
Sunday, July 19, 2009

Cybersecurity: Senate bill would make international cooperation a priority

The US and the EU are both moving in the direction of international cooperation. On 30 March 2009, the European Commission's Directorate General Information Society and Media released a communication on Critical Information Infrastructure Protection. Below you find an article about the new US legislation proposal, introduced on July 10.

Beyond the declarations, we need to define the building blocks of international cooperation. In particular:
a. Research funds that can be obtained by international consortia (today US and EU funds are open only to US or EU members, respectively)
b. A cooperation legislation framework: new legislation should be defined to allow the exchange of data (data sets for researchers), information sharing (threats, vulnerabilities, incidents) and information exchange between operators and government agencies in the same sectors
c. Clear points of contact and responsibilities: who do you contact in the US or the EU in case of incidents or attacks?
d. Exercises and simulations

(FederalComputerWeek) A new Senate bill would encourage the secretary of state to work with other governments to further cooperation on cybersecurity and would require the secretary to submit a report to Congress about those efforts.

The legislation, introduced by Sen. Kirsten Gillibrand (D-N.Y.) on July 10, states the secretary should work with other governments to:

  • Develop cooperative activities.
  • Encourage international cooperation for improving cybersecurity.
  • Develop safeguards for privacy, freedom of speech and commercial transactions to be included in agreements or other cybersecurity activities.

The bill would require the secretary to submit a detailed report to congressional committees about actions taken to meet these goals within 270 days of the legislation’s enactment.

“Relevant international cybersecurity agreements focus only on issues relating to cyber crime and common operating standards, and have not been signed by certain countries from which cyberattacks may be launched,” the bill states.

The Obama administration’s cyberspace policy review, released in May, also emphasized the need for international cooperation to secure cyberspace.

"International norms are critical to establishing a secure and thriving digital infrastructure," the policy review states. "The United States needs to develop a strategy designed to shape the international environment and bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility, and use of force."

The review recommended that the government develop positions for an international cybersecurity policy framework and strengthen its international partnerships related to cybersecurity.



Tuesday, February 24, 2009

Consensus Audit Guidelines (CAG) draft 1.0 released

A small revolution is going on almost silently in the US: SANS has published the first version of the "Consensus Audit Guidelines" (CAG), a set of 20 recommendations to better protect federal systems. SANS is accepting comments until March 25, 2009.

The guidelines were developed from knowledge of the actual attacks that have compromised systems, so that the defences prioritise what attackers really do.

This is not a replacement for other guidelines (e.g. the NIST security guidelines), but a complement to help CIOs and CISOs identify their top priorities. The CAG has been developed with the support of the NSA, US-CERT, DoD, DoE, GAO and many federal CIOs and CISOs. A mapping to the NIST SP 800-53 Rev 3 controls is also provided.

Below is a summary of the 20 controls. The guidelines themselves are available here.

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices Such as Firewalls and Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Training to Fill Gaps



Friday, January 23, 2009

US: DHS Secretary Napolitano Issues First in a Series of Action Directives


(From 7th Space): On her first official day as Secretary of the Department of Homeland Security (DHS), Janet Napolitano issued five Action Directives, all centered on one of the primary missions of DHS: Protection. In the coming days, Secretary Napolitano will issue other action directives focused on other missions critical to the department: Preparedness, Response, Recovery and Immigration.

The action directives Secretary Napolitano issued today on protection instruct specific offices and agencies to gather information, review existing strategies and programs, and to provide oral and written reports back to her by a time certain. The areas in which today’s action directives were issued are: critical infrastructure protection; risk analysis; state and local intelligence sharing; transportation security; and state, local and tribal integration.

“One of my top priorities is to unify this department and to create a common culture. These action directives are designed to begin a review, evaluation and dialogue between the various functions of this department and me,” said Secretary Napolitano. “I look forward to receiving the information and to working with the offices and agencies involved to make DHS a more effective and a more efficient department.”

Monday, December 29, 2008

Succeeding at open-source innovation: An interview with Mozilla's Mitchell Baker

http://www.mckinseyquarterly.com/Strategy/Innovation/Succeeding_at_open-source_innovation__An_interview_with_Mozillas_Mitchell_Baker_2098

As companies reach beyond their boundaries to find and develop ideas, they are exploring new models to manage innovation. In projects that tap external talent, questions quickly arise about process management, intellectual-property rights, and the right to make decisions. Some executives have been at this game longer than others. Mitchell Baker, chairman and former chief executive officer of Mozilla Corporation, has devoted the past ten years to leading an effort that relies extensively on people outside her company—not just for creative ideas, but also to develop products and make decisions. The result: Mozilla’s Firefox browser, with 150 million users, has become a rival of Microsoft’s market-leading Internet Explorer.

As Firefox flourished, the process that created it became a model for participatory, open-source collaboration. Baker’s role, central from the beginning, has taken many twists and turns. Ten years ago, she was a software lawyer at Netscape Communications—which developed the original commercial Web browser—when the company decided to release its product code to the public. Baker’s interest in defining and managing the project quickly earned her a place as one of its leaders. She continued to guide the project after Netscape was acquired by AOL, led the subsequent spin-off (to the nonprofit Mozilla Foundation and its subsidiary, the Mozilla Corporation) to develop the next-generation Firefox browser, and presided over Firefox’s impressive growth. In her role as “chief lizard wrangler,” she balanced and blended Mozilla’s commercial needs with the motives and efforts of an army of volunteers who develop the code and distribute the browser. Over the years, Baker has helped define the legal and functional model that allows an open-source community and a corporation to share responsibility for product development while managing the project and maintaining the organization’s momentum—not to mention its financial viability.

Today, Mozilla and Firefox are successful on several levels. Having recaptured market share lost to Internet Explorer, Firefox now holds 15 percent of the browser market in the United States and a higher share elsewhere. In 2006, the company’s revenue-sharing arrangement with Google for searches that originate in Firefox delivered revenues three times greater than Mozilla’s expenses, an impressive rate of return. Finally, the organization’s open-source development model is a visible and well-tested experiment in managing innovation beyond corporate borders. To learn more about that model, McKinsey director Lenny Mendonca and Robert Sutton, a professor at Stanford University’s Graduate School of Business, met with Baker in her Mountain View office before her change in roles.

The Quarterly: You’ve said that Mozilla’s real contribution isn’t just the browser but the model of participation. How do you manage participation in this environment?

Mitchell Baker: Our mission is about keeping the Internet safe and open, but also about building participation. We do that by setting up frameworks where people can get involved in a very decentralized fashion. These frameworks embody our values and our goals and get embedded in other people’s minds. We attract people who care about those things, and they go off and participate in the mission in a very decentralized way.

So for some things at the center, we must have extreme discipline. If you’re touching code that goes into Firefox, the process is very disciplined. But there are lots of areas for participation—whether it’s building an extension or localizing the product or building new products—that don’t need that degree of discipline. And a key point is for people to “own” what they are doing, not in a financial or legal sense but in an emotionally committed sense that gives them a chance to decide, “I’m excited about this. I want to do something. I want to write an extension. I want to go tell people how to do this.” And it also gives people the success and the relationships to go back out and do more.

The Quarterly: How much of Firefox’s success depends on people you employ as opposed to the broader group of volunteers?

Mitchell Baker: I’d say we need both to be successful. If you took away our employees, we’d be a good open-source project but nothing like a force on the Internet. If you took away the volunteers and everyone else, we would die. On Firefox, for example, 40 percent of the code is not from employees—and that’s after a recent batch of hires from our volunteer community over the past year. We had 25 employees two years ago and now have more than 120. Sometimes we can hire from within our community, but not always. There are some people with a high degree of expertise and specialization who you can’t hire, and we would never find them if we weren’t an open project. We would never find these people if they couldn’t just step up and contribute. A lot of folks will start at one level, like fixing bugs, and go on to become star performers.

Actually, people can make a contribution without being either employees or members of our volunteer community. Firefox has about 150 million users worldwide, and since it doesn’t ship on new machines, that’s 150 million individual decisions to use it. How many people does it take to do that? I’m guessing hundreds of thousands of people around the world who said, “This is a great product. My family has to have it; my neighbors need to have it.” Hundreds of thousands of different decisions, and you cannot buy that.

The Quarterly: How do you motivate people to contribute to Mozilla, especially after ten years?

Mitchell Baker: I think that for the people who have kept Mozilla alive, the desire to maintain an open and participatory Internet has been very important. The Internet is hidden to human beings except for this piece of software we call the browser. Years ago, we could see that there was some risk of people not being able to reach the Web except through a browser that was part of a business plan. And by the year 2000, we were seeing pop-up ads, spyware, and other things that slowed down the whole computer. I think of this as abuse of the consumer, but it is a perfectly rational business decision for some companies to do that without considering it evil or nasty. But many people feel there should be an alternative, and that dedication to an open Internet has helped us.

The Quarterly: What else?

Mitchell Baker: Second, our product makes a giant difference in the lives of our volunteers, and they take ownership of it. I don’t know if you could build this degree of motivation for something that really didn’t change people’s lives, something that they weren’t emotionally committed to. But the number of people who feel that Firefox is partly theirs is very high.

That’s a tricky management challenge, but we work at it really hard. We see ourselves as part of a community, some of which is inside the organization and some that is outside it. Issues constantly come up within our walls, and we have to say, “This needs to be a public discussion; it needs to go up on the mailing list because other people are involved.” The community is reinforcing once you get started. We can’t ship Firefox or get it onto people’s machines without that community. So that means it’s very much a two-way street, and if we start to think of ourselves as the center, we will fail.

It’s a very exceptional emotional state to feel like you’re part of a healthy community and that you’re in trouble unless you’re reaching out and lots of people are reaching back. We also are extremely sensitive to community criticisms and desires—probably oversensitive sometimes. So when some significant part of the community gets upset, we pay a lot of attention. Sometimes our responses are defensive at first, but I think we’re pretty good at opening up. It’s pretty interesting to look at what somebody is complaining about and find the truth behind that. We also try to be very low spin. In fact, sometimes we joke that we’re negative spin. We don’t need the press or anybody else to do that; we’ll do it ourselves.

The Quarterly: The line between back stage and front stage appears to be pretty thin.

Mitchell Baker: Yes, and quite permeable. And that is a management challenge we haven’t quite solved yet. What’s the correct group of people for information to reach? The easy default is employees because we see each other regularly and they have signed confidentiality agreements. But that’s an unhealthy default for us because we’re not successful based just on employees. The community is as real as we are.

The Quarterly: How do you think about your role in enabling innovation in the communities?

Mitchell Baker: Sometimes, just giving people permission does wonders. Consider our quality control process. We have a public process for finding, tracking, and correcting bugs in the code we’re developing, and thousands of people are involved. When several people within the community began to take leadership in that effort, someone who worked with me said, “All we need to do is tell these people it’s OK.” So that’s what we did. We said to the leader, “You’re awesome; keep doing what you’re doing.” And after that, he became our release driver. There are more people like that than you would expect.

Second, we create scaffolding for people to work from, so that even if we’re not innovating ourselves, other people can. You can see, with the extensions and the customization, that there are thousands of people doing interesting things we haven’t thought of, and they don’t have to tell us or ask us.

Third, we’ve assembled a set of people here who are really motivated by seeing other people do interesting things. So if somebody appears, out in another community, doing something interesting, we don’t have a not-invented-here culture; we just say, “Wow!”

Another thing: not just celebrating when people do great things but knowing how to react when people do things that are troublesome. There are days when somebody’s done something and you wonder, “What were they thinking?” At that point, you have to look really carefully and evaluate what’s just uncomfortable and what really must be fixed. And then you try to keep that latter category to a minimum. A healthy community will do a lot of self-correction.

The Quarterly: What kind of people do well here as employees?

Mitchell Baker: Typically, people whose motivations line up very strongly with either our mission or our technical vision. Also, people who can handle large amounts of their work being public. People here are following the bugs; they’re watching each other, watching their progress. They know how quickly you’re working, and they know if you’re stuck on something. So you have to be able to live not just your social life in public but your work life as well. We called it “life in the fishbowl” long before Facebook.

The Quarterly: What would be an example of a red flag that comes up during the hiring process?

Mitchell Baker: If we ask, “What do you do if someone disagrees with you? What do you do if you think something needs to happen and it seems to be slow or stopped?” And the answer is, “Well, I tell them I’m in charge.” Bing. Even our employees rarely get told that, because I believe that many of the things that work in open-source management are also very valuable for your employees. You can try to tell an employee what to do, but if the two of you disagree the employee may be right. There’s much more negotiation here, like a professional partnership.

The Quarterly: Has the culture of the open-source group changed the culture of the core organization over time?

Mitchell Baker: I wouldn’t say “over time,” because I think we were born out of that organization. I would say it infused us from the beginning because even back at Netscape, leadership had nothing to do with employment status. In fact, sometimes the managers of our project members were demanding that they do things very contrary to what we at Mozilla thought should happen.

The Quarterly: More traditional organizations that are now looking outside themselves may not be used to this management style.

Mitchell Baker: Well, there’s a real dividing line between simply getting input from outside, though that can be very valuable, and what we do. Our decision-making process is highly distributed and unrelated to employment status, and some of the people who make decisions about code are not employees. But what ships as Firefox, with the Mozilla name and brand on it—that’s going to be a Mozilla decision, even though other things are not.

The Quarterly: What has been the biggest surprise in the time you’ve been working at Mozilla?

Mitchell Baker: That we had exactly what was needed at exactly the right moment. You often see this in start-ups that burst onto the scene and grow dramatically. There’s a lot of hard work and smarts, but also some piece of timing is right. Those things, you can’t control; you need to be ready.

The Quarterly: Do you think your success in timing was related to the fact that you had so many more “sensors” in the community than you would have if you were a group of 40 developers sitting in Silicon Valley?

Mitchell Baker: Oh, absolutely. We could not have succeeded if we’d been a closed little area. Yes, we had not only the right product but also the right community of tens of thousands of people all those years, and some sense of hope that we were the alternative to a closed Internet. All of those things mattered. We knew we had a community because we had been living in it for quite a while. All that came together in the product’s success. There’s just no way we could have been or continue to be as successful without being this very diffuse organization.

The Quarterly: Looking ahead, what do you worry about for Firefox?

Mitchell Baker: That Firefox is only a part of what’s necessary for the Internet to remain open and participatory. We’re the part that touches human beings, and that’s a powerful part. But we’re just one element. There’s so much value and revenue in the Internet that it makes economic sense for companies to try to create proprietary places there. And of course, there’s room for companies to do that and generate revenue for their shareholders.

But there also needs to be a section of the Internet that’s open, where people can participate. Open source has been a phenomenal force in pushing us in that direction. Firefox needs to remain strong enough and innovative enough that we’re able to continue to show the industry that you can give people control or choice in an elegant manner and still be a professional vendor and that there are revenue opportunities in this. That’s my greatest concern.

The Quarterly: What can other leaders learn from the Mozilla project about running an innovative company?

Mitchell Baker: Turning people loose is really valuable. You have to figure out what space and what range, but you get a lot more than you would expect out of them, because they’re not you.

Second, figure out where you want input. There are different varieties of input and user-generated content. Figuring out what you really want is very important because you can get benefits out of any of those things. But if you’re doing one thing and sending out a message that you’re doing another, I think you’re dead.

Third, look hard at whether there are areas where you can give up some control, because the returns are great. And if you can’t, then stay away from this type of model. If you have a good group of people around you—people you trust—sometimes just stepping back when you don’t like something is really valuable. Let the problem play out a little bit. The idea that a single individual is the best decision maker for everything and should have ultimate control works only some of the time. I think for Steve Jobs it works because he’s so good at what he does. But if you’re not Steve Jobs, I have found that, sometimes, even when I don’t like something, there’s often real value in stepping back and asking questions. When you just ask people to stop what they are doing, you lose their creative thought. And this approach can get even harder when that person shows that you’re making a mistake. In a lot of organizations, people don’t really admit when they make a mistake, which I think is delusional because we all know that no one’s perfect. 

About the Authors

Lenny Mendonca is a director in McKinsey’s San Francisco office; Robert Sutton is professor of management science and engineering at Stanford University.

US: Getting the Ear of the New President


(Americanbanker.com) If you follow the logic of FBI Director Louis Freeh, a cyber attack against America is inevitable and will feel like another September 11. He compares the current lack of coherent strategy and national will to prevent such an attack to the shoulder-shrugging response Americans had when the USS Cole was nearly sunk in the Yemeni port of Aden in 2000. "Neither the country, nor its leadership on both sides of the aisle, were motivated by this," Freeh lamented in a speech to attendees at the SC World Congress in New York in early December.

Freeh's words preceded Congressmen Jim Langevin (D-RI) and Michael T. McCaul (R-TX), who discussed their advice to president-elect Barack Obama on how to address the daily cyber threats and attacks against the nation's government, military and civilian networks. Langevin and McCaul co-chaired the Commission on Cybersecurity for the 44th Presidency, which spent more than 15 months formulating recommendations. The report has two main takeaways: the president should replace the current hodge-podge approach to cyber security with a new National Office for Cybersecurity, which would be part of the Executive Office of the President; and the government should issue strong, mandatory authentication identities for critical cyber infrastructures such as finance.

The first recommendation seems painfully obvious. Several technologists with strong industry credibility have held a variety of cyber "Czar" posts - Richard Clarke, Amit Yoran, Greg Garcia, and the latest, Rod Beckstrom - to little avail. Creating a National Office of CyberSecurity charged with creating a comprehensive national security strategy might actually accomplish that goal.

As for authentication, the committee gave the FFIEC kudos for promoting stronger authentication for online financial services but wants to extend that effort even further. The report envisions a world where the government issues digital credentials that require in-person proofing - similar to a driver's license - which can then be accepted online by merchants and banks with greater certainty. The challenge is twofold: protecting individual privacy while at the same time preventing commercial interests and the government from requiring overly burdensome authentication, which could violate civil liberties.

Another challenge for cybersecurity experts is that many people are vying for the ear of President-elect Obama. Will the issue of cybersecurity prevail? There were four members of the Obama transition team on the committee, notes Jerry Dixon, a former FBI cybersecurity guru who is now director of analysis at cybersecurity consultancy Team Cymru. "It'd be bad form for them to ignore their own writing, wouldn't it?"

Friday, December 19, 2008

Obama is looking for a Cybersecurity Czar

Forbes has published an article about the new cybersecurity czar position at the White House. One of the candidates is Rod Beckstrom, a visionary who strongly believes in information sharing and open collaboration. Co-author of the best-selling "The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, from Al-Qaeda to the Internet", he is now head of the National Cyber Security Center at the US Department of Homeland Security.



Monday, December 8, 2008

NIAC publishes "Critical Infrastructure Partnership Strategic Assessment"

The National Infrastructure Advisory Council (more on NIAC here) has published its final report, "Critical Infrastructure Partnership Strategic Assessment".

NIAC is indirectly mentioned in the CSIS "Securing Cyberspace for the 44th Presidency" report, where it is asked to work on a new public-private partnership strategy.

The document was published in October.

Information sharing (the second priority of HSPD-7) is mentioned many times in the report as one of the key strategies to better protect the national infrastructure, and public-private partnership is identified as the way to support it.


CSIS presents new cybersecurity strategy proposal to Obama


Today, the Center for Strategic and International Studies (CSIS) published the report "Securing Cyberspace for the 44th Presidency".

The report is the result of a major effort led by Jim Lewis (CSIS). Among the various proposals is the creation of a National Office for Cyberspace (NOC), by merging the existing National Cyber Security Center (NCSC) and the Joint Inter-Agency Cyber Task Force.

The report also says the NOC should secure industrial control systems (SCADA), such as those used in critical infrastructure, power and manufacturing plants, by developing regulations that operators would be required to follow.

Here is a summary of the recommendations: 
  1. Create a comprehensive national security strategy for cyberspace
  2. Lead from the White House: create a new office for cyberspace in the Executive Office of the President
  3. Reinvent the Public-Private Partnerships: focus on Trust and on operational activities
  4. Regulate Cyberspace: voluntary action is not enough!
  5. Authenticate digital Identities
  6. Modernize Authorities (and law)
  7. Use acquisition policies to improve security: buy security products only
  8. Build Capabilities: research, training and education
  9. Do not start over: Comprehensive National Cybersecurity Initiative (CNCI - Bush administration), is a good starting point

Some additional articles on the same subject: 
Financial Times: US warned over cyber attacks

Saturday, August 9, 2008

Eight homeland security bills make it through House

WashingtonTechnology: The House passed eight homeland security measures today that, among other things, are designed to strengthen cyber security, promote greater sharing of unclassified information and prevent the over-classification of information. Rep. Bennie G. Thompson (D-MS), Chairman of the Committee on Homeland Security, praised the measures.
“Passage of these vital measures improves the nation's information sharing capacity, increases privacy protections at the department and further strengthens both our cyber and port security," said Thompson.
Following is a summary of the measures passed by the House:

  • H.R. 3815 - Homeland Security Open Source Information Enhancement Act of 2008 - Sponsored by Rep. Perlmutter (D-CO), this bill requires the Secretary of Homeland Security to make use of open source information to develop and disseminate open source homeland security information products.
  • H.R. 4806 - Reducing Over-Classification Act of 2008 - Sponsored by Rep. Harman (D-CA), this bill requires the Secretary of Homeland Security to develop a strategy to prevent the over-classification of information and to promote the sharing of unclassified information.
  • H.R. 6193 - Improving Public Access to Documents Act of 2008 - Sponsored by Rep. Harman (D-CA), this bill requires the Secretary of Homeland Security to promote the implementation of the Controlled Unclassified Information Framework applicable to relevant unclassified information.
  • H.R. 6098 - Personnel Reimbursement for Intelligence Cooperation and Enhancement of Homeland Security Act - Sponsored by Rep. Reichert (R-WA), this bill ensures that homeland security grants can be applied to retain and acquire intelligence analysts to work in Fusion Centers and engage in information sharing.
  • H.R. 5170 - Department of Homeland Security Component Privacy Officer Act of 2008 - Sponsored by Rep. Carney (D-PA), this bill provides for a privacy official within each component of the Department of Homeland Security.
  • H.R. 5983 - Homeland Security Network Defense and Accountability Act of 2008 - Sponsored by Rep. Langevin (D-RI), this measure seeks to enhance information security within DHS by establishing authorities, qualifications and security practices for the Chief Information Officer, creating testing protocols to reduce network vulnerabilities and requiring the examination of contractor security policies.
  • H.R. 5531 - Next Generation Radiation Screening Act of 2008 - Sponsored by Rep. King (R-NY), this measure clarifies the criteria for certification relating to advanced spectroscopic portal monitors and authorizes the “Secure Our Cities” nuclear detection pilot at $40 million.
  • H.R. 2490 - Sponsored by Rep. Bilirakis (R-FL), this bill authorizes a successful pilot program that the Coast Guard has been conducting for the mobile biometric identification in the maritime environment of individuals interdicted at sea.

Thursday, August 7, 2008

US Senate polishes new teeth for cyber cops

The US Senate has passed a bill to strengthen the hands of federal prosecutors who fight computer crime by removing some of the more common hurdles in prosecuting online miscreants.
One provision would eliminate a requirement that prosecutors prove illegal activity has caused at least $5,000 in damage before they can bring charges of unauthorized computer access. The threshold often proves problematic in pursuing cyber crime because a single incident may spread the damage across hundreds of thousands of victims. Because the harm is so dispersed, it's often hard to meet the burden.

Under the new legislation, criminals could be charged with a felony if they install spyware or keystroke-monitoring software on 10 or more computers, no matter how much damage is caused. It also allows identity victims to seek restitution for the time they spend trying to restore their credit.
The bill would give the feds additional new powers. For the first time, they could pursue crimes when the miscreant and victim live in the same state. It also contains new provisions for charging cyber extortion.
The new provisions have been added to H.R. 5938, the so-called Former Vice President Protection Act.
Brian Krebs of the Security Fix blog has more about the measure here.

Tuesday, July 29, 2008

Homeland Security Cost-Benefit Analysis

From Bruce Schneier's blog:

Homeland Security Cost-Benefit Analysis
This is an excellent paper by Ohio State political science professor John Mueller. Titled "The Quixotic Quest for Invulnerability: Assessing the Costs, Benefits, and Probabilities of Protecting the Homeland," it lays out some common sense premises and policy implications.
The premises:
1. The number of potential terrorist targets is essentially infinite.
2. The probability that any individual target will be attacked is essentially zero.
3. If one potential target happens to enjoy a degree of protection, the agile terrorist usually can readily move on to another one.
4. Most targets are "vulnerable" in that it is not very difficult to damage them, but invulnerable in that they can be rebuilt in fairly short order and at tolerable expense.
5. It is essentially impossible to make a very wide variety of potential terrorist targets invulnerable except by completely closing them down.
The policy implications:
1. Any protective policy should be compared to a "null case": do nothing, and use the money saved to rebuild and to compensate any victims.
2. Abandon any effort to imagine a terrorist target list.
3. Consider negative effects of protection measures: not only direct cost, but inconvenience, enhancement of fear, negative economic impacts, reduction of liberties.
4. Consider the opportunity costs, the tradeoffs, of protection measures.
Here's the abstract:
This paper attempts to set out some general parameters for coming to grips with a central homeland security concern: the effort to make potential targets invulnerable, or at least notably less vulnerable, to terrorist attack. It argues that protection makes sense only when protection is feasible for an entire class of potential targets and when the destruction of something in that target set would have quite large physical, economic, psychological, and/or political consequences. There are a very large number of potential targets where protection is essentially a waste of resources and a much more limited one where it may be effective.
The whole paper is worth reading.

Monday, July 28, 2008

WSJ: U.S. Fears Threat of Cyberspying at Olympics

WASHINGTON -- A debate is brewing in the U.S. government over whether to publicly warn businesspeople and other travelers heading to the Beijing Olympics about the dangers posed by Chinese computer hackers.

According to government officials and security consultants, U.S. intelligence agencies are worried about the potential threat to U.S. laptops and cellphones. But others, including the State and Commerce departments and some companies, are trying to quiet the issue for fear of offending the Chinese, these people say.
Barack Obama became the first major presidential candidate to propose new cybersecurity policies Wednesday when he unveiled his cybersecurity strategy, which includes combating corporate espionage, shielding the country's Internet infrastructure and establishing a national cybersecurity adviser.
U.S. intelligence and security officials are concerned by the frequency with which spies in China and other countries are targeting traveling U.S. corporate and government officials. The Department of Homeland Security issued a warning last month to certain government and private-sector officials stating that business and government travelers' electronic devices are often targeted by foreign governments. The warning wasn't available to the public. [...]

Saturday, July 26, 2008

US: Cybersecurity and the presidential campaign

SC Magazine: In a speech delivered Wednesday at Purdue University, Sen. Barack Obama warned of the dangers of new forms of terrorism that could damage the United States. After detailing threats from nuclear and biological weapons, the presidential candidate outlined what he envisioned for a cybersecurity infrastructure that would protect the nation's computer networks and strengthen science and computer education programs. “Every American depends – directly or indirectly – on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow,” he said.

Friday, July 25, 2008

The Truth About Chinese Hackers

Here is another article on China and its hackers. Written by Bruce Schneier, it gives a different perspective on the many statements that have appeared recently about China and its cyber activities. Unfortunately, Schneier does not provide any reference to support his theory.

http://dsc.discovery.com/technology/my-take/computer-hackers-china.html
The scoop: Last week, Rep. Frank Wolf, a Virginia Republican, said four of his government computers had been hacked by sources working out of China. Bruce Schneier, an internationally renowned security technologist, gives us his take on what went down.
The popular media concept is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government, corporate -- and steal secrets. The truth is a lot more complicated.
There certainly is a lot of hacking coming out of China. Any company that does security monitoring sees it all the time.
These hacker groups seem not to be working for the Chinese government. They don't seem to be coordinated by the Chinese military. They're basically young, male, patriotic Chinese citizens, trying to demonstrate that they're just as good as everyone else. As well as the American networks the media likes to talk about, their targets also include pro-Tibet, pro-Taiwan, Falun Gong and pro-Uyghur sites.
The hackers are in this for two reasons: fame and glory, and an attempt to make a living. The fame and glory comes from their nationalistic goals. Some of these hackers are heroes in China. They're upholding the country's honor against both anti-Chinese forces like the pro-Tibet movement and larger forces like the United States.
And the money comes from several sources. The groups sell owned computers, malware services, and data they steal on the black market. They sell hacker tools and videos to others wanting to play. They even sell T-shirts, hats and other merchandise on their Web sites.

Wednesday, July 23, 2008

US Power grid overseer steps up cybersecurity

http://www.fcw.com/online/news/153154-1.html
The organization that oversees reliability for the nation’s electrical power grid is stepping up its cybersecurity efforts by setting up a new program office and creating a task force to review cybersecurity standards for the power industry.

The North American Electric Reliability Corp. (NERC), a quasi-governmental coalition that operates under the Federal Energy Regulatory Commission (FERC), said it will establish a Critical Infrastructure Program, which includes cybersecurity, as its fourth program focus area. One of the program’s initiatives will be hiring a chief security officer to be a single point of contact for cyber and infrastructure issues related to the national electric power grid.

NERC represents stakeholders, primarily utilities, involved in ensuring electric power reliability. In July 2006, FERC designated the corporation as the nation’s electric reliability organization. The corporation also serves as home to the Electric Sector Information Sharing and Analysis Center, one of 17 national centers devoted to critical infrastructure sectors identified under the National Infrastructure Protection Plan.

Sunday, July 20, 2008

US: Sensors could plug leak in nation's infrastructure

Metro: Remember the water main break in March that opened a crater the size of a basketball court in Public Square? What if the pipe itself had been able to alert engineers ahead of time that its walls were thinning and in danger of rupture?
And the warped, rusted steel plates on the Inner Belt Bridge that required emergency repairs this winter after previous inspections missed the deterioration - could such parts send a warning signal when they first start to go bad?
Federal officials think a web of tiny, permanently embedded sensors might someday safeguard the nation's "critical infrastructure" of roads, bridges and water pipes, providing round-the-clock checks of vulnerable components and potentially saving money and lives.
But not without a major leap in technology.
So they're offering companies, universities and labs millions of dollars in research funds to goose the sluggish pace of sensor development.
The new program -- which could tap the sensing and micro-electronics expertise of Case Western Reserve University and other local groups -- aims to create advanced monitoring gear for inspectors who now must heavily rely on their eyes and ears to detect problems.

Wednesday, July 16, 2008

NERC CEO announces plan to improve response to cyber security and CIP

http://uaelp.pennnet.com/display_article/334315/22/ARTCL/none/none/1/NERC-CEO-announces-plan-to-improve-response-to-cyber-security-and-CIP/
Princeton, NJ, July 15, 2008 -- Rick Sergel, president and CEO of the North American Electric Reliability Corporation (NERC), recently announced the organization's plans to improve its response to cyber security and critical infrastructure protection (CIP) concerns for the bulk power system in North America. Revealed to NERC's board of trustees and stakeholders in a letter last week, the plan outlines six specific actions that will lay the foundation for improving grid reliability by enabling faster and more effective action to protect critical assets from cyber or physical threats.
The actions arise from NERC's recent interaction with various organizations, including the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee, whose efforts have been instrumental in emphasizing the urgency and priority of this critical issue.
"Cyber security is a critical component of grid reliability, but is, by its nature, fundamentally different from any other reliability concern we currently address through our standards, analysis, or enforcement programs," said Sergel. "It therefore requires a different approach; one that allows for more expedient treatment of critical information, urgent action on standards, and more thorough threat analysis and risk assessment."
"As the Electric Reliability Organization in the U.S. and home to the Electric Sector Information Sharing and Analysis Center (ES-ISAC), we are seeking to enhance and focus our existing efforts by putting the organizational structure in place to better support a more comprehensive treatment of these critical issues," he continued. "One of our key initiatives in this area is the recent formation of the Electric Sector Steering Group (ESSG), comprised of five industry chief executives, a NERC board member, and of which I am the chairman. The group will be instrumental in guiding NERC as we execute the plans announced today."
Specific actions NERC will take include:
Increasing NERC expertise on CIP and cyber security -- NERC will formally establish the CIP program as one of NERC's program functions, alongside existing standards development, compliance and enforcement, and reliability assessment program areas. The establishment of the program will include the staffing of a chief security officer position, who will serve as the single point of contact for the industry, the ESSG, and government regulators and stakeholders seeking to communicate with NERC on cyber and infrastructure security matters.
Consider alternative standard setting process for cyber security standards -- NERC will establish a task force to review, and where appropriate recommend, a standard setting process for cyber security that will include an emergency/crisis standards setting process. The process must provide a level of due process and technical review, but also provide the speed necessary to establish standards quickly and respond seamlessly to government agencies in the U.S. and Canada.
Expedited review of existing cyber standards -- Working through the Standards Committee, NERC also seeks to accelerate the comprehensive review of its eight existing CIP standards to fully incorporate the directives from FERC, including the consideration of the extent to which elements of the National Institute of Standards and Technology (NIST) standards should be incorporated therein or within new standards.
Facilitate joint collaboration on cyber security -- NERC, working with FERC and relevant governmental authorities in Canada, will organize a briefing for the ESSG, the NERC CEO, and senior level utility executives across all stakeholder groups on cyber security threats.

Monday, June 30, 2008

US - DHS says 7,000 sites at 'high risk' of terrorist attack

Agency says 7,000 sites at 'high risk' of terrorist attack - CNN.com
WASHINGTON (CNN) -- More than 7,000 facilities, from chemical plants to colleges, have been designated "high-risk" sites for potential terrorist attacks, according to the Department of Homeland Security.
Experts long have worried that U.S. industrial facilities could be used as terrorist weapons.
Next week, the department will send letters to the facilities notifying them that they present the highest potential consequences in the event of a successful terrorist attack, said Robert Stephan, the agency's assistant secretary for infrastructure protection.
The facilities include chemical plants, hospitals, colleges and universities, oil and natural gas production and storage sites, and food and agricultural processing and distribution centers, Stephan said.
The names of the sites will not be released to the public.
The department compiled the list after reviewing information submitted by 32,000 facilities nationwide. It considered factors such as proximity to population centers, the volatility of chemicals on site and how the chemicals are stored and handled.
Experts long have worried that terrorists could attack chemical facilities near large cities, in essence turning them into large bombs. Experts say it is a hallmark of al Qaeda, in particular, to leverage a target nation's technological or industrial strength against it, as terrorists did in the September 11 terrorist attacks.

Saturday, June 28, 2008

What Constitutes an Act of Cyber War? : Cleveland IMC (((i)))

Throughout history wars have been triggered by events. Being at war is a state or condition. To be legal, a war must be declared by a branch of the government entrusted by the Constitution with this power. In the Constitution of the United States, Article I provides Congress the power to declare war. War is defined as a contention by force; or the art of paralyzing the forces of an enemy. An act of war is typically defined as an aggressive act that constitutes a serious challenge or threat to national security, armed conflict, whether or not war has been declared, between two or more nations; or armed conflict between military forces of any origin. This frames the discussions around traditional war. In the physical sense it is easy to define such infractions: enemy troops crossing another country's border, military strikes by missiles or bombs; basically you know it when you see it.

What constitutes a serious challenge and a threat to our national security in cyber space? That is much more difficult to define. In the U.S. Army's Cyber Operations and Cyber Terrorism Handbook 1.02 I found the following reference to the definition of Cyber Warfare & Terrorism: "the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives or to intimidate any person in furtherance of such objectives." This was an excerpt from an article I wrote back in 2003 when the issue of cyber war was in its infancy. While this frames acts of cyber war, in retrospect it does not address a measure of the disruptive acts or provide guidance to assess whether individual acts, or a collection of acts, rise to the level to be considered an act of cyber war.

If a foreign government hacks a sensitive system of another government and accesses security and defense information, is that an act of cyber war? If so, that has already occurred. If a foreign government hacks a sensitive system of another government and places software on the system that collects data and sends it back, is that an act of war? If military personnel from a foreign government infiltrate another nation's networks or systems through the use of counterfeit hardware and monitor communications, is that an act of cyber war? Both are certainly acts of espionage and have already taken place. The factor that will determine if an act or acts of cyber attack rise to the level of an act of war rests in the magnitude of disruption that accompanies the acts.

Adding to the complexity is the fact that much of our critical infrastructure that is a prime target for cyber attacks is owned or operated by the private sector, not the government. This infrastructure in some cases carries military communications and supports civilian emergency services as well as business and consumer services. An attack on the infrastructure impacts multiple segments.

The question of what constitutes an act of cyber war remains unanswered. Given that we are in relatively new territory, each individual attack must be examined and the forensic evidence weighed to determine the source of attack. Little physical evidence will ever exist that you can hold up and point to or take a picture of and say "they did this." Much debate is currently taking place over the legality of cyber warfare tactics and their use. Is a cyber attack on our networks and systems an act of war? Are acts of cyber espionage a violation of international law? It is better we investigate and answer these questions now rather than reacting to cyber events in the heat of the moment when they occur. -- Kevin Coleman http://www.defensetech.org/archives/004256.html

Thursday, June 26, 2008

US: A National Fusion Centre Network

A National Fusion Center Network
The Department and states have made a lot of progress in making the State and Local Fusion Center Program -- a key provision of the 9/11 Commission Implementation Act -- a success in the last three years. Now we are committed to building on that success by supporting the implementation of a National Fusion Center Network.

What do I mean by that? Working with our colleagues in the Department of Justice, Office of the Director of National Intelligence, Federal Bureau of Investigation and the Program Manager-Information Sharing Environment, the National Fusion Center Network strategy will connect more than 50 state and major city fusion centers and the federal government in a partnership to protect America.

I envision a community of state, local and federal intelligence and law enforcement professionals working together – supported by appropriate tools – to achieve a common goal: protection of the nation. These men and women would leverage federal as well as state and local networks; move relevant information and intelligence quickly; and enable rapid analytic and operational judgments. That is what this National Fusion Center Network is all about.

Our ability to move, analyze and act on information is our greatest strength. We must use the network and the information in that network to push our defensive perimeter outward. That’s what the National Fusion Center Network will do for us.

We in the federal government recognize that state and local authorities have been working at this for years. We, particularly those of us in the Office of Intelligence and Analysis and the rest of the National Intelligence Community, must aggressively support the states in this endeavor and become a committed partner in creating the National Fusion Center Network. That is exactly what we are doing. Intelligence officers equipped with existing capabilities are helping local authorities as needed and appropriate.

In addition, information once only available in cities and states can be shared with the federal government and used to protect the nation as a whole. This is all very new and different for the Intelligence Community. We are working hard to educate ourselves on the information needs of our state, local and tribal partners, as well as increase our ability to provide them information. And we all must do this while paying the utmost respect to the civil liberties and privacy of our citizens.

Creating this National Fusion Center Network is a challenging but achievable task. We are doing many things for the first time, and will likely make mistakes. But we will learn from those mistakes, do better, and create what the country should have had before 9/11.

Charlie Allen
Under Secretary for Intelligence & Analysis
Published by the U.S. Department of Homeland Security Washington, D.C.