Thursday, April 23, 2009

RSA 2009: Why the Top U.S. Cyber Official is Losing Sleep

(CSO)

Melissa Hathaway has led an extensive review of the nation's cybersecurity. Her dreams are haunted by what she has discovered

By Bill Brenner, Senior Editor

April 22, 2009 (CSO)

SAN FRANCISCO -- The United States' top cybersecurity official already knew the world's digital infrastructure needed help before she took on a 60-day cyberspace policy review. With the review now complete, she admits the gravity of the situation seeps into her dreams and disturbs her sleep.

"I worry about [questions surrounding cyber security] every night; they infiltrate my dreams," Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, said in a keynote speech at the RSA Conference Wednesday. "I often wake up at 2:30 or 4:30 in the morning having worked the problem in my sleep, and sometimes even develop a good idea."

President Obama tapped Hathaway, a Bush administration official who helped develop a multi-billion-dollar classified initiative to better secure federal systems and critical-infrastructure networks against online threats, to lead a 60-day review of the government's cybersecurity efforts in February. [See Obama Taps Bush Aide to Review Federal Cybersecurity Efforts]

She acknowledged what everyone attending RSA already knew: The nation's digital infrastructure -- the world's, for that matter -- is full of security holes that leave us vulnerable to those who would steal personal data for financial gain or to compromise national security. [See Botnets: 4 Reasons It's Getting Harder to Find and Fight Them]

"Despite all of our efforts, our global digital infrastructure, based largely upon the Internet, is neither secure enough nor resilient enough for what we use it for today and will need into the future," she said. "This poses one of the most serious economic and national security challenges of the 21st century."

She offered several examples: The design of today's digital infrastructure was driven more by considerations of interoperability and efficiency than of security, she said. As a result, a growing array of state and non-state actors can compromise, steal, change, or destroy information. She cited "countless intrusions that have allowed criminals to steal hundreds of millions of dollars and allowed nation states and others to steal intellectual property and sensitive military information." Digital miscreants even have the ability to threaten or damage portions of the nation's critical infrastructure, she said, a recent example being a November 2008 incident where 130 automated teller machines in 49 cities around the world were illicitly emptied in the space of a half hour. These and other risks have the potential to undermine consumer confidence in the information systems that underlie our economic and national security interests, she said.



Monday, April 20, 2009

White House cyber security review goes to Obama

(AP) The White House says a 60-day review of the nation's cyber security is finished and a report has been submitted to the president.

The report comes amid dire warnings that the U.S. is ill-prepared for a cyber attack. The study looked at how the government can better manage and use technology to protect everything from the nation's electrical grid and stock markets to tax data, airline flight systems and nuclear launch codes.

Officials have acknowledged that government computer networks are constantly assailed by attacks and scans, ranging from nuisance hacking to more nefarious assaults, possibly from other nations, such as China.

President Barack Obama last month ordered the review and put former Bush administration aide Melissa Hathaway in charge of the effort. Hathaway met with industry leaders, Capitol Hill staff and other experts, seeking guidance on what the federal government's role should be in protecting information networks against an attack.

Her report is expected to recommend how the government should be organized and who should control cyber issues. Members of Congress have said they believe it will say cyber matters should be coordinated through the White House.



Sunday, April 5, 2009

EU pledges to protect cyber infrastructure

(VNUNET) The European Commission (EC) has unveiled a new strategy to prepare the region to act in case of major disruptions or attacks against critical information infrastructure.

Purchases and sales over electronic networks in Europe amounted to 11 per cent of the total turnover of European Union companies in 2007, while over three quarters of businesses accessed banking services via the internet and two thirds used online public services.

Electronic communication services and networks provide the backbone of the European economy, according to the EC, and the risks posed by natural disasters, terrorist attacks, malicious human action and hardware failure could have a devastating impact if they are not dealt with quickly.

"The information society brings us countless new opportunities, and it is our duty to ensure that it develops on a solid and sustainable base," said Viviane Reding, commissioner for Information Society and Media.

"Europe must be at the forefront in engaging citizens, businesses and public administrations to tackle the challenges of improving the security and resilience of Europe's critical information infrastructures. There must be no weak links in Europe's cyber security."

The strategy follows high-profile cyber attacks against Estonia, Lithuania and Georgia last year, and predictions that there is a 10 to 20 per cent chance that telecoms networks will be hit by a major breakdown in the next decade.

Reding warned that, even putting aside the threat of cyber terrorism, damage to submarine data cables could easily be a potential source of disruption, as could other hardware failures or natural disasters.

The EC pointed out that the approaches and capacities of member states differ widely, and that a low level of preparedness in one country can make others more vulnerable, while a lack of co-ordination reduces the effectiveness of any countermeasures.

The new initiative builds on the Strategy for a Secure Information Society (PDF) developed by the Commission in 2006. The EC wants businesses, public administrations and citizens to focus on being prepared for all eventualities through the exchange of information and transfer of good policy practices between member states via a European forum.

It also aims to set up a European Public-Private Partnership for Resilience, which will help foster co-operation between businesses, and share information with public authorities to ensure that adequate and consistent levels of preventive, detection, emergency and recovery measures are in place in all member states.

The initiative also supports the development of a European information sharing and alert system, as well as regular exercises for large-scale network security incident response and disaster recovery.

Finally, the initiative seeks to drive a Europe-wide debate to set EU priorities for the long-term resilience and stability of the internet. The EC will propose principles and guidelines to be promoted internationally, and establish criteria for European critical infrastructure in the ICT sector as the approaches currently vary across member states.


Cybersecurity bill seeks to give president new powers over private-sector networks

April 3, 2009 (Computerworld) A wide-ranging cybersecurity bill introduced in the U.S. Senate this week would give the president unprecedented new powers to disconnect government and private-sector networks from the Internet in the event of security emergencies. But that provision is expected to be a hard sell in Congress.

The proposed bill, formally known as the Cybersecurity Act of 2009, was filed on Wednesday by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). The legislation includes a long list of provisions that would give federal officials significant new authority to set and enforce data security standards for federal agencies, government contractors and key parts of the private sector.



Markle Foundation Report on Information Sharing

http://www.markle.org/events/20090310_nar/20090304_mtf_report.pdf

Thursday, March 19, 2009

US: Hackers Penetrating Control Systems

Interesting article: for the first time, someone claims that an attack on a process control system killed people.

Joe Weiss, a very well-known expert on SCADA and process control systems, said this during testimony before a US Senate committee.

Good reading:


(from pcworld.com) The networks powering industrial control systems have been breached more than 125 times in the past decade, with one resulting in U.S. deaths, a control systems expert said Thursday.

Joseph Weiss, managing partner of control systems security consultancy Applied Control Solutions, didn't detail the breach that caused deaths during his testimony before a U.S. Senate committee, but he did say he's been able to find evidence of more than 125 control systems breaches involving systems in nuclear power plants, hydroelectric plants, water utilities, the oil industry and agribusiness.

"The impacts have ranged from trivial to significant environmental damage to significant equipment damage to deaths," he told the Senate Commerce, Science and Transportation Committee. "We've already had a cyber incident in the United States that has killed people." [...]



Wednesday, March 18, 2009

2008 And The New (Old) Nature Of Critical Infrastructure

Interesting presentation on DNS as a critical component of cyberspace. Dan Kaminsky talks about DNSSEC in his presentation given at Black Hat Federal.

Link to the presentation