Security Management Act (FISMA), the primary law governing federal cybersecurity activities. The bill — FISMA 2.0, some are calling it — would give chief information officers more power and more control over their IT budgets.

Taken together, these initiatives will allow the government to be more aggressive and efficient in confronting cyberthreats. Critics have long argued such changes are needed to transform a cybersecurity regime that they call bureaucratic, sluggish and outdated.

The changes come at a crucial time. Cyberattacks are increasing: There were 37,000 cyberattacks in the U.S. in 2007, the most recent year for which national data areavailable. That was an 800 percent increase from 2005.

And countering these attacks, many of which target the government, is costly for federal agencies: The Defense Department alone will spend more than $200 million this year protecting its networks.

The new FISMA legislation, the Information and Communications Enhancement Act, was introduced by Sen. Tom Carper, D-Del., in April.

Erik Hopkins, a staff member on the Senate Homeland Security and Governmental Affairs Committee, said the biggest change would be "greater accountability." Critics of FISMA have long accused it of giving CIOs too much paperwork and not enough real power to oversee their networks.

The proposed changes in the Carper bill would address those concerns by giving CIOs more budget control and streamlining the guidance and compliance requirements imposed on CIOs.

Hopkins said the legislation will require CIOs to continuously monitor their networks for security vulnerabilities. That will mean more upfront work — agencies have to develop and install monitoring systems — but it will make it easier to prove FISMA compliance in the long run.

CIOs would also have more control over agency technology budgets. For example, a CIO could cut funding for technology projects that are headed for failure.

"We're trying to strengthen the office so they have the ability, if needed, to effect change within the organization," Hopkins said. "And we're recognizing that [CIOs] only have two things: budget, and the ability to shut the system down."

The legislation would give CIOs the ability to shut down parts of their networks that become compromised. It would also allow them to take proactive steps, such as barring contractors from their networks if the contractors don't meet federal cybersecurity guidelines.

"We end up with the user being the last line of defense against many of these attacks," said Susan Alexander, chief technology officer in the Office of the Deputy Assistant Secretary of Defense for Information and Identity Assurance. "We need to be able to cordon off pieces of our networks from each other so that, if bad things happen, we can cordon off those bad things."

NIST is also working with the Defense Department to standardize cybersecurity controls for the entire federal government. The controls are recommended security settings for hardware and software; agencies use them to configure their networks.

Right now there are three sets of controls: one for civilians, one for Defense, and a third for the intelligence community. Experts say that creates a headache for contractors, who need to design different versions of their software to comply with each set of controls.

NIST took a first step toward fixing that problem earlier this month. It released a new version of Special Publication 800-53 — its list of recommended cybersecurity controls — including controls for national security agencies.

"It's really an incredible cultural breakthrough to say, we're not going to have a separate process at Defense, we're going to trust the other parts of government," said Tony Sager, chief of the National Security Agency's vulnerability analysis and operations group. "There's always this belief that, well, my problem is different than your problem … and we have to get over that."

Ron Ross, the FISMA project leader at NIST, said the new controls will also help agencies close some major "attack vectors" — common vulnerabilities that hackers use to break into networks.

There's also movement on cybersecurity in the White House — even before the "czar" is named. The National Security Council and Homeland Security Council are writing an incident response plan that will coordinate the government's overall response to a cyberattack.

That was one of the recommendations from the recently released review of federal cybersecurity policy. Melissa Hathaway, the official who led the review, said the plan will fix the government's uncoordinated response to attacks.

Hathaway frequently talks about the government's clumsy response to Conficker, the worm that spread across millions of computers around the world.

The government had no coordinated plan for dealing with the worm before it activated April 1; some federal agencies did nothing to clean their systems or prepare for the activation, despite knowing about the worm for months.

"We're working on our incident response plan … and we're going to have the private sector red-team it," said Hathaway, the acting senior director for cyberspace in the National Security Council. Red teams are teams of experts who pose as hackers and attack government systems to probe for weaknesses.

The private sector will also be involved in writing the plan, according to Hathaway.

"There's a number of things the government hasn't thought about that should be part of those chapters," she said. "I'm talking with [federal chief technology officer] Aneesh Chopra about setting up a wiki to help develop it with the private sector, so [they] can contribute to it."

The Defense Department has been talking about a "cyber command" for a few months; the new command would coordinate cybersecurity efforts across all of the military services and Defense agencies. But, at press time, Defense Secretary Robert Gates still hadn't decided whether to move forward with the idea.

Individual services have already announced their own cybersecurity programs: The Army created a cyber office at the Pentagon earlier this year, and the Air Force said it will likely create a new cybersecurity headquarters at Lackland Air Force Base, Texas. And the Navy has its own Cyber Defense Operations Command.

Deputy Defense Secretary William Lynn stressed that the new command, if created, would not have jurisdiction outside of the Defense Department.

Critics of the proposal — on Capitol Hill, in federal agencies and in the private sector — have expressed concern that the cyber command would trample civilian agencies and pose a threat to civil liberties.

"It would not be the militarization of cyberspace. ... It would in no way be the Defense Department trying to take over the government's cybersecurity," Lynn said in a June 15 speech at the Center for Strategic and International Studies. "The responsibility for protecting federal civilian networks would remain with [the Homeland Security Department]."

Defense officials are also working to incorporate cybersecurity into the upcoming congressionally mandated Quadrennial Defense Review, scheduled for release in 2010. Many of the military scenarios used in formulating the review are being updated to include cyberattacks, Lynn said. Some of the scenarios will also include red teams from the Pentagon.

"We've taken the conventional military scenarios and added a cyber component to those," Lynn said. "We have a red team. ... They are doing a red team analysis of those same scenarios, and they have a heavier emphasis on cyber[security]."

Some of these scenarios will eventually play out on the National Cyber Range, an Internet simulator being developed by the Defense Advanced Research Projects Agency. DARPA awarded nearly $30 million in contracts earlier this year to seven firms, including Lockheed Martin and Northrop Grumman, which are developing prototypes of the range.

"This will allow us to engage in real-world simulations and field new leap-ahead capabilities for cybersecurity," Lynn said.

A Weak Spot In Our Defenses (Washington Post)

2009-06-23T13:53:00.002-04:00

A Weak Spot In Our Defenses

Washington Post, 23 June 2009

Heather Wilson

Congressional computers have been penetrated, probably by the Chinese. The avionics system of the F-22 fighter may be compromised. Computers of our presidential candidates were hacked into -- and probably not by teenagers on a lark. Last year's advance of Russian tanks into Georgia was accompanied by the disruption of Georgian government computer systems.

These are only public manifestations of a new reality: Attacks on computer systems will be an integral element of future conflict, and the United States is more dependent on computer networks than any other nation.

Both policymakers and the military are in the early stages of coming to grips with this threat. We need to take some important first steps to strengthen our national capability to defend ourselves in cyberspace.

First, we must abandon the notion that static defenses will help us against sophisticated threats. One bipartisan Senate bill proposes to establish a government committee to set standards for all computer systems and software. This is the electronic equivalent of building a Maginot Line of concrete fortifications against a mobile enemy. It may keep common criminals at bay, but it will be no defense against a mobile and adaptable top-tier adversary. American government and private computer systems operate on an interconnected global network that is constantly changing like a biological organism. It operates at light speed, and both friends and adversaries are connected to the same network. We must anticipate that the most dangerous players will stay quiet until a time of national tension.

Our cyber-defense capabilities must be inherently dynamic, with a close connection between system operators, intelligence analysts, and the researchers who can rapidly build and deploy tools to protect or restore vital capabilities.

Second, our intelligence on other countries' cyber-capabilities must be strengthened. We have scores of trained experts who know the ins and outs of foreign radars and missile systems and almost none who are daily tracking cyberthreats in all their manifestations.

What new tools are under development and how do they work? How do other countries and non-state actors train their people? What do they value and what, if anything, can deter them? How do the entities that pose a threat communicate and who commands them? Who are these guys, anyway? We need to know more about our sophisticated adversaries before they strike so that we can defeat them.

Third, while there are national security systems we certainly need to protect, our greatest vulnerability as a nation is outside the government. Our banking system, our telephone communications and our electricity grid are all owned and run by private companies and are interconnected to the global computer network. We must anticipate that an adversary determined to cause economic damage or enhance the fog of war will exploit these vulnerabilities.

Currently, there is a strong disincentive for private entities to reveal that their computer systems have been compromised. For example, a bank that lets people know that its computers have been penetrated will see business move elsewhere and stock prices drop even if its competitors are dealing with the same problems.

Yet an important part of protecting ourselves is sharing information about what probes and compromises are found before a period of crisis or heightened tension. While the government could mandate reporting of certain threats, some problems are so difficult to identify that failure to report would be easily justified. And a compliance-oriented reporting system will not encourage the learning needed or expand the capacity of critical private-sector systems to protect themselves.

A better approach is to align the interests of stockholders with the interests of national security by establishing a trusted safe harbor where private entities can confidentially share information and get help from cyberexperts in and out of government. Such an information clearinghouse could, without attribution, share information with other private entities so that everyone benefits. The motivation to share information would be immunity from liability when private entities report problems.

Government and private computers in this country are attacked millions of times a day. Many of these attacks are easy to identify and stop. The most sophisticated ones are not, and we must establish patterns of close cooperation and information-sharing among public and private experts to give ourselves the best chance to mitigate a substantial attack on vital systems.

Cyberwarfare is a realm where technology is fast outpacing policy, doctrine and law. We must start closing the gap.

DEVELOPING A NATIONAL SECURITY STRATEGY

2009-06-21T16:30:00.002-04:00

For those in the DC area, here is a cyber seminar offered by CNAS and Google.

DEVELOPING A NATIONAL SECURITY STRATEGY

http://www.cnas.org/node/2818

Date:
June 26, 2009 - 10:00am - 11:30am

Location:
Google's Washington, D.C. Office
1101 New York Ave., N.W., 2nd Floor
Washington, DC 20005

Developing a National Cybersecurity Strategy

Presented by

Center for a New American Security and Google D.C. Talks

RSVP:
Click here to RSVP

The international security environment is evolving rapidly. In today's digital world, a cyberattack on the United States' telecommunications, electrical grid, or banking system could pose as serious a threat to U.S. security as an attack carried out by conventional forces. Once concerned solely with "megatons," security experts are now buzzing over "megabytes" and "megabits."

In its Cyberspace Policy Review, the Obama administration outlined a series of recommendations to defend against cyberattacks, while pending legislation seeks to promote more secure computer networks. Meanwhile, the Department of Defense has created a new cybersecurity command, raising questions on how to balance cybersecurity with user privacy and access.

As part of the ongoing Google D.C. Talks series, and in partnership with the Center for a New American Security (CNAS), experts will offer perspectives on how the United States can implement a national cybersecurity strategy.
Participants and those who are unable to attend the conference are invited to submit questions in advance via Google Moderator.

Event Speakers:

Introduction

Dr. Kristin Lord
Vice President and Director of Studies, Center for a New American Security

Moderator

Harry Wingo
Policy Counsel, Google

Panelists

Ellen Doneski
Chief of Staff, U.S. Senate Committee on Commerce, Science, & Transportation

Liesyl Franz
Vice President for Information Security and Global Public Policy, TechAmerica

Richard Hale
Chief Information Assurance Executive, Defense Information Systems Agency

Philip Reitinger
Deputy Undersecretary of National Protection & Programs Directorate, U.S. Department of Homeland Security

To RSVP for this event, click here.

Notes from NATO's cyberwarfare conference in Tallinn (Foreign Policy: net.effect)

2009-06-20T23:00:00.002-04:00

Notes from NATO's cyberwarfare conference in Tallinn

Thu, 06/18/2009 - 6:10pm

http://neteffect.foreignpolicy.com/posts/2009/06/18/notes_from_natos_cyberwarfare_conference_in_tallinn

This week I am in Talinn, Estonia, attending the first big cyberwarfare conference put together by the good folks at NATO's new Cooperative Cyber Defense Center of Excellence (whose work I covered in my Newsweek column on an earlier visit). The conference resembles an academic event rather than a usual industry gathering; speakers had to submit formal papers, which would be peer-reviewed and possibly published after the event. Moreover, many of the talks are on topics that get little to no attention in the media (seriously, when was the last time you read about "proactive botnet countermeasures", "behavioral analysis of zombie armies" or, my personal favorite, "enhancing graph-based automated DoS attack response"?).

I like this more academic approach, for it helps us not to get lose into a maze of metaphors like "digital Pearl Harbors" and "cyber 9/11", leaving more important subjects unaddressed. In fact, the only people using such overemotional expressions at the conference also seem to be pitching their own software or consulting solutions to help us cope with the "cyber-scare". There are, obviously, quite a few military types in attendance– it's a NATO conference, after all – but I also spotted many academics, policy-makers, and geeks (or, at least, pony-tailed , slightly overweight, and chaotically-dressed people who resemble them a lot).

There is also a great social program in the evenings here; one evening performance included a Microsoft employee showcasing how to carry a live cyber-attack; this is certainly the kind of a dinner address that I would like to see at other conferences (sadly, my social life at this conference leaves much to be desired; I spend most of my evenings here talking to reporters about Iran locked up in my hotel room). The Estonian National Theater (also known as the Opera, I guess) is one of the best conference venues I've been to: lots of free and fast wifi, excellent art-work, huge audiences, and, well, this building is definitely not your military bunker most commonly associated with the cyberwar!

Here are my notes from some of the talks I've attended. Most of them have been far too interesting (and long - 45 min each) to summarize in detail, so I'll only highlight the most interesting facts and concepts.

Jose Nazario of Arbor Networks mentioned the growing impact that DDoS-attacks - used predominantly as means of intimidation - are having on elections worldwide. To illustrate his point, he spoke of attacks on Kasparov.ru in Russia as well as the recent DDoS attacks on the web-sites of several parties in the UK; the Iranian case was, obviously, an elephant in the room (yet, surprisingly, Iran was barely mentioned throughout the entire conference). Nazario also pointed out to the disturbing frequency with which DDoS attacks are now accompanying important geopolitical and diplomatic negotiations, pointing to a spike in DDoS attacks against Ukrainian web-sites as anti-NATO protests where sweeping the country (the attacks carried a "NATO go home" message).

Felix Leder and Tillmann Werner, both of the University of Bonn, gave one of the best talks at the conference, describing their efforts to analyze, infiltrate, and even shut down botnets. Before telling us about the nuts and bolts of botnet take-downs, they also gave a very informative primer on "the botnet anatomy", describing the major differences between centralized, locomative and decentralized (or peer-to-peer) botnets. The most interesting part of their talk was the one that dealt with addressing numerous ethical and legal challenges that botnet fighters like them face. Unfortunately, the outlook is not too bright: privacy concerns (is it okay for two German researchers be cleaning up our computers without our consent?), uncertainty with regards to liability (who is to blame if something breaks while they are disinfecting our computers?), and various diplomatic and geopolitical concerns (why take all these risks only to find out that DHS thinks you are a threat to national security and ban you from entering the US?) all make it very unlikely that the botnet problem would be solved anytime soon, even if the technological means are already available.

Roelof Temmingh, the CEO of Paterva, showed the audience how easy it is to create fake but credible online profiles and make them look very credible; some of it could even be automated. One use for such mass-production of fake identities may be to organize what he calls "social denial-of-service attacks", where hundreds of angry (but fake) individuals will send yo a Twitter message every morning, "telling you how much they hate you". Temmingh says it takes 3-4 months to "create" and "grow" a virtual person; he showed us one such fake individual – Eugene Gregoria from Singapore– that he invented. He also shared some interesting tips on how to use services like Google AdWords for tracking global interesting in subjects that nobody but you needs to know about (e.g. "imagine" getting alerts when someone searches for a secret keyword that only you are supposed to know!). Another interesting part of Temmingh's talk was focused on how much useful information can be drawn from open and publicly available sources; he demoed a piece of software that pulled quite a lot of interesting data even on the ultra-secretive employees of NSA.

Olivier Thonnard, of the Royal Military Academy in Belgium, spoke about the importance of researching the behavior of zombie armies – i.e. large groups of malware-infected computers that could form one or several botnets. Much of such research is carried in the framework of the WOMBAT project funded by the money from the EU. WOMBAT is definitely an acronym I like: Worldwide Observatory of Malicious Behaviors and Attack Threats; it's good to be a botnet – you get your own observatory! Thonnard is particularly focused on studying the long-term behavior of such zombie armies: their average size, survival time, actions and evolution. The findings so far are quite interesting: the longest lifetime of a botnet that they studied has been be 586 days while the average life-time seems to more around 98 days; the long-living botnet is definitely an outlier and it's quite puzzling that botnets can live for that long. Thonnard also spoke of "zombie-friendly places", for they do see that highly uneven spatial distribution of infected computers in a limited number of "unclean networks". One of the most interesting future dimensions of this research for myself would be learning how different botnet armies can coordinate their behavior with each other, something, that according to Thonnard, is observable.

Amit Yoran, the former cybersecurity czar under Bush and currently the CEO ofNetWitness, gave a very gloomy speech about the prospects of fighting the cyberthreat (NetWitness must have been a major cheerleader for this event, for it was impossible to step in any conference hall without seeing one of its banners or screens – they must have a lot of promotional materials, to which we have all been, well, "witnesses"). Yoran, who a few weeks ago said that cyber-9/11 has been happening in slow motion over the last decade did not deviate much for this message, sharing very deep observations of like "We've lost the cyberwar (ed. so it has already begun?) because the venue favors the attacker". I am not even sure how to summarize Yoran's speech here, for he thinks that everything needs to be changed – the metrics, the fundamental computing as well as security paradigms, and even our propensity to analyse everything in turns of returns on investment, in which Yoran says he doesn't believe. Well, may be; to me this sounds exactly like the kind of challenging things that a cyberczar could have been doing in his day job.Oh wait, Yoran was the cyberczar...

Ned Moran, who teaches at Georgetown and also does some work for Booz Allen Hamilton, spoke of historical analogies with which we could better understand the threats posed by cyberwarfare. He mentioned four that have been most influential so far: the Strategic Defense Initiative, the Cold War, the National Highway System, and the Pearl Harbor. He also showed an interesting matrix depicting how other analogies could fit in on two of axes (one being inspiration vs desperation and the other one being disruptive vs systematic). I didn't expect anything less than a cyberwarfare matrix from the PowerPoint factory that Booz Allen Hamiltion is, but I still have my issues with using too many metaphors to communicate a problem that may be fundamentally different from the ones we have faced in the past. Metaphors here could only distract us – but I'd be happy to be proven wrong. In my opinion, many of such metaphors – Cyber Cold War and Cyber-balkanization among others – make little sense and only incite unnecessary paranoia from the general public (update: I should point out that Ned Moran said just that in his talk).

Cyrus Farivar, a freelance technology reporter who has written widely about cyberattacks on Estonia (and also a good friend), gave an excellent talk on how journalists go about writing on a subject as complex as cyberwarfare. Cyrus spoke of journalists' excitement over the prospect of covering a "war" without actually having to go to a war zone (however, Misha Glenny, a veteran war journalist, who happened to be in the audience, had little doubt that reporting on cyberwars comes no close). Cyrus also showed an interesting screenshot from Google Trends, depicting a growing media fascination with the subject of cybersecurity – there is no way to deny that journalists are not interested! He cautioned policy-makers against using inappropriate comparisons to nuclear attacks and other calamities and called on everyone working in cybersecurity to also do their homework and try to think of how journalists think and which journalists/media outlets could give their story the best coverage (this was particularly relevant given a keynote about GhostNet given by Nart Villeneuve, where he explained how he had been working with the New York Times before they broke the story). One word of advice that Cyrus gave to the attendees was to find ways to encourage journalists to learn more about the subject, perhaps, even by organizing various training events and conferences (Heli Tiirmaa-Klaar, who is one of Estonia's most senior cybersecurity officials seconded that suggestion).

There were a few other sessions but they were either too academic or too well-known to be reported here (i.e. we all know about the GhostNet already!). We have half-a-day of the conference left, and it has so far been a very interesting experience. I am looking forward to the next edition of this conference next year; too bad I won't be able to make it to their Cyber Conflict Law and Policy Conference, to be held in mid-September.

DOD warns against the dark side of social networking (GCN)

2009-06-20T22:49:00.002-04:00

DOD warns against the dark side of social networking

The pull of the online world is strong, but security must be maintained

By David F. Carr, Special to GCN
Jun 18, 2009

http://gcn.com/articles/2009/06/18/dod-on-dark-side-of-social-networking.aspx

In an earlier era, "loose lips sink ships" was the military's warning not to let even small details about military movements and operations slip in casual conversation. In contrast, social media Web sites today thrive on loose lips, making it even tougher to maintain operational security.

The problem is not so much people twittering away secrets as letting slip many smaller pieces of information that an adversary can piece together.

"There's a tendency to think that if information is not classified, it's OK to share," said Jack Kiesler, chief of cyber counter intelligence at the Defense Intelligence Agency, in a presentation last month in Orlando, Fla., at the DODIIS Worldwide Conference for intelligence information systems professionals.

Kiesler and colleague Nick Jensen, an operational security analyst at DIA, gave a presentation titled "How Adversaries Exploit Poor Operational Security."

Operational security refers to the process of denying information to potential adversaries about capabilities or intentions of individuals or organizations by identifying and protecting generally unclassified information on the planning and execution of sensitive activities.

An adversary trying to uncover secrets will start by chipping away at operational security indicators that point them toward a target, Kiesler said. A foreign agent seeking to steal stealth technology might start by trying to identify individuals who are working on the technology, figuring out whom they associate with, following their movements, looking for clues on new research areas and so on.

Much of that information might be available through a professional profile on LinkedIn, for example. Furthermore, participation in online discussion groups or blogs might help foreign intelligence services single out disgruntled military or intelligence agency employees who could be recruited or blackmailed, Kiesler said. Not only are younger employees immersed in the social media culture, but older ones often become participants without understanding their limited control over the information they post online, he added.

Although operational security is supposed to be a standard component of military operations, Kiesler seeks to pursue it in a more disciplined way, with proactive tests of an organization's operational security. Rather than embarrassing the organizations and individuals who flunk the test, the goal is to educate them, he said.

Jensen presented a fictional scenario that he said was based on those kinds of tests, in which a foreign agent named Jane starts by exploring the membership of a LinkedIn group called Intelligence Professionals.

In Jensen's scenario, LinkedIn provides a target DIA employee's basic résumé with a link to his blog. The blog, in turn, has links to other social media sites the person participates in, so the adversary can browse Flickr photos and Twitter messages, continuing to round out the picture. The DIA employee uses the same handle on many Web sites, allowing Jane to search for posts he has made elsewhere. On Slashdot, he mentions something about the Starbucks near his house.

That allows Jane to bump into her target at Starbucks, hack the wireless session he initiates from his iPhone and eventually capture information, including his online banking password. From there, she has many options to monitor his every move, drain his bank account or blackmail him.

Of course, the pull of the online world is not so easily countered. There really is an Intelligence Professionals group on LinkedIn, and Kiesler and Jensen found 163 LinkedIn members who listed DIA as their current employer, including at least one information security analyst based in Washington, D.C.

But Kiesler and Jensen said people can learn to be more circumspect and take precautions such as varying their online signatures rather than using the same user name on multiple Web sites.

Navy aggressive in protecting networks from enemies (FCW)

2009-06-20T22:46:00.002-04:00

Navy aggressive in protecting networks from enemies

Vice Adm. H. Denby Starling spoke recently about the role a cyber force plays in protecting U.S. information networks

By Barry Rosenberg
Jun 18, 2009

http://fcw.com/articles/2009/06/22/feat2-interview-starling-navy.aspx

Vice Adm. H. Denby Starling assumed command of the Naval Network Warfare Command (Netwarcom) in June 2007. He is responsible for operating, maintaining and defending Navy information networks, and conducting information operations and space operations.

Starling oversees a global force of more than 14,000 and is the functional component commander to the Strategic Command for space, information operations and network operations. Starling spoke recently with Defense Systems contributing editor Barry Rosenberg about the role a cyber force plays in protecting U.S. information networks against attack.

DS: You have said that Netwarcom is transitioning from a network and communications provider to a cyber force. What does a cyber force do that a network and communications force can't do?

Starling: It's a great question because I think it's not just an issue faced by the Navy, but one that's faced across [the Defense Department] today. Netwarcom has only been around since 2002, but the organizations that came together to make up Netwarcom are actually pretty old. The major ones were the Naval Telecommunications Command, which was very much focused at that time on networks and communication, and the Naval Security Group, which for years was largely a cryptographic force dealing in signals intelligence.

I have a very interesting group of people who have come together to form this one command, and my challenge to these folks as we mature is to not think of yourself as a former communicator or a former network guy. That's backward-looking; I want people looking forward.

If you read the definition of "cyber" that's been put out by the Joint Staff, it revolves very heavily around the use of computer networks for all of those things today that we depend on — not just communications but command and control that give you the ability to decide inside the enemy's decision cycle and the ability to defend, exploit and attack on those networks.

DS: I would imagine it's more interesting for your people to be attacking and defending through cyberspace rather than just managing the communications network.

Starling: Again, it's a great point because the piece we try to emphasize not just inside Netwarcom but inside the Navy is that everyone who sits down in front of a computer is a cyber warrior. It's like the force protection aspect of what we do. Every time you get on your computer and you connect yourself to the Global Information Grid or to the Internet, there are things you have to know just like if you're a soldier walking onto the battlefield. Every time you sit down at your computer, you enter the battlespace portion of cyberspace, and you're in there with everybody else who's using it, which includes U.S. and foreign criminals, hackers and nation-states.

DS: And I don't imagine that changes when sailors log on to ESPN for the daily highlights.

Starling: We have a culture in the Navy — and one that I'm strongly supportive of, to tell you the truth — that encourages our sailors not just at Netwarcom but everywhere to be more computer savvy. In the early days when computers showed up on desks, we told people that it was OK to use their government computer to do other things when they weren't doing their business. That is a policy we have not stepped around from today. I can use my computer to do my banking, and, in fact, we depend upon that for our sailors who are deployed and want to access their bank accounts or their pay records. In many cases, we expect them to do distance learning, and we expect them to do it from anyplace in the world.

To do those connections, we use the public infrastructure and to some extent, the public Internet. That presents unique security challenges. Sailors want to watch CNN; they want to know what's going on in the world. We recognize that. But if you're going to let folks be out there surfing the Web, we want them to take certain precautions so that the training piece is always foremost in our minds. That's not so much a challenge inside my own organization because we live it, sleep it, breathe it every day, but it's a big Navy challenge.

DS: The Netwarcom strategic plan refers to command, control, communications, computers, combat systems and intelligence (C5I). Tell me about the fifth C.

Starling: The fifth C is combat systems, of which there are a couple aspects. I wear another hat as the deputy chief of staff for communication systems for Adm. [Jonathan] Greenert at U.S. Fleet Forces Command. In that capacity, we do a number of things in shipboard combat systems and communications modernization. For example, we and Commander Pacific Fleet run the naval C5I modernization conference every quarter, where we look at all of the combat systems and communications and network installs that are going into our ships to make sure those are properly coordinated and prioritized.

In addition, Netwarcom is responsible for all the systems integration testing on board ships. We have a team that specifically goes out and does that for deploying strike groups to make sure that all of their communications in combat systems are interoperable.

We're not a platform-oriented type command, which is somewhat normal for the Navy. We are a capabilities-oriented group, particularly for combat systems. In [World War II], you needed radios to talk from ship-to-ship and maybe to a gunfire spotter, but you didn't need a radio to shoot the gun. So combat systems and your ability to communicate, while dependent on each other, weren't necessarily technologically connected. Today every combat system runs on a network, so more and more of these systems, which had real barriers between them [before], are today becoming more and more indistinguishable.

As we mature in this world, the same challenges that face communications networks also face combat systems networks. We need to make sure that we do that holistically, and that's part of our charter here at Netwarcom.

DS: In the past year, Netwarcom has established the Readiness and Training Directorate to enable its activities, created the Fleet Intelligence Office as your initial step in assuming duties as the type commander for fleet intelligence, and established the Next Generation Enterprise Network (NGEN) Fleet Integration and Transition Team to guide fleet transition activities as you approach the October 2010 expiration of the Navy Marine Corps Intranet (NMCI) contract. Can you bring me up to date on those activities and lessons learned so far?

Starling: We're a type commander here at Netwarcom, and every type commander's primary job is manning, training, equipping and readiness. It was decided that when Netwarcom was stood up that we would have a similar type of function initially for C4I and C5I. We have taken this cross-platform view because commanders tend to look at their own platforms and nobody was specifically chartered to look at the interoperability across platform types — between the aviation side and the surface side, for example.

So when we stood up our Readiness and Training Directorate, we did it specifically to look across the strike groups, across the platforms in a way that the individual platform type commanders might not do. As that process matured, there was a recognition and a desire that somebody do the same thing for intelligence — manning, equipping, systems and training inside the fleet. About a year ago, Netwarcom was directed to take on that responsibility so that we could advise U.S. Fleet Forces Command of the intelligence requirements that are specific and unique to our operations internal in the fleet.

I would say that we're the least mature of the type commanders right now, though we do have an intell flag officer and are moving to a staff here of about 20 or 25 people to do that piece. But again the idea is to have an organization that looks across the entire fleet from a wholeness perspective to advise fleet commanders so that they can then push the fleet requirements up to the [Office of the Chief of Naval Operations (OpNav)] staff. We're not intended to be in competition, for example, with the OpNav intelligence staff, but rather should be complementary.

DS: Have you had any resistance from other type commanders who have had to give up some responsibility to Netwarcom?

Starling: There's a little bit anytime you set up something new, particularly as you get your processes in place to sort out who it is you really want doing what. But all in all, I would say that the platform type commanders are recognizing that the cross-platform look that we get is very valuable.

The other guys who really like it are the fleet commanders because we now present them with a more integrated product. Before, they would get an air input, a sub input, a surface input, [and] they might get an input from the intell side of the house, from the Striking Fleet, the Training Fleet commanders or the training strike group guy. Now we're trying to put together for them in one package a very holistic look across all of their networks and IP-based decision-making systems from a manning, training and equipping status so we can say, "Yep, these guys are ready as a group to move into the integrated training phase," which the fleet commanders run.

DS: How is the transition from NMCI to NGEN progressing?

Starling: The parallel I'll draw for you is that in my previous job, I was the East Coast aviation type commander. When we were going to integrate a new airplane into the fleet — the F/A-18G, for example, which was going to replace the EA-6B Prowler — we stood up a team that specifically focused on transitioning this aircraft into the fleet from an operational perspective. They looked at where the airplane would be based, what the training requirement was going to be, how to introduce the new airplane while we phased out the old one. You can't do it all in one day; in fact, it takes years.

We're using a similar model for our transition out of the Navy-Marine Corps Intranet environment that we have been in with EDS for a number of years. As we move into NGEN beginning in October of 2010, the team that is down here is the organization that will work with the NGEN program office and also OpNav [intelligence staff] to manage the operational side of NGEN implementation and to provide them the fleet and operator view because once this new program goes in place — just like the rest of the Navy networks — we here at Netwarcom will be responsible for the day-to-day operations and defense of those networks.

Editor's Note: This article was originally published in Defense Systems, part of the 1105 Government Information Group, in its June 2009 issue.

DHS centralizes cybersecurity programs (FCW)

2009-06-20T22:07:00.002-04:00

DHS centralizes cybersecurity programs

Homeland Security Secretary Janet Napolitano explained how DHS is coordinating cybersecurity programs across the department

By Ben Bain
Jun 19, 2009

http://fcw.com/articles/2009/06/19/web-napolitano-leadership-journal.aspx

The Homeland Security Department has centralized its cybersecurity programs under the department's deputy undersecretary for the National Protection and Programs Directorate (NPPD), Homeland Security Secretary Janet Napolitano recently wrote in a message posted on DHS' Web site.

DHS announced June 1 that as part of his role as NPPD undersecretary. Philip Reitinger would also lead DHS' National Cybersecurity Center (NCSC) – an organization designed to improve cybersecurity coordination across the government's civilian, military and intelligence cyber domains. In her blog post, Napolitano also said Reitinger would coordinate cybersecurity efforts across the department, including the NCSC and the U.S. Computer Emergency Readiness Team.

The Bush administration gave DHS a major role in federal cybersecurity efforts, putting the department in charge of protecting the government's .gov domain and working with the private sector to secure the country's communication's infrastructure.

Some observers have criticizd the department's performance thus far, but President Barack Obama and appropriators in the House and Senate haveindicated they plan for DHS to continue those programs.

The Obama administration requested $400.7 million for DHS' cybersecurity programs in fiscal 2010, compared with the $313.5 million DHS got this year. Meanwhile, the House Appropriations Committee approved $382 million for fiscal 2010, and the Senate Appropriations Committee on June 18 approved a bill that would give DHS $398.7 million for the programs.

"Of all the threats America faces, the integrity of our cyber infrastructure demands special attention. These are no longer emerging threats. They are with us now, and are happening every day," Napolitano wrote June 18 in DHS' "Leadership Journal."

Is Tom Davis Too Qualified to be Cyber Czar? (The Public Eye)

2009-06-20T21:55:00.002-04:00

Is Tom Davis Too Qualified to be Cyber Czar?

June 19, 2009 - Eric Chabrow

http://blogs.govinfosecurity.com/posts.php?postID=218

Former Rep. Tom Davis' name has popped up before and it's come up again as President Obama's new cybersecurity czar.

A story posted on Time's website Friday says the moderate Republican from northern Virginia has emerged as a leading candidate for a job Obama describes as cybersecurity coordinator. White House sources quoted by Time who say the administration feels a Washington power player would make a better candidate than a tech guru. "They want someone who understands technology issues, but more importantly, knows how to get things done in Washington," says a cybersecurity expert who has been consulted by the White House. "There are very few people who have that combination of skills, and Davis is at the top of that short list."

There are very few people who have that combination of skills, and Davis is at the top of that short list.

Davis, indeed, is among the most qualified and influential people in Washington when it comes to information technology, IT security and getting things done. He's a wheeler-dealer in the best sense of that term. Indeed, as chairman of House panels overseeing government IT, Davis shepherd through Congress the E-Government Act and the Federal Information Security Management Act, which governs cybersecurity in the federal government. He's also a whiz at understanding the ins and outs of government procurement, important knowledge considering the amount of technology and services the government will acquire to in the coming years to secure IT systems and data.

But unless Obama boosts the cybersecurity adviser's job on the White House organizational chart a few notches to guarantee greater, direct access to the president, would someone of Davis' stature accept the job? So far, Obama has characterized the post as a cybersecurity coordinator, and coordinator doesn't sound very much like an influential of a role.

In an interview with GovInfoSecurity.com earlier this year, before Obama outlined his cybersecurity agenda in late May, Davis saw the need for the government to spend heavily on IT security, and expressed disappointment that no money was earmarked for cybersecurity in Obama's stimulus package. Davis said:

You are competing for dollars and priorities at this point ... but you know, at this point, we are not where we need to be and I think everybody understands that.

Davis sees the power of the buck in getting things done, and says Congressional appropriation process is a good vehicle to get federal agencies to improve federal IT security.

You have got to get the appropriators involved in this or I think otherwise there is no and you have got to make sure that this comes down from the top from the president that this is a priority. I get the feeling sometimes that everybody is hoping this won't happen on their shift. They are not getting additional dollars in any of these cases, they try to secure your networks but without any additional money they have a lot of other missions that they are trying to accomplish and you get no credit for doing anything here. It doesn't help you accomplish your mission, and you are trying to make sure you don't get a cyber attack, but you don't get any credit if an attack doesn't come whether you put FISMA or not and you are just taking the chance that it doesn't hit on your watch. Now, though, we are getting more and more penetrations and I think people are starting to get worried.

And, here's how Davis describes the government's current cyber defense stature:

It is still very stovepipe and we are going to have some cyber attack somewhere and there are going to be some damages done and at that point people are going to what to know what have you done about it. A lot of us have been screaming about this for years, Republicans and Democrats, but at the end of the day you can't legislate this stuff because it comes from the executive branch. Hopefully, after they have finished their study at this point they will put some money behind this. That is our goal and that is the hope.

Besides Davis, others mentioned as the potential White House cybersecurity adviser, according to Time and others:

Melissa Hathaway, who led the administration's 60-day cybersecurity review and former cybersecurity advisor to President Bush (read our profile on Hathaway).
Fred Kramer, assistant defense secretary for international security affairs under President Clinton;
Howard Schmidt, a onetime Microsoft chief security advisor and former adviser to Bush on cyberspace security and protection of critical infrastructure (read BankInfoSecurity.com's interview with Schmidt on the war on cyber crime)
Paul Kurtz, an Obama advisor who served in the National Security Council under Bush and Clinton (read/listen to our interview with Kurtz);
Susan Landeau, a Sun Microsystems's distinguished engineer with cybersecurity and public policy expertise;
Maureen Bainski, a former FBI intelligence leader; and
Scott Charney, head of Microsoft's cybersecurity division.

Web Fraud 2.0: Franchising Cyber Crime (Washington Post: Security Fix)

2009-06-20T21:51:00.002-04:00

Web Fraud 2.0: Franchising Cyber Crime

http://voices.washingtonpost.com/securityfix/2009/06/web_fraud_20_franchising_cyber.html?wprss=securityfix

For the most part, cyber gangs that create malicious software and spread spam operate as shadowy, exclusive organizations that toil in secrecy, usually in Eastern Europe. But with just a few clicks, anyone can jump into business with even the most notorious of these organizations by opening up the equivalent of a franchise operation.

Some of the most active of these franchises help distribute malicious software through so-called pay-per-install programs, which pay tiny commissions to the franchise operators, or so-called affiliates, each time a supplied program is installed on an unsuspecting victim's PC.

These installer programs will often hijack the victim's search results, or steal data from the infected computer. Typically, affiliates will secretly bundle the installers with popular pirated software titles that are made available for download on peer-to-peer file-trading sites. In other cases, the installers are stitched into legitimate, hacked Web sites and quietly foisted upon PCs when people visit the sites with outdated, insecure Web browsers.

Experts say one of the longest-running and most successful of these pay-per-install operations is an organization called "InstallsCash," which pays distributors to spread a variety of invasive programs. After you've signed up for a free account, InstallsCash will provide you with an installer file (.exe). They will then pay you between $5 and $140 per 1,000 installs (with higher rates for installations in countries like the United States, United Kingdom and Italy).

InstallsCash tells affiliates that the program they're distributing merely changes the victim's homepage, adds a browser toolbar, and installs aporn dialer, which hijacks the victim's dilal-up modem to make expensive 1-900 phone calls. Working with security researchers, Security Fixsigned up for an account at IntsallsCash to learn what their affiliates were really installing.

What we found was the installation program given by InstallsCash to distributors installs some of the most sophisticated and aggressive malicious software in circulation today.

According to one analysis by researchers at Atlanta based managed security services firm SecureWorks, an InstallsCash installer delivered to affiliates in mid-May dropped no fewer than 15 pieces of malware on victim systems, including Cutwail, one of the most sophisticated and prolific spam bots on the planet. Also included were variants of theKoobface worm -- which spreads via social networking sites like Facebook (hence, the anagram of Facebook), as well as the Zeus or PRG Trojan, a sophisticated password stealing program.

Separately, experts with security research firm Team Cyrmu looked at a different installer offered by InstallsCash. Team Cymru found that the installer seeded PCs with quite a different crop of malware, including several Trojan horse programs, a rootkit, a virus and backdoor calledVirut, and a generic spam Trojan that turns the victim PC into a spam relay.

No offices or phone numbers are listed on the group's Web site. On its "About Us" page, Installscash lists six different instant message accounts that can be used to contact them. SecurityFix left messages at all six. One who did answer, named "Install_Support," said "Ask me your questions, maybe I will answer,", but then declined to answer any of them, except to say that he or she was located in Ukraine.

A publicly-accessible test page on the group's Web site indicates that the last person to administer the site did so via an encrypted connection from a DSL account in Kiev, Ukraine.

It is illegal in most countries to distribute malicious software, such as computer worms, with the intention of infecting computers without the owner's permission

Michael LaPilla, director of malicious code operations for iDefense, a Sterling, Va. based security intelligence group owned by Verisign, said InstallsCash has a long and storied history, albeit under different names: The affiliate program previously went by the names Iframedollars and Iframecash, and for a long time was among the most visible arms of the infamous Russian Business Network.

"They've been active for so long," LaPilla said. "They just took new names after too much public attention got their old domains shut down."

LaPilla said exactly what that installer program will plant on infected machines varies from day to day, based on two factors: Where the victim lives, and which cyber criminal gangs are paying InstallsCash to distribute malware that week.

In 2007, iDefense analysts launched an investigation to see whether the malware being downloaded by the InstallsCash installer changed depending on geographical location of the victim PC. Sure enough, iDefense found that most of the PCs receiving password-stealing Trojans sought credentials for financial institutions specific to the victim's region.

Securing critical infrastructure needs holistic approach, panel says (GCN)

2009-06-20T21:07:00.002-04:00

Securing critical infrastructure needs holistic approach, panel says

By William Jackson
Jun 19, 2009

http://gcn.com/articles/2009/06/19/holistic-approach-to-securing-critical-infrastructure.aspx

Securing the nation's and the world's increasingly critical, connected and diverse information infrastructure requires a holistic view of cybersecurity, rather than a focus on specific technologies, threats and delivery vectors, according to a panel of government security officials.

"Security is all about mission" and not about networks or specific assets, said Phillip Reitinger, deputy undersecretary of the Homeland Security Department's National Protection and Programs Directorate.

"The United States is facing a grave economic and security challenge," through information security breaches, said James Richberg, acting assistant director of national intelligence for cybersecurity in the Office of the National Intelligence Director.

Much of our cybersecurity resources are focused on remote network penetration and securing data from theft, Richberg said. Although these are critical issues, focusing on any one aspect of cybersecurity leaves our enterprises vulnerable to other lines of attack.

"We must develop ways to defend against all lines of threats," he said. Those include insider and supply chain threats as well as remote penetrations; attacks from nations as well as from criminals, hackers or terrorists; and the destruction or manipulation of information as well as its threat.

The comments were made June 18 during a seminar hosted by GCN's affiliate publication, Federal Computer Week.

The Defense Department and the National Security Agency have led the way in much of the advancement in cybersecurity over the past decade, beginning with the Solar Sunrise penetrations by a pair of teenagers in 1998, said Richard Schaeffer Jr., NSA's information assurance director.

"That was the beginning of the leadership at DOD realizing that we have a problem," Schaeffer said. "Over the past 11 years, the DOD has made some great strides. We've come a hell of a long way, and we are accelerating at a terrific rate."

The Comprehensive National Cyber Initiative from 2008 and this year's cyber policy review represent a greater national consciousness of the problem, he said. But despite progress and growing awareness, the speakers agreed that the process of securing the information infrastructure will not be simple or easy, and probably never will be complete.

Key elements remaining to be addressed in strengthening cybersecurity include automating security with smarter, self-defending networks that can evaluate behavior, enforce policy and respond to incidents. Much of this process will require stronger identity management and authentication, they said. This would include not just persons using the systems, but machines and processes as well.

Another common theme is the need for stronger partnerships within government, between governments, and between government and the private sector. Progress has been made in partnering, Reitinger said, but operational cooperation between the public and private sectors still is lacking.

"I don't think we're there yet," he said. "This is less about talk and more about do."

To make these partnerships work, the private sector must insist that the public sector provides the assistance and information they need, Schaeffer said. "They must hold public partners accountable to be real partners."

Industry, Military Experts Discuss Murky Cyberwar Issues (CIO)

2009-06-17T22:21:00.002-04:00

Industry, Military Experts Discuss Murky Cyberwar Issues

– Jeremy Kirk, IDG News Service

June 17, 2009

http://www.cio.com/article/495220/Industry_Military_Experts_Discuss_Murky_Cyberwar_Issues

Nations increasingly touched by cyberattacks are still in the very early stages of figuring out how to deal with incidents that could escalate into critical national security threats.

From DOS (denial-of-service) attacks on Web sites to hacking attempts on power grids and financial and military systems, experts are warning that the next wars will be kicked off by electronic blitzes from non-state actors and that nations haven't worked out clear strategies.

But academics, experts from private companies and government officials are discussing those issues this week in Tallinn, Estonia, at the first-ever Conference on Cyber Warfare. It's hosted by the Cooperative Cyber Defense Center of Excellence (CCDCOE), launched in May 2008 to help NATO countries deal with ever-growing cyberthreats.

"Cyberattacks are here to stay," said Jaak Aaviksoo, Estonia's defense minister, during a keynote speech on Wednesday. "They are not disappearing."

Estonia experienced a devastating cyberattack in 2007 following a decision to move a statue memorializing Russian soldiers who fought during World War II. Pro-Russian hackers took down bank and school Web sites via DOS attacks on Estonian networks.

Subsequently, Georgia experienced similar attacks following its conflict with Russia last year. And earlier this week, Iranian news Web sites and those belonging to political organizations were hit with DOS attacks following the contested re-election of President Mahmoud Ahmadinejad.

A multitude of issues are under discussion at the CCDCOE's conference: how nations can legally respond under international law to cyberattacks, how nations should render assistance to one another and simply what is the definition of a cyberattack.

None are likely to be resolved quickly, said Estonian Army Lieutenant Colonel Ilmar Tamm, director of the CCDCOE.

"The situation changes so rapidly," Tamm said. "We have to be really conscious on the conclusions we recommend, and nations have to be understand the potential consequences of what they adopt on the legal side, the policy side."

The CCDCOE is funded by its seven nation members, which include Estonia, Latvia, Lithuania, Germany, Spain, Italy and the Slovak Republic. The U.S. is not a member but has assigned a civilian with the U.S. Navy to the CCDCOE. Turkey, Hungary and the U.S. have expressed interest in joining CCDCOE.

The CCDCOE does not advise NATO operationally but is instead a think tank that is working in policy areas related to cyberwarfare such as tactics, protection of critical national infrastructure, policy and legal issues, Tamm said. The organization produces research papers, some of which are public and some of which are only for benefit of NATO countries, he said.

On the technical side, CCDCOE also does research on botnets, or networks of compromised computers used in aggregate to carry out malicious activity, as well as ways to automate network analysis tasks such as log files and intrusions.

At the request of NATO, it is also working on a paper that defines concepts around cyberwarfare, Tamm said.

Getting all nations on the same page is crucial. The global nature of the Internet has hampered cybercrime investigations since hackers can route, for example, a DOS attack through countries that have poor law enforcement, said Kenneth Geers, a U.S. Navy civilian analyst assigned to CCDCOE.

"The cyberproblem is real, and it demands an international response, but nobody knows quite how best to improve the international response because nation states and organizations themselves have so many questions about cybersecurity," Geers said.

Another looming issue is the development of offensive cyberwarfare skills that could be used in the event of an attack, but that is not CCDCOE's domain.

"We do know that a number of NATO nations are developing offensive capabilities," Tamm said. "They have reason to do that."

It is clear, however, that organizations such as the Taliban are using the Web effectively, said Johannes Kert, an adviser to Estonia's defense minister and chairman of the CCDCOE's steering committee.

The Taliban and Al Qaeda have created Web sites in order to spread ideology, recruit members and teach bomb-making techniques as well as to promote attacks that have been executed. However, NATO has been focused on cyberdefense rather than offense, Kert said.

"This is a field where we clearly lose today as NATO," he said. "This is a question NATO should start to discuss."

DoD told to add more cyberwarfare training (AF Times)

2009-06-17T22:02:00.002-04:00

DoD told to add more cyberwarfare training

Air Force Times, 16 June 2009

Rick Maze

The House Armed Services Committee moved Tuesday to escalate U.S. cyberwarfare efforts with a five-part defensive plan for protecting critical military information systems.

Short- and long-term initiatives were approved by the committee as part of its version of the 2010 defense authorization bill.

One immediate requirement of the bill langauage would be for the Defense Department to come up with a better, more coordinated process for discovering and addressing software vulnerabilities in defense systems. At some high level within the Pentagon, defense, service and defense agency officials would coordinate their efforts.

Another immediate change would allow private-sector civilians to receive training from the Defense Cyber Investigation Training Academy, which could create a wider base of people who can address problems.

And the bill would order a joint-service office for cyber capabilities that would work on policies involving tactics, technologies and manning of cyber-related commands and bills.

For the long term, the bill would devote $4 million to education outreach programs aimed at encouraging mathematics and computer science education that could help develop a cyber workforce for the future. This would include programs for elementary and high school students, and undergraduate college programs.

Also part of the long-term plan is a requirement for a study about recruitment, retention and career progression of military and civilian personnel involved in cyber operations. This would look at the number and types of people needed, and potential career paths, pay or other policies needed to attract and keep workers.

Rep. Ike Skelton, D-Mo., the committee chairman, said this is part of an effort to ensure the newly established Cyber Command, part of the U.S. Strategic Command, "can carry out its mission effectively and responsibly."

Rep. Adam Smith, D-Wash., who heads the committee's terrorism panel that oversees cyber programs, said it is clear the military needs to keep doing more.

"While technological innovations have improved our ability to secure our borders, they also have exposed some security concerns to our information technology systems and the networks that support them," Smith said.

Iran: Before You Have That Twitter-Gasm….(Danger Room)

2009-06-17T20:30:00.002-04:00

Interesting observation at the bottom of this Danger Room post.

Iran: Before You Have That Twitter-Gasm….

By Nicholas Thompson
June 17, 2009 |
6:49 pm

http://www.wired.com/dangerroom/2009/06/iran-before-you-have-that-twitter-gasm/

Before we all have a collective Twitter-gasm about the short-messaging service's use in Iran, let's breathe for a second. Yes, it's useful; yes, it's greatfor following the events here in the U.S.; yes, it might one day be a driving tool for revolution. But it's an overstatement to call it "the medium of the movement," as Time did.

We have no idea how many Tweets are spreading through RSS, Facebook pages, and text-messages. Nor do we know how info gets into every Twitter feed. But there's evidence that the reach of some of the most prominent Iranian "Green Revolution" Tweeters may not be as great as it first appears. For example, many of the Iranian tweeters described in the Western press seem to have between 10,000 and 30,000 followers. That's a lot; but Ashton Kutcher it ain't. And many of those followers are in the U.S. Check out @Change_for_Iran, @persiankiwi, @StopAhmadi, @persiankiwi, or @mousavi1388 and you'll see a lot of American names. At least in the first few pages, it seems to be about a third who are clearly in the U.S.

English-language tweeters of course have English-language followers. But Twitter isn't set up to make Farsi use easy (for example, you can't search for Farsi posts in the language section of Twitter'sadvanced search feature). In fact, the always helpful Nancy Scola has done a search on Twitter of all users who have listed their location as within 250 miles of Tehran. One interesting result: there are posts there only in Spanish, German, and English.

This afternoon, I emailed UCSD professor Babak Rahimi, the author of "Internet & Politics in Post-revolutionary Iran" and someone who is in Tehran right now covering the events. I asked what he thought of my hunch that we in the Western press are over-hyping the impact of Twitter. Here's what he said:

"I very much agree with you. The Twitter factor is present, but not as significant as, say, cell phone or social networking sites… [granted, it's hard to separate these out -- nms] I just wonder (or worry) how the U.S. media is projecting its own image of Iran into what is going here on the ground."

Hathaway: National cyber incident response plan coming by year end (FCW)

2009-06-17T20:24:00.002-04:00

Hathaway: National cyber incident response plan coming by year end

Hathaway also confirms she's in running for White House cybersecurity coordinator

By William Jackson
Jun 16, 2009

http://fcw.com/articles/2009/06/16/hathaway-developing-cybersecurity-response-plan.aspx

The Cyberspace Policy Review released by the White House last month was only the beginning of an effort being driven by President Barack Obama to reshape and strengthen the nation's cybersecurity, according to Melissa Hathaway, who headed up the review.

Hathaway, acting senior director for cyberspace for the National and Economic Security Councils, said today her team plans to produce a comprehensive national incident response plan by the end of the year that will guide response to the cyber equivalent of a major natural disaster. The team also will be working to unravel the overlapping and sometimes contradictory laws and regulations identified in the study that get in the way of effective cooperation and responses to cyber threats.

"You can expect a dialog on this issue with the private sector," Hathaway said at the Symantec Government Symposium in Washington. "You will also see us working with Congress because many issues will require a legislative fix."

As a result of the Cyberspace Policy Review, Obama announced last month the creation of a White House office of cyberspace coordinator, who will oversee government cybersecurity policy.

Hathaway on June 12 told Federal Computer Week, that she is a candidate for the White House cybersecurity coordinator position. According to Hathaway, officials hope to select a cybersecurity coordinator in the coming weeks, but no definite date had been set.

"In the coming weeks there will be an announcement of a cyberspace coordinator," Hathaway said. She said the president is personally engaged in the selection, which should be made soon.

The efforts reflect what Hathaway called an '"unprecedented level" of presidential leadership in cybersecurity. It is being established as one of Obama's management priorities, which means performance metrics are being established that will make department heads, not just chief information officers, accountable for their agencies' security posture.

Hathaway illustrated the scope of the cybersecurity issue with a familiar litany of challenges. The Internet and its associated information infrastructure now underpin much of the global economy and are essential to continued economic growth. However, it has expanded in scope and functionality at a pace that has outstripped efforts to secure it.

"It is not secure enough nor is it resilient enough to be move us forward," she said. "We are faced with a dangerous combination of known and unknown vulnerabilities."

The infrastructure is being challenged and attacked not by amateurs, but by professional criminals and spies backed with substantial resources.

There are no coordinated plans for protecting the critical infrastructure or responding to incidents, either by government or the private sector, she said. At the same time, three of the most important initiatives in moving the nation's economy ahead — building out universal broadband networks, a smart energy grid and electronic health records — are all threatened by these vulnerabilities and exploits.

"These are some of the things that keep the president up at night," Hathaway said.

The incident response plan will be vetted by the Homeland Security Department and private industry, and Hathaway said a wiki might be established to allow the private sector to collaborate in its development.

Difficult issues of liability and confidentiality will have to be resolved to enable the kind of pubic/private partnership that everyone agrees is necessary to improve cybersecurity. "We can no longer talk about a public-private partnership, but need to act on it," she said.

Greater international cooperation also is needed, and achieving this will require establishing common standards of behavior in cyberspace. Norms need to be established for defining criminal activity, warfare and terrorism, so that appropriate responses can be agreed upon, she said.

And to achieve all of this, a greater pool of manpower and expertise is required. Educational efforts must be extended past universities into primary and secondary schools to provide an adequate flow to the pipeline.

Lynn Wants Halt to Cyber Sniping (DoD Buzz)

2009-06-17T06:58:00.002-04:00

Lynn Wants Halt to Cyber Sniping

By Greg Grant Tuesday, June 16th, 2009 4:18 pm http://www.dodbuzz.com/2009/06/16/military-must-adopt-cyber-maneuver-warfare-lynn/

Bot-nets, internet-zombies, industrial spies, and cyber-mercenaries attack U.S. networks every day in the ongoing 21st century cyber war, said Deputy Defense Secretary William Lynn. Defense networks are probed "thousands" of times a day and the frequency and sophistication of those attacks are increasing exponentially.

"This is not some future threat, the cyber threat is here today," Lynn said, speaking yesterday at CSIS in Washington. "The cyber threat to DOD represents an unprecedented challenge to our national security by virtue of its source, its speed and its scope." Defeating cyber enemies will require developing an agile and nimble cyber "maneuver warfare" response, not a "digital version of the Maginot Line."

The power to disrupt and destroy power grids and other critical infrastructure, once the exclusive province of nation states, is now in the hands of small criminal and terrorist networks and even individuals. Some countries are developing offensive cyber weapons and more than 100 "foreign intelligence organizations" are trying to hack into U.S. networks, he said. Criminal groups infect thousands of computers spread around the world with viruses that give them control of them all in one massive "bot-net," that they then lease out to the highest bidder to wield against vulnerable networks. Attacks are up against defense contractors, Lynn said, and "major aerospace platforms" have experienced intrusions that have compromised sensitive, but not classified, information.

To counter cyber attacks that can strike in milliseconds, the military must detect and respond to attacks at "network speed," before networks are compromised, he said. Billions of dollars are spent annually to harden networks against attack, he said, but static firewalls are not enough. To outmaneuver opponents in cyberspace, DOD is building a cadre of cyber experts, and is tripling the number of experts it trains each year to 250 people. DARPA is also building a "national cyber range," in effect a model of the internet, Lynn said, to permit development and testing of new cyber defenses and weapons.

"We need to end the jousting and jockeying within the department for personnel, for resources, for authority that has often prevented a more coordinated and effective response to the cyber threat." To that end, the Pentagon is mulling creation of a new "subordinate unified command" under Strategic Command, the lead command for cyber defense. Lynn said that although Gates has yet to make a final decision on the structure of the command, "it would not represent the militarization of cyber space," he said. The new command would only be responsible for protecting networks in the dot-mil domain, not the private sector.

Lynn said the military is stills struggling with issues such as the "difficulty of attribution," how to deter cyber attacks when the identity of the attackers in cyberspace is rarely known and massive bot-nets span multiple countries. Some cyber attacks have been traced back to China, he said, but the military has been unable to determine whether it was an individual, a criminal organization or the Chinese government.

Pentagon Can't Trace Source Of China Cyber Attacks, Lynn Says (Bloomberg.com)

2009-06-16T21:11:00.003-04:00

Pentagon Can't Trace Source Of China Cyber Attacks, Lynn Says

Bloomberg.com, 15 June 2009

Tony Capaccio

The Pentagon is unable to trace with certainty the source of cyber attacks on U.S. military systems that originate in China, Defense Secretary William Lynn said.

"Some of the attacks, we've traced back to China but we have not at this point been able to attribute whether it's military intelligence, industry or criminal" hackers, Lynn said in a speech today at the Center for Strategic and International Studies in Washington.

The inability to pinpoint who in China or other foreign locales is hacking into the Pentagon's more than 15,000 networks is among the primary challenges the U.S. military faces as it seeks to improve its cyber defenses, Lynn said.

Defense Secretary Robert Gates hasn't said whether the Pentagon will establish a separate unit to coordinate the military's cyber-security programs and to initiate attacks on adversary cyber systems. If a unit is set up, it would be part of the U.S. Strategic Command, which is charged with defending the nation against nuclear attacks.

Senior Pentagon officials rarely acknowledge that China is a source of cyber attacks on U.S. systems. Lynn's remarks back up similar statements from some lawmakers.

The chairman of the House Homeland Security Committee, Democrat Bennie Thompson of Mississippi, said in Feb. 12 interview that the Chinese government and freelance hackers are the primary culprits behind as many as several hundred daily attacks against U.S. government, electric-utility and financial computer networks.

Democrat Bill Nelson of Florida, a member of the Senate Intelligence Committee and a panel that oversees NASA, said March 20 that his office's computer network had been attacked by someone in China.

Nelson said the network had been hacked into three times in the previous 30 days, although no classified material was obtained.

DoD's 'Cybercommand', in broad brushstrokes (FederalNewsRadio)

2009-06-16T21:10:00.002-04:00

DoD's 'Cybercommand', in broad brushstrokes

FederalNewsRadio, 15 June 2009

Max Cacas

Calling it an "unprecedented challenge to the security of the United States," a top Pentagon official on Monday stopped short of announcing officially that the Department of Defense had officially set up its long-awaited cybercommand to protect the nation's military computer networks.

William Lynn III, Deputy Secretary of Defense, told a briefing at the Center for Strategic and International Studies in Washington that his boss, Defense Secretary Robert Gates, is continuing to refine how the new cybercommand will function.

"The Secretary is evaluating proposals, the Joint Staff is still working out details of how this command will work, and what the working relationships are," Lynn said, responding to a question from FederalNewsRadio.

He adds that, insofar as Congress is concerned, the "commander of the cybercommand, if we decide to create that, would be subject to Senate confirmation."

This suggests that the next cyber-commander might be a flag officer, such as a four-star general, or an admiral, similar to the way that General David Petraeus runs the ward in Iraq and Afghanistan from a Central Command in Tampa, Florida.

Lynn described the proposed cybercommand as a "sub-unified command of an existing unified command" within the Pentagon, and as such would not require enabling conmgressional legislation to "stand up" the new military cybercommand.

He did pledge to "consult actively with Congress as we do this."

Lynn told CSIS fellows, the media and invited guests that "just as with our national dependence, there is no exaggerating our military dependence on our information networks."

He added, "This is not some future threat, the cyberthreat is right here, and it is right now. In fact, the cyber threat to the Department of Defense represents an unprecedented challenge to our national security by virtue of its source, its speed, and its scope."

The Assistant Secretary says the focus on setting up such a cybercommand, reflects a recognition by the Pentagon for cyberspace being "a domain - similar to land, air, sea and space, a domain that we have come to depend on, and need to protect."

He says that the proposed cybercommand would focus on .mil -- military data networks -- and work in conjunction with private companies and government agencies to jointly protect the .com and .gov Internet domains.

That includes, he says, the federal contracting community, which is such an important part of how the military gets its work done.

Cybersecurity Poses ‘Unprecedented Challenge’ to National Security, Lynn Says (American Forces Press Service)

2009-06-16T21:08:00.002-04:00

Cybersecurity Poses 'Unprecedented Challenge' to National Security, Lynn Says

American Forces Press Service, 15 June 2009

John J. Kruzel

WASHINGTON – Threats to U.S.-based computer networks -- posed by the intelligence branches of foreign countries and teenage hackers alike -- represent an unprecedented national security challenge, the Pentagon's No. 2 official said today.

Making cyber warfare unique is the breadth of potential sources, plus the speed and scope of such attacks, Deputy Defense Secretary William J. Lynn III said.

"Once the province of nations, the ability to destroy via cyber means now also rests in the hands of small groups and individuals: from terrorist groups to organized crime, hackers to industrial spies to foreign intelligence services," he told the Center for Strategic and International Studies here.

Lynn said the common thread among three marquee reviews of U.S. cybersecurity is the need for greater public awareness of both the threat to the country and how it's prepared to defend against digital attacks. He cautioned that cyber warfare is not an emerging or distant risk.

"This is not some future threat. The cyber threat is here today; it is here now," said Lynn, whose remarks today come several weeks after President Barack Obama announced plans to appoint a cyber security coordinator to oversee the government's effort.

The 21st century U.S. military, like American society at large, is dependent on modern technology that is subject to vulnerabilities, Lynn said.

"Just like our national dependence, there is simply no exaggerating our military dependence on our information networks: the command and control of our forces, the intelligence and logistics on which they depend, the weapons technologies we develop and field – they all depend on our computer systems and networks," he said. "Indeed, our 21st century military simply cannot function without them."

Lynn said the government's roughly 15,000 networks – connecting 7 million computers, information technology devices and servers – all make for tempting targets.

Underscoring the clear and present danger cyberwarfare engenders, Lynn said there's evidence that more than 100 foreign intelligence organizations are trying to hack into U.S. networks. Lynn also cited a top intelligence official who said both Russia and China are capable of using electronic means to disrupt elements of the nation's infrastructure.

Speaking about the scope and speed of cyber warfare, Lynn pointed to the example of Estonia, which was victimized by an attack allegedly carried out by Russian operatives. A series of data-flooding attacks lasting about three weeks in early 2007 brought down the Web sites of several daily newspapers and forced Estonia's largest bank to shut down its online banking network.

Some cyber tactics can be carried out in less than one second, which increases the need for government preparedness.

"If attacked in milliseconds, we can't take days to organize and coordinate our defenses," he said. "If our networks were to be disrupted or damaged, we'd need to respond rapidly at network speed before the networks could become compromised and ongoing operations and the lives of our military are threatened.

"In short," he continued, "we have to be just as fast, if not faster, than those who would do us harm."

The Defense Department is considering a sub-unified command for cyberspace, Lynn said, though a decision hasn't yet been reached on what shape the command might take.

DDOS attacks on Iran's web-sites: what a stupid idea! (Foreign Policy: net.effect)

2009-06-16T21:03:00.001-04:00

DDOS attacks on Iran's web-sites: what a stupid idea!

Mon, 06/15/2009 - 7:27am

http://neteffect.foreignpolicy.com/posts/2009/06/15/ddos_attacks_on_irans_web_sites_what_a_stupid_idea

This was to be expected: as the protests in Tehran do not seem to calm down, the warring parties are sparring in cyberspace. As ThreatChaostpoints out, the plot has now thickened: now anyone with an Internet connection knows how participate in a DDOS attack on Ahmadinejad's web-sites! Thank you, Twitter!

I have come to believe that DDOS attacks must be the new counselling, for they seem to be much more effective at neutralizing the anger of millions of angry Americans and Europeans (not to mention Iranians themselves) and converting it into something tangible (well, tangible would be a bit of a stretch: so far, it only slows down several pro-government sites to a point where some of them become inaccessible altogether). The question, however, is whether it's going to help anyone but the angry netizens.

I've looked around Twitter and the Interwebs and have discovered several ways of helping the cause. Most are rather basic and are Web-based: those who want to launch DDOS from the comfort of their browsers, can go to Pagerload.com, PageReboot.com or AustinHeap.com, where they can either enter their own online targets or have to live with the targets that have already been chosen for them (AustinHeap even customizes its offerings: you can still launch DDOS attacks from your browser, but if you happen to run a PHP server, well, then you can be even more powerful - they let you know how too).

Those are who more experimental by nature could also download a shady software called "Low Orbit Ion Cannon" (that sounds like something dreamt up in computer labs of the Scientologists or, at least, to fight the Scientologists, no?), have it installed (disregard the alerts of your anti-virus :-), input a few targets, and, perhaps, also customize a message that you would like to "send" to Iranian servers, and hit "Launch Attack"! (it also displays some unknown call in a foreign language - I presume it is there to make it look more authentic; after all, you can't expect to be part of the Cyber-Jihad without some loud exclamations in Arabic or Farsi). There are calls to use an even more sophisticated tool called "BWraep", which seems to exhaust the target web-site out of bandwidth by creating bogus requests for serving images (many of these tools appear to be described and linked to from a shady web-site called the Insurgent Wiki).

There is a lot of Twitter hyperactivity surrounding these DDOS-attacks, including a dedicated Twitter handle "DDOSIran" and several frequent posters who share tips and links to new "tools" (some of these sites also carry some truly useful information, like the list of proxies that are currently working in Iran, so I assume there are quite indispensable at the moment, no matter what your take is on DDOS attacks). One interesting innovation that I've noticed is the use of Delicious to compile links to attack-sites; check http://delicious.com/freeiran for more - this strikes me as a very interesting use of social bookmarking, even though I am not sure that Delicious admins will let this stuff stay online if it gets really popular.

I don't know about you, but to me it looks as if DDOS attacks emerged as a very effective way to boost PR for some of their organizers. Don't you think it's a bit surprising to see, for example, "Josh Koster of the DC-based political firm Chong and Koster" become one of the "cyber-commanders" of a DDOS-army that was trying to take down the web-site of the Islamic Republic of Iran Broadcasting (is it a coincidence that the company also offers "rapid response" and "new media services"?). Poor Josh, he may not have known about the fact that his actions might be illegal - but still, the PR benefits, I am sure, were huge.

Several visible American blogs - TechPresident (that's where I found out about Koster's story) and DailyKos among them - have written celebratory articles that read as if they are encouraging people to participate in the cyber-attacks. Patrick Ruffini, one of TechPresident's founders, linked to TP's post with a brief comment that said "How to DDOS (in a good way) Iran's state-run media website", which was then re-tweeted a few dozen times. Saying that these cyber-attacks are somehow "launched in a good" strikes me as a very ood observation; so, when someone attacks the web-sites of the Georgian presidents, the DDOS attacks are deplorable, but to strike down Ahmadinejad's web-site is okay? I think we need more consistency here - we can't just selectively apply moral labels simply based on whose party we happen to support in a conflict.

Some wise folks have been cautioning against participating in DDOS attacks, for they are only likely to slow down Internet in Iran for everyone, not just Ahmadinejad's supporters (kudos go toInfoWarMonitor, MacSheikh, Robo_Fish, and several others). This blog post sums up their logic pretty well:

Iran is not your modern open developed nation with gigabit links coming out of its ears. It does not have unlimited transit, and it is likely that all its transit it through one or two carriers. If these links are overwhelmed by armchair protesters DDOSing the website, then Internet access from Iran to the outside world may be disrupted, and it's even possible that the carrier, which will also be catering to other under-developed nations in the region, will simply pull the plug to protect the rest of their network.

But these little subtleties get lost on an angry online mob that wants revenge on Ahmadinejad without taking the effort to educate themselves about the repercussions of their cyber-activity. It's a shame that some American bloggers are participating in this campaign and are even encouraging others to take up their "cyber-arms". Not only is this irresponsible and probably illegal, it also hurts users in Iran and gives their hard-line government another reason to suspect "foreign intervention" - albeit via computer networks - into Iranian politics.

One possible scenario is that if the cyber-attacks don't subside, Iran will simply pull the plug on the entire Internet in the country - this would be a logical thing to do - leaving all of us without all those Flickr pictures and YouTube videos. Now, this would be really sad - but, perhaps, also a good lessons for those who are all too eager to become "cyber-revolutionaries" in the comfort of their homes. If you want to help Iran, go organize a protest near the Iranian consulate in your city or send money to some independent online news agency - this, at least, will do no harm, unlike DDOS.

Evgeny Morozov