Blog posts tagged with 'Cybersecurity'
Friday, September 10
The long-gestating cybersecurity bill — aimed to upgrade the government’s security measures in order to keep up with technology — may soon be ready for prime time. But as Diane Bartz of Reuters reports, despite Senator Harry Reid pushing it near the top of the agenda, the bill’s chances of being passed this year are looking dicey:
Previous congressional efforts to address these threats have run into roadblocks from high tech and telecommunications companies. They staunchly oppose any mandates—such as certification of cybersecurity professionals or requiring portions of the network to be shut down to mitigate a threat.
“I don’t think it’s going to happen,” Marcus Sachs, a cyber policy expert with Verizon Communications Inc, told Reuters, about the prospects for legislation this year.
Thursday, September 02
While Congress works to put together a cybersecurity bill, rumors keep circulating that it will contain a so-called Internet “kill switch,” which some believe will give the president the power to essentially turn off the Internet. Now, as Gautham Nagesh from The Hill reports, congressional leaders are attempting to clear up misconceptions about the bill:
At the heart of the issue is whether the president already has the authority to intervene in private-sector networks in the event of such an emergency. [Sen. Susan] Collins and other supporters of the bill contend the president has had that authority for some time under a little-known provision of the Communications Act passed one month after the December 1941 Japanese attack on Pearl Harbor.
“The president’s had that authority for a while,” said a senior Senate aide, who asked not to be identified. The aide said the “kill switch” is a misnomer because the infrastructure that supports the Internet in the U.S. makes it impossible to take down the entire network from one location. But the aide said the storyline has picked up steam because it’s very difficult for the public to conceptualize the severity of the cyber-threats facing the United States.
Tuesday, June 22
Recently, word made the rounds that Senator Joe Lieberman was promoting a bill that would give the president the power of an “Internet kill switch.” This set off a number of warning flares among civil liberty and privacy groups. To help squelch the concern, PC Mag reports, Sen. Lieberman has clarified matters:
The country’s “electric grid, the telecommunications grid, transportation, all the rest is constantly being probed by nation states, by some terrorist groups, by organized criminal gangs,” he said.
As a result, “we need the capacity for the president to say, Internet service provider, we’ve got to disconnect the American Internet from all traffic coming in from another foreign country, or we’ve got to put a patch on this part of it,” he said.
Friday, June 04
Cybersecurity is getting a lot of attention these days, with a number of bills making the rounds on Capitol Hill to ensure America’s digital infrastructure remains operative during an emergency. Wired takes a look at the most recent one, sponsored by Sen. Joe Lieberman and Sen. Susan Collins:
Lieberman and Collins’ solution is one of the more far-reaching proposals. In the Senators’ draft bill, “the President may issue a declaration of an imminent cyber threat to covered critical infrastructure.” Once such a declaration is made, the director of a DHS National Center for Cybersecurity and Communications is supposed to “develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences of the potential disruption, of covered critical infrastructure.”
“The owner or operator of covered critical infrastructure shall comply with any emergency measure or action developed by the Director,” the bill adds.
As Wired points out, the President will only be able issue a declaration if the threat will “do massive harm,” meaning breaches January’s hacking of Google and Adobe wouldn’t qualify.
Friday, April 16
Today’s New York Times has an interesting read on the differences between how the U.S. and Russia view cybersecurity:
The United States has succeeded in creating a global 24-hour, seven-day network of law enforcement agencies in 50 nations, which have agreed to collect and share data in response to computer attacks and intrusions. While officials from both nations said that law enforcement cooperation had improved, the Russians have refused to sign the European cybercrime treaty, which the United States strongly backs.
At the same time, for the past 13 years, the Russians have been trying to interest the United States in a treaty in which nations would agree not to develop offensive cyberweapons or to conduct attacks on computer networks. The United States has repeatedly declined to enter into negotiations, arguing instead that improved law enforcement cooperation among countries is all that is necessary to combat cybercrime and cyberterrorism.
Monday, February 22
CNN looks at the role the U.S. government accidentally played in the recent Google hack from China:
The news here isn’t that Chinese hackers engage in these activities or that their attempts are technically sophisticated—we knew that already—it’s that the U.S. government inadvertently aided the hackers.
In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.
Tuesday, December 22
The Washington Post is reporting that President Obama will name Howard A. Schmidt, who worked as a cyber security expert at eBay and Microsoft, and served in the Bush administration, as the White House cybersecurity coordinator.
Tuesday, August 04
Melissa Hathaway, the first “Cyber Czar” under the Obama administration, is leaving her post. Reports the Wall Street Journal:
Melissa Hathaway, who completed the Obama administration’s cybersecurity review in April, said in an interview that she was leaving for personal reasons. “It’s time to pass the torch,” she said, adding that she and her colleagues have provided an “initial down payment for what’s needed to start to address cybersecurity.”
In the past year, intelligence officials have grown increasingly concerned about Chinese and Russian cyberspies surveilling U.S. infrastructure and military networks.
Given that cybersecurity is a big priority for President Obama, expect the position to be re-filled soon.
Thursday, July 30
Add British intelligence agency MI5—the home of James Bond—to the growing list of government agency websites that have been hacked. ZDNet has the scoop:
Last week, a hacker with the handle ‘[-TE-]-Neo’ wrote that the MI5 website was vulnerable to cross-site scripting and Iframe injection. The hacker put the post on the Team Elite hacker forum last Tuesday, claiming the site was breachable through the search engine. Team Elite notified MI5’s administrator of the flaw before posting proof-of-concept code.
MI5 says no sensitive material could be accessed through the hack, but they moved quickly to fix the problem anyway.
Wednesday, July 01
A hacker from Boston has been sentenced to more than 11 years in prison for his online shenanigans. Reports eWeek:
Matthew Weigman, 19, also known as “Little Hacker,” was accused of being part of a gang of telephone hackers that made more than 60 fake emergency calls and broke into the phone network to make it appear as though the calls came from somewhere else.
Weigman pleaded guilty in February to one count of conspiracy to retaliate against a witness, victim or informant as well as one count of conspiracy to commit access device fraud. According to Wired, which has interviewed Weigman in the past about his activities, the FBI had been chasing the hacker since he was 15, and at times treated him as an informant. As part of his plea, he admitted to conspiring with other hackers to place bogus emergency calls that sent SWAT units to the homes of their unsuspecting victims.
Curious footnote: Weigman is blind.
Thursday, June 25
Last month, the Obama administration announced it was creating a national “Cyber Czar” to oversee efforts to fight cyber attacks. Now the United Kingdom is following suit, creating a new Office of Cyber Security. Reports ZDNet:
The Office of Cyber Security (OCS), dedicated to protecting Britain’s IT infrastructure, will be created in line with a model proposed — and in part practised by — the US, the Cabinet Office said on Thursday. The OCS will have charge of a cross-government programme of work, while a multi-agency Cyber Security Operations Centre (CSOC), based at GCHQ in Cheltenham, will coordinate the protection of critical IT systems.
As well as cyber-defence and cyberattack coordination, the OCS will act as a conduit for information security collaboration between government and industry experts.
Wednesday, June 10
Forbes has an interesting profile of Ovidui-Ionut Nicola-Roman, a 23-year-old online “phishing” scammer who in March became the first foreigner extradited to the United States for cybercriminal activity:
The dismantling of the phishing scheme involving Nicola-Roman is an example of American law enforcement’s increasingly cozy relationship with foreign cybercrime investigations. Along with the 23-year-old Nicola-Roman, authorities arrested 37 other members of that cybercriminal ring last May. Those globally dispersed defendants were based in countries stretching from the U.S. to Romania to Pakistan.
Nicola-Roman has been sentenced to 50 months in prison. But with a reported 5 million Americans still being scammed online each year, he’s just a drop in the global cybercrime bucket.
Wednesday, June 03
Via Ars Technica:
As a member of the International Atomic Energy Agency, the US regularly prepares a report on its civilian nuclear program for the Agency, which provides a detailed listing of the sites and assets of the nuclear power industry throughout the US. Although most of the information is available from other sources, the report is, quite reasonably, considered very sensitive. Over the weekend, however, the Federation of American Scientists’ Secrecy News blog noticed that the document had appeared on the website of the Government Printing Office. Although it has since been pulled from that site, these sorts of errors have become irreversible in the Internet era—the document now resides on Wikileaks.
Stopping sensitive information from leaking out is, of course, a top priority when it comes to cybersecurity. Being able to halt—or even slow—the spread of leaked information could prove to be the most challenging task.
Wednesday, May 27
The Washington Post reports:
President Obama is expected to announce late this week that he will create a “cyber czar,” a senior White House official who will have broad authority to develop strategy to protect the nation’s government-run and private computer networks, according to people who have been briefed on the plan.
The adviser will have the most comprehensive mandate granted to such an official to date and will probably be a member of the National Security Council but will report to the national security adviser as well as the senior White House economic adviser, said the sources, who spoke on the condition of anonymity because the deliberations are not final.
Good news, especially given recent attacks on U.S. government networks.
Tuesday, May 05
With cybersecurity currently a hot topic in Washington, D.C., researchers at the University of Santa Barbara have taken the step of hijacking a botnet in order to see just how much damage it does. Ars Technica has the scary scoop:
UCSB’s researchers were able to gather massive amounts of information on how the botnet functions as well as what kind of information it’s gathering. Almost 300,000 unique login credentials were gathered over the time the researchers controlled the botnet, including 56,000 passwords gathered in a single hour using “simple replacement rules” and a password cracker. They found that 28 percent of victims reused their credentials for accessing 368,501 websites, making it an easy task for scammers to gather further personal information. The researchers noted that they were able to read through hundreds of e-mail, forum, and chat messages gathered by Torpig that “often contain detailed (and private) descriptions of the lives of their authors.”
The University’s full research paper is available here.
Thursday, April 23
Hot on the heels of a recent Wall Street Journal report about hackers breaching a U.S. military fighter-jet project comes this chilling article from Popular Science on the rise of Chinese hackers and their targeting of America:
Hackers are pervasive, their imprint inescapable. There are hacker magazines, hacker clubs and hacker online serials. A 2005 Shanghai Academy of Social Sciences survey equates hackers and rock stars, with nearly 43 percent of elementary-school students saying they “adore” China’s hackers. One third say they want to be one. This culture thrives on a viral, Internet-driven nationalism. The post-Tiananmen generation has known little hardship, so rather than pushing for democracy, many young people define themselves in opposition to the West. China’s Internet patriots, who call themselves “red hackers,” may not be acting on direct behalf of their government, but the effect is much the same.
The entire piece is worth digging into.
Tuesday, April 21
WIth the Obama administration working to overhaul cybersecurity in the U.S., online hackers and spies keep justifying that overhaul. The latest breach, as the Wall Street Journal reports, is particularly severe:
Computer spies have broken into the Pentagon’s $300 billion Joint Strike Fighter project—the Defense Department’s costliest weapons program ever—according to current and former government officials familiar with the attacks.
Similar incidents have also breached the Air Force’s air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.
Even scarier is the fact that snooping on the jet project appears to have been going on since 2007.
Wednesday, April 15
Raw Story reports that a cybersecurity bill proposed in the Senate contains language that would allow the federal government to shut down the Internet during a crisis:
The bill’s draft states that “the president may order a cybersecurity emergency and order the limitation or shutdown of Internet traffic” and would give the government ongoing access to “all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access.”
Authored by Democratic Sen. Jay Rockefeller of West Virginia and Republican Olympia Snowe of Maine, the Cybersecurity Act of 2009 seeks to create a Cybersecurity Czar to centralize power now held by the Pentagon, National Security Agency, Department of Commerce and the Department of Homeland Security.
Proponents of the bill say the provision is necessary to for the protection of America. Critics, however, are worried the bill reaches too far:
Organizations like the Center for Democracy and Technology fear if passed in its current form, the proposal leaves too much discretion of just what defines critical infrastructure. The bill would also impose mandates for designated private networks and systems, including standardized security software, testing, licensing and certification of cyber-security professionals.
“I’d be very surprised if it doesn’t include communications systems, which are certainly critical infrastructure,” CDT General Counsel Greg Nojeim told eWEEK. “The president would decide not only what is critical infrastructure but also what is an emergency.”
Adds Jennifer Granick, civil liberties director of the Electronic Frontier Foundation, “Essentially, the Act would federalize critical infrastructure security. Since many systems (banks, telecommunications, energy)are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government.”
Wednesday, April 08
Hot on the heels of the Obama administration creating a national cybersecurity czar comes word that the U.S. electrical grid has been hacked. From the Wall Street Journal:
Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”
The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”
Monday, April 06
With more and more government business being dependent upon the Internet, cybersecurity is of utmost importance.
With President Obama’s 60-day comprehensive review of US cybersecurity still underway, Sens. Jay Rockefeller (D-WV) and Olympia Snowe (R-ME) on Wednesday introduced sweeping legislation that would establish a cybersecurity “czar” within the White House and bring both governmental and private sector “critical infrastructure” under a unified regulatory regime.
The “czar”—more precisely, an Office of the National Cybersecurity Advisor within the White House—is established in a separate short-but-sweet bill running a mere three pages. It specifies that the post will be subject to Senate confirmation, and it gives the cybersecurity advisor a backstage pass to all of the federal government’s cyber-related “special access programs,” a designation given to highly secret initiatives.
The full text of the Cybersecurity Act of 2009 can be found here.