Friday, July 3, 2009

Coordinator in chief (C4ISR Journal)

Coordinator in chief
What experts say Obama's cybercoordinator must do to succeed
By Ben Iannotta
July 01, 2009
When America's first national cybersecurity coordinator arrives at the White House, he or she will have to settle long-standing questions about the precise roles of the military, private companies and federal regulators in protecting the country's electrical systems, water supplies and other services from a hacker's computer keystrokes.
President Barack Obama said he would personally choose and meet regularly with the coordinator, a position he announced in a May 29 speech at the White House. He said this person will have an office and staff in the White House, and will draft a "comprehensive" national cyberstrategy in "partnership" with the U.S. computer industry and government agencies. The coordinator — White House officials are not using the term "czar" — would work closely with White House budget officials on spending decisions and coordinate U.S. responses in the event of a cyberattack, he said.
Obama spoke in the East Room before a cast of 120 mostly civilian VIPs, an exception being Marine Corps Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, whose job is to set the military's buying priorities. Also in the East Room were corporate CEOs and independent analysts who participated in the administration's "Cyberspace Policy Review," a fact-finding mission led by Melissa Hathaway, a former Bush administration intelligence official and now the top cyberofficial at the National Security Council. Hathaway and her staff met with networking companies, independent analysts and defense officials over the course of 60 days.
By placing responsibility for cybersecurity within the White House, and announcing a partnership with the industry, Obama set the U.S. on a different path than that of the Bush administration, which had relied on a combination of free market forces, presidential directives and the leadership of the Department of Homeland Security (DHS) to protect the private infrastructure. Instead of DHS leading the way, a White House official would be in charge, and this official would have a direct line to the White House Office of Management and Budget (OMB), which assembles spending requests from U.S. agencies into the annual budget requests to Congress. "It's going to be very important for the coordinator to work with OMB to ensure cybersecurity is adequately funded," said an OMB official in the East Room.
Neither Obama nor the 38-page Hathaway report spelled out precisely what actions the new spending authority and partnership with the industry would produce.
Would the government work with computer and software companies to draft regulations defining the security standards for the software underlying the U.S. infrastructure? Electrical hubs, for example, now have Internet Protocol addresses, which helps managers run electrical grids more efficiently, but also makes them vulnerable. Would better cybersecurity at such sites remain voluntary, as was the case under the Bush administration? Would the government cover the costs of beefed up cybersecurity in the private sector? For its part, the Hathaway report called for refining "government procurement strategies" and improving "market incentives" as the answer, but it did not define those steps any further. Would the coordinator's decisions affect the 2010 budget, which is currently before Congress, or wait until 2011 for impact?
Obama also did not discuss the controversial issue of America's offensive cyberattack planning, nor the precise role of the intelligence community and military in securing the U.S. private-sector infrastructure.
Military efforts
In recent months, military officials have been engaged in their own effort to reorganize themselves for cybersecurity. In May, for example, the U.S. Air Force announced it would establish a 400-person cyberheadquarters and operations center at Lackland Air Force Base, Texas, to coordinate cyberdefense with other services and, when necessary, launch offensive cyberactions. Originally, the Air Force planned on establishing its own cybercommand but backed away when critics said the service should focus on working with the other services instead of trying to lead in the cyberdefense domain.
Air Force Maj. Gen. William Lord, the service's top cybercommander, said "six verbs" would govern the work of the new 24th Air Force, the group focused on cyberspace: "establish, operate and maintain, defend, and exploit and attack." He spoke in late March at the National Space Symposium, before the service announced the location of the cyberheadquarters and operations center.
Lord said U.S. offensive cyberactions could turn out to be critical in future wars: "If you think about not warfare today, but warfare maybe 20 or 50 years from now, maybe it's not about the kinetic destruction of people or facilities. Maybe it's about so confusing a technologically advanced force by scrambling their technology that they don't have the ability to conduct warfare."
Part of the Obama strategy is likely to focus on technologies for identifying cyberattackers without violating the privacy of Internet users, something defense officials said would not be technically easy. "Two years ago in April, a million computers from 75 different nations attacked Estonia. Who do you go to war with?" he said. "Most of that attack came from [unknown people in] the United States. We're friends with Estonia," he said. "So figuring out: One, who the enemy is, and second, what's the intent of an enemy, in this domain, is very, very challenging."
Lord said the Air Force advised the Hathaway panel indirectly about the Air Force's plans and views on major cyberissues through the Pentagon's Joint Staff and the Office of the Secretary of Defense. Lord said reacting quickly to a cyberattack would be one of the great challenges confronting the country.
"What happens when you track back an IP address to you-name-the-country? How do you get law enforcement to that address, that physical address and using the laws of that country say, 'Stop that stuff?' That process takes weeks today. And we've got figure out how to make it occur more quickly," he said.
As far as military management of cyberdefense, Lord said defense officials were discussing the possibility of establishing a "sub-unified command" under U.S. Strategic Command to coordinate cyberwork among all the services. At about the time of Obama's announcement, The New York Times and The Associated Press reported that the U.S. was on the verge of establishing a new Cyber Command.
Though much is left to be sorted out, industry officials, by and large, said they were pleased that the White House had set a tone of partnership and will establish a high-level authority to define the national cyberstrategy under which the government, in all likelihood, would spend billions of dollars to improve security.
"It's encouraging to watch the United States and President Obama take the lead here in trying to innovate," said David DeWalt, CEO and president of McAfee, the computer security giant. DeWalt was one of those invited to gather in the East Room.
He said the importance of the word partnership, meaning with the industry and government, should not be discounted. "We believe the lack of partnership in the past has actually enabled the criminal behavior and terrorist behavior to emerge quicker, and with more force than had we had this interlock," he said.
Gregory Q. Brown, president and CEO of Motorola, also was in the East Room. "My team has met with [Hathaway], and we're very supportive," he said. He said Motorola is ready to help advise the government about how to keep networks secure, particular during emergency responses.
Budget link
Obama's most significant move, several attendees said, might have been when he underscored the cybercoordinator's relationship with the White House Office of Management and Budget.
"The way you get anyone to do anything is through the budget," said Alan Paller, director of research and defense at the SANS Institute, which researches information security technology. "That's what was wrong before. DHS didn't have any leverage" over spending at other agencies involved in cybersecurity, he said. "DHS could say anything they wanted and everyone could ignore them because there were no consequences."
Agencies have to listen to OMB or risk losing spending for other priorities, he said. "If you ignore OMB, the consequences are very sharp," he said.
Obama said he will designate cybersecurity one of "my key management priorities" and that the office of the cybercoordinator would set cyberpriorities and work "closely" with OMB "to ensure agency budgets reflect those priorities."
How much time the government should take before spending money under the new plan could emerge as an area of disagreement between the government and the industry. The Hathaway review describes refinement of government procurement strategies and establishment of market incentives as "Mid-Term" actions. Even at that, they are listed in line No. 14 of a table showing 14 mid-term actions.
Even so, Paller predicted the Obama administration would begin using the procurement process, in particular the defense process, in the near term "because it's the lever. It's the one you can move."
Also unclear in the Obama announcement was whether the emerging cyberstrategy would affect spending in the 2010 budget, which the administration sent to Capitol Hill three weeks before Hathaway's finding were made public and Obama announced the cybercoordinator office.
DeWalt of McAfee said it would be unwise to wait until the 2011 budget request to start applying funds under the administration's emerging cyberpolicy. "My opinion is, every day that we wait is another day that we're completely vulnerable. And I think, again, this activity [in the White House East Room] was a step in the right direction," he said.
DeWalt said the government already has billions of dollars of cyberdefense money in play because of the Bush administration's cyberinitiative. In 2008, with attempts to penetrate U.S. networks on the rise, the Bush administration launched the largely-classified Comprehensive National Cyber Security Initiative, which was defined by two executive directives, Presidential Directive 54 and Homeland Security Directive 23.
Former-Homeland Security Director Michael Chertoff announced the initiative and his agency oversaw the effort. Observers expect the Obama team to rework much of the Internet monitoring and intelligence-gathering policies contained within the Bush initiative. Obama, for example, said this cyberoffice "will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people."
The differences in philosophy are huge, but the money and momentum remain. "This isn't starting from scratch with nothing," DeWalt said. "There is been some budget laid out from the previous administration. There is some opportunity to leverage that into the new programs," he added.
Industry officials said they expect the Obama strategy to focus less on spying on individual Internet users and more on securing private-sector networks related to critical infrastructures, and improving early-warnings of attempts to spread viruses and computer worms.
Federal regulations
One of the great debates among industry officials and analysts has been about the appropriate role for federal regulations, and whether it would be wise for an administration and Congress to create a new regulatory law that would require certain security software and procedures for private-sector networks. Such an act could be patterned after the U.S. Sarbanes-Oxley law that defines the kind of records financial institutions must make public, DeWalt said.
The topic of regulations was a hotly contested one during a series of meetings in 2007 through 2008 organized by the Center for Strategic and International Studies (CSIS), a think tank based in Washington. CSIS officials wanted to recommend a cyberstrategy for the incoming president. The experts met periodically over the course of more than a year, and in December, the group released its report, "Securing Cyberpspace for the 44th Presidency."
"We deliberated for about 14 months on that issue," said Phyllis Schneck, McAfee's director of threat intelligence for the Americas, and a member of the CSIS panel.
In the end, the CSIS panel was not shy about recommending federal cyber-regulations. The panel blasted the Bush administration's 2003 National Strategy to Secure Cyberspace for relying on market forces and ruling out federal regulation as a major player.
"In pursuing the laudable goal of avoiding overregulation, the strategy essentially abandoned cyber defense to ad hoc market forces. We believe it is time to change this. In no other area of national security do we depend on private, voluntary efforts. Companies have little incentive to spend on national defense as they bear all of the cost but do not reap all of the return. National defense is a public good. We should not expect companies, which must earn a profit, to survive, to supply this public good in adequate amounts," the CSIS panel said.
Obama stopped well short of embracing the CSIS wording: "My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity," he said.
Schneck said the Obama administration will need to find incentives. "How do we take a private-sector company that at the end does need to make money, and enable them to not only protect their infrastructure, but do things in the public good, and still remain profitable?" she said.
In the coming months, those in the East Room said one passage in Obama's 16-minute speech makes them certain that cybersecurity will remain a priority for the administration. Obama said that between August and October 2008 — the final stretch of the U.S. election campaign — "hackers gained access to e-mails and a range of campaign files, from policy position papers to travel plans." He said his campaign hired security consultants and met with the FBI and the Secret Service.
"It was a powerful reminder: In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities," he said.

Cyberactions plan (C4ISR Journal)

Cyberactions plan
July 01, 2009
The "Cyberspace Policy Review" developed a 10-point "near-term action plan" for U.S. cybersecurity efforts:
• Appoint a cybersecurity policy official responsible for coordinating the nation's cybersecurity policies and activities; establish a strong National Security Council directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the National Economic Council, to coordinate interagency development of cybersecurity-related strategy and policy.
• Prepare for the president's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of Comprehensive National Cybersecurity Initiative activities.
• Designate cybersecurity as one of the president's key management priorities and establish performance metrics.
• Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
• Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities and the application of agency authorities for cybersecurity-related activities across the federal government.
• Initiate a national public awareness and education campaign.
• Develop U.S. government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies and opportunities associated with cybersecurity.
• Prepare a cybersecurity incident response plan; initiate a dialogue to enhance public-private partnerships with an eye toward streamlining, aligning and providing resources to optimize their contribution and engagement.
• Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories and identifying solutions.
• Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.

Thursday, July 2, 2009

Defend America, One Laptop at a Time (NY Times)

Defend America, One Laptop at a Time

Cambridge, Mass.

http://www.nytimes.com/2009/07/02/opinion/02goldsmith.html

OUR economy, energy supply, means of transportation and military defenses are dependent on vast, interconnected computer and telecommunications networks. These networks are poorly defended and vulnerable to theft, disruption or destruction by foreign states, criminal organizations, individual hackers and, potentially, terrorists. In the last few months it has been reported that Chinese network operations have found their way into American electricity grids, and computer spies have broken into the Pentagon's Joint Strike Fighter project.

Acknowledging such threats, President Obama recently declared that digital infrastructure is a "strategic national asset," the protection of which is a national security priority.

One of many hurdles to meeting this goal is that the private sector owns and controls most of the networks the government must protect. In addition to banks, energy suppliers and telecommunication companies, military and intelligence agencies use these private networks. This is a dangerous state of affairs, because the firms that build and run computer and communications networks focus on increasing profits, not protecting national security. They invest in levels of safety that satisfy their own purposes, and tend not to worry when they contribute to insecure networks that jeopardize national security.

This is a classic market failure that only government leadership can correct. The tricky task is for the government to fix the problem in ways that do not stifle innovation or unduly hamper civil liberties.

Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.

President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.

The government should also use legal liability or tax breaks to motivate manufacturers — especially makers of operating systems — to improve vulnerability-filled software that infects the entire network. It should mandate disclosure of data theft and other digital attacks — to trusted private parties, if not to the public or the government — so that firms can share information about common weapons and best defenses, and so the public can better assess which firms' computer systems are secure. Increased information production and sharing will also help create insurance markets that can elevate best security practices.

But the private sector cannot protect these networks by itself any more than it can protect the land, air or water channels through which foreign adversaries or criminal organizations might attack us. The government must be prepared to monitor and, if necessary, intervene to secure channels of cyberattack as well.

The Obama administration recently announced that it would set up a Pentagon cybercommand to defend military networks. Some in the administration want to use Cybercom to help the Department of Homeland Security protect the domestic components of private networks that are under attack or being used for attacks. Along similar lines, a Senate bill introduced in April would give the executive branch broad emergency authority to limit or halt private Internet traffic related to "critical infrastructure information systems."

President Obama has tried to soothe civil liberties groups' understandable worries about these proposals. In the speech that outlined the national security implications of our weak digital defenses, the president said the government would not monitor private sector networks or Internet traffic, and pledged to "preserve and protect the personal privacy and civil liberties we cherish as Americans."

But the president is less than candid about the tradeoffs the nation faces. The government must be given wider latitude than in the past to monitor private networks and respond to the most serious computer threats.

These new powers should be strictly defined and regularly vetted to ensure legal compliance and effectiveness. Last year's amendments to the nation's secret wiretapping regime are a useful model. They expanded the president's secret wiretapping powers, but also required quasi-independent inspectors general in the Department of Justice and the intelligence community to review effectiveness and legal compliance and report to Congress regularly.

Many will balk at this proposal because of the excesses and mistakes associated with the secret wiretapping regime in the Bush administration. These legitimate concerns can be addressed with improved systems of review.

But they should not prevent us from empowering the government to meet the cyber threats that jeopardize our national defense and economic security. If they do, then privacy could suffer much more when the government reacts to a catastrophic computer attack that it failed to prevent.

Jack Goldsmith, a professor at Harvard Law School who was an assistant attorney general from 2003 to 2004, is writing a book on cyberwar.

Wednesday, July 1, 2009

U.S. Official: Cybersecurity Plans Not Just Talk (internetnews.com)

U.S. Official: Cybersecurity Plans Not Just Talk
By Kenneth Corbin
July 1, 2009
http://www.internetnews.com/government/article.php/3827936/US+Official+Cybersecurity+Plans+Not+Just+Talk.htm

NATIONAL HARBOR, Md. -- Amid all the recent talk in Washington about getting serious about cybersecurity, some skeptics have expressed concern that it might be just that -- all talk, followed by little action.

But a senior White House official this morning official promised an audience of security professionals that unlike past federal reviews, which have been criticized for making promises that policymakers didn't keep, this time is different.

Speaking at research firm Gartner's annual Information Security Summit, Christopher Painter, the National Cybersecurity Council's director of cybersecurity, outlined the steps the Obama administration is taking to move ahead with the recommendations of a 60-day review the president commissioned earlier this year.

In a speech accompanying the release of the review in May, Obama outlined a multi-prong plan to tighten up the nation's cyber defenses, including the formation of a new position to coordinate cybersecurity policy across the agencies, Congress and the private sector.

But despite Obama's assurance that the cybersecurity coordinator would have his full support and regular access to the Oval Office, critics have speculated that the position is too far down the bureaucratic pecking order to have any real clout. In practice, they warn, the role might end up little more than a glorified cheerleader.

Painter promised otherwise.

"The cyber coordinator is going to be more than just a figurehead," he said. "We really have to deliver on the action plan."

The previous two administrations have made noise about cybersecurity, including a policy review President Bush ordered in 2001, which resulted in a strategy directive two years later. But Painter noted that those efforts didn't come with the mandate of a White House address, a jump-off point that he said elevated the issue to a chief policy priority.

"That's really a watershed event," Painter said of Obama's speech. "That really sets the tone, not only in this country, but around the world."

He added, "We had a strategy in 2003, but you didn't have the president coming out and giving a speech on this, and that's really, really important."

In that address, Obama made the case that defending critical infrastructure against online threats is as much an economic priority as it is a security issue.

That was reflected in the structuring of the cybersecurity coordinator position, which will serve on both the National Security Council and the National Economic Council. He has yet to fill the position.

Obama's efforts to bring cybersecurity into the mainstream fit with many of his other policy initiatives, where he is trying to apply technology solutions to areas like energy and health care. The idea of connecting the power grid to an interoperable network, while alluring for the energy savings it could yield, could have disastrous results if hackers were able to infiltrate the system and knock it offline. Similarly, the grand vision of an IT-based health care system where patients' records are digitized and doctors can provide treatment to patients in remote areas through robust networks could quickly unravel if the technology were compromised.

"It's really important to have security baked in from the beginning," Painter said.

That goes for government, too. Other members of Obama's tech team, particularly Aneesh Chopra and Vivek Kundra, who respectively fill the new positions of federal CTO and CIO, have been talking loudly about bringing new technologies to the federal computing apparatus to make it more efficient and collaborative.

[cob:Special_Report]As Chopra, Kundra and others tinker with new Web 2.0 technologies and moving the federal IT infrastructure to the cloud, Painter said they will work closely with the new cybersecurity coordinator to ensure that the government is leading by example.

"The cybersecurity coordinator is going to work very closely with [Obama's] CTO and CIO," he said. "The idea is, when we're thinking about these new technologies, we're thinking about security."

Painter stressed the need to partner with foreign countries to develop a coordinated approach to combat cyber threats. He spoke of the "weakest-link problem," where hackers will scour the globe to find a nation with lax cyber defenses, and route their attacks through servers in that nation to reach their ultimate target.

"It is clear that given the ubiquitous borderless nature of computer systems and computer networks that it doesn't matter if we do everything right" if other nations aren't on board, he said. "We need to have a dialogue with other countries."

He also spoke of the delicate balance of protecting privacy while maintaining a reasonable level of security in networks that are under continuous threat. Obama has said he will appoint a privacy official to the National Security Council's cybersecurity directorate to help ensure that the government's cyber policing efforts don't run roughshod over Americans' civil liberties.

The two aren't mutually exclusive, Painter said, pointing out that properly securing the systems that house personal information such as health records will keep people's sensitive data private.

"It's not a zero-sum game," he said. "If we're doing this right, we're enhancing privacy."

A Bustling Week for Cyber Justice (Washington Post: Security Fix)

A Bustling Week for Cyber Justice

http://voices.washingtonpost.com/securityfix/2009/07/a_bustling_week_for_cyber_just.html?wprss=securityfix


This past week has been a bustling one for cyber justice. The Federal Trade Commission announced a settlement in its ongoing case against scareware purveyors; a notorious hacker admitted stealing roughly two million credit card numbers; the Justice Department has charged a software developer from Arkansas with launching a series of debilitating online attacks against several online news sites that carried embarrassing stories about him. Finally, a federal appeals court decision gives security vendors added protection against spurious lawsuits by adware companies.

-- Last week, the FTC said it had settled with James Reno and his company ByteHosting Internet Services LLC. Both were named in the commission's broad sweep last year against purveyors of "scareware," programs that uses bogus security alerts to frighten people into paying for worthless security software.

The settlement imposes a judgment of $1.9 million against Reno and Bytehosting, yet the court overseeing the case suspended all but $116,697 of that fine, "based on the defendants' inability to pay the full amount."

Six other defendants allegedly involved in the scareware scams face pending charges from the FTC. One of the defendants, a San Francisco man named Sam Jain, is currently the subject of a federal criminal prosecution in California. According to Jain's attorneys, federal prosecutors in Illinois also are preparing to indict him on computer fraud charges related to the scareware distributed by his company, Innovative Marketing. Jain is currently a fugitive from justice.

-- From Wired.com's Kevin Poulsen comes what may be thepenultimate chapter in the prosecution of so-called superhacker Max Ray Butler, also of San Francisco. Butler, 36, faces up to 60 years in prison after pleading guilty to federal wire fraud charges that "he stole roughly two million credit card numbers from banks, businesses and other hackers, which were used to rack up $86 million in fraudulent charges."

Poulsen's story on Butler in Wired Magazine from December 2008 is a page-turner that chronicle's the hacker's successful bid to hack into, take over and ultimately consolidate several online forums dedicated to the theft and sale of stolen credit card numbers. One of the forums he hacked, called "Darkmarket," turned out to be a full-blown undercover sting operation set up by the FBI.

-- In a criminal complaint unsealed yesterday in a New Jersey federal court, the Justice Department charges a software developer from Arkansas with using botnets -- armies of hacked PCs -- to flood several targeted Web sites with so much data that they were at least temporarily unable to accommodate legitimate visitors.

The government alleges that between July 2007 and March 2008,Bruce Raisley launched a series of denial-of-service attacks against Rollingstone.com, and several other Web sites. Among those attacked was perverted-justice.com, a site dedicated to publicly exposing and shaming men who solicit sex from underage boys and girls online. Perverted-justice.com is perhaps best known for its connection to the Dateline NBC show "To Catch a Predator."

Charging documents note that Raisley apparently targeted those two sites and seven others for their publication of stories that retold an embarrassing chapter of his life. According to a July 2007 Rolling Stone article about perverted-justice.com founder Xavier Von Erck, Raisley himself was a former volunteer who helped perverted-justice members ensnare new targets.

At some point, the Rolling Stone article says, Raisley had a falling out with perverted-justice, and launched his own online campaign to depict the site's members as an out-of-control vigilante group. According to the Rolling Stone article, Von Erck "exacted a particularly sadistic form of revenge against" Raisley:

Posing as a woman named Holly, Von Erck began an online flirtation with Raisley, who was smitten enough to leave his wife and rent a new apartment. On the day Raisley went to pick up Holly at the airport, Von Erck sent a friend to snap his photo and posted it with a warning: "Tonight, Bruce Raisley stood around at an airport, flowers in hand, waiting for a woman that turned out to be a man. . . . He has no one. He has no more secrets. . . . Perverted-Justice.com will only tolerate so much in the way of threats and attacks upon us."

Raisley's court-appointed attorney could not be immediately reached for comment.

-- On Friday, the U.S. Ninth Circuit Court of Appeals in Seattle upheld a decision to dismiss a case brought in 2007 by Bellvue, Wash., based adware maker Zango. The company had sued anti-virus makerKaspersky, charging that Kaspersky interfered with its business by removing Zango's adware without first alerting the user.

The appeals court affirmed that Kaspersky's actions were shielded by the federal Communications Decency Act (CDA). That law contains a "good Samaritan" clause that protects computer services companies from liability for good faith efforts to block material that users may consider objectionable.

Eric Howes, director of malware research at computer security firmSunbelt Software, said admittedly, this decision is not nearly as consequential for anti-malware providers as it would have been three or four years ago, when adware vendors such as Zango and Direct Revenue were regularly threatening anti-spyware providers with legal action and peppering them with cease-and-desist letters on a weekly basis.

"It's a been a while since we received any serious legal threats, although we do still get the occasional protest from software developers whose apps we target as 'low risk,' potentially unwanted programs or tools," Howes wrote on the company's blog. "Nonetheless, the decision is a welcome one, as it extends to Sunbelt and other anti-malware providers the kind of legal cover we need in order to provide our customers and users with strong protection against unwanted, malicious software."

By Brian Krebs | July 1, 2009; 7:00 AM ET

Tuesday, June 30, 2009

Deep-Packet Inspection in U.S. Scrutinized Following Iran Surveillance (Threat Level)

Deep-Packet Inspection in U.S. Scrutinized Following Iran Surveillance

Following a report last week that Iran is spying on domestic internet users with western-supplied technology, advocacy groups are pressuring federal lawmakers to scrutinize the use of the same technology in the U.S.

The Open Internet Coalition sent a letter to all members of the House and Senate urging them to launch hearings aimed at examining and possibly regulating the so-called deep-packet inspection technology.

Two senators also announced plans to introduce a bill that would bar foreign companies that sell IT technology to Iran from obtaining U.S. government contracts, legislation that is clearly aimed at the two European companies that reportedly sold the equipment to Iran.

The Wall Street Journal reported last week that Nokia Siemens Networks, a joint venture between Germany's Siemens and Finland's Nokia, recently gave Iran deep-packet inspection equipment that would allow the government to spy on internet users.

According to the Journal, Iranian officials have used deep-packet surveillance to snoop on the content of e-mail, VoIP calls and other online communication as well as track users' other online activity, such as uploading videos to YouTube. Iranian officials are said to be using it to monitor activists engaged in protests over the country's recent disputed presidential election, though the Journal said it couldn't confirm whether Iran was using the Nokia Siemens Networks equipment for this purpose or equipment from another maker.

Nokia Siemens has denied that it provided Iran with such technology.

But similar technology is being installed at ISPs in the U.S.

It spurred extensive controversy last year when Charter Communications, one of the country's largest ISPs, announced that it planned to use deep-packet inspection to spy on broadband customers to help advertisers deliver targeted ads.

The plan sparked a backlash and heated congressional hearings. Publicity about the issue died down, however, after Charter retreated from its plan, and Congress moved on to other matters. But deep-packet inspection didn't go away.

ISPs insist they need it to help combat spam and malware. But the technology is ripe for abuse, not only by ISPs but also by the U.S. government, which could force providers to retain and hand over data they collect about users.

In its letter to lawmakers (.pdf) urging them to investigate the technology, the Open Internet Coalition delicately avoided placing the U.S. government in the same category as Iran by not mentioning possible U.S. government abuses of the technology.

"We do not believe U.S. network owners intend to interfere with political communications in the way the Iranian government is doing, but the control technologies they are deploying on the internet carry the same enormous power," the Coalition writes. "And, whether an inspection system is used to disrupt political speech or achieve commercial purposes, both require the same level of total surveillance of all communications between end-users and the internet."

At a House subcommittee hearing this year to examine the technology, Rep. Rick Boucher (D-Virginia) also expressed alarm.

"The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every e-mail or attached document is alarming," he said.

With regard to the sale of the technology to Iran, Sens. Charles E. Schumer (D-New York) and Lindsey Graham (R-South Carolina) attempted to address the Nokie Siemens issue with a bill that would prevent foreign companies selling sensitive technology to Iran from either obtaining new government contracts or renewing existing ones, unless they halt their exports to Iran.

According to NextGov, Nokia did more than $10 million in business with the U.S. government between 2000 and 2008; Siemens has nearly 2,000 U.S. government contracts and obtained $250 million in U.S. government contracts this year alone. Nokia Siemens Networks currently has more than $5 million in U.S. government contracts.

Neither Schumer nor Graham mentioned how such a law would be enforced if foreign companies used proxies to sell their products to Iran to circumvent the regulation.

The U.S. government embargo against U.S. companies selling to Iran is one of the tightest. The embargo currently prevents any U.S. individual or company from obtaining a license to sell goods and technologies to Iran that could be used for, among other things, missile proliferation purposes, chemical and biological warfare proliferation, human rights and crime control. The embargo, however, has done little to prevent Iran from obtaining U.S. technology anyway.

In the meantime, consumers called for a boycott of Nokia and Siemens products. And Hands Across the Mideast Support Alliance (HAMSA) has organized a writing campaign urging users to send a protest letter to Nokia. According to the organization's site, nearly 4,000 people have acknowledged sending the letter so far.

NSA EDGES OUT OTHERS IN CYBER COMMAND CONTROL (Defense Tech)

NSA EDGES OUT OTHERS IN CYBER COMMAND CONTROL

cyber-command-CO.jpg

Last week Defense Secretary Robert Gatesordered U.S. Strategic Command (StratCom) to deliver a plan to stand-up a new command to oversee information technology security and attack – what would be known as "Cyber Command." This is in addition to President Obama's announcement last month that he will establish a new cyber security office at theWhite House. The historic event took place on Tuesday, June 22nd.

As one could imagine, this is no small task. StratCom has just a little over sixty days to accomplish this mission. The plan to create this new entity operating within the Department of Defense and lead by a 4-star general is due to the Defense Secretary by September 1st. According to Gates' timeline, Cyber Command is expected to be up and operational by October 1, 2009, and fully functional one year later. An internal memo from Gates to senior Pentagon officials stated that he intends to recommend that Lt. Gen. Keith Alexander, the current director of the National Security Agency, take on the role as commander of the Cyber Command with the rank of a four-star general.

What this will actually cost is anyone's guess. Current thinking is that the budget to just establish the new command through year's end could reach as high as $200 million. Longer term, the cost of cyber intelligence, defense and offensive capabilities are estimated to be around $55 billion annually. This will create our offensive cyber forces and capabilities and defend the over 100,000 DoD Networks and 5 million DoD computers against cyber attack. One might say it is just a drop in the bucket of a 2009 DoD budget that topped $515 billion.

The United States is not the only country making this move. The UK defense ministry announced plans to establish an office of cyber attack and defense but gave no hard date when it would be operational. Britain's GCHQ (Government Communications Headquarters, their equivalent of the NSA) seems to be well underway in fully developing their cyber capabilities. In addition, the defense ministry of South Korea has also announced plans to establish a cyber command by 2012.

Internal cooperation is critical for cyber incident investigations and event attribution. As more and more countries establish a focal point for cyber defense, the greater the opportunity to conduct these investigations and accurately identify those behind cyber attacks.

-- Kevin Coleman

StratCom Plows Ahead on Cyber (DoD Buzz)

StratCom Plows Ahead on Cyber

http://www.dodbuzz.com/2009/06/29/stratcom-plows-ahead-on-cyber/

You are the commander of Strategic Command, charged with coming up with an implementation plan for the new cyber command within 60 days. But there's going to be a new head of cyber command, a four-star just like you, and Lt. Gen. Keith Alexander has the Big Mo on his side. And Alexander is known as an almost crazily foxy guy who has rebuilt the NSA and will be largely dependent on folks from NSA for most of his capabilities. Air Force Gen. Kevin Chilton is known as one of the brainiest generals around. Hmmm. Who's going to win this bureaucratic game will be great fun to watch.

For some idea of just what may lie ahead, have a look at this April 7 speech by Chilton, which has been quoted by the two cyber warriors with whom I speak. This is not about improving the country's IT capabilities in terms of efficiency and information sharing. This is about life and death on the battlefield.

"It's not a convenience any more, it's a dependency. We need to recognize that we need this domain and we need these systems to conduct our fight today and tomorrow. We need to recognize that we can fight in this domain just as an air-to-air fighter can fight in the air domain; and we can fight through this domain and affect other domains just as an airplane can drop a bomb on a land domain and create affects across a domain. And as commanders we must appreciate the vulnerability of this domain, not just its importance. We have to transition from a culture of convenience to a culture of responsibility. We must recognize vulnerability — the vulnerability that one system can create here on the other side of the world, not just locally," Chilton said. For more on this, have a look at Kevin Coleman's piece below from Defense Tech.

Last week Defense Secretary Robert Gates ordered U.S. Strategic Command (StratCom) to deliver a plan to stand-up a new command to oversee information technology security and attack – what would be known as "Cyber Command." This is in addition to President Obama's announcement last month that he will establish a new cyber security office at the White House. The historic event took place on Tuesday, June 22nd.

As one could imagine, this is no small task. StratCom has just a little over sixty days to accomplish this mission. The plan to create this new entity operating within the Department of Defense and lead by a 4-star general is due to the Defense Secretary by September 1st. According to Gates' timeline, Cyber Command is expected to be up and operational by October 1, 2009, and fully functional one year later. An internal memo from Gates to senior Pentagon officials stated that he intends to recommend that Lt. Gen. Keith Alexander, the current director of the National Security Agency, take on the role as commander of the Cyber Command with the rank of a four-star general.

What this will actually cost is anyone's guess. Current thinking is that the budget to just establish the new command through year's end could reach as high as $200 million. Longer term, the cost of cyber intelligence, defense and offensive capabilities are estimated to be around $55 billion annually. This will create our offensive cyber forces and capabilities and defend the over 100,000 DoD Networks and 5 million DoD computers against cyber attack. One might say it is just a drop in the bucket of a 2009 DoD budget that topped $515 billion.

The United States is not the only country making this move. The UK defense ministry announced plans to establish an office of cyber attack and defense but gave no hard date when it would be operational. Britain's GCHQ (Government Communications Headquarters, their equivalent of the NSA) seems to be well underway in fully developing their cyber capabilities. In addition, the defense ministry of South Korea has also announced plans to establish a cyber command by 2012.

Internal cooperation is critical for cyber incident investigations and event attribution. As more and more countries establish a focal point for cyber defense, the greater the opportunity to conduct these investigations and accurately identify those behind cyber attacks.

Monday, June 29, 2009

Obama and Cyber Defense (WSJ)

Obama and Cyber Defense

Government should protect our e-infrastructure.

http://online.wsj.com/article/SB124623073971766069.html

In a Monty Python skit from 1970, the Vercotti brothers, wearing Mafia suits and dark glasses, approach a colonel in a British military barracks. "You've got a nice army base here, Colonel," says Luigi Vercotti. "We wouldn't want anything to happen to it." Dino explains, "My brother and I have got a little proposition for you, Colonel," and Luigi elaborates, "We can guarantee you that not a single armored division will get done over for 15 bob a week."

If the idea of the military having to pay protection money to the mob seems silly, imagine what Monty Python could do with last week's White House decision on security. It announced a new "Cyber Command" to protect information infrastructure, but stipulated that the military is allowed to protect only itself, not the civilian Internet or other key communications networks. When President Barack Obama announced the plan, he stressed that it "will not -- I repeat -- will not -- include monitoring private-sector networks or Internet traffic." It's like telling the military if there's another 9/11 to protect the Pentagon but not the World Trade Center.

The announcement shows that our political system is still ambivalent about how to defend communications networks such as the Internet. We expect privacy, but we know that intrusive techniques are required to protect the system from cyber attacks. How to balance privacy with preventing attacks that would undermine the system altogether?

It's an open secret that the National Security Agency (NSA) must operate through civilian networks inside the U.S. in order to prevent millions of cyber attacks every year by foreign governments, terror groups and hackers. Likewise, the NSA must follow leads through computer networks that run through innocent countries. "How do you understand sovereignty in the cyber domain?" asked James Cartwright, vice chairman of the Joint Chiefs of Staff, in a recent speech. "It doesn't tend to pay a lot of attention to geographic borders."

The risks are real. Cyber attacks on Estonia and Georgia by Russia in recent years forced government, banking, media and other Web sites offline. In the U.S., the public Web, air-traffic control systems and telecommunications services have all been attacked. Congressional offices have been told that China has broken into their computers. Both China and Russia were caught having infiltrated the U.S. electric-power grid, leaving behind software code to be used to disrupt the system. The risk of attacks to create massive power outages is so serious that the best option could be unplugging the U.S. power grid from the Internet.

The military is far ahead of civilian agencies such as Homeland Security and is now focused on cyber offense as well as defense. Cyberspace, says Gen. Kevin P. Chilton, commander of the U.S. Strategic Command, is the new "domain," joining the traditional domains of air, land and sea. Each is a focus for both defense and attack. The U.S., a decade behind China, is now officially focused on using cyber warfare offensively as well as defensively.

The U.S. is an inventive nation, so we'll get to the right answer on security if we ask the right questions. What if the only way the military can block a cyber attack is to monitor domestic use of the Web, since foreigners use the Web to launch cyber attacks? What is a "reasonable" search in a virtual world such as a global communication network? What's the proper response to cyber attacks?

If cyber war is a new form of war, wouldn't most Americans adjust their expectations of reasonable privacy to permit the Pentagon to intrude to some degree on their communications, if this is necessary to prevent great harm and if rules protecting anonymity can be established? Finally, wouldn't it be better for politicians to encourage a frank discussion about these issues before a significant attack occurs instead of pretending there are no trade-offs?

Only the NSA, which operates within the Defense Department, has the expertise to protect all U.S. networks. It has somehow found ways to mine needed data despite pre-Web rules that restrict its activities domestically. But the question remains: How can the military get enough access to private, domestic networks to protect them while still ensuring as much privacy as possible? One logical approach is for Homeland Security to delegate domestic defense to the NSA, but for the domestic agency to maintain enough responsibility to have political accountability if privacy rights get violated in the process.

We'll look back on the current era, with the military constrained from defending vital domestic interests, as an artifact of an era when it was easy to point to what was foreign and what was domestic. In the digital world, as the cyber threat shows, physical distinctions such as political borders are unhelpful and can be dangerously confusing.

Google mistakes Michael Jackson searches for cyber attack (

Google mistakes Michael Jackson searches for cyber attack

Author:
Posted:
14:56 29 Jun 2009
Google has admitted that it mistook the sudden spike in searches for Michael Jackson last week for an automated cyber attack.

As word spread of Michael Jackson's death there was a "meteoric rise" in related searches.

"Search volume began to increase around 2:00pm (PDT), skyrocketed by 3:00pm, and stabilised by about 8:00pm," Google product manager RJ Pittman said in a blog post.

According to Pittman, last week also saw one of the largest mobile search spikes ever seen, with five of the top 20 searches about Jackson

As a result, for about 25 minutes, when some people searched Google News they saw a "We're sorry" page before finding the articles they were looking for, said Pittman.

The surge in demand for news and information about Michael Jackson hit most US news sites, with many taking more than double the usual time to respond.

Microblogging site Twitter was forced to disable some functionality on the network to keep the service working.