Cybersecurity News

In a letter to the editor this morning in the Washington Post, Philip Reitinger, deputy undersecretary for national protection and programs at the Department of Homeland Security, pointed out that “Cybersecurity has come a long way since September 11.”

Reitinger’s comments come as rebuttal to DHS Inspector General Richard Skinner’s announcement last week that the Department was experiencing shortfalls in the cybersecurity office, the US-CERT.

While Reitinger may be right that the US has made cybersecurity strides over the past nine years, it seems cybersecurity has also picked up momentum over the past few days.

According to The Hill, the Senate Committee on Homeland Security and Governmental Affairs yesterday moved to approve Sens. Lieberman, Collins and Carper’s comprehensive cybersecurity bill, The Protecting Cyberspace as a National Asset Act.  That is, after the much debated “kill switch” portion of the bill was amended “to limit the president’s authority in the event of a cyber emergency.”
Read more…

Over the past few weeks, we’ve been closely following new cybersecurity legislation introduced by Sens. Lieberman, Collins and Carper, a 197-page bill that, among other things, would provide the President with the emergency authority to shut down the nation’s Internet connectivity in the event of a major cyber attack on the United States.

Deemed an Internet “kill switch,” the bill’s suggested presidential power has made its way into the limelight as government types, tech execs, privacy wonks and the media alike are all debating the idea of a cyber shutdown and whether or not some sort of ‘blockading button’ could actually exist to carry out the kill.

CNET reports that “Industry and civil liberties groups have worried about the ability to shut down parts of the Internet and raised concerns about ‘the potential for absolute power.’”

According to the Huffington Post, other groups, such as the leading technology trade association, TechAmerica, are also criticizing the bill, warning of the possible power trip and “expressing reservations about the ‘unintended consequences’ that would result from the legislation’s regulatory approach.”

Meanwhile, an article in Time magazine reports that “Other countries are also decrying the bill, fearing the impact on their own security if the US were to shut down essential parts of the Internet.”

Keeping other countries in mind, let’s rewind to July 4, 2009.  Independence Day in the United States…

North Korea’s leader, Kim Jong-il, had just appointed his Number Three Son, Kim Jong-un to be his successor. And – in what is believed to be the country’s attempt to prove to the world that Jong-un’s power paraelleled his father’s – North Korea launched a series of Distributed Denial of Service (DDOS) cyber attacks on US and South Korean government and corporate websites.
Read more…

Yesterday Cybersecurity News reported that DHS Inspector General Richard Skinner was expected to announce the US Computer Emergency Readiness Team (US-CERT), the Department’s cybersecurity unit, lacks the authority and manpower needed to protect the nation from cyber attacks.

Skinner’s announcement appears to have struck a nerve… at least in the media.  This morning, headlines include:  The Associated Press – “US lacks staff, power to protect networks.”  CNN – “US vulnerable to cyber threats, experts warn.”  The Hill –  “Inspector General: DHS lacks authority, staff to protect federal networks.”  Network World -  “DHS has dropped the ball on network security.”  Information Week –   “Inspector General criticizes cybersecurity efforts.”  And a Cybersecurity News personal favorite, from Wired’s Danger Room – “DHS geek squad: No power, no plan, lots of vacancies.”

And while the DHS staggers to find a solution to cybersecurity woes, it appears the Senate may already have one.  A press release yesterday from the Senate Homeland Security and Government Affairs Committee reported: “House leaders announce support for Lieberman, Collins, Carper cybersecurity bill.”

According to the release, House Homeland Security Committee, Intelligence Subcommittee Chair Rep. Jane Harman (D-CA) and the Committee’s Ranking Member, Peter King (R-NY) will introduce the Senate cybersecurity legislation into the House by the end of the week.

Also covering the bill’s growing support, the National Journal said Rep. Harman believes “urgency is needed to address major gaps in the government’s efforts to protect federal IT systems and those that run critical private infrastructure, such as electrical grids and telecommunications systems.”

Meanwhile, an article in Politico this morning points out that several key points remain in the debate for ideal cyber legislation.  One being that – Sens. Rockefeller (D-WV) and Snowe (R-ME) introduced a cybersecurity bill earlier this year, which unlike the Lieberman-Collins-Carper legislation, does not require Congressional approval for the President to make a decision in the event of an attack.  The two bills are also divided on the link between private and public sector roles, as well as the idea of the President reigning supreme with an Internet “kill switch.”
Read more…

The National Journal is reporting this morning that DHS Inspector General Richard Skinner will testify before Congress today to warn that a key government cybersecurity unit – The US Computer Emergency Readiness Team (US-CERT) – lacks the authority and expertise needed to protect federal information technology networks.

Skinner is scheduled to announce his findings at a hearing before the House Homeland Security Committee today, just one day after the Senate Homeland Security and Governmental Affairs Committee held a hearing for Sens. Lieberman, Collins and Carper’s cybersecurity legislation.  Aware of Skinner’s report, the Senate trio used the findings to leverage support for their new bill, which calls for a complete overhaul of the government’s current handlings of our nation’s cybersecurity.

According to the National Journal, Philip Reitinger, DHS deputy undersecretary, said “The department is deploying a technology system called ‘Einstein’ to federal agencies to help detect and stop electronic attacks.”  But Inspector General Skinner is prepared to note that several agency network upgrades are needed before Einstein can effectively be deployed.

Bottom line, Skinner plans to testify:  “The US-CERT does not have the appropriate enforcement authority to ensure that agencies comply with mitigation guidance concerning threats and vulnerabilities.”
Read more…

Making Cybersecurity News this morning, in an interview with the American Forces Press Service, US Deputy Secretary of Defense, William Lynn III, warned yesterday that links between the US and Canada “are so strong that a cyber attack on one would be felt within milliseconds by the other, and both countries must work together to improve cybersecurity.”  Included on his list of affected links, Lynn mentioned US and Canadian military, infrastructure, economics and telecommunications would all suffer in the event of a cyber attack.

Meanwhile, following up on the latest iPad security breach, the FCC’s “Reboot” blog published an article on “Staying safe from cyber snoops.”  The blogger, Joel Gurin, Chief of the Consumer and Governmental Affairs Bureau for the FCC, does little to address consumer concerns, but rather passes readers on to an FTC “guide to wireless safety,” where – by using a provided glossary – readers can attempt to retrieve information on wireless security.

But CNET’s Elinor Mills took a different approach to addressing the breach.  On her blog, “InSecurity Complex,” Mills acknowledged AT&T’s apology for the data leak, but said the company “mostly used the e-mail [apology] to blame the hackers who discovered the problem instead of accepting responsibility for its own security oversight.”  While Mills noted that the hackers were right to expose the hole, she advised, “It’s time for the industry to come up with standards for [hole] disclosure that are ethical and which protect consumers from threats while giving vendors and Web site owners adequate time to address the vulnerabilities.”

And stay tuned to Cybersecurity News as we follow this afternoon’s 3 PM Senate Homeland Security Committee hearing on Sens. Lieberman, Collins and Carper’s latest cybersecurity legislation…
Read more…

Another day, another attack … That may be the attitude of the South Korean government this morning, as the Associated Press reports that two more cyber attacks hit the country’s government websites over the weekend.

According to the AP, an investigation is underway, with all eyes looking to North Korea, after speculation that the country is running an “Internet warfare unit aimed at hacking into US and South Korean military networks to gather information and disrupt service.”

But it appears that the US isn’t waiting around for the possibility of an attack.  As new cybersecurity measures continue to propagate in the House and Senate, The Protecting Cyberspace as a National Asset Act, introduced last week, continues to gain support, with The Hill now reporting that a 2:30 PM hearing will take place tomorrow to discuss the bill’s vitality.

Sen. Susan Collins (R-ME), co-sponsor of the legislation, urged, “We cannot afford to wait for a ‘cyber 9/11′ before our government finally realizes the importance of protecting our digital resources, limiting our vulnerabilities and mitigating the consequences of penetrations of our networks.”

And while some technology corporations will spend thousands to lobby the legislation, Politico takes a look at one company that could care less about Capitol Hill –  Apple.  According to the article in today’s paper, Apple’s low profile on the Hill is “irking” some members of Congress.  Sen. Jay Rockefeller (D-WV), co-sponsor of the Cybersecurity Act of 2010, is particularly concerned that the company may have “more than technical innovations to hide.”
Read more…

Yesterday we saw the roll-out of new cybersecurity legislation co-sponsored by a Senate trio.  This morning Federal News Radio reports that that legislation, the “Protecting Cyberspace as a National Asset Act of 2010,” is on the “fast track” to becoming law.  According to the news station, Sen. Lieberman is planning a June 15 hearing, will mark up the bill a week later, and anticipates having the bill out of the committee by July 4 recess.

Also on the fast track, earlier this week we learned of the “high possibility” of North Korea hitting South Korea with a cyber attack during the upcoming G-20 Summit.  Now the AFP is reporting that a cyber attack, believed to be from North Korea, has already hit one of South Korea’s government websites, infecting the system for nearly three hours.

And leave it to Fox News to bring us the cybersecurity-scare tactic term: “Electronic Armageddon.”  Citing “high-energy electric pulses from the sun,” Fox reports that our electrical grid could falter if Congress does not provide funding to fix the potential problem.  According to the article, a recently passed House measure, “The Grid Reliability and Infrastructure Defense Act” would “amend the Federal Power Act to protect the bulk-power system and electric infrastructure critical to the defense of the United States against cybersecurity and other threats and vulnerabilities.”
Read more…

Several key media, including Business Week, are reporting this morning that new cybersecurity legislation will be rolled out today by Sens. Joe Lieberman (I-CT), Susan Collins (R-ME) and Tom Carper (D-DE).

The new measure, to be announced at an 11:30 AM press conference, would aim to provide the president with certain specific powers in the event of a major cyber attack.  The legislation would also create a White House Office of Cyberspace Policy, and the president would be required “to inform Congress in advance of what measures are being taken. The measures would expire in 30 days unless renewed by the president.”

“Our economic security, national security and public safety are now all at risk from new kinds of enemies, cyber- warriors, cyber-spies, cyber-terrorists and cyber-criminals,” Sen. Lieberman announced in a statement. “The need for this legislation is obvious and urgent.”
Read more…

The Scottish Herald is reporting this morning that a cyber attack shuttered the website of the Strathclyde Police.  According to the report, the Scottish police force shut down its site for nearly 24 hours “after a number of weblinks appeared that diverted users to a Chinese site with a history of distributing viruses.”

While the cybersecurity world knows all too well that a China-based attack is not a novel concept, in an article published this morning by Xinhua, China’s official press agency, it appears that the nation may be trying to repair its global cyber image.  To “beef up” cybersecurity, the press agency reports that “China is taking actions to attack on-line criminals while guarantying openness of the Internet.”  The article goes on to mention that “Legislation is in place against the illegal use of the Internet.”

And in further attempts to boost cybersecurity in China and across the globe, NPR ponders the question, “Does averting cyberwar mean giving up web privacy?”  In a Morning Edition feature, Princeton cybersecurity expert, Rebecca MacKinnon, told NPR, “Criminals and militaries are most likely going to figure out ways to do what they need to do on the Internet and minimize their traceability… The people who are really going to be hurt are dissidents in countries like China or Iran.”
Read more…

A hard hit for NATO this week.  While reports trickled in that insurgents killed 12 NATO soldiers on Monday in the “worst single day for the foreign forces operating in Afghanistan,” The Times (UK) reported a series of Russian-based cyber attacks on NATO members, as well as “warnings from intelligence services of the growing threat from China.”  According to the paper, the organization will consider the use of military force to protect NATO members in the event of future online attacks.

But cyber threats span beyond China.  In an article in the Korea Times, military leaders warned of the “high possibility” that North Korea will rock South Korean networks with cyber attacks during the upcoming G-20 Summit in Seoul.

Back in the States, The New New Internet said that a hacker took more than $640K from the NYC Department of Education.  According to the report, investigators were able to track the stolen funds, resulting in a 364-day federal prison sentence for the hacker, as well as $275,188.67 owed in restitution.

And Google continues to make Cybersecurity News this morning, as NASDAQ notes that the Internet search giant has hired a leading security firm to examine how its software “inadvertently gathered Internet users’ private data transmitted over unsecured wireless networks.”