Evidently, according to a Defense Science Board study, the Pentagon needs to address institutional change to deal with the new threat environment. Interesting categorization of surprises as “surprise” surprises and “known” surprises.
Among the “known surprises” are threats in the cyber realm, space and nuclear regimes. The study’s authors conclude that the US has made a start in dealing with the cyber threat “but we still have a large, difficult and costly way to go.” To mitigate those risks the chairman of the Joint Chiefs must initiate a series of exercises to gauge “what and how deep our vulnerabilities are.” Also, the services and combatant commands must improve the ability of critical information systems to resist attack.
So, where are the thought leaders on weaponizing cyber capabilities?
Parry Aftab notes that when COPPA first became effective, a lot of children’s websites simply went away — presumably because the owners could not manage or understand the COPPA requirements. And, for those that remain:
While the sites want to do the right thing, they are often adopting “do it yourself” methods that violate the law or put kids at risk unintentionally. Best practice standards for the kids Internet industry are new and require professional guidance.
How do you measure the cost of compliance? Should those costs be transparent when policies are created?
How much easier would it be to manage risk in an organization if you were able to divine the mood of the staff? Robert Scoble has this interesting comment from his talk with
**Facebook is, he told me, studying “sentiment” behavior. It hasn’t yet used that research in its public service, but is looking to figure out if people are having a good day or bad day. He said that already his teams are able to sense when nasty news, like stock prices are headed down, is underway. He also told me that the sentiment engine notices a lot of “going out” kinds of messages on Friday afternoon and then notices a lot of “hungover” messages on Saturday morning. He’s not sure where that research will lead. We talked about how sentiment analysis might lead to a new kind of news display in Facebook. Knowing whether a story is positive or negative would let Facebook pick a good selection of both kinds of news, or maybe even let you choose whether you want to see only “happy” news.**
The ISTTF is the first task force of its kind in the United States. And, although it may not have provided major new findings, it did get things jump-started. The National Telecommunications and Information Administration’s (NTIA) working group will be announced very shortly and hopefully one under the guidance of the Federal Trade Commission (FTC) will be compiled. The Attorneys General are seeking more concrete recommendations and an action plan. And the members of the ISTTF are looking for the opportunity to provide those concrete recommendations.
A journey, not a destination…we need to remember that.
SecurityFix presents interesting analysis concerning Conficker — seems the creators don’t mind soiling their native lands.
According to an analysis by Microsoft engineers, the original version of the Downadup (a.k.a. “Conficker”) worm will quit the installation process if the malware detects the host system is configured with a Ukrainian keyboard layout. However, the latest variant has no such restriction. Stats collected by Finnish computer security firm F-Secure show that Russia and Ukraine had the second and fifth-largest number of victims from the worm, 139,934 and 63,939, respectively, as of Tuesday, Jan. 20.
PII should be graded by “PII confidentiality impact level,” the degree of potential harm that could result from the PII if it is inappropriately revealed. For example, an organization might require appropriate training for all individuals who are granted access to PII, with special emphasis on moderate- and high-impact PII, and might restrict access to high-impact PII from mobile devices, such as laptops and cellphones, which are generally at greater risk of compromise than non-portable devices, such as desktop computers at the organization’s headquarters.
Would be interesting to know how much these standards will cost to implement.
“If you’re looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon,” said Rick Wesson, chief executive of Support Intelligence, a computer security consulting firm based in San Francisco.
Cyber Security. Given the increasingly sophisticated number of threats to all areas of national cyberspace and considering the authorities provided by the Homeland Security Act, the Post-Katrina Emergency Management Reform Act, and Homeland Security Presidential Directive 23/National Security Presidential Directive 54, what are the authorities and responsibilities of DHS for the protection of the government and private sector domains, what are the relationships with other government agencies, especially the departments of Defense, Treasury, and Energy, and the National Security Agency, and what are the programs and timeframes to achieve the department’s responsibilities and objectives? An oral report is due by Feb. 3, with a final report due Feb. 17.
“One of my top priorities is to unify this department and to create a common culture. These action directives are designed to begin a review, evaluation and dialogue between the various functions of this department and me,” said Secretary Napolitano.
DHS intends to revitalize its relationship with state, local, and tribal governments effective immediately with the intent of creating a working partnership.
Critical infrastructure protection. — This entails extensive dealings with other federal agencies, states, and the private sector, involving collaboration, data collection, risk analysis, and sharing of best practices.
Risk analysis. — What is the status of risk analysis metrics and what is the plan and time frame for setting up a full-blown system to govern the establishment of critical infrastructure programs, the priorities among national planning scenarios, and the distribution of grants to state, local, and tribal entities? More broadly, how can DHS enhance risk management as the basis of decision making?
State and local intelligence sharing. Provide an evaluation of which activities hold the most promise for achieving the smooth flow of information on a real time basis.
The inventory and evaluation should take into account the voices of all stakeholders, especially state, local and tribal entities.
The evaluation should also consider the private sector’s perspective and its relationship to these stakeholders.
Cyber security and the protection of the technology critical infrastructure have been a top priority in Arizona. As Attorney General, I created the Computer Crimes Unit to train law enforcement in the identification and investigation of cybercrimes; the Unit successfully prosecuted some of the first cybercrime cases in Arizona. As Governor, I created the Statewide Information Security and Privacy Office to ensure adequate controls and safeguards are in place for all State of Arizona government technology systems and business practices.
Barack Obama and Joe Biden — working with private industry, the research community and our citizens — will lead an effort to build a trustworthy and accountable cyber infrastructure that is resilient, protects America’s competitive advantage, and advances our national and homeland security. They will:
Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.
SecurityFix is a great place to watch developments in this regard.
The Heartland breach also showed that in spite of the adoption of more stringent standards and tougher oversight by banks and credit card companies, consumers are still vulnerable. All this is happening after credit card companies and merchants spent over $2 billion on establishing the Payment Card Industry standards, Ms. Litan said. “And yet the breaches continue and they get more serious.”
Standards are promoted by both industry and DHS as the means to manage the issue. So, what do you do when standards are not enough?
More from the Post on how long it took to discover how the breach was made:
Robert H.B. Baldwin Jr., president and chief financial officer of Heartland Payment Systems, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports from MasterCard and Visa in October.
Heartland called the U.S. Secret Service, which investigates financial crimes, and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software on the company’s processing network was recording payment card data as it was being sent to Heartland by thousands of the company’s retail clients.
Baldwin said Heartland does not know how the software got there, how long it was in place, or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.
More than 40 states have laws that require businesses to disclose when sensitive information may have been accessed by an unauthorized party. In 2008, 656 such incidents were reported, according to the nonprofit Identity Theft Resource Center, up from 446 in 2007.