Schmidt says there are about 40 legal questions surrounding the cybersecurity initiative that the government is working on. The initiative was set to protect US networks – military, civilian and government networks as well as infrastructure systems – and to combat cyberwarfare.

The declassified plan includes information on Einstein 2 and 3, intrusion detection systems on federal networks that would detect potential threats. Wired does a great job discussing the privacy and civil liberty issues surrounding these deployments. The plan outlines several initiatives that are a part of the Comprehensive National Cybersecurity Initiative (CNCI) – see the outline here.

It is being reported that cyberattacks on the U.S. Department of Defense have jumped  sharply in 2009 with many of the hits coming from China.  Data from 2000 show that there were 1,415 incidents of attacks on department systems. 

This is a huge contrast to the 43,785 that were reported in the first half of 2009 alone.  Considering the fact that there were 54,640 incidents in all of 2008, it’s very likely that this will translate into a 60% increase in the attacks in just one year. 

Of course, with so much activity, the department has been investigating the origin of the attacks and has even spent $100 million to protect the military between September 2008 and March 2009.  Clearly, the efforts are doing little to stop the incidents.

No major details were provided in the article. The evidence shows that Chinese IP addresses are associated with much of the activity, but, because of the “decentralized nature of the Internet, it is very difficult to tell when an attack is actually generated in China, instead of simply using Chinese servers as a steppingstone.” 

There is also a pattern indicating that the attacks are coming from North Korea and the Middle East in addition to China.  

Photo credit: Rick Scavetta, U.S. Army Africa

The report says that for the fiscal year 2008, almost all 24 major federal agencies had weaknesses in information security controls. These weaknesses include issues with access control, configuration management, segregation of duties, continuity of operations and security management.

The GAO says these weaknesses are the result of security programs not being fully implemented. While control activities – such as awareness training – have gone up, several agencies reported decreased levels of testing security controls and training for employees with significant security responsibilities.

The GAO recommends that the Director of the Office of Management and Budget (OMB) make several changes to their guidance policies, including the implementation of an “approve” or “disapprove” of agency security programs after review periods. This is suggested so that agencies are held accountable for implementing effective security programs.

You can download the full report here [PDF].

6 years after FISMA was enacted, the GAO reports that poor information security is still a widespread issue in the Federal government. In the 2008 performance and accountability reports, 20 out of 24 major agencies noted that information system controls over their financial systems and information were either a “significant deficiency” or a “material weakness.”

The GAO summary notes that:

Over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agencywide information security program, as required by FISMA.

23 out of 24 agencies were found to have weaknesses in their agencywide information security programs in 2008. Although agencies reported an increased compliance in implementing security controls in 2008, the GAO notes that there are shortcomings with implementing key control activities for the year.

For fiscal year 2008 reporting, agencies reported higher levels of FISMA implementation for most information security metrics and lower levels for others. Increases were reported in the number and percentage of employees and contractors receiving security awareness training, the number and percentage of systems with tested contingency plans, and the number and percentage of systems that were certified and accredited. However, the number and percentage of employees who had significant security responsibilities and had received specialized training decreased significantly and the number and percentage of systems that had been tested and evaluated at least annually decreased slightly.

The GAO recommends that current reporting requirements change in order that inspector generals be required to report on the agencies’ effectiveness of activities, which would help determine if agencies are effectively implementing their policies, procedures and practices. The full list of GAO recommendations can be found in this PDF.

Melissa notes that our global digital infrastructure is neither secure nor resilient, driven by interoperability and efficiency rather than security. She notes that previous attempts at cybersecurity have been made in isolation and have failed; the Federal government is not organized to address this growing issue because responsibilities for cyberspace are distributed widely across federal departments and agencies.

During the 60-day review, the cybersecurity team identified 250 needs, tasks and recommendations for a national cyber security plan. The recommendation outlines a top-down approach to cyber security, with the White House leading the way and overseeing and working with other government agencies, State and local stakeholders, as well as those in academia and the industry.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. We need to demonstrate abroad and here at home that the United States takes cyberspace issues, policies, and activities seriously. Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society.

Here’s a video of Melissa’s speech:

The speech, if somewhat repetitive and littered with political fluff, does hint at many changes to come. Almost nothing was specified yet, and many are critical of it. Let’s hope the report released in a few days will specify a bit more. Attempting to muster resources on the National and International level, across the government and private sectors, won’t be an easy task!

Download Melissa Hathaway’s prepared remarks here [PDF]

The new cybersecurity legislation proposes additional changes to address issues of cyber crime, global cyber espionage and cyber attacks.

“I believe Congress must bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cybersecurity efforts in the 21st century.” – Senator Rockefeller

The Rockefeller-Snow initiative would include provisions for:

• Raising the profile of cybersecurity within the Federal government, including the aforementioned Office plus a comprehensive national strategy, a quadrennial cybersecurity review and a threat and vulnerability assessment
• Promoting public awareness and protecting civil liberties, including a legal review of the statutory and regulatory framework applicable, changes required, and a report on identity management and civil liberties
• Remaking the relationship between government and the private sector on cybersecurity, including a public-private clearinghouse for cyber threat and vulnerability information sharing, an Advisory Panel, enforceable cybersecurity standards, licensing for cybersecurity professionals, State and regional cybersecurity centers for small and medium-sized businesses, and more
• Fostering innovation and creativity in cybersecurity to develop long-term solutions, including increased recruitment for students into cybersecurity, increased funding for R&D, and an attempt to place a dollar value on cybersecurity risk

Read more about the new cybersecurity legislation being proposed here.

Via SecurityFocus ; Image: clipart

The documents outline a Metropolitan Police Service and MI5 counterterrorist operation against al-Qaeda suspects. The document revealed details for a planned arrest of terrorist suspects following a long covert surveillance operation. Steps were made to censor the photographs (only successful in Britain) and Mr. Quick’s location fearing that information would tip off the suspects. The operation was able to continue, with arrests made sooner than was planned, but it is still a major security blunder.

Bob Quick says he “deeply regretted” revealing the documents to photographers, and some people seem willing to forgive him for simply holding the paper the wrong way. However, the secret documents should not have been carried outside of secure areas in printed format – at the very least, they could have been transported in an encrypted drive. This is not the first incident where a government official has accidentally shown secret notes to the journalists who often wait outside of Downing Street.

Bob Quick resigned soon after the incidence, following a meeting with the home secretary and the Metropolitan Police commissioner.

“I have today offered my resignation in the knowledge that my action could have compromised a major counterterrorism operation.

I deeply regret the disruption caused to colleagues undertaking the operation, and remain grateful for the way in which they adapted quickly and professionally to a revised timescale.”

It is a pity that the breach was made, but the repercussions are already wide-ranging. Not only has the public outcry damaged the trust in government security, but the MPS has lost its most senior, and experienced, counterterrorism specialist. This should underscore the importance of having a clear security policy and ongoing employee training – at all levels – to ensure compliance to basic security measures.

Via Schneier

Pervasive and sustained computerbased (cyber) attacks against federal and private-sector infrastructures pose a potentially devastating impact to systems and operations and the critical infrastructures that they support. To address these threats, President Bush issued a 2003 national strategy and related policy directives aimed at improving cybersecurity nationwide. Congress and the Executive Branch, including the new administration, have subsequently taken actions to examine the adequacy of the strategy and identify areas for improvement. Nevertheless, GAO has identified this area as high risk and has reported on needed improvements in implementing the national cybersecurity strategy.

The GAO made 30 recommendations in key cybersecurity areas, including bolstering cyber analysis and warning capabilities, completing actions identified during cyber exercises, improving cybersecurity of infrastructure control systems, strengthening DHS’ ability to help recover from Internet disruptions and addressing cybercrime.

In addition to these areas identified as needing improvement, the GAO report identified 12 key strategy improvements:

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities
2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy
3. Establish a governance structure for strategy implementation
4. Publicize and raise awareness about the seriousness of the cybersecurity problem
5. Create an accountable, operational cybersecurity organization
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans
7. Bolster public/private partnerships through an improved value proposition and use of incentives
8. Focus greater attention on addressing the global aspects of cyberspace
9. Improve law enforcement efforts to address malicious activities in cyberspace
10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts
11. Increase the cadre of cybersecurity professionals
12. Make the federal government a model for cybersecurity

The GAO says that the nation’s federal and private-sector infrastructure systems remain at risk without these improvements. They suggest the new administration consider these improvements as part of the nation’s cybersecurity strategy.

Via network world

The CAG initiative is part of a larger effort to advance recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency. The goal of the consortium was to come up with a risk-based standard to counter known forms of cyber attack. The 20 actions should help the government or private organizations mitigate or prevent cyber attacks. The controls cover areas including access controls, wireless security, data leakage and training. Each control details what threat it covers and how the control could be automated & tested for effectiveness.

20 Controls & Metrics for Effective Cyber Defense

1. Inventory of authorized and unauthorized hardware.
2. Inventory of authorized and unauthorized software; enforcement of white lists of authorized software.
3. Secure configurations for hardware and software on laptops, workstations, and servers.
4. Secure configurations of network devices such as firewalls, routers, and switches.
5. Boundary Defense
6. Maintenance, Monitoring and Analysis of Complete Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection
16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training To Fill Gaps

The CAG is still in draft and they are actively soliciting criticism and suggestions. You can learn more about how to contact them here for most of March. After a public review of the standards, pilots will be conducted in several federal agencies and the draft will be reviewed and audited.

Hat tip to Dave Jevans ; Image: Clipart

Melissa Hathaway, who has served as Cyber Coordination Executive to the Director of National Intelligence, chaired the National Cyber Study Group, a group responsible for helping develop a 5-year $30 billion dollar plan to secure federal systems and infrastructure against online threats. This Comprehensive National Cyber Security Initiative (CNCI) was approved by Bush earlier last year and is still being implemented.

The new review will look at ongoing security programs, plans and activities and will develop recommendations to ensure they continue to meet the needs of both the public and private sectors. Essentially, Hathaway will be reviewing the progress of the existing CNCI plan and offering advice to keep it moving forward.

“The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties,” said Assistant to the President for Counterterrorism and Homeland Security John Brennan.

As part of her task, Hathaway will reportedly evaluate a recommendation that a special White House “cyberadviser” role be created (something Obama echoed on the campaign trail). It is suggested that this role report directly to the President rather than leaving cybersecurity to the Department of Homeland Security. This type of role would help create a comprehensive plan for cybersecurity, an issue that spans all government agencies.

Via CSO Online, Computerworld, Govtech, White House, USA Today, WSJ ; Image: clipart