The House Science and Technology Committee approved legislation Wednesday that would reauthorize and expand federal cybersecurity research programs. The bill (H.R. 4061) would require federal agencies to develop, update, and implement a strategic plan for cybersecurity research and development. The bill, which combined two different bills, would require the National Institute of Standards and Technology to develop and implement a plan to ensure coordination on the development of international cybersecurity technical standards within the federal government.
"This bill will help to ensure an overall vision for the federal cybersecurity R&D portfolio, will help train the next generation of cybersecurity professionals, will improve cybersecurity technical standards and will strengthen public-private partnerships in cybersecurity," said the bill's sponsor, Rep. Daniel Lipinski, D-Ill., chairman of the Research and Science Education Subcommittee, in a statement.
The stage is set for a potentially raucous day in the House Judiciary Committee Wednesday as Democrats try to push legislation to modify and reauthorize expiring portions of the USA PATRIOT Act, CongressDaily's AM Edition reported. They are also scheduled to mark up a separate bill to provide courts with specific standards for handling state-secrets claims by the government in civil lawsuits.
House Judiciary ranking member Lamar Smith and other Republicans have unsuccessfully argued that the PATRIOT Act bill introduced two weeks ago by Chairman John Conyers with House Judiciary Constitution Subcommittee Chairman Jerrold Nadler, D-N.Y., and Crime, Terrorism and Homeland Security Subcommittee Chairman Bobby Scott, D-Va., deserves a hearing before it is teed up for a vote.
Smith called the lack of a hearing an "unwarranted departure" from the regular committee process. He chaired a GOP briefing on the bill Tuesday. Smith said Democrats insist on making unnecessary changes to the law that could undermine law enforcement. The Obama administration backed a full reauthorization of the expiring provisions but said it remained open to suggestions for modifications.
Read the full CongressDaily story here (subscription required) and read more coverage in Thursday's AM Edition.
User-centric, federated identity systems have the potential to improve the security and privacy of authentication and services, but if improperly designed, the systems can negatively impact users and become a burden, according to a new report from the Center for Democracy and Technology. The paper by CDT policy analyst Heather West comes as the U.S. government begins a series of pilot programs through the Center for Information Technology, the National Institutes of Health, and the Department of Health and Human Services that will use third-party user credentials to authenticate users of federal Web sites.
The term "user-centric identity" refers to systems where users, rather than service providers, control their identity credentials, CDT said in a Monday press release. A similar concept in the offline world would be using various forms of identification for whichever transaction one chooses. The white paper discusses key components of a user-generated identity system (such as trust frameworks, users and identity providers) as well as the benefits and liabilities of federated identity management. A copy of the CDT document can be found here (PDF).
The high-tech sector is growing restless as it awaits President Obama's appointment of a White House cybersecurity coordinator. In one of the most recent displays of that frustration, the trade group TechAmerica wrote to Obama urging him to name "a qualified, credible, senior level official... at the earliest possible opportunity." While he tends to other priorities, bad actors around the world are not sitting idly by, the Friday letter stated. "Those that would seek to harm America by exploiting our digital infrastructure continue to increase their efforts," the group said.
Ideally, the cyber czar would have relevant experience in both government and industry in order to truly reflect the shared roles and responsibilities in cybersecurity, TechAmerica President Phil Bond wrote. The letter came on the heels of a series of meetings in Washington in which industry executives sought to impress upon members of Congress and administration officials the importance of strong cooperation between industry and governments at the national and international levels in securing cyberspace.
Also on Friday, Senate Homeland Security and Governmental Affairs Chairman Joseph Lieberman outlined his plans for cybersecurity legislation, which will support the naming of a White House coordinator. Lieberman's backing for the adviser, which some have called a cybersecurity "czar," puts him at odds with the top Republican on his committee, Sen. Susan Collins, R-Maine. But he said he is in talks with Collins over the legislation and hopes to get her support for a bill they can introduce as co-sponsors by December.
Read more about Lieberman's speech at the U.S. Chamber of Commerce in CongressDaily here (subscription required).
With nine days left to go in October, the House on Thursday unanimously passed Rep. Yvette Clarke's resolution honoring National Cyber Security Awareness Month. The Senate approved a similar measure several weeks ago. "This Congress understands that our citizens rely on information technology in every aspect of our lives - from managing businesses to social networking," the New York Democrat said in a statement. "As innovation spurs increased access and demand for the internet and information technologies, cyber warfare and cyber crime are increasing in sophistication and frequency."
Clarke, who chairs the House Homeland Security Emerging Threats Subcommittee, added that in the digital age, "we are all interconnected and our national cyber infrastructure is only as strong as the weakest link in the chain." "The passing of this resolution is a clear message to the American people that our government will continue to protect and strengthen our critical cyber infrastructure," she added. Clarke is hosting a pair of related events next week geared toward members and staff to promote good cyber hygiene on congressional networks.
House Judiciary Chairman John Conyers joined Reps. Jerrold Nadler, D-N.Y., and Bobby Scott, D-Va., on Tuesday to introduce legislation that would revise and extend expiring sections of the USA PATRIOT Act and related provisions. They also introduced a measure intended to amend the Foreign Intelligence Surveillance Act to safeguard the constitutional rights of Americans while ensuring that the government has the tools it needs to collect foreign intelligence.
Judiciary ranking member Lamar Smith, Minority Whip Eric Cantor and GOP Conference Chairman Mike Pence of Indiana introduced their own version of a PATRIOT Act reauthorization bill in March, which would simply extend the provisions, which sunset Dec. 31, for 10 years. "Over the past eight years, Americans grew tired of the same old scare tactics, designed to fool the public into believing that we needed to give up freedom to be safe from terrorism," Conyers said. "It is a new day and an opportunity for reform."
The Conyers-Nadler-Scott measures include language that would bring sweeping changes to the way controversial administrative subpoenas known as "national security letters" are handled. Americans would be able to use libraries and bookstores "without fear that their choice of books will be monitored by overzealous federal agents," noted Nadler, who chairs the Judiciary Constitution, Civil Rights, and Civil Liberties Subcommittee.
The Government Accountability Office on Thursday warned that although NASA has made progress in information technology security controls, "it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates." The report, which was directed by a 2008 NASA reauthorization bill, said the space agency has not yet fully implemented key activities of its security program to ensure that controls are appropriately designed and operating effectively.
During fiscal years 2007 and 2008, NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information. To address these incidents, GAO reported that NASA established a Security Operations Center in 2008 to enhance prevention and provide early detection of security incidents and coordinate agency-level information related to its security posture.
"GAO's findings remind us that much remains to be done to ensure the security of all of our federal agencies' IT networks," House Science Committee Chairman Bart Gordon said in a press release. "Regulation and legislation alone will not suffice. Agencies and departments must follow through with corrective actions to mitigate identified vulnerabilities." NASA generally concurred with GAO's recommendations that the NASA administrator take steps to mitigate control vulnerabilities.
House Homeland Security Emerging Threats Subcommittee Chairwoman Yvette Clarke, D-N.Y., will host a cybersecurity roundtable Friday that will bring together industry representatives and policymakers. The event, which is closed to press and the public, is expected to cover the White House 60-day cyberspace policy review; legal, technical and operational obstacles; discussions of current legislative proposals; and recommendations for moving forward, according to the invitation sent to participants.
Clarke spoke at a Tuesday event where she called for the swift appointment of a White House cyber czar and highlighted the urgent need for collaboration and information-sharing among federal agencies, academia, and industry. She will host two additional events this month sponsored by the National Cyber Security Alliance. They will take place Tuesday, Oct. 27 and Friday, Oct. 30. The events are primarily geared toward members and staff to promote good cyber hygiene on congressional networks.
Clarke said earlier this week that ignorance about safe computing "creates vulnerabilities right here on Capitol Hill." October is National Cybersecurity Awareness Month.
FCC Chairman Julius Genachowski and FTC Chairman Jon Leibowitz on Friday urged the public to take steps to protect themselves, their privacy, and their personal information online as part of National Cybersecurity Awareness Month. "The Internet has connected Americans to each other and the rest of the world like never before. But those connections can also be exploited by scammers, so consumers need to be alert for online fraud and safeguard their personal information," Genachowski said in a press release. "Consumers should stay alert, recognize the potential risks associated with cyber crimes and take some simple precautions to help reduce their chances of falling victim to scams."
Leibowitz noted his Commission is committed to protecting consumers by stopping con artists from committing fraud online, working to preserve the privacy of consumers' sensitive personal information, and educating people on how to use technology safely and securely through sites like OnguardOnline.gov. The FTC is also committed to working with the FCC to promote consumer protection in the online marketplace, he said. Some tips from the chairmen include: use security software that updates automatically; keep operating systems and Web browsers up-to-date; keep passwords private and secure; always back up important files.
House Homeland Security Emerging Threats, Cybersecurity and Science and Technology Subcommittee Chairwoman Yvette Clarke, D-N.Y., on Tuesday introduced a resolution supporting the goals and ideals of National Cybersecurity Awareness Month. The Senate passed a similar resolution last week, which was sponsored by Sen. Dianne Feinstein, D-Calif. Additionally, President Obama issued a proclamation in honor of the month.
"Americans rely on information technology in every aspect of our lives - from managing businesses to social networking," Clarke said in a press release. "In this digital age, we are all interconnected and our national cyber infrastructure is only as strong as the weakest link in the chain." She pointed out that cybersecurity vulnerabilities can impact national and economic security. The Homeland Security Department logged 5,499 such incidents in 2008 -- a 40 percent increase over the previous year.
Clarke will join industry executives at a Tuesday event on Capitol Hill to discuss emerging threats, vulnerabilities and challenges. Additional speakers at the TechAmerica briefing include: Microsoft's Vinny Gullotto; RSA's Uri Rivner; Eric Cole of Lockheed Martin; IBM's Kristin Lovejoy; and John McCumber of Symantec.

The International Spy Museum on Friday unveiled a new exhibit showing how a team of cyber spies, terrorists or other criminals, armed with weapons no more sophisticated than common laptops, can turn power lines into battle lines. The Homeland Security Department's top cybersecurity official, Philip Reitinger, and former Director of National Intelligence Mike McConnell were on hand to help launch the exhibit. Read more about their remarks in CongressDaily's PM Edition and learn more about SPY here.
President Obama on Thursday issued a proclamation recognizing National Cybersecurity Awareness Month saying that throughout October "we rededicate ourselves to promoting cybersecurity initiatives that ensure the confidentiality of sensitive information, the integrity of e-commerce, and the resilience of digital infrastructures." Obama announced a focus on cyber issues early in his presidency and in May vowed to handpick a White House official to oversee that mission. The post remains vacant.
The proclamation points out that Americans are "constantly adopting new and innovative technologies" and that exposure increases the public's thirst for computers, smartphones, and other digital solutions at work and at home. "In the Information Age, the very technologies that empower us to create and build also empower those who would disrupt and destroy," he wrote. "Cyber attacks and their viral ability to infect networks, devices, and software must be the concern of all Americans."
The Senate passed a resolution supporting the goals and ideals of National Cybersecurity Awareness Month on Tuesday but the House has yet to act.
The House Energy and Commerce Committee easily approved two bills on Wednesday designed to require companies that store private information to better protect it against security breaches, and to warn consumers about potential dangers of downloading the "peer-to-peer" software that has been implicated in such unauthorized breaches, CongressDaily reports. The Data Accountability and Trust Act and the Informed P2P User Act passed on voice votes with no individual amendments.
The Data Accountability and Trust Act requires entities that hold personal information to adopt appropriate security measures to protect it. In addition, if a breach occurs, such as inadvertent release of tax records or medical information, they must notify consumers. The FTC would be empowered to enforce the law, with penalties up to $5 million for violations. The Informed P2P User Act requires installers of peer-to-peer software, which allows many people to access information contained on a personal computer, to notify computer users that the software is about to be installed.
Read the full mark up report here (subscription required).
The House Energy and Commerce Committee is slated to vote Wednesday on legislation that would require strong security policies from firms that collect and store individuals' sensitive information and provide for nationwide notification in the event of a data breach. The bill was sponsored by the House Energy and Commerce Committee's Commerce, Trade, and Consumer Protection Subcommittee Chairman Bobby Rush, D-Ill., and was tweaked to win his panel's approval in June, but more revisions are expected.
The committee also plans to take up legislation sponsored by Rep. Mary Bono Mack, R-Calif., that would regulate peer-to-peer programs and educate consumers about privacy and security risks associated with file-sharing. She plans to offer a manager's amendment to narrow the definition of a covered entity to avoid sweeping in legitimate technologies such as Web servers, e-mail and security software. Read more details about tweaks to both measures here, courtesy of CongressDaily.
Sen. Arlen Specter, D-Pa., urged Senate Judiciary Chairman Patrick Leahy in a Tuesday letter to insist on a committee vote Thursday on legislation to protect confidential sources of journalists. "There has been ample time for consideration so that amendments should be presented and voted upon and the bill should be reported to the floor promptly," Specter said. Last week, the panel confronted bipartisan opposition on grounds the bill does not do enough to protect national security.
Specter reintroduced the bill in February and it has been on the committee's agenda since May. Since the introduction of the original measure in 2005, the panel has held multiple hearings and heard from 24 witnesses, he pointed out. In October 2007, the committee reported the previous bill on a 15-4 vote. "If there are objections, let the objectors offer amendments without a continuing filibuster," Specter said.
Senate Intelligence Chairwoman Dianne Feinstein and Judiciary ranking member Jeff Sessions have argued the bill could encourage leaks of classified information. Sessions has also claimed it would impede national security investigations and make it difficult to subpoena source material from reporters, especially where the crime is related to classified information. "I'm going to have a hard time voting for this bill," Feinstein said last week.
The Senate Commerce Committee's timetable for advancing broad cybersecurity legislation continues to slip as aides retool key provisions and the bill's co-sponsors -- Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine -- continue their prominent roles in the high-stakes healthcare debate. It appears unlikely that a hearing on the measure will happen this month, Rockefeller aides said Wednesday. An August e-mail from Commerce Committee General Counsel Bruce Andrews to outside groups said the panel was aiming for a hearing and a markup in September or October.
Several sections of the legislation are considered "wet cement," an aide said. One such provision, which high-tech policy watchers argued could give the president the power to effectively shut off the Internet in a Web crisis, is being reworded after lengthy consultations. The goal is to map out the untested responsibilities of the public and private sector in the event of a high-tech hurricane. More prominent in a forthcoming version of the bill will be language that details how the president and pertinent government and industry officials can develop emergency response plans.
Read the full story in CongressDaily's Thursday AM Edition here (subscription required).
House Cybersecurity Caucus co-chairs Jim Langevin, D-R.I., and Michael McCaul, R-Texas, urged President Obama last week to swiftly appoint a permanent cybersecurity coordinator within the White House. In a Thursday letter, the pair said the absence of such an official "impedes the ability of federal agencies to move forward in updating and strengthening their aging cyber policies," while complicating efforts to collaborate with private institutions that also play a critical role.
The appointment of a cyber czar was among a number of recommendations offered by the Center for Strategic and International Studies' Commission on Cybersecurity, which Langevin and McCaul co-chaired, and the administration's own comprehensive review of the government's cybersecurity infrastructure. Both reports also said the creation of a national security strategy for cyberspace is needed and the lawmakers lauded Obama for getting the ball rolling on that front.
"Foreign aggressors and criminals have been able to penetrate inadequately protected U.S. computer networks," the letter stated. "Those attacks have provided access to vast quantities of valuable information, and while our most sensitive U.S. military communications remains safe, economic competitors and potential military opponents have not hesitated to exploit opportunities presented by our lack of robust cybersecurity protections." The Senate Homeland Security and Governmental Affairs Committee has scheduled a Monday hearing on the topic.
Senate Homeland Security and Governmental Affairs Committee Chairman Joseph Lieberman and ranking member Susan Collins over the weekend gave a sneak peek at a Monday hearing intended to examine cybercrime that is directed at small- to medium-sized companies. In a Sunday press release, the pair said the event precedes the introduction of legislation focused on combating high-tech attacks on the private sector. Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, also introduced a broad cyber bill earlier this year.
"The Internet now is a global asset - a new strategic high ground - that simply must be secured just as any military commander would seize and control the high ground of a battle field," Lieberman said. "But unlike a battlefield, securing cyberspace is much more complicated to do since the Internet is an open, public entity. Security cannot be achieved by the government alone." Collins added that for every communications advance, there is a risk that the technology will be misused. She cited estimates that cybercrime may cost the global economy $1 trillion in losses - nearly $8 billion of that in the United States.
Witnesses at the hearing include Heartland Payment Systems CEO Robert Carr; Financial Services Information Sharing and Analysis Center President William Nelson; U.S. Secret Service Office of Investigations Assistant Director Michael Merritt; and Homeland Security Undersecretary for National Protection and Programs Philip Reitinger.
Balancing national security with military personnel's use of social networking sites like Facebook and MySpace is one of the Pentagon's biggest technology challenges, Army Chief Information Officer Jeffrey Sorenson told reporters at a high-tech conference Thursday. Appearing at the Gov 2.0 summit, he characterized the issue as "a point of friction" within the Defense Department -- and a problem that Deputy Assistant Secretary of Defense and Deputy CIO Dave Wennergren is trying to fix.
Wennergren is working on a policy paper to inform agency leadership on how and whether those Web sites, which let those deployed overseas stay in touch with family and friends, should be accessed on the Pentagon's unclassified computer network. His review comes on the heels of an August ban on Facebook and MySpace by the Marines. "It gets down to management of polarities," Sorenson said, noting the open question is how the military can balance operational capabilities and security.
Social networking sites aside, troops on the ground are leading the Pentagon's efforts to embrace super-secure collaborative technologies that give them a tactical edge while enterprise-level offices are trailing behind, Sorenson said. For its part, the Army has "grown up with a very specific ways of conducting operations" but is increasingly aware that publishing pamphlets makes no sense in the digital age where guidance and training documents can be updated and disseminated in real-time, he said.
A formal request from the British government to the Justice Department to obtain terrorist e-mails helped the United Kingdom obtain long-awaited guilty verdicts this week in a costly and high-profile case that has lasted more than three years. On Monday, three men were found guilty of conspiring to blow up trans-Atlantic airliners in 2006, using crude but potentially devastating handmade bombs. During the trial, the jury was shown e-mails containing coded references to the plot, which had been sent from the ringleader of the London-based cell, Abdulla Ahmed Ali, and his suspected minder in Pakistan, an Al Qaeda operative named Rashid Rauf.
Those messages had been sent through servers located in the United States. British law prohibits prosecutors from introducing intercepted electronic communications at trial but if the e-mails could be obtained legally by the U.S. government, they could be shared with the British. A DOJ spokesman told National Journal that following "requests for information from the United Kingdom...court orders were obtained and served, and we were able to provide [the] information obtained pursuant to the court orders."
It has been reported by several British newspapers that the e-mails were held by Yahoo, and that a court order for the messages was issued in California, where the company is based. The Justice spokesman said the U.K.'s request was made under the Mutual Legal Assistance Treaty, which allows two countries to gather and share information in a criminal case. According to British press reports the e-mails were initially intercepted by the National Security Agency in 2006, while the conspirators were under intense, around-the-clock surveillance by British authorities.
White House Chief Technology Officer Aneesh Chopra told reporters at a high-tech summit Wednesday that the Obama administration will announce its long anticipated cybersecurity coordinator "in the not-too-distant future." "I've had the pleasure of interviewing a number of candidates that I think are top notch," he said. "I don't think we're in a position to say that we have a candidate picked yet but I'm hopeful." President Obama in late May pledged to handpick his cyber czar -- a position recommended by recent legislation and an administration report.
House Cybersecurity Caucus co-chairs Jim Langevin, D-R.I., and Michael McCaul, R-Texas, pressed the administration before August recess to move quickly in appointing a high-level official to coordinate agencies' efforts to identify and guard against attacks on public and private sector IT networks. Their statements came on the heels of the news that Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, was resigning effective Aug. 21.
Christopher Painter, the National Security Council's cyber chief, has been helping Chopra and Chief Information Officer Vivek Kundra with cyber planning since Hathaway's departure. Chopra called Painter, a former leader of the Justice Department's Computer Crime and Intellectual Property Section, "an incredibly talented guy." For his part, Kundra has held recent meetings with industry stakeholders -- particularly from the financial services sector -- on strategies to bridge the gap between government and private sector IT security efforts.
House Homeland Security Chairman Bennie Thompson on Thursday commended Homeland Security Secretary Janet Napolitano's announcement of new directives for border laptop searches. "With the change in administrations, there was an opportunity to bring greater accountability and transparency to the practices surrounding searches of electronic devices at the border," he said in a statement. He noted the DHS action, which was announced the same day, seems to reflect provisions in legislation he has been working on with Rep. Loretta Sanchez, D-Calif.
The new DHS directives, available at DHS.gov, address the circumstances under which U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement can conduct border searches of electronic media -- consistent with the department's constitutional authority to search other sensitive non-electronic materials, such as briefcases and backpacks. The DHS Privacy Office also released a privacy impact assessment in connection with the directives to enhance public understanding of the authorities, policies, procedures and controls employed by DHS during border searches.
The DHS Office for Civil Rights and Civil Liberties will also conduct a civil liberties impact assessment within 120 days. The agency said it conducts border searches of computers and other electronic media on a small percentage of international travelers seeking to enter the United States. Between Oct. 1, 2008, and Aug. 11, 2009, CBP encountered more than 221 million travelers at U.S. ports of entry. Approximately 1,000 laptop searches were performed in these instances -- of those, just 46 were in-depth.
The Homeland Security Department's third large-scale cybersecurity drill in September 2010 will test the national cyber response plan currently being developed by the Obama administration, said industry and government participants in the simulation exercise during a conference on Tuesday. Cyber Storm III will build upon the lessons learned in the two previous exercises that took place in February 2006 and March 2008, and provide the first opportunity to assess the White House strategy for responding to a cyberattack with nationwide impact, according to NextGov.
"The national cyber response plan will be an offshoot of a lot of the findings that came out of Cyber Storm I and II that will formalize the roles and responsibilities," said Brett Lambo, director of the cyber exercises program in DHS' national cybersecurity division. He participated on an afternoon panel at the GFirst conference in Atlanta hosted by the department's U.S. Computer Emergency Readiness Team. "It's not a direct cause-and-effect relationship, but a lot of questions bubbled up [from the exercises]," followed by the announcement along with President Obama's 60-day cyber review that a response plan should be developed. Read the full story here.
Sweeping cybersecurity legislation introduced by Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, in April has undergone major changes during the August recess and now features a more prominent focus on ensuring that the U.S. government and private sector have a properly trained workforce to thwart high-tech threats.
A revised version of the bill sent to Commerce and Intelligence committee aides late last week "captures a lot of the input we've received since its introduction" but is still a draft and has not been approved at the member level, Rockefeller aide Chan Lieu said in an e-mail to colleagues obtained by CongressDaily. A separate e-mail from Commerce Committee General Counsel Bruce Andrews said the panel is aiming for a hearing and a markup in September or October.
High up in the reworked document are provisions instructing the Commerce secretary to work with the White House Office of Personnel Management to train and certify government cyber professionals. Under the proposal, uncertified individuals could not represent themselves as such nor could uncertified service providers handle critical infrastructure information systems or networks. A new section would require the head of each federal department to develop an annual workforce plan that includes hiring projections, short- and long-term planning to address skill deficiencies, recruitment strategies and an analysis of barriers to recruitment.
Read the full story on CongressDaily's Web site here (subscription required).
House Cybersecurity Caucus co-chairs Jim Langevin, D-R.I., and Michael McCaul, R-Texas, pressed the Obama administration on Tuesday to move quickly in appointing a high-level White House official to coordinate agencies' efforts to identify and guard against attacks on public and private sector information technology networks. Their separate statements came on the heels of the news that Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, was resigning effective Aug. 21.
"I greatly appreciate Melissa Hathaway's service and her dedication to ensuring the security of our nation's cyber infrastructure," Langevin said. "She has helped us make significant progress towards that goal, and I wish her the best in the future." He added that several months have passed since Hathaway completed the administration's cybersecurity review and he is hopeful President Obama will appoint a cyber coordinator soon. In May, Obama vowed to handpick such an official who would report to the National Security Council and National Economic Council.
McCaul called Hathaway's departure "a loss to our efforts to better protect our nation's cyber networks." "I hope the administration will proceed with deliberate speed to fill this important position," he said. Langevin and McCaul also served as co-chairs of the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency. That panel's report informed much of Hathaway's deliberations and spurred several hearings on Capitol Hill. Read more congressional reaction to Hathaway's resignation in CongressDaily's PM Edition here (subscription required).
Melissa Hathaway, top cybersecurity adviser to the director of national intelligence and the principal author of the Obama administration's 60-day review of the U.S. government's cybersecurity posture, has resigned, a National Security Council spokesman told Tech Daily Dose late Monday. Hathaway, who was senior adviser to former Director of National Intelligence Mike McConnell in the Bush administration and held the same post under Dennis Blair in the current White House, will depart effective Aug. 21. "We are grateful for her dedicated service and for the significant progress she and her team have made on our national cyber security strategy," the NSC official said.
Cybersecurity has been touted as a major priority for President Obama, which is why shortly after taking office he directed the NSC and Homeland Security Council to conduct the top-to-bottom review of federal cyber efforts and to recommend the best way to secure critical networks. In late May, the White House released the report and announced the creation of a cyber security coordinator who will have direct access to the president. "The president is personally committed to finding the right person for this job, and a rigorous selection process is well underway," the NSC spokesman said. Hathaway was initially thought to be a top contender for the job.
CongressDaily recently reported that two frontrunners to become cyber czar are Howard Schmidt, former White House special adviser for cyberspace security, and Frank Kramer, an assistant Defense secretary under President Bill Clinton. Other names floated included Microsoft Vice President Scott Charney; Obama transition team technology adviser Paul Kurtz; and former Rep. Tom Davis, R-Va. Davis said in June he was neither interested in returning to government nor being a candidate for the position. Read more here (subscription required).
Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, plan to circulate after the August recess a retooled version of sweeping cybersecurity legislation they introduced in April, CongressDaily's PM Edition reported on Friday. The bill will likely be the subject of a September hearing, with a markup scheduled shortly thereafter. They had been aiming for July committee action but the healthcare debate "put everything on simmer," said one staffer.
One of the bill's most controversial provisions, which high-tech policy watchers say would give the president the power to effectively shut off the Internet during a cyber crisis, has been a critical component of discussions with stakeholders. It is uncertain how the measure may change in light of the White House's roadmap for fighting high-tech attacks, which was released in May. The original bill would establish an Office of the National Cybersecurity Adviser within the Executive Office of the President. But under the administration's plan, the cyber czar will report to the National Security Council and the National Economic Council.
Read the full story here (subscription required).
House Oversight and Government Reform Chairman Edolphus Towns on Wednesday was expected to blame the Bush administration for having a laissez-faire attitude that has allowed privacy and security problems posed by peer-to-peer networks to persist online. At a hearing on the topic, he is likely to call for legislation to guard against inadvertent file-sharing, heightened FCC and FTC involvement and the creation of a public awareness campaign to inform people about the dangers of P2P software. The panel held similar hearings in 2007 and four years earlier. In response, the P2P industry adopted a voluntary code of conduct to prevent unintentional data disclosures, but a new committee investigation showed popular platforms like LimeWire are not living up to their promises.
In his opening remarks, Towns pointed to an analysis by security experts at Tiversa and said specific examples of recent LimeWire leaks "range from appalling to shocking."
• The Social Security numbers and family information for every master sergeant in the Army had been found on LimeWire.
• The medical records of some 24,000 patients of a Texas hospital were inadvertently released and most of the files are still available on LimeWire.
• FBI files, including surveillance photos of an alleged Mafia hit man, were leaked while he was on trial and before he was convicted.
• A security breach involving the Secret Service resulted in the leak of a file on LimeWire containing a safe house location for the First Family.
Read a preview story in CongressDaily's AM Edition here (subscription required).
The Center for Strategic and International Studies, SANS Institute, the Defense Department, universities and private sector partners launched a series of competitions Monday intended to encourage young people to enter cybersecurity-related careers. The goal of the U.S. Cyber Challenge is to find 10,000 scholars to become "cyber security practitioners, researchers, and warriors," CSIS said. The effort was unveiled at a Capitol Hill briefing where National Security Agency Information Assurance Director Richard Schaeffer stressed the importance of recruiting new high-tech talent.
"The pipeline is reasonably robust but it needs to be more robust," he said. "We're talking about tens of thousands of technical professionals." Schaeffer said he wants outreach to occur as early as middle school. "I still want young folks to say I want to be a policeman [or] fireman... but I'd love to hear them saying I want to be a computer scientist... and know what it means," he said. Last week, a report by the Partnership for Public Service and Booz Allen Hamilton cited a troubling shortage of skilled cyber professionals and a lack of leadership, planning and coordination within the federal workforce. "This is clearly a place where public-private partnership is essential," he said.
The three cyber challenge components are a "Cyber Patriot" defense competition from the Air Force Association; a DOD competition focusing on cyber investigation and forensics; and a SANS Institute challenge testing mastery of vulnerabilities. Click here (PDF) for the U.S. Cyber Challenge flyer and here to read more about the initiative.
A blue ribbon panel of high-tech and security experts whose December report spurred a flurry of cybersecurity hearings and legislation is entering a new phase that its co-chairs hope will inform and influence the Obama administration, CongressDaily's AM Edition reported. The Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency has begun examining "foundational problems" that are key to fixing the nation's security vulnerabilities with the goal of releasing recommendations this year, Microsoft Vice President Scott Charney said at a Thursday briefing.
Lt. General Harry Raduege, chairman of Deloitte & Touche's Center for Network Innovation, said some of the group met in June to construct a blueprint for their work, and the full panel will reconvene Friday. Some issues they will tackle include authentication of Internet users, international engagement, and how to scale security solutions while preserving privacy and civil liberties, Charney and Raduege said. Charney said the commission was pleased with its 96-page original report but drafting that analysis brought up a host of new questions about the 21st century cyber infrastructure. "The appropriate response to problems will not be the traditional response of many years ago," he said.
The House Oversight and Government Reform Committee will wade back into the debate over inadvertent file-sharing over peer-to-peer networks next Wednesday. The panel has scheduled a hearing that will focus on how popular platform LimeWire and other services could endanger citizens and jeopardize national security. Lime Group Chairman Mark Gorton, Tiversa CEO Robert Boback and Progress and Freedom Foundation Senior Fellow Thomas Sydnor are scheduled to testify. The committee held similar hearings in July 2007 and four years earlier. After the 2003 hearing, the P2P industry adopted a voluntary code of conduct to prevent inadvertent disclosures of sensitive information.
In March 2007, the Patent and Trademark Office released a report suggesting that inadvertent file-sharing may still be a serious problem and that the industry might not be living up to its promises. In response to the PTO report, committee staff conducted its own probe. Using LimeWire, aides ran a series of common searches during a one-month period. They were able to easily obtain personal bank records and tax forms, attorney-client communications, corporate strategy documents for Fortune 500 companies, confidential corporate accounting documents, government emergency response plans, and even military operation orders.
Meanwhile, Rep. Mary Bono Mack, R-Calif., who is not on the committee, introduced legislation earlier this year that would help educate Internet users about P2P privacy and security risks. The bill came on the heels of reports that file-sharing software was implicated in a security breach involving Marine One, the helicopter used by President Obama. Bono Mack's measure, which was cosponsored by Rep. John Barrow, D-Ga., and Energy and Commerce ranking member Joe Barton, would ensure P2P programs cannot be installed without providing clear notice and obtaining user consent. It would also make it illegal for firms to prohibit users from blocking, disabling, or removing the software.
CongressDaily's AM Edition reports (subscription required) that Senate Judiciary Chairman Patrick Leahy hopes the third time will be a charm for his legislation intended to better protect citizens' personal information. The bill, which he reintroduced Wednesday and in two previous Congresses, would increase criminal penalties for identity theft involving electronic data and criminalize intentional or willful concealment of a security breach. Leahy said passage of the measure, which would pre-empt a patchwork of state data breach laws, is among his top legislative priorities.
Leahy's cybersecurity bill is one of many expected in the House and Senate. Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, were first with legislation in April, which could see committee action before August recess. Rockefeller issued a statement saying he and Snowe are working hard on the measure and hope to mark it up soon. "This is an enormously critical issue that cuts across every agency of government, every sector of our society and our economy, and of course multiple committees," he said. Senate Homeland Security and Government Affairs Chairman Joseph Lieberman is reportedly working on his own measure.
Major shortages of skilled cyber professionals and a lack of leadership, planning and coordination within the federal cybersecurity workforce threaten national security, according to a Wednesday report by the Partnership for Public Service and Booz Allen Hamilton. The report recommends that the White House develop a government-wide blueprint to acquire, train and retain cyber talent. President Obama declared cybersecurity to be one of the nation's most serious economic and national security challenges, and the solution is "to build a vibrant, highly trained and dedicated federal cybersecurity workforce," Partnership President Max Stier said.
The report also recommended devising new job classifications because one classification hasn't been updated since the 1980s. Furthermore, the paper urges the creation of a dedicated, high-level team within the Office of Personnel Management to identify and remove barriers to hiring top cybersecurity talent. Meanwhile, members of Congress should expand and fund programs that train graduate and undergraduate students in cybersecurity. Training programs should be developed to ensure a state-of-the-art federal cybersecurity workforce, the paper stated. Read the full report here.
This week's crude and fairly ineffective attacks on U.S. and South Korean Web sites were a minor event, network experts said, but could represent a warning shot portending much more serious threats to worldwide communications and commerce on the Internet. James Lewis, a cybersecurity scholar at the Center for Strategic and International Studies, noted the paradox in the attacks - that they were well-coordinated and broad in scope, but very limited in their aims. If they were the work of the North Korean government or affiliated forces, as South Korean officials suspect, said Lewis, it seems that the real purpose might have been to get the attention of foreign governments. Much like North Korea's missile and nuclear testing, this week's cyberattacks could be part of a diplomatic game aimed at extracting concessions from the United States and Western powers, he speculated.
On the other hand, any number of foreign governments, including North Korea, are capable of much more serious action that could do greater and long-term damage to Internet communications, Lewis said. Robert Beverly shrugged off the reported attacks this week as insignificant, but said that what keeps him up at night worrying is an attack on the domain name system - the computers that translate familiar words like Google into numerical Internet protocol addresses. Beverly, a network computing expert affiliated with the Massachusetts Institute of Technology, said that a network of privately-owned computers around the world, known as root name servers, coordinate this activity.
Senate Homeland Security and Governmental Affairs Federal Financial Management Subcommittee Chairman Thomas Carper, D-Del., said sweeping computer attacks that impaired the Web sites of several agencies including the Treasury Department, Secret Service, Federal Trade Commission and the Transportation Department around July 4 demonstrate that the U.S. government needs to be better armed to fight 21st century security threats. News reports late Tuesday and early Wednesday said the attacks were targeted at varying points over recent days, and sites of 11 South Korean organizations were targeted as well. The activity was a possible coordinated assault by North Korea, officials with knowledge of the incidents told various media outlets.
In April, Carper introduced legislation that would bring big changes to the way agencies protect sensitive information. His bill would modernize the Federal Information Security Management Act of 2002, and empower agency chief information security officers to focus their efforts on monitoring, detecting and preventing cyber intrusions. It would also augment the power of the Homeland Security Department's U.S. Computer Emergency Readiness Team to be proactive before a cyber attack penetrates government networks. "We need to pass this legislation so our federal agencies can stop spending billions of taxpayers' dollars on wasteful paper compliance and instead invest in real security - the kind of security that prevents these types of attacks," Carper said.
The White House still lacks a cyber czar but that's not stopping high-tech hackers. The Associated Press reported late Tuesday that a widespread computer attack that began July 4 knocked out the Web sites of several government agencies, including some that are responsible for fighting cyber crime. Officials told the AP that the Treasury Department, Secret Service, Federal Trade Commission and the Transportation Department's sites were all down at varying points over the weekend and into this week. Some were still experiencing problems or delays Tuesday evening.
The fact that the government sites were still being affected three days after it began signaled an unusually lengthy and sophisticated attack, officials told the AP on the condition of anonymity. The weapon of choice was a denial of service attack, which commonly involves saturating the victim machine with a flood of external communications requests that prevent it from responding to legitimate traffic. President Obama in May said he would handpick a cybersecurity enforcement coordinator who would report to the National Economic Council and National Security Council but that position remains vacant despite murmurs about potential candidates.
Homeland Security Department spokeswoman Amy Kudwa told Tech Daily Dose that her agency was aware of the attacks on federal and private sector public-facing Web sites and that the U.S. Computer Emergency Readiness Team has issued a notice to agencies as well as other partner organizations on this activity and advised them of steps to take to help mitigate such attacks. "We see attacks on federal networks every day, and measures in place have minimized the impact to federal Web sites," she said. "US-CERT will continue to work with its federal partners and the private sector to address this activity."
Foreign trade groups and their counterparts in the United States pressed Chinese Premier Wen Jiabao on Friday to halt a July 1 mandate for all computers manufactured and sold in China to be shipped with Internet filtering software, which the government has claimed would help protect children from inappropriate content. The letter from the American Chamber of Commerce in China, Business Software Alliance, Business Roundtable, Consumer Electronics Association, Information Technology Industry Council and others says the requirement "raises serious concerns for us and seems to run counter to China's important goal of becoming a vibrant and dynamic information-based society."
The correspondence comes on the heels of a similar message sent to high-level Chinese government officials by U.S. Trade Representative Ron Kirk and Commerce Secretary Gary Locke earlier this week and a letter from business groups the week before. "The Green Dam mandate raises significant questions of security, privacy, system reliability, the free flow of information and user choice," the most recent document said. The letter points out, however, that "effective and responsible parental controls" are the way to go. "Ensuring that our youth can enjoy the full benefit of the Internet while keeping them out of harm's way... is an important objective we all share." Read related coverage in CongressDaily here (subscription required).
The Obama administration could ask Congress for regulatory changes to create "far-reaching incentives" for prioritizing cybersecurity in the private sector, which controls much of the nation's critical IT infrastructure, a high-ranking Department of Homeland Security official said Thursday. Acting Assistant Secretary for Cybersecurity and Communications Michael Brown said a range of proposals are being considered by the White House and the department as their cybersecurity plan unfolds. The department is moving quickly to ramp up its cyber processes, Brown told an Armed Forces Communication & Electronics Association conference. Homeland Security Secretary Janet Napolitano's selection of under secretary Philip Reitinger to head the National Cybersecurity Center this month was another step forward, he said. Read the full story in CongressDaily's AM Edition here (subscription required).
In related news, Reitinger spoke about cybersecurity to a standing-room-only crowd at Google's Washington office on Friday. He was joined by Senate Commerce Committee Chief of Staff Ellen Doneski; TechAmerica Vice President Liesyl Franz; Defense Information Systems Agency Chief Information Assurance Executive Richard Hale; and Christopher Painter, director of cybersecurity for the National Security Council.
A high-tech watchdog group filed a lawsuit against the Justice Department on Wednesday demanding the public release of the surveillance guidelines that govern investigations of Americans by the FBI. The protocols took effect in December 2008 and detail the bureau's procedures and standards for implementing the attorney general's guidelines on approved surveillance strategies. The Electronic Frontier Foundation's complaint comes after DOJ failed to respond to a Freedom of Information Act request for a complete copy of the document. FBI General Counsel Valerie Caproni has acknowledged that "the expansion of techniques available [to the bureau] has raised privacy and civil liberties concerns."
Investigations can include the electronic collection of information from online sources and computer databases, as well as the use of grand jury subpoenas to obtain telephone and e-mail subscriber information, EFF said in a press release. Other recent policy changes allow the FBI to engage in free-ranging investigation of Internet sites, libraries, and religious institutions, the group said. "Americans have the right to know the basic surveillance policies used by federal investigators and how their privacy is -- or is not -- being protected," EFF senior counsel David Sobel said. Read EFF's full complaint to the U.S. District Court for the District of Columbia here.
Update: An FBI spokesman would not comment on the lawsuit but said: "It is the FBI's job to protect Americans, not only from crime and terrorism, but also from incursions into their constitutional rights. That effort starts with the FBI's commitment to scrupulously protect privacy rights of civil rights and civil liberties in the course of its investigations."
Former Rep. Tom Davis, R-Va., said Tuesday that he does not want the job of President Obama's cybersecurity coordinator despite recent rumblings that he was one of the top contenders for the position. "If I'd wanted to stay in government, I would have stayed in Congress," he said at a National Press Club briefing. "I don't have any real interest in going back." Davis joined the federal services team of consulting firm Deloitte last year after serving as chairman and ranking member of the House Government Reform Committee where he took the lead on legislation aimed at improving e-government, information security and critical infrastructure. When pressed further by reporters, Davis said he was "not a candidate for anything... [but] you never say never." He has maintained his departure from public service is only a sabbatical.
His main concern with the cyber czar position, which Obama described on the campaign trail and formally announced last month in conjunction with a wide-sweeping report that examined the federal cybersecurity posture, is that the job description remains vague. Davis said it is unclear what the position would entail and how much authority the individual, who would report jointly to the National Security Council and National Economic Council, would have. "For this job to work you'd better get some understandings up front," he said. Davis lauded Obama for recognizing the need for a strong cybersecurity leader but said he thinks the administration has brought on too many czars. Melissa Hathaway, a senior adviser to Director of National Intelligence Dennis Blair, is a potential candidate. Former Microsoft security chief Howard Schmidt's name has also come up.
NextGov.com's Jill Aitoro writes that the Homeland Security Department's science and technology office plans to triple spending on cybersecurity research and development. The acting undersecretary told Congress Tuesday that most of the additional funds in President Obama's fiscal 2010 budget request are focused on new ways to protect the nation's critical infrastructure, including transportation and the electric grid. The Directorate for Science and Technology, which is the primary research and development arm of DHS, requested $968 million for fiscal 2010, a 3.8 percent increase over the previous year's enacted budget. Of the $35 million in additional funds requested, DHS would earmark $5.4 million for cybersecurity, Brad Buswell, the directorate's acting undersecretary, told the House Homeland Security Subcommittee on Border, Maritime and Global Counterterrorism.
Buswell said cybersecurity would gain a 300 percent funding increase, compared with fiscal 2009, for the development of "leap-ahead technologies" that secure the nation's computer networks and information infrastructure -- including energy, transportation, telecommunications, and banking and finance. Pointing to the DHS National Protection and Programs Directorate as the office's primary customer for cybersecurity technologies, Buswell emphasized the need for coordination with the private sector to ensure the department's research and development doesn't overlap with work in industry. "The work we're doing [in cybersecurity] is work that the private sector is not doing for a number of reasons," he said. "But we're very mindful of the fact that we don't deploy the technology -- we develop the technology. Much of this is deployed by private sector, so we need to keep them closely involved in all development to make sure we're not duplicating efforts."
Read the full story here.
TechCentral's latest Issue Of The Week reports...
Now that the results of President Obama's cybersecurity review are out, the focus has shifted to the yet-unnamed White House cyber czar who will carry out five broad goals: developing a comprehensive strategy to secure networks; coordinating with states and cities to respond to any future attacks; strengthening coordination between the government and the private sector; ramping up government investments in research and development; and launching a national campaign to promote cybersecurity awareness while building a digital workforce for the 21st century. It is a tall order, but experts on Capitol Hill, at think tanks and within industry are willing to assist.
Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, introduced a bill before the administration's 60-day review was completed, and more are expected since multiple committees share jurisdiction over the issue. The Rockefeller-Snowe bill and the administration report both call for the cyber czar post, increased federal research and development, and enhanced public-private partnerships. The senators issued a statement Friday urging Obama to give his cyber chief "the heft and authority the position requires."
Not everyone was as keen on the position. Senate Homeland Security and Governmental Affairs ranking member Susan Collins said the appointment of another White House czar will hinder congressional oversight and do little to resolve bureaucratic conflicts, turf battles, and confusing lines of authority. High-level coordination is not enough, she said in a statement: "Securing critical systems will require effective day-to-day management, including the authority to recommend best practices, modify information technology procurement standards, coordinate action to prevent and mitigate vulnerabilities, encourage innovation, and, when necessary, enforce compliance."
Read the full Issue Of The Week feature here. Read additional perspectives about Obama's cyber czar in Monday's CongressDaily PM Edition here (subscription required).
President Obama's remarks on his administration's cybersecurity review on Friday in the East Room of the White House:
We meet today at a transformational moment -- a moment in history when our interconnected world presents us, at once, with great promise but also great peril. Now, over the past four months my administration has taken decisive steps to seize the promise and confront these perils. We're working to recover from a global recession while laying a new foundation for lasting prosperity. We're strengthening our armed forces as they fight two wars, at the same time we're renewing American leadership to confront unconventional challenges, from nuclear proliferation to terrorism, from climate change to pandemic disease. And we're bringing to government -- and to this White House -- unprecedented transparency and accountability and new ways for Americans to participate in their democracy.
The Obama administration's release Friday of a report on the federal government's cybersecurity posture will not offer specific recommendations for action, sources who reviewed the document told CongressDaily on Thursday. The paper will call for the creation of a cybersecurity coordinator who would be housed in the National Security Council but report to the National Economic Council as well, they said. The report does not state how senior the individual will be within the White House or to whom the official would report. The roughly 40-page document emphasizes the importance of building public-private partnerships to safeguard communications networks and creating incentives for threat information-sharing between government and industry entities, sources said. The report includes language intended to sharpen the government's IT procurement processes to drive greater security; underscores the need for more federal cybersecurity R&D; and calls for the cultivation of a highly skilled cybersecurity workforce in and outside of government. The paper will be unveiled at a White House event attended by an impressive list of tech execs.
Read the full story in CongressDaily's PM Edition.
In anticipation of the release of a White House cybersecurity report later this week, Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, urged the Obama administration on Wednesday to create an Office of the National Cybersecurity Advisor within the Executive Office of the President. The proposal is part of legislation they introduced earlier this year intended to improve the nation's safeguards against high-tech attacks. The advisor "must serve as the lead official on all cyber matters -- reporting directly to the President and coordinating with the intelligence community, government agencies, Congress, and the private sector," they said in a press release.
Rockefeller and Snowe also pressed Obama to create state and regional cybersecurity centers for small and medium-sized businesses; increase federal cybersecurity R&D programs at the National Science Foundation; and require the National Institute of Standards and Technology to establish measurable cybersecurity standards and best practices that are applicable both to government and the private sector. Additionally, they called for the creation of an information-sharing clearinghouse where government and industry work together in real time to identify cyber threats, and the creation of a cybersecurity advisory panel of experts from industry, academia, non-profits and civil liberty organizations to advise the president.
"The Obama administration has been hard at work on a comprehensive review of the cyber threat and we applaud their effort," Rockefeller and Snowe wrote. "We have learned the hard way in recent years that 'stovepiped' national security systems and failures in coordination can leave us vulnerable to attack, and that bureaucratic confusion can cripple our response to a disaster. We must apply these lessons to the threat of cyber attack. There is no room for error." White House Press Secretary Robert Gibbs told reporters that the report, which caps off an expansive 60-day probe, will be released Friday.
White House Press Secretary Robert Gibbs told reporters Tuesday the results of the Obama administration's 60-day review of the federal government's cybersecurity posture will be released Friday. The probe, begun shortly after Obama took office, is expected to make broad recommendations for protecting public and private sector networks from high-tech attackers. The report's release has been delayed due to internal disagreements about where a cyber czar would be housed and what kind of power that official would wield, non-administration officials familiar with the report said.
Melissa Hathaway, a top adviser to Director of National Intelligence Dennis Blair who managed the audit, told the RSA security conference last month that it is "the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution." That responsibility transcends the jurisdictional purview of individual departments and agencies because no single agency has a broad enough perspective to match the sweep of the challenges, she said at the San Francisco gathering. Hathaway also said dealing with tech threats requires "leading from the top" -- from the White House, to departments and agencies, state, local, tribal governments, the "C-suite," and to the local classroom and library.
Ahead of a comprehensive Obama administration review of the U.S. government's cybersecurity posture, consulting firm Gartner said Thursday that the country needs to take a more operational approach toward the problem rather than focusing on strategies to drive higher spending or higher visibility for security. Although there is a definite role for government to play in accelerating progress toward higher levels of cybersecurity, it will be more akin to trying to deal with global warming than dealing with telephone, banking, or automotive industry policies, Gartner Vice President John Pescatore said. "Different approaches are required to ensure reliable and secure services in cyberspace than on old telecom networks, and the development of public policy has to proceed very differently, as well," he said in a press release. Government policy that attempts to force top-down solutions onto an inherently peer-to-peer problem will always fail, he said.
Pescatore said a national cybersecurity strategy should not aim to have the government control the level of security on the Internet or issue legislation to mandate solutions. Rather, the strategy should focus primarily on using public policy and the government's buying power to accelerate progress in eliminating the vulnerabilities that enable attacks, rather than simply driving increased reporting of attacks. "A successful national cybersecurity strategy will look more like a hurricane preparedness strategy that mandates redesigning structures or building higher levees versus the deployment of more water gauges," Gartner said. In a new report, analysts said several key elements should be the focus of U.S. government strategy for cybersecurity. One notable recommendation is for the administration to establish a federal chief information security office, not a federal cybersecurity czar.
As Congress gets ready to take off for a week-long recess following Memorial Day, the Senate Commerce Committee holds a Tuesday hearing on two key tech-related nominations: Larry Strickling to head the National Telecommunications and Information Administration -- which is part of the Commerce Department -- and Aneesh Chopra, now Virginia's secretary of technology, to serve as the nation's first chief technology officer. Confirming Strickling -- a former telecom executive, FCC official and adviser to President Obama's 2008 campaign -- is a priority, given the forthcoming June 12 switch to digital television broadcasts and NTIA's major role in distributing the $7.2 billion in broadband funds contained in the Obama economic stimulus program. The hearing gets underway at 11 a.m. in Room 253 of the Russell Senate Office Building.
Meanwhile, Homeland Security Secretary Janet Napolitano will address the National Security Telecommunications Advisory Committee Thursday, as the committee plans to discuss vulnerabilities in the federal government's information networks. The session comes as the Obama administration is expected soon to announce the findings and recommendations of a major national cybersecurity review. The Telecommunications Advisory panel is also expected to discuss satellite security issues. Portions of the meeting -- which starts at 2:30 p.m. at U.S. Chamber of Commerce headquarters, 1615 H Street, N.W. -- will be closed to the public. On a related front, FBI Assistant Director for the Cyber Division Shawn Henry and Cyber Division Section Chief Jeffrey Troy will speak Tuesday at an Anti-Spyware Coalition conference about how their agency is combating high-tech threats. The day-long session gets underway at 9 a.m. at the Grand Hyatt Washington, 1000 H Street, N.W.
As U.S. military and government officials consider the best approach to fighting cyber threats, they are considering the relevance of historic approaches to national security dangers such as nuclear weapons and terrorism. Herbert Lin, chief scientist at the National Research Council's computer science and telecommunications board, said a range of topics are currently being weighed such as "strategy, escalation, and deterrence, as well as issues related to doctrine and employment policy for cyber weapons." Doctrine and employment policy refer to how the military plans to operate during a conflict and strategy refers to thinking beyond immediate engagement to develop a roadmap for how to win, he said. Deterrence involves persuading a bad guy to not attack and escalation refers to how to keep a war from getting out of hand, he said.
"The very concepts of what constitutes offense versus defense and what is contained within either is a new and nascent debate in cyber," wrote Rod Beckstrom of the Homeland Security Department's National Cybersecurity Center, in an email. Historic concepts that have emerged include preemptive war, in which a state moves to combat a perceived inevitable threat before it becomes a reality, and the "no first use" pledge, in which a state with nuclear weapons promises not to use them first. Another approach, known as mutually assured destruction, "reflects the idea that one's population could best be protected by leaving it vulnerable so long as the other side faced comparable vulnerabilities," NuclearFiles.org states. The U.S. has waged past wars against threats that are not easily defined and geographically diverse, such as terrorism and drugs.
House Science Committee Chairman Bart Gordon is ready to launch his panel's examination of the Obama administration's recently completed 60-day review of the U.S. government's cybersecurity posture as soon as the highly anticipated document is made public. Gordon told the Computer and Communications Industry Association's annual meeting Wednesday that he expects the report, written by Melissa Hathaway -- a top adviser to Director of National Intelligence Dennis Blair -- to surface in a matter of days. A spokeswoman for Hathaway could not confirm when the document would be released. Gordon said his committee has already scheduled a hearing later this month that will focus on recommendations of the report. Witnesses could include representatives from the Homeland Security Department, the National Science Foundation and the National Institute of Standards and Technology, he said. Follow-up hearings will ask industry representatives, watchdog groups and other stakeholders for their thoughts on the matter. Gordon hopes the hearings will serve as a basis for legislation that would improve network security. Senate Commerce Committee Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, were the first to introduce a cybersecurity bill this Congress. Other committees are expected to offer their own measures in the coming weeks and months. Read more about CCIA's summit in CongressDaily.
From the May 2 issue of National Journal magazine...
In response to an unprecedented wave of attacks on the Defense Department's computer networks, and possible theft of information about U.S. weapons systems by foreign governments, the Pentagon has quietly begun sharing classified intelligence about hackers and online threats with the country's biggest defense contractors. The intelligence-sharing program began almost two years ago, after top Pentagon leaders realized that hackers were trying to steal information not just by breaking into government computers but also by going after corporations that contract with the government. These private computers and networks often contain the same sensitive and classified information found in the government's systems.
The new intelligence partnership, which has not been previously reported, is known as the Defense Industrial Base initiative, or "the DIB." The department formally launched the program in September 2007, but it took a year to work out a legal arrangement by which the contractors and the government could confidentially share information. In mid-2008, the effort ramped up after what was described as a hair-raising meeting in a secured facility at the Pentagon in which officials gave temporary security clearances to chief executives from the biggest defense firms and delivered a no-holds-barred briefing on the range of successful cyberattacks launched against the government and their companies.
Read the full story here (subscription required).
The Senate Homeland Security and Governmental Affairs Committee will wade into the congressional cybersecurity debate on Tuesday with a pair of hearings -- one in the full committee that will focus on developing a national strategy to fight high-tech threats and another in the Federal Financial Management Subcommittee that will cover the Obama administration's tech priorities and how agencies can use technology to become more efficient and secure.
Hearing #1:
Stewart Baker, former Homeland Security Department assistant secretary
James Lewis, Center for Strategic and International Studies
Alan Paller, research director for the SANS Institute
Tom Kellermann, vice president at Core Security Technologies
Hearing #2:
Vivek Kundra, OMB e-government and IT administrator
David Powner, director of IT management issues at GAO
Karen Evans, former OMB e-government administrator
Philip Bond, president of the Technology Association of America
Read a related story in CongressDaily's AM Edition here (subscription required).
It's been a bleak April for the nation's cybersecurity. With hacks reported in the U.S. electrical grid and the Pentagon's Joint Strike Fighter program -- not to mention the continuing specter of debilitating worms and viruses -- officials are facing a battery of new questions about a persistent problem. Rep. Jim Langevin, D-R.I., co-founded and co-chairs the House Cybersecurity Caucus, and he recently co-chaired a cybersecurity report from the Center for Strategic and International Studies for the 44th presidency. In a recent interview with National Journal, Langevin discussed the importance of a national cyberspace office in the White House and a comprehensive security effort throughout not just the government, but the private sector as well. To read the edited excerpts of the interview or listen to the audio presentation, go here. Also check out the National Journal magazine story on how the administration and lawmakers are responding to cyber concerns here. -- Winter Casey
The House Committee on Oversight and Government Reform has sent a letter to Secretary of Defense Robert Gates requesting a briefing as soon as possible on a recent news report that computer spies may have infiltrated the Pentagon's $300 billion Joint Strike Fighter project, reportedly the most expensive weapons program the Department of Defense has ever managed. "If true, these allegations are serious and potentially far-reaching. Given the potential national security implications of this matter, we hereby request that the department provide committee staff with a briefing regarding the events alleged," wrote Chairman Edolphus Towns and ranking member Darrell Issa.
Earlier this month the Wall Street Journal reported that foreign cyber spies may have penetrated the country's electrical grid and left behind software programs that could be used to disrupt infrastructure. It has also been reported that the Obama administration may have plans to create a new military command that would focus on defensive and offensive cyber security efforts within the Pentagon. Meanwhile, the administration is still trying to work out what its overall approach to cyber security will be and lawmakers are paying increasing attention to the issue. -- Winter Casey
Melissa Hathaway, a top adviser to Director of National Intelligence Dennis Blair, offered what she called a "movie trailer" of the recommendations she made in a report to President Obama after finishing a 60-day federal cybersecurity review. Details of the examination and her findings, which were delivered to Obama and key White House officials late last week, will be made public once the president and the administration have had a chance to review the material. Nevertheless, Hathaway told the RSA security summit Wednesday that it is "the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution."
That responsibility transcends the jurisdictional purview of individual departments and agencies because no single agency has a broad enough perspective to match the sweep of the challenges, she said at the San Francisco gathering of high-tech and security experts. Hathaway also said dealing with tech threats requires "leading from the top" -- from the White House, to departments and agencies, state, local, tribal governments, the "C-suite," and to the local classroom and library. "The White House must lead the way forward with leadership that draws upon the strength, advice and ideas of the entire nation," she said in prepared remarks provided to the press.
The federal government cannot entirely delegate or abrogate its role in securing the nation from a cyber incident or accident, Hathaway said, emphasizing the importance of private sector support. "The public and private sector's interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend," she said. Hathaway closed with a bit of humor: "I almost forgot, this speech will now self-destruct, but don't worry... this is the Internet-age, there are already hundreds of copies which you can download online."
House Oversight and Government Reform Chairman Edolphus Towns and ranking member Darrell Issa are reopening their committee's investigation of inadvertent file sharing on peer-to-peer networks, including LimeWire. The pair wrote to Attorney General Eric Holder requesting a briefing on the Justice Department's role in protecting Americans from the dangers associated with P2P networks. They want to know which federal law enforcement actions may be taken to protect individuals, commercial entities and agencies from security risks associated with programs such as LimeWire. They also wrote to FTC Chairman Jon Leibowitz requesting an update on his commission's work on the P2P front. A third letter went to LimeWire Chairman Mark Gorton, who testified before the committee in 2007.
At that hearing, witnesses said they were able to easily obtain bank records, health records, military files, tax returns, corporate documents, and other highly sensitive private files via the LimeWire network. Two years later, it appears that LimeWire and other P2P providers have not taken adequate steps to address the problem, the lawmakers said, citing a recent string of news reports indicating the continued availability of such information on LimeWire. Towns and Issa asked Gorton to provide information about LimeWire's services and software involved in any of the incidents that have been documented. They also asked what measures the firm has taken to fix security loopholes and identify and eliminate illegal activities associated with the software. Gorton's answers are due May 4.
"The emerging P2P industry takes the safety of consumers very seriously," said Marty Lafferty, executive director of the Distributed Computing Industry Association, which represents file-sharing services. "Our best advice now - to parents and children alike - is similar to that given by other Internet software distributors: please upgrade to the latest version for the best performance and the safest experience." LimeWire spokeswoman Linda Lipman told the AP that LimeWire's newest version does not share any file or directory without explicit permission from the user. Lafferty also pointed to principles released recently by the Inadvertent Sharing Protection Working Group, which can be found here.
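The failure mode the committee is chasing, a P2P client configured to share a folder that happens to hold tax returns, bank statements or HR notes, is easy to audit for on the machine itself. The Python script below is an added example and is not code from this page, from LimeWire or from the DCIA; it assumes you already know which directories the client shares (the list passed to audit_shared_dirs) and flags files whose extension, name or leading bytes suggest financial or identity data. The extension and name-hint lists are assumptions to extend for your environment, and the sample share tree it builds in a temporary directory is constructed purely for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Extensions that almost always carry financial data (assumed list; extend to taste).
SENSITIVE_EXT = {".qif", ".qfx", ".ofx", ".pst", ".tax"}
# Filename fragments matching the kinds of records the 2007 witnesses pulled off LimeWire.
SENSITIVE_NAME_HINTS = ("tax", "bank", "statement", "medical", "passport", "payroll")
# U.S. Social Security number shape; a cheap content check on text-like files.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# A labelled 9-digit routing number, to catch exported bank data.
ROUTING_RE = re.compile(r"routing(?:\s+number)?\s*[:#]?\s*\d{9}\b", re.IGNORECASE)


def classify(path: Path, max_bytes: int = 65536) -> list[str]:
    """Return the reasons a shared file looks sensitive (empty list if none)."""
    reasons = []
    suffix = path.suffix.lower()
    if suffix in SENSITIVE_EXT:
        reasons.append("extension:" + suffix)
    name = path.name.lower()
    for hint in SENSITIVE_NAME_HINTS:
        if hint in name:
            reasons.append("name:" + hint)
            break
    try:
        head = path.read_bytes()[:max_bytes]
    except OSError:
        return reasons  # unreadable file: report what the name alone told us
    text = head.decode("utf-8", errors="ignore")
    if SSN_RE.search(text):
        reasons.append("content:ssn-pattern")
    if ROUTING_RE.search(text):
        reasons.append("content:routing-number")
    return reasons


def audit_shared_dirs(shared_dirs, max_bytes: int = 65536):
    """Walk every shared directory and return [(path, reasons)] for suspect files."""
    findings = []
    for root in shared_dirs:
        for path in sorted(Path(root).rglob("*")):
            if path.is_file():
                reasons = classify(path, max_bytes)
                if reasons:
                    findings.append((str(path), reasons))
    return findings


def build_demo_share(base: Path) -> Path:
    """Constructed sample share: a music folder plus documents that should never be shared."""
    (base / "music").mkdir()
    (base / "music" / "song.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 64)
    (base / "README.txt").write_text("nothing to see here\n")
    (base / "2008_tax_return.txt").write_text("Form 1040, filing status: single\n")
    (base / "bank_statement.csv").write_text("date,description,amount\n2009-04-01,deposit,1200.00\n")
    (base / "notes.txt").write_text("new hire, employee id 123-45-6789, start Monday\n")
    (base / "quicken_export.qif").write_text("!Type:Bank\nD04/01/2009\nT-45.00\n^\n")
    return base


def run_demo():
    """Build the sample share, audit it and return just the flagged filenames."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_share(Path(tmp))
        findings = audit_shared_dirs([tmp])
        return [Path(p).name for p, _ in findings]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_share(Path(tmp))
        for path, reasons in audit_shared_dirs([tmp]):
            print(path, ", ".join(reasons))
```

The point of the walk is that a client which shares a directory shares everything beneath it, so the audit has to recurse rather than look at the top level the user thinks they chose; on a real machine, point audit_shared_dirs at the directories listed in the client's own sharing configuration and treat any hit as a file to move out of the share before the client next starts.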
Senate Homeland Security and Governmental Affairs Chairman Joseph Lieberman and ranking member Susan Collins will hold a hearing in late April to examine the 60-day cybersecurity review ordered by President Obama. The audit, which is slated to conclude Friday, is being led by Melissa Hathaway, a top adviser to Director of National Intelligence Dennis Blair. After the hearing, Lieberman "will consider his legislative options," a spokeswoman said Wednesday. A number of bills intended to help secure U.S. computer networks, the power grid and other critical infrastructure are expected from committees that share jurisdiction over the issue. House and Senate committees covering commerce, homeland security, intelligence, judiciary and government reform have all introduced legislation in the past.
"The cyber threat to our nation's computer systems is real, and action to secure our cyber infrastructure is long overdue," Collins said in a statement. She is concerned that more than a year has gone by since the Bush administration announced its multi-billion dollar cybersecurity initiative and the Homeland Security Department still lacks the authority to set and enforce policies across the federal government. In last year's authorization bill, Lieberman and Collins outlined their vision for cybersecurity that would establish a National Cyber Security Center to coordinate efforts to protect government networks, strengthen DHS's ability to hire experts, and establish a private sector board to advise the agency on cybersecurity policy.
On the other side of Capitol Hill, House Homeland Security Chairman Bennie Thompson is focused on high-tech threats to the electrical system. "Our electric system is critical to our way of life, and we cannot afford to leave it vulnerable to attack," he said in a statement. "Our oversight indicates there is a significant gap in current regulation to effectively secure this infrastructure. I intend to introduce legislation that will address these limitations." Experts at the Center for Democracy and Technology briefed reporters on the path forward for cybersecurity policy at a Wednesday briefing. Read this story in CongressDaily's PM Edition for more details.
The Office of the Director of National Intelligence and the Defense Department want to modernize the nation's aging satellite-imagery architecture by evolving government-owned satellite designs and enhancing use of U.S. commercial providers, officials said Tuesday. Multiple government studies and an independent panel of former defense and intelligence experts demonstrated the need for a new path forward after examining current imagery, alternative architectures, cost and affordability, technological risk and industry readiness. A new plan by ODNI requires congressional approval but officials hope once that happens, implementation can begin in the coming months. Commercial imagery elements of the initiative would likely be operational in several years and the overall system would be fully deployed before the end of the next decade.
Under the proposal, government satellites would be developed, built and operated by the National Reconnaissance Office and the defense and intelligence communities would increase the use of imagery available through U.S. commercial providers. The additional capability would provide the government with more flexibility to respond to unforeseen challenges, officials said. The less complex satellites based on technologies already in production by U.S. vendors would be available sooner than the much more capable NRO-developed systems. The National Geospatial-Intelligence Agency would continue to integrate capabilities as well as imagery products.
Though now-President Obama said on the campaign trail that he would appoint a top cybersecurity czar charged with coordinating government efforts to protect the country's networks, it remains to be seen whether this person will indeed be appointed and what role they will play in the administration. As a result, both lawmakers and industry folks are weighing in. The Intelligence and National Security Alliance released a report Monday that states a "single cybersecurity official should be appointed at the White House-level to clarify the roles, mission, and responsibilities of those government agencies" involved in critical infrastructure. "The responsibilities of this individual shall include the development of the national cyber security plan and organizing our nation to effectively function through a cyber attack," the report reads.
The INSA report also says the maximization of open source software use "will increase cyber security and reduce exposure to the hidden risks of closed, proprietary commercial off the shelf software." INSA makes money from events and alliance members that include Microsoft, HP, SAIC and ManTech. But a representative from Microsoft, a company with a significant stake in proprietary software, said the company did not participate in the INSA report. The document also holds that a lack of adequate security and effective monitoring currently exists in the operation of the global domain name system and Internet routing system. -- Winter Casey
As the Obama administration crafts a game plan for keeping the nation's computer networks and critical infrastructure secure, the White House is going to anchor the interagency coordination and set a vision for the way forward, administration officials told reporters Friday evening on a conference call about the 60-day cybersecurity review the president ordered earlier this year. The White House does not plan to strong-arm the Homeland Security Department, National Security Agency and other entities that currently control operational aspects of government and private sector IT security, they said. Cybersecurity leadership has been a hot topic among lawmakers, think tanks and tech industry officials recently with at least one prominent report calling for the White House to take charge of that mission.
With 46 days under their belt, officials working on Obama's review have set a goal for releasing an overarching study to guide the formation of a trusted, resilient communications infrastructure through a national public-private partnership. Over the course of that examination, officials have identified and inventoried more than 250 cybersecurity requirements across federal agencies and asked those in charge of each initiative to connect the dots between their overall mission and the various requirements and programs they have in place. At the same time, the team reached out to stakeholders through a series of 40 meetings that yielded more than 100 white papers. Those who spoke to reporters refused to give details about their forthcoming recommendations since the review is ongoing.
Administration officials met with sector-specific coordination councils, the National Security Telecommunications Advisory Committee, industry associations and privacy and civil liberties groups. They consulted the American Civil Liberties Union, the American Library Association, the Center for Democracy and Technology, the Electronic Frontier Foundation and a range of others. The National Science Foundation, with the cooperation of more than 50 universities, also played a role by suggesting quick wins and longer-term R&D projects to help safeguard the nation's networks. Additional briefings involved federal regulatory agencies; state and local homeland security officials and CIOs; members of Congress and their staffs; and foreign partners.
Legislation unveiled Wednesday by Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, would require greater oversight of the Internet Corporation for Assigned Names and Numbers. The private entity based in California is slated to sever formal ties with the Commerce Department later this year and is working on a controversial plan that would change the way top-level domains, such as .biz, .info, and .us, are assigned. Read CongressDaily's coverage for details (subscription required).
"It's a great thing the Congress is taking this issue so seriously" and better coordination of cybersecurity is a laudable goal, ICANN Vice President Paul Levins told Tech Daily Dose. But the Internet is a dispersed network "so you can't just turn it off by exerting pressure at one point," he said. The bill would "make sure that ICANN does not succumb to foreign pressure" to end its relationship with the U.S. government, according to a summary. Levins argued the analysis "misunderstands ICANN's interests" and said his organization does not want to end its link to the U.S. government.
Another section would require the head of the National Telecommunications and Information Administration to develop a secure Internet addressing system. According to the summary, ICANN has "failed in this regard." Levins defended his group's leadership on the issue saying a proposal on this front was sent to the Commerce Department in October and officials have been running a test bed for over 12 months. ICANN is awaiting feedback from the agency, he said.
The Obama administration's 60-day review of the federal cybersecurity posture will likely conclude that a comprehensive strategy for protecting the government's IT assets and critical infrastructure from high-tech attacks should be run by the White House, Rep. Jim Langevin, D-R.I., told reporters Thursday. The review being conducted by Melissa Hathaway, a senior adviser to former Director of National Intelligence Mike McConnell, is more than halfway complete. Recent studies have recommended that oversight authority be housed in the Executive Office of the President rather than the Homeland Security Department or the National Security Agency. "I expect that cybersecurity as we go forward will look very much like our counter-proliferation program," said Langevin, who co-chairs the House Cybersecurity Caucus.
On the campaign trail, Obama promised to create a cyber czar post in the White House and Hathaway is the heir apparent. "I'm very impressed with the due diligence she's exercising in putting together the team and reaching out to outside groups and experts," Langevin said of Hathaway, who was on Capitol Hill for an event to reconstitute the caucus for the 111th Congress. Rep. Yvette Clarke, D-N.Y., who replaced Langevin as chair of the House Homeland Security Emerging Threats Subcommittee this session, emphasized the enormity of Hathaway's task. She pointed out that there are 42 different departments and agencies involved. "Every new [technological] advance we have creates new vulnerabilities and our responsibility is to have oversight over each and every area," Clarke said.
Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, are crafting legislation that they hope will improve the country's cybersecurity posture in the face of increasingly sophisticated global attacks against U.S. government networks as well as the nation's broader critical infrastructure. Rockefeller indicated he was working on the bill at a Thursday hearing where he also pledged to make cybersecurity a committee priority this year. He called cybersecurity "a profoundly and deeply troubling problem to which we are not paying much attention." CongressDaily's AM Edition has more coverage of the hearing (subscription required).
"We presently have systems to protect our nation's secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies' cyber capabilities," a draft summary of the Rockefeller-Snowe proposal obtained by CongressDaily stated. "However, the threat of cyber attack on our private sector's critical infrastructure - banking, utilities, air/rail/auto traffic control, and telecommunications is equally alarming and protections must be put in place." The document goes on to say the proposal would "bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership."
In observance of Sunshine Week, the Electronic Frontier Foundation on Monday launched a sophisticated search tool that lets the public examine thousands of pages of documents the watchdog group has retrieved from government agencies through Freedom of Information requests and litigation. The documents relate to a range of technology issues and government policies that affect civil liberties and personal privacy. EFF's collection sheds light on controversial government initiatives, including the FBI's Investigative Data Warehouse and the Homeland Security Department's Automated Targeting System.
"Until recently, documents obtained under FOIA often gathered dust in filing cabinets," EFF Senior Counsel David Sobel said in a press release. "We believe that government information should be widely available and easy to research, and our new search engine makes that a reality." "We welcomed President Obama's declaration -- on his first full day in office -- that he will work to make the federal government more open and participatory," EFF attorney Marcia Hofmann said. "There's certainly a lot of work to do -- so much government activity has been hidden from public view in the name of 'national security' and the 'war on terror.'"
In her first hearing before Congress since being confirmed, Homeland Security Secretary Janet Napolitano was grilled about U.S. government policies for screening laptops and other high-tech gadgets at airports and whether she would address concerns from people who have had their laptops taken away at airports and examined. Rep. Loretta Sanchez, D-Calif., plans to reintroduce legislation on the issue. When asked by Sanchez to describe border control agents' abilities in this arena, Napolitano said the "law here is very straightforward." The federal government has broad authority to search at the border. However, existing statutes do not specifically answer whether agents should search laptops and what elements should be included in a search, she said. Napolitano said she is still looking into the issue and noted there are "a number of issues we handle that have really key privacy concerns inherent in them." She also answered questions about a 2012 deadline for scanning all U.S.-bound cargo containers in foreign seaports and whether she believes the Federal Emergency Management Agency should be moved out of the department. -- Juliana Gruenwald
Information technology security is unsurprisingly the top challenge reported by federal government CIOs in an annual survey conducted by the Technology Association of America -- a group formed earlier this year by the merger of the Information Technology Association of America and the American Electronics Association. Since 2009 marks a period of greater change than normal, with the transition to a new administration, authors revised the study's format to examine impacts of the transition and offer advice for the future. The paper also looks back at the eight years of President George W. Bush's administration and provides commentary on challenges, outcomes and lessons learned.
The study's findings, released Tuesday, classify participating CIOs into three categories in terms of their thinking on the current IT security challenge. One subset tended to define their IT security progress and challenges in terms of compliance with OMB directives and initiatives. Another subset was more focused on protecting current IT assets -- infrastructure, networks, software and data -- from unauthorized intrusion and harm. A third subset believed a strategic response is required to address cybersecurity. Other challenges described in the report include IT infrastructure, management, resources, workforce, applications systems and transitioning to the future.
Key observations from CIOs for the Obama administration fit into the following themes:
• Strong leadership drives change
• Employ laser-sharp focus
• Demand results and verify
• Achieve good IT governance
• Fix IT infrastructure
• Fund priority initiatives
• Continue to standardize and consolidate
• Strengthen the blended workforce
The full report and CIO survey will be available on the ITAA and AeA Web sites.
The White House planned to announce as early as Monday that Melissa Hathaway, top cybersecurity adviser to the director of national intelligence under President George W. Bush, will oversee a review of federal cybersecurity efforts, after which she will likely be offered the post of cyber czar, an intelligence official confirmed Friday. Hathaway, who was senior adviser to former Director of National Intelligence Mike McConnell and previously worked as a consultant at Booz Allen Hamilton, will leave the office for 60 days to conduct the review of overall cyber organization and strategy in the federal government, sources told GovExec.com.
Hathaway will lead the review with the National Security Council, the president's principal forum for considering national security and foreign policy issues with senior advisers and Cabinet officials. The council also helps coordinate policies among federal agencies. Homeland Security Secretary Janet Napolitano is running a parallel review at that department outlining the state of cybersecurity in government. Senate Homeland Security and Governmental Affairs Federal Financial Management Subcommittee Chairman Thomas Carper, D-Del., lauded the news but said the exploration must not stop with Hathaway's assessment.
"I will continue to monitor cyber security issues and work with the Obama administration to ensure our nation's sensitive information and critical infrastructure is protected," Carper said. "America's military, economy and way of life depend on our ability to send and receive accurate and reliable information quickly and securely. Unfortunately, I have seen evidence of criminal groups and even foreign nations looking to do us harm by exploiting vulnerabilities in our information infrastructure."
Update: The announcement about Hathaway came at 6:45 p.m.
Greg Garcia, the Homeland Security Department's first assistant secretary for cyber security and communications -- who left his post in December after more than two years -- announced his next move on Thursday. In an e-mail to friends and colleagues, he wrote: "I have known that I want to continue contributing to the mission of cyber security and national security/emergency communications. But rather than commit myself to this mission through just one organization, I have chosen to contribute independently."
"After taking some time off through the holidays, I have formed my own advisory firm, cleverly named Garcia Strategies. This approach I believe will broaden my perspectives, and diversify my partnerships and tools for making progress against a complex challenge," Garcia wrote. "I have also tailored a Web site of rather modest accoutrements, and will try to maintain a blog, which might on occasion have the intended effect to entertain and inform."
Former National Security Agency analyst Russell Tice told MSNBC's Keith Olbermann Wednesday night that the agency spied on U.S. news organizations "24/7, 365 days a year." Former President Bush and senior officials insisted repeatedly that the warrantless wiretapping program that came to light in 2005 was legal and only targeted those with suspected ties to terrorist organizations. Tice said he did not know what became of the journalists' collected communications nor did he mention news outlets by name.
He told Olbermann he volunteered his expertise to President Barack Obama's campaign and transition team but they did not take him up on the offer. "They knew my background but they never utilized me," said Tice, who has leaked information about the NSA before and has pushed for whistleblower protection legislation. Before appearing on the show, he sent a handwritten note to Obama's camp saying he planned to speak about the NSA activity in more detail.
Sen. Dianne Feinstein, D-Calif., on Tuesday introduced a pair of data security bills -- one that would require businesses to notify consumers in the event of a security breach and another, co-sponsored by Sens. Judd Gregg, R-N.H., and Olympia Snowe, R-Maine, that would ban the sale or display of an individual's Social Security number without his or her consent. The legislation, which she also offered in the 110th Congress, was part of a package of "first day" bills she sponsored as members returned to Capitol Hill, according to a release.
Specifically, her breach bill would require a federal agency or business entity to quickly notify an individual of a security breach involving personal data and would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached contains more than a million entries, is owned by the federal government, or involves national security or law enforcement. The Social Security measure would prohibit federal, state and local governments from displaying the numbers on records posted online or from printing them on government checks. It would also place limits on when businesses can ask customers for their Social Security numbers.
Amid a growing sea of phishers, spammers and other Internet-based crooks, the most daunting cyber challenge faced by law enforcement agencies is identifying how best to secure the U.S. national high-tech infrastructure writ large, Deputy Attorney General Mark Filip told the International Conference on Cyber Security this week in New York City, which was organized by the FBI and Fordham University. "We must secure our cyber infrastructure in a manner that addresses threats from foreign armies, adversary intelligence services, criminals, and terrorists. It's hard to exaggerate how important this is or how hard it is to accomplish fully," he said in remarks released Wednesday. "We've made real progress in this area, but we all know there's a lot to do."
Filip outlined some successes, like an FBI center in Pennsylvania that brings private parties and government investigators together to work on cyber breaches and threats, but said that effort and others are in their early stages. The Justice Department and FBI are also ramping up collaborations with other agencies to address cyber espionage and cyber terrorism threats. That work is done at places like the Joint Terrorism Task Forces and the National Counterterrorism Center.
In the coming years, those who safeguard the IT space will encounter the same kinds of spies, criminals, terrorists, and armies -- "but we're now living in a world where technology moves much faster than the government typically moves, and where our adversaries are anxious to exploit every vulnerability that technological change can offer," Filip warned. For that reason, the government's response must be nimble and effective at working with the private sector, he said. He also mentioned President-elect Barack Obama's interest in creating a White House position to coordinate cyber policy across agencies but would not offer an opinion on the wisdom of that model.
Rep. Frank Wolf, R-Va., told House leaders Tuesday that few members of Congress have availed themselves of secret briefings meant to educate them about outsiders trying to penetrate lawmakers' computers and steal sensitive information. Despite "repeated assurances" that the House leadership would inform members of Congress about threats to their computer systems and personal electronic devices, members are still at risk of being hacked by foreign and domestic sources, Wolf wrote in a letter [PDF] sent to House Speaker Nancy Pelosi and other leaders, which was obtained by National Journal. In September of last year, the Republican and Democratic caucuses held classified briefings for lawmakers about cyber risks, but "the meetings were sparsely attended," Wolf wrote. "I fear that Members are no better informed today than they were before."
FBI Cyber Division Assistant Director Shawn Henry and Deputy Director Christopher M.E. Painter are among several key law enforcement officials slated to speak at the International Conference on Cyber Security next week in New York City. Henry, Painter and Louis Grever, executive assistant director for the FBI Science and Technology Branch, will speak on Tuesday while Deputy Attorney General Mark Filip will deliver remarks on Thursday. The event is being held at Fordham University at Lincoln Center.
The FBI has teamed with Fordham's Department of Computer and Information Sciences to bring together global leaders in emerging cyber threat analysis and enforcement for the first of its kind conference. This gathering of international cyber security experts will host more than 300 delegates from around the world, officials said in a press release. ICCS -- which is sponsored by Google, Booz Allen Hamilton, BAE Systems and others -- will consist of three full days, 50 unique lectures, cutting edge demonstrations and networking opportunities. Read more about the Jan. 6-8 conference here.
From NextGov.com's Bob Brewin:
A joint report released on Monday strongly urged the Defense Department to fully fund and deploy as soon as possible a $16 billion advanced satellite system that would give the military the ability to transmit larger amounts of surveillance and intelligence information at a much faster rate. The Transformational Communication Satellite system, which the Air Force is building, will transmit images, video and signals intelligence from unmanned aerial vehicles and spy satellites to Army and Marine units on the battlefield and Navy ships.
The Air Force had planned to award the contract for the satellites this month, with Boeing Co. and Lockheed Martin Corp. competing for the pact. But the award has been delayed because of Air Force funding issues and because the Joint Staff is reexamining the contract's requirements, Chris Isleib, a Pentagon spokesman, said in October. A report released by the Defense Science Board and the Intelligence Science Board warned against further delays, saying the TSAT system is "essential to enhancing military and intelligence operations."
Homeland Security Secretary Michael Chertoff announced Thursday that a "live exercise" of the next generation of the department's automated process for collecting and sharing security information -- referred to internally and by many in the data security community as "Einstein" -- should be ready within six months. The cyber threat detection and mitigation program is currently operating in its second generation as part of a larger, largely classified Bush administration plan to heighten security of federal computer networks, which was brought to light in January and has been the subject of several congressional hearings. Chertoff said Einstein has been deployed within DHS and will be rolled out to other agencies "in short order."
Chertoff, who was speaking to participants of a cyber threat simulation staged by consulting firm Booz Allen Hamilton, also reflected on the government's systematic strategy for "reducing, if not eliminating" the cyber security problem. He said the danger falls into three categories: (1) Information being stolen, be it sensitive military data, financial material, or diplomatic or business plans. (2) Attacks that flood or topple a network -- like denial-of-service attacks on the domain name system. (3) Corruption or changes to a system that make it unusable and undermine public confidence and trust. Read more about Chertoff's talk in CongressDaily's PM Edition.
The Identity Theft Resource Center unveiled its predictions for 2009 on Tuesday and real estate and credit card-based scams top the nonprofit's list of potential problems on the horizon. Multiple scams are already circulating on the Internet and through local advertising that attack the equity in a home or which may be used to establish a whole new home loan, the group said. Meanwhile, ID thieves may also take advantage of the tight credit climate by advertising the ability to get credit cards despite a poor credit score or the lack of a Social Security number.
The center warns that job scams are on the rise -- as people seek second sources of income -- and a variety of fake IRS emails have arisen, including tax refund offers, audit information demands and verification of citizenship status. In addition, the center is anticipating an increase in check fraud and sophisticated ways to "mine" personal information, sometimes by organized crime groups. On a positive note, the center predicts increases in the number of state and federal agencies and nonprofits that provide free ID theft victim assistance.
A growing number of organizations believe that an information security incident would have a greater impact on reputation and brand than on revenue, with 85 percent of respondents to a new Ernst & Young survey citing damage to reputation and brand as significant, compared with 72 percent for loss of revenue. Regulatory sanction is cited by only 68 percent, the report stated. The survey canvassed nearly 1,400 senior executives in more than 50 countries.
"A good brand and reputation can take years to build but can be severely damaged or even destroyed by a single security incident," Ernst & Young Technology & Security Risk Service chief Paul van Kessel said in a release. For the past few years, most improvements in information security stemmed from regulatory compliance, he said, but now the desire to protect brand is motivating many firms to "do more than just tick regulatory and corporate compliance boxes."
Despite tightening economies, the report indicates that organizations are increasing investments in information security and more are adopting international security standards. About 67 percent of respondents interviewed say they have now implemented controls to protect personal information. Half of respondents are set to increase their budgets for security and only 5 percent plan to decrease money flowing to those accounts, officials said.
The FBI in conjunction with a number of international law enforcement partners on Thursday announced the conclusion of a two-year undercover sting targeting members of the online “carding” forum known as Dark Market. Cyber criminals using this forum represented a virtual transnational criminal network involved in the buying and selling of stolen financial information including credit card data, login credentials as well as equipment used in carrying out financial crimes. FBI cyber czar Shawn Henry hinted that the announcement was coming in this CongressDaily story.
A primary objective of the operation, the FBI said in a press release, was to infiltrate the forum, which at its peak had more than 2,500 registered members; develop intelligence on key players; and, in coordination with U.S. and international partners, systematically identify, locate and arrest them over a sustained period. The sting resulted in 56 arrests worldwide, and the seizure of compromised victim accounts prevented $70 million in economic loss, the FBI said. Separate from those successes, the operation created new leads and more investigative information to pursue, officials said.
The National Security Agency is intercepting and storing communications of innocent Americans in Iraq's so-called "Green Zone," according to allegations made by two NSA whistleblowers in an ABC News segment that aired Thursday night. According to the report, agency workers even pass around the most titillating conversations had by U.S. soldiers and aid workers with their families in the United States. That eavesdropping reportedly continued even after NSA analysts knew that the calls they were tapping belonged to Americans who had no ties to terrorism.
One Army Reserve linguist interviewed said the program helped find evidence related to terrorist plots against the United States but she told ABC News the intercepts were so broad that it made it more difficult to find the calls that needed monitoring. The report calls into question assurances the NSA and Justice Department repeatedly gave Congress that internally enforced "minimization procedures" are adequate to protect the private conversations of Americans, the Center for Democracy and Technology said. Senate Intelligence Committee Chairman John (Jay) Rockefeller has said he will investigate the claims.
Computer and Communications Industry Association President Ed Black said he hoped the Senate "will take this matter very seriously." "The executive branch has taken on unprecedented new powers to spy on Americans, asking us to trust them that this is needed to catch terrorists," he said. "The allegations in this news report, if true, would add to the evidence that this trust is being misused." These developments reinforce the need to reverse the telecommunications company immunity recently granted by Congress, so that the truth about any abuse can come out, he said.
The United States experienced the most cyber attacks in 2008, with more than 20 million attempted attacks originating from computers within the country, according to a client study by security firm SecureWorks. China was second with 7.7 million attempted attacks emanating from computers within its borders, and Brazil took third place with 166,987 attempted attacks. South Korea, Poland, Japan and Russia were also high on the list.
"This should be a warning to organizations and personal computer users that, not only are they putting their computers and networks at risk by not securing them, but they are actually providing these cyber criminals with a platform from which to compromise other computers," SecureWorks researcher Hunter King said in a press release. The findings illustrate the futility of simply blocking traffic from foreign IP addresses as a defense mechanism, since attacks are routinely launched from compromised machines in whatever country the defender trusts, added Don Jackson, the firm's threat intelligence director.
The Georgia/Russia cyber conflict was a good example, SecureWorks said. Many Georgian IT staffers thought that by blocking Russian IP addresses they would be able to protect their networks but the Russian attacks were actually launched from IP addresses in Turkey and the United States.
The Internet Security Alliance, in conjunction with the Homeland Security Department and the National Institute of Standards and Technology, will launch a year-long program designed to create greater assurance and security in Internet telephony (VoIP), officials said Monday. The alliance will kick off the project at a security automation conference being held at NIST's Gaithersburg, Md., campus this week.
While VoIP and other networks have plenty of perks, "there is a potentially exhaustive list of VoIP and converged network vulnerabilities which can be accessed by organized crime and others to steal confidential data from companies, governments and even the police," ISAlliance President Larry Clinton said in a press release. "A collaborative effort to secure this popular platform is needed now."
Nortel's Lawrence Dobranski said the initiative's goal is to build a secure and cost effective solution to let government and corporate users deploy VoIP and other converged networks with greater confidence. Part of that effort is building a checklist of vulnerabilities that will form a baseline of minimum security that can be augmented by more product specific and industry specific standards and practices, he said. The Office of Management and Budget has already mandated that federal CIOs use automated security tools as they become available, Dobranski said.
The FBI and the Internet Crime Complaint Center have received reports of recent spam e-mails spreading malicious "Storm Worm" software, officials said Wednesday. The e-mails, which contain the phrase “F.B.I. vs. Facebook,” direct recipients to click a link to view an article about the FBI and the popular social networking Web site. The Storm Worm virus has also been spread in e-mails advertising a holiday e-card link.
According to an FBI press release, clicking the link downloads malware onto the Internet-connected device, causing it to become infected with the virus and part of the Storm Worm "botnet," a collection of compromised computers under the command of a criminal “botherder.”
“The spammers spreading this virus are preying on Internet users and making their computers an unwitting part of criminal botnet activity," the FBI's Richard Kolko said. "We urge citizens to help prevent the spread of botnets by becoming Web-savvy. Following some simple computer security practices will reduce the risk that their computers will be compromised."
The American Civil Liberties Union has unveiled an online advertising campaign aimed at raising awareness about the lawsuit the watchdog group filed last week in New York federal court, which seeks a permanent injunction that would bar the U.S. government from conducting surveillance operations under a major revision of the 1978 Foreign Intelligence Surveillance Act.
President Bush signed into law legislation that expands the authority for the government’s warrantless electronic spying activities and virtually ensures retroactive immunity for telecommunications firms involved in the program. “This law will play a critical role in helping to prevent another attack on our soil,” Bush said as he signed the bill, calling it “vital to the security of our people.”
Some have argued that the measure eroded checks on the power of government but the Bush administration said it needed the expanded authority to thwart terrorist attacks. The ACLU also ran an ad addressing the issue in The New York Times on Thursday.
The non-profit Identity Theft Resource Center released statistics on Monday showing that the group's data breach count has reached an all-time high. The total number of breaches recorded by the ITRC between Jan. 1 and June 27 was 342 -- more than 69 percent higher than the same time period in 2007. The actual number of breaches is probably larger due to underreporting and the fact that some reported incidents that affect multiple businesses are listed as a single event.
The ITRC breach report sub-divides and tracks all breaches into five categories. The following is a comparison of 2008 (as of June 27) with annual totals from 2007 and 2006.
• Business: 2008- 36.8 percent | 07- 28.9 percent | 06- 21 percent
• Educational: 2008- 21.3 percent | 07- 24.8 percent | 06- 28 percent
• Govt/Military: 2008- 17.0 percent | 07- 24.6 percent | 06- 30 percent
• Health/Medical: 2008- 14.9 percent | 07- 14.6 percent | 06- 13 percent
• Banking, finance: 2008- 10 percent | 07- 7 percent | 06- 8 percent
Identity intelligence firm ID Analytics also cooperated with ITRC in its 2007 breach study and found that 39 percent of data exposures in 2007 were related to missing or stolen devices and said the “malicious intent” categories comprised 25 percent of the total data exposure events. ITRC believes that this indicates an increasing awareness by thieves of the monetary value of personal identifying information. Read ITRC's report here.
Over at NextGov.com, Jill Aitoro writes that hostile code attached to e-mail messages is one of the most significant cybersecurity problems federal agencies face today, according to an industry analyst and former FBI investigator. “It’s getting scarier and scarier and scarier,” said Michael Gibbons, principal of security and privacy services at Deloitte and former chief of computer crime investigations.
Long recognized as a serious problem, phishing attacks send messages masquerading as notices from legitimate organizations or persons to computer users, with the expectation that they will click on a link and enter personal information, such as bank account numbers or passwords. Spear phishing attacks, however, target specific individuals, frequently using their name, and are therefore harder to spot and avoid. Read the full story here.
The FBI and its partner, the Internet Crime Complaint Center (IC3), warned consumers on Friday of reports of malicious computer-based "phishing" attacks targeting users of EPPICards, which are similar to debit cards and are issued by a state agency for the purpose of receiving child-support payments. The cards are currently used in 15 states.
Individuals have reported receiving e-mail or text messages indicating a problem with their account or asking them to complete an online survey, the FBI said. They are directed to follow the link, which actually leads to a fraudulent Web site where their personal information, such as account number and PIN, is compromised.
“This is yet another attempt by cyber criminals to take advantage of technology to gain access to your personal information," the FBI's Richard Kolko said. "We are asking citizens to be alert and not to fall victim to these schemes. If you receive one of these messages, please report it to IC3."
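The two phishing items above describe the same mechanics: a message that claims an account problem, a link whose visible text looks legitimate, and a landing page that harvests account numbers and PINs. Mail gateways catch much of this with a few mechanical checks on the links themselves. The Python below is an added example, not FBI or IC3 code; the TRUSTED_DOMAINS allow-list, the .example hostnames and the sample lure are assumptions constructed for this illustration.

```python
"""Heuristic phishing-link checks over an HTML e-mail body.

Added illustration (not FBI/IC3 tooling). Flags three lure patterns:
visible text that names one domain while the href goes to another,
a trusted brand name embedded in an untrusted host, and raw IP links.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains the card issuer and the FBI really use.
# ".example" is a reserved TLD; a deployment would carry the real domains.
TRUSTED_DOMAINS = {"eppicard.example", "fbi.gov"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'host/path' strings get a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname. Enough for .gov/.net/.example here;
    production code would consult the public suffix list (co.uk etc.)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def link_findings(href, text):
    """Return the reasons (possibly none) a single link looks like a lure."""
    reasons = []
    host = host_of(href)
    target = registrable_domain(host)

    # 1. The visible text shows one domain, the href points at another.
    shown = _DOMAIN_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1).lower()) != target:
        reasons.append("display/target mismatch")

    # 2. A trusted brand label sits inside an untrusted host, e.g.
    #    eppicard.example.verify-now.net or eppicard-secure.net.
    if target not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if re.search(rf"(?<![a-z0-9]){re.escape(brand)}(?![a-z0-9])", host):
                reasons.append(f"look-alike of {trusted}")
                break

    # 3. A raw IP literal instead of a hostname.
    if _IPV4.fullmatch(host):
        reasons.append("raw IP address")
    return reasons


def analyze_message(html):
    """Map every href in the message to its findings (empty list = nothing odd)."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    return {href: link_findings(href, text) for href, text in extractor.links}


# Constructed sample modelled on the account-problem lure in the IC3 warning;
# not a real message.
SAMPLE_LURE = """
<p>There is a problem with your EPPICard account. Log in at
<a href="http://eppicard.example.verify-now.net/login">https://www.eppicard.example/</a>
within 24 hours or your benefits will be suspended.</p>
<p>For help, see <a href="https://www.eppicard.example/help">our help page</a>
or call the number printed on your card.</p>
<p>Survey: <a href="http://192.0.2.10/survey">take a two-minute survey</a></p>
"""

if __name__ == "__main__":
    for href, reasons in analyze_message(SAMPLE_LURE).items():
        print(("SUSPECT " if reasons else "ok      ") + href, "; ".join(reasons))
```

Run stand-alone, the script marks the first and third links as suspect and the genuine help link as clean. The domain-mismatch check is the one that matters most in practice: the visible "https://www.eppicard.example/" is exactly what a spear-phishing recipient reads, while the href is what the browser follows.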
The FBI warned the public on Tuesday to beware of e-mails claiming to be raising money to help victims of the recent earthquake in China. The Sept. 11, 2001 terrorist attacks, Hurricane Katrina, the Virginia Tech shooting and other tragedies have prompted online criminals to solicit contributions for charitable organizations.
Some of the Chinese earthquake scam messages claim to be offering free vacation trips to the largest donors and even use fake logos of legitimate online pay services to fool people, the FBI said. The bureau urged individuals not to respond to unsolicited e-mail; not to click on links contained within those spam messages; and to make contributions directly to recognized organizations.
"People should feel free to make donations, just make sure you know who you are dealing with and where the donations are going," Special Agent Richard Kolko said. "This way you can make sure your money really makes a difference and helps out a needy person, not a greedy criminal."
The Homeland Security Department's recently launched blog has a new entry from Daniel Sutherland, the agency's civil rights and civil liberties chief. His post outlines efforts to make Hajj travel efficient and safe. More than a million people, including thousands of Americans, make a pilgrimage to Mecca and Medina in Saudi Arabia each year.
"We are strengthening our cultural competence and honoring our proud traditions of civil rights and civil liberties -- including religious freedom -- as we protect our homeland and our travelers," Sutherland wrote. "We work closely with various religious groups such as Sikh and Jewish organizations concerning the screening of people who wear religious head coverings or carry certain religious articles when they travel."
The DHS "Leadership Journal" averages more than 1,000 visitors a day, officials said. Recent posts have covered diverse topics like biometrics; the rollout of the standardized identification card program known as "Real ID;" and the government's response to an ice storm in the Midwest.
Global spam levels peaked at an all-time high of 95 percent of all e-mail during the third quarter of 2007, according to a new report by Commtouch. The study, based on automated analysis of billions of e-mail messages, noted the emergence of new kinds of attachment spam, such as PDF spam and Excel spam.
There's a growing threat of innocent appearing spam containing links to malicious Web sites, the report indicated. The common thread to all of the nasty activities is the utilization of zombie botnets -- networks of compromised computers that are used to launch the blended spam/malware attacks, officials said. A bit of good news: image spam is on the decline.
This story was originally published in Tuesday's PM Edition of Technology Daily.
By Heather Greenfield
A House Oversight and Government Reform subcommittee spent Tuesday afternoon reviewing government and private-sector efforts to secure the nation's Internet infrastructure. The House Homeland Security Committee held a similar hearing last week.
The attention comes in part because the Homeland Security Department has declared October as Cyber Security Awareness Month, but the hearings are timelier after a recent video leak to the media. It showed an experiment at one of the national laboratories in which a researcher hacked into a power-plant control system and set fire to it with the click of a mouse.
Getting a grasp of the history of improving cyber security is a challenge in part because the threat has changed. Larry Clinton, president of the Internet Security Alliance, said in prepared testimony that as America has moved from vulnerabilities that might have taken months to exploit to the current era of immediate attacks, "just getting information is no longer nearly enough."