Schmidt says there are about 40 legal questions surrounding the cybersecurity initiative that the government is working on. The initiative was set to protect US networks – military, civilian and government networks as well as infrastructure systems – and to combat cyberwarfare.

The declassified plan includes information on Einstein 2 and 3, intrusion detection systems on federal networks that would detect potential threats. Wired does a great job discussing the privacy and civil liberty issues surrounding these deployments. The plan outlines several initiatives that are a part of the Comprehensive National Cybersecurity Initiative (CNCI) – see the outline here.

The Cyber Security Research and Development Act of 2009 (HR 4061) would create new research and education programs at the National Science Foundation and the National Institute of Standards and Technology to promote research in cybersecurity and to attract more teachers and students to the field.

“This bill will help improve the security of cyberspace by ensuring federal investments in cybersecurity are better focused, more effective, and that research into innovative, transformative security technologies is fully supported,” said Symantec CTO Mark Bregman. “HR 4061 represents a major step forward towards defining a clear research agenda that is necessary to stimulate investment in both the private and academic worlds, resulting in the creation of jobs in a badly understaffed industry.”

Aside from the scholarly aspect, the new bill would develop an awareness program to help consumers, organizations and government bodies to keep their computers secure. The National Institute of Standards and Technology has been tasked with improving development of new identity management systems used to control access to buildings, networks and data.

If the bill becomes law, NIST would have one year to develop a plan for Congress about how it would participate in creating International cybersecurity standards and would have 90 days for a plan on its cybersecurity awareness program.

Via CNet & opencongress

Cyber attacks are a growing issue to organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that organizations are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software is remaining un-patched and websites are not being scanned for common flaws that criminals use to exploit visitors to those sites.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

The ultimate goal of attackers is to steal information and to install “back doors” so that the attacker can return to further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce your risk of being exploited. What this also means is that the question of Mac vs PC is not going to be your solution to mitigating risk, as these risks come from cross-platform applications and from the Internet.

The report, which is available here, targets major organizations who want to ensure their defenses are up to date. The report shows some interesting patterns to data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print this report off to study the graphs in detail.

The Midyear Security Report provides an overview of Cisco security intelligence, including information about new threats and trends, for the first half of 2009. Highlights from the Report:

• Criminals are exploiting traditional vulnerabilities because they believe security experts and users are paying little attention to these types of threats.
• Compromising legitimate websites to propagate malware remains a highly effective technique
• Web 2.0 applications have become lures for criminals
• Criminals are now targeting online banking customers using well-designed, localized text message scams
• The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are following suit.
• Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly.

Given the interest in insider threats, the report also details a possible increase in this threat given the current economic instability. This section of the report simply reiterates other studies and articles on the topic, simply providing context for what could be a growing security trend.

Download the report here.

Via eweek

H*Commerce, Hacker Commerce, is the “business of making money through the illegal use of technology to compromise personal and business data.” The new series will air 6 episodes, one episode being added every two weeks. Each episode involves real people doing normal online activities who are then attacked by cybercriminals. Each episode focuses on real stories in a documentary-style.

Here is the first webisode, “Unexpected Beginnings”, telling the story of Janella Spears, who lost more than $440,000 as the result of an email scam. The video explores the effects this cybercrime had on Janella and her family as well as Janella’s education in how to clean her system, handle hackers and stop cybercrime scams.

McAfee also recently launched a Cybercrime Response Unit designed to help victims of cybercrime.

Melissa notes that our global digital infrastructure is neither secure nor resilient, driven by interoperability and efficiency rather than security. She notes that previous attempts at cybersecurity have been made in isolation and have failed; the Federal government is not organized to address this growing issue because responsibilities for cyberspace are distributed widely across federal departments and agencies.

During the 60-day review, the cybersecurity team identified 250 needs, tasks and recommendations for a national cyber security plan. The recommendation outlines a top-down approach to cyber security, with the White House leading the way and overseeing and working with other government agencies, State and local stakeholders, as well as those in academia and the industry.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. We need to demonstrate abroad and here at home that the United States takes cyberspace issues, policies, and activities seriously. Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society.

Here’s a video of Melissa’s speech:

The speech, if somewhat repetitive and littered with political fluff, does hint at many changes to come. Almost nothing was specified yet, and many are critical of it. Let’s hope the report released in a few days will specify a bit more. Attempting to muster resources on the National and International level, across the government and private sectors, won’t be an easy task!

Download Melissa Hathaway’s prepared remarks here [PDF]

The new cybersecurity legislation proposes additional changes to address issues of cyber crime, global cyber espionage and cyber attacks.

“I believe Congress must bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cybersecurity efforts in the 21st century.” – Senator Rockefeller

The Rockefeller-Snow initiative would include provisions for:

• Raising the profile of cybersecurity within the Federal government, including the aforementioned Office plus a comprehensive national strategy, a quadrennial cybersecurity review and a threat and vulnerability assessment
• Promoting public awareness and protecting civil liberties, including a legal review of the statutory and regulatory framework applicable, changes required, and a report on identity management and civil liberties
• Remaking the relationship between government and the private sector on cybersecurity, including a public-private clearinghouse for cyber threat and vulnerability information sharing, an Advisory Panel, enforceable cybersecurity standards, licensing for cybersecurity professionals, State and regional cybersecurity centers for small and medium-sized businesses, and more
• Fostering innovation and creativity in cybersecurity to develop long-term solutions, including increased recruitment for students into cybersecurity, increased funding for R&D, and an attempt to place a dollar value on cybersecurity risk

Read more about the new cybersecurity legislation being proposed here.

Via SecurityFocus ; Image: clipart

Pervasive and sustained computerbased (cyber) attacks against federal and private-sector infrastructures pose a potentially devastating impact to systems and operations and the critical infrastructures that they support. To address these threats, President Bush issued a 2003 national strategy and related policy directives aimed at improving cybersecurity nationwide. Congress and the Executive Branch, including the new administration, have subsequently taken actions to examine the adequacy of the strategy and identify areas for improvement. Nevertheless, GAO has identified this area as high risk and has reported on needed improvements in implementing the national cybersecurity strategy.

The GAO made 30 recommendations in key cybersecurity areas, including bolstering cyber analysis and warning capabilities, completing actions identified during cyber exercises, improving cybersecurity of infrastructure control systems, strengthening DHS’ ability to help recover from Internet disruptions and addressing cybercrime.

In addition to these areas identified as needing improvement, the GAO report identified 12 key strategy improvements:

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities
2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy
3. Establish a governance structure for strategy implementation
4. Publicize and raise awareness about the seriousness of the cybersecurity problem
5. Create an accountable, operational cybersecurity organization
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans
7. Bolster public/private partnerships through an improved value proposition and use of incentives
8. Focus greater attention on addressing the global aspects of cyberspace
9. Improve law enforcement efforts to address malicious activities in cyberspace
10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts
11. Increase the cadre of cybersecurity professionals
12. Make the federal government a model for cybersecurity

The GAO says that the nation’s federal and private-sector infrastructure systems remain at risk without these improvements. They suggest the new administration consider these improvements as part of the nation’s cybersecurity strategy.

Via network world

Melissa Hathaway, who has served as Cyber Coordination Executive to the Director of National Intelligence, chaired the National Cyber Study Group, a group responsible for helping develop a 5-year $30 billion dollar plan to secure federal systems and infrastructure against online threats. This Comprehensive National Cyber Security Initiative (CNCI) was approved by Bush earlier last year and is still being implemented.

The new review will look at ongoing security programs, plans and activities and will develop recommendations to ensure they continue to meet the needs of both the public and private sectors. Essentially, Hathaway will be reviewing the progress of the existing CNCI plan and offering advice to keep it moving forward.

“The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties,” said Assistant to the President for Counterterrorism and Homeland Security John Brennan.

As part of her task, Hathaway will reportedly evaluate a recommendation that a special White House “cyberadviser” role be created (something Obama echoed on the campaign trail). It is suggested that this role report directly to the President rather than leaving cybersecurity to the Department of Homeland Security. This type of role would help create a comprehensive plan for cybersecurity, an issue that spans all government agencies.

Via CSO Online, Computerworld, Govtech, White House, USA Today, WSJ ; Image: clipart