News from around the Internet
Will U.S. Businesses Finally Get Some Cybersecurity?
Dec 16, 2011
"It's very targeted on solving one particular problem," says Chris Padilla, vice president of government programs at IBM, which has endorsed the bill. "How do you facilitate the sharing of information between business and government when there's an attack, and how do you shut the attack down?" Liability protection against errant lawsuits, he says, is a key part of that picture.
Then there are the cases we don't know about. An indication: Symantec sells network-security software to companies and updates that software to address new attacks it wants to protect customers against. Symantec sent out 20,254 updates in 2002. That rocketed to 113,081 in 2005. Last year—reflecting the escalating assault on U.S. companies—Symantec issued 10 million updates.
"If you think of the cyberdomain as these individual companies defending their companies, theirs is a perimeter defense," says Michael Hayden, former head of the CIA and the National Security Agency. "The NSA is way beyond the perimeter fence. We have a lot of talented players on the sidelines. This is our chance to get more of them in the game."
This article is basically a summary of the White House's recent strategic plan for federal cybersecurity, but what caught my eye were the statistics from Symantec and the quote from Michael Hayden. With the volume of malware increasing so fast (Symantec is averaging 19 updates per second!), a more tractable approach may be to profile the attackers and look for those profiles in meta-patterns in your network.
Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program
Dec 2011
A primary objective of the Federal cybersecurity R&D strategic plan is to express a vision for the research necessary to develop game-changing technologies that can neutralize the attacks on the cyber systems of today and lay the foundation for a scientific approach that better prepares the field to meet the challenges of securing the cyber systems of tomorrow. As a strategic plan, this document provides guidance for Federal agencies, policymakers, researchers, budget analysts, and the public in determining how to direct limited resources into activities that have the greatest potential to generate the greatest impact.
Currently, a chasm exists between the research community, which focuses on exercising research components in demonstration environments, and the operations community, which acquires system prototypes containing research components and implements them in operational environments. Bridging that chasm, commonly referred to as the "valley of death," requires cooperative efforts and investments by both the R&D and operations communities, and may involve significant risk-taking on the part of the private sector as it shepherds research results through the commercialization process.
This is a typical government document which focuses on broad, non-controversial themes. For example, what organization wouldn't want to (1) induce change, (2) base their work on sound scientific principles, (3) maximize the impact of research, and (4) transition research results into practice as soon as possible? Perhaps, by explicitly pointing these out, however, the White House is implicitly stating to the community, "You suck at these things. Get your act together."
Still, the document is relatively short and to the point. Where things will get interesting is when dollars start flowing. The goals are great. The document used the phrase "game-changing" or "change the game" 13 times. It is the flow of money (funding of research, allocations for operations, and buying of products) that will actually effect change. Time will tell.
China-Based Hacking of 760 Companies Reflects an Undeclared Cyber Cold War
Dec 14, 2011
"They are stealing everything that isn't bolted down, and it's getting exponentially worse," said Representative Mike Rogers, a Michigan Republican who is chairman of the Permanent Select Committee on Intelligence.
An informal working group of private-sector cybersecurity experts and government investigators identified the victims by tracing information sent from hacked company networks to spy group-operated command-and-control servers, according to a person familiar with the process. In some cases, the targets aren't aware they were hacked.
John Alexandersen, a spokesman for the Lundtofte, Denmark-based Thrane & Thrane, said although he couldn't "rule out" that hackers breached their networks, no confidential data was taken.
Erik Fallis, a spokesman for the California State University Network, said that following an investigation, "no evidence was found to suggest that this event compromised CSU assets."
This is the pattern you see over and over. At some point someone detects a breach. Investigators follow the data to a remote server somewhere. Upon investigation of that server they find lots of evidence of other sites being penetrated. When investigators contact those sites, they claim they have no evidence of anything being taken.
Of course they don't have evidence because they don't have the ability to even know when their stuff is stolen. They need to turn on their audit trails in order to have some chance of having some visibility into what is actually happening on their computers.
U.S. Homes In on China Spying
Dec 13, 2011
The Chinese cyberspying campaign stems largely from a dozen groups connected to China's People's Liberation Army and a half-dozen nonmilitary groups connected to organizations like universities, said those who were briefed on the investigation. Two other groups play a significant role, though investigators haven't determined whether they are connected to the military.
Still, diplomatic considerations may limit the U.S. interest in taking a more confrontational approach because some U.S. officials are wary of angering China, the largest holder of U.S. debt.
The U.S. is starting to name names, but decades of fiscal irresponsibility are hampering our ability to respond.
USB Sticks Lost by Railway Commuters Are Unencrypted and Often Infected
Dec 7, 2011
An analysis of [50] USB memory sticks lost on trains in Sydney revealed that two thirds of them were infected with one or more strains of malware and none was secured with an encryption solution.
Don't even think about sticking a USB stick you find into your computer.
The Future of the Electric Grid
Dec 5, 2011
The scale of investment required to improve cybersecurity [of the electric grid] is not insignificant. A 2011 EPRI report estimated that a $3.7 billion investment is needed for grid cybersecurity, although this amount is relatively low compared to its estimate of a net total investment over 20 years of between $338 and $476 billion needed to realize the benefits of the smart grid. But as GAO points out in a 2007 report, it is difficult to make the business case for investing in critical infrastructure cybersecurity because the probability of a serious event is still very low and the consequences are so difficult to quantify.
The lack of a business case to invest in cybersecurity doesn't leave me with a warm comfortable feeling. The amount planned for cyber security is only about 1% of the investment costs for the smart grid. If the electric grid goes down, pretty much everyone's networks will go down shortly.
No Austerity in Cybersecurity: Double-Digit Growth Predicted
Nov 30, 2011
A new forecast for cybersecurity spending cements the industry's status as a growth sector, rather than a passing fad. The study, published Dec. 1, predicts more defense contractors will be scooping up information-technology companies in the coming years as a means to capture market share.
Analysts at the global accounting and auditing firm PwC project that overall global cybersecurity spending will reach $60 billion in 2011, and will grow at a rate of 10 percent annually during the next three to five years.
Army Gen. Keith Alexander, commander of U.S. Cyber Command, has described the theft of sensitive information and trade secrets from corporate networks as staggering and the "greatest raid on intellectual property" in history.
The last quote doesn't square with the first quote. As can be seen in the other articles cited here, the current technologies are not stopping the "greatest raid on intellectual property". Instead of buying "market share", companies should be investing in and buying original solutions.
2011 Report to Congress of the U.S.-China Economic and Security Review Commission
Nov 2011
This report responds to the mandate for the Commission "to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China."
In continuation of previous practice, China in 2011 conducted and supported a range of malicious cyber activities. These included network exploitations to facilitate industrial espionage and the compromise of U.S. and foreign government computer systems. Evidence also surfaced that suggests Chinese state-level involvement in targeted cyber attacks.
I didn't even realize such a commission existed. There is really nothing new here, at least if you read this blog.
The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world
Nov 2011
Around half of the £650 million funding will go towards enhancing the UK's core capability, based mainly at GCHQ at Cheltenham, to detect and counter cyber attacks. The details of this work are necessarily classified, but it will strengthen and upgrade the sovereign capability the UK needs to confront the high-end threat.
GCHQ is home to world-class expertise in cyber security. Government will explore ways in which that expertise can more directly benefit economic growth and support the development of the UK cyber security sector without compromising the agency's core security and intelligence mission.
Government Communications Headquarters (GCHQ) sounds like the UK's version of Cyber Command. The report hits on the standard messages for government reports on cyber crime and cyber espionage.
National Counterintelligence Office: Foreign Spies Stealing US Economic Secrets in Cyberspace
Oct 2011
This report differs from previous editions in three important ways. The first and most significant is the focus. This report gives special attention to foreign collectors' exploitation of cyberspace, while not excluding other established tactics and methods used in foreign economic collection and industrial espionage. This reflects the fact that nearly all business records, research results, and other sensitive economic or technology-related information now exists primarily in digital form.
Many victims of economic espionage are unaware of the crime until years after loss of the information.
Estimates from academic literature on the losses from economic espionage range so widely as to be meaningless—from $2 billion to $400 billion or more a year—reflecting the scarcity of data and the variety of methods used to collect losses.
Just say "it's a lot of money", and many, if not most, victims don't even know they are being robbed.