Recent Posts

Lieberman Aide: Cybersecurity Executive Order Will Move Forward No Matter What

A top aide to cybersecurity legislation proponent Senator Joseph Lieberman (I-CT) said today that the administration will move forward on a cybersecurity executive order no matter what happens in the presidential election next Tuesday.  Speaking at a cybersecurity summit hosted by the Washington Post, Jeff Ratner, Counsel and Senior Advisor for Cybersecurity, Senate Homeland Security & Government Affairs Committee said "regardless of what happens on Tuesday, the executive order will move forward" because the Obama administration does not view cybersecurity as a political issue as much as it does a vital issue of national security.

What then will the Congress do given that Senator Majority Leader Harry Reid (D-NV) has announced his intention to bring up a cybersecurity bill during the upcoming lame duck Congressional session?  Ratner indicated that any cybersecurity bill that follows the executive order will likely fill in the gaps that the executive order cannot legally address, such as offering liability protection to critical infrastructure industries covered by the bill.  This protection offers affected companies some insulation from civil or criminal prosecution for activities carried out under the bill (such as information sharing) if conducted in good faith.  (A lot of debate has cropped up regarding what constitutes good faith under earlier legislative language and how effective the liability protection provisions are).

"Much of what we did in our new bill in Title I can be done via executive order," Ratner said.  "What can’t be done is the incentives.  You can’t offer [via executive order] incentives like liability protections, which the Congress can."

Kicking off the event, Department of Homeland Security Secretary (DHS) Janet Napolitano likened the effect of a cyberattack to Frankenstorm Sandy, and likened DHS to FEMA, the Federal Emergency Management Agency.  "We look and act like a cyber-FEMA," she said.

Whether DHS should have that kind of power, as is likely under the Executive Order and as was specified in cybersecurity legislation, has been subject to heated debate.  "People don't think DHS should be given more authority," Jim Lewis, Senior Fellow and Program Director at CSIS said.  But then the problem becomes:  which arm of the federal government should be given authority?

One other logical government agency that could be assigned cybersecurity responsibility is the National Security Agency (NSA). "When you say to people that you want to put NSA in charge of public information, it doesn’t bring screams of joy," Lewis joked.  How about the FBI, the other government arm arguably qualified to do the job?  Affected industries are bound to ask "am I going to want the FBI crawling over our networks?" Lewis said.  By default, for now, the DHS seems the best, if not optimal, government agency to take on the task.

Hurricane Sandy’s Crucial Technology Chain

Hurricane Sandy, with its wide swath of destruction and long duration, served as a case study of how important technology, particularly communications technology, has become during a crisis situation.  Most of us in Sandy’s path spent at least some time glued to our big and small screens over the past few days, but it’s interesting to take a step back and look at the very complex chain of technology that made surviving the storm easier. 

The following are just some of the crucial links in the technology chain surrounding the big storm.
  • Weather Satellites:  Most of the intelligence and analysis that gave us all uncannily accurate and advance warning of the hybrid conditions that would foster this superstorm came from satellites that fly pole-to-pole, taking snapshots and measurements of the entire earth’s conditions and producing data that make weather prediction a far more exact science than in decades past.    These satellites, however, are aging and bad planning by the Department of Commerce’s National Oceanic and Atmosphere Agency threatens to soon leave the U.S. with a potential three-year gap before replacement satellite capability can resume the data gathering capabilities.  Launching one of these birds takes a lot of advanced work and money (“it’s not simply like replacing a burned-out light bulb,” American Meteorological Society President-Elect J. Marshall Shepard said) and so far no good solution to the impending weather satellite intelligence drought has emerged. 
  • A Smarter Energy Grid:  The most fundamental technology that maintains acceptable quality of life during and after a weather emergency is electric power.  Although millions of homes are still without power in the Northeast, the situation could have been a lot worse, particularly in the DC and mid-Atlantic regions served by Pepco, which left hundreds of thousands of homes sweltering in triple-digit misery after the big derecho storm in July.  This go-around Pepco fared far better in maintaining and restoring power, with comparatively few homes in its service territory suffering lengthy outages.  Part of Pepco’s turn-around is no doubt a result of political heat placed on the utility by powerful people, including Democratic Maryland Governor Martin O’Malley, one of the party’s rising stars.  But part of the utility’s improved performance might be traced back to its ramped-up deployment of smart grid technology, two key benefits of which are improved resiliency and reduced power restoration time.  “Smarter” grid improvements by hard-hit New York area utilities and pre-emptive shut downs by ConEd may also be making the electricity down times shorter even though that region is still suffering widespread outages.
  • Smart Phones:  Not only were smart phones the top choice for connecting to the Internet during power outages, but they also served as Internet hot spots for some users.  And crucial services, including utilities and emergency responders, devised mobile apps for communications or urged affected citizens to stay in touch via handheld devices.    Flooding and power outages disrupted mobile  and other forms of communications throughout the storm-hit areas, but thousands of tweets and Facebook posts attest to the popularity of smart phones as a critical means of staying connected during the deluge.
  • Twitter:  Without a doubt, Twitter was a prime, if not the prime, news source for timely information during Sandy, serving as a real-time newswire that proved more informative than most newspapers and news channels.  In fact, the most useful information on most traditional newspaper websites came from curated tweets, with the “real” news articles often dated and inaccurate by the time they were posted.  Government officials and politicians (including heavily damaged Newark’s mayor Cory Booker) used Twitter as a primary mode of communications throughout the crisis.
  • Big Data:  Big data played a very useful role during the storm, helping to map everything from transportation problems to school closing to power outages.  The granddaddy of big data analytics, Google, created a SuperStorm Sandy mapping tool that detailed everything from power outages to emergency shelter locations to evacuation routes to live webcams.
  • Emergency Response Communications:  Although it’s too soon to say how well the first-responder community fared across the multiple states where Sandy hit, the storm does serve as an object lesson regarding why the upcoming First Responder Network, authorized under the Middle Class Tax Relief and Job Creation Act of 2012, is needed .  FirstNet will be a nationwide interoperable broadband communications network that allow emergency responders, including police, firefighters and emergency medical personnel, to have access to a common network dedicated to public safety purposes.
Update:  Right after posting this piece, I read Josh Smith's piece about how both TV broadcasters and wireless carriers are making their arguments for more spectrum on the basis of the vital information roles they played during Sandy.  I realize, dumbfounded, I left out television and radio out altogether in the crucial technology chain.  I suppose that most people do indeed watch broadcast stations during storms these days, but as Mathew Ingram noted, much of the TV reports "amounted to reading reports from Twitter, and interviewing their own news reporters standing hip-deep in the water in places like Atlantic City or Battery Park."  Radio is, of course, different and important.  But the fact that I genuinely "forgot" about TV and radio speaks volumes, whether it's about my skills as a media analyst or about the fading away of traditional broadcasting as an important communications tool in the U.S., I'm not sure.

Panetta Issues Cybersecurity Clarion Call...But Why?

The big cybersecurity news of the week is Defense Secretary Leon Panetta's high-profile clarion call for the Congress to pass a cybersecurity bill because the U.S.otherwise faces a possible "cyber-Pearl Harbor."  During his speech at an award dinner hosted by a group of security-focused business executives, Panetta also hinted that the government's interest isn't merely in defending against critical cyber threats but could extend to something more proactive.  "If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president," Panetta said. 

The speech is notable for three things. First, it's the most comprehensive statement by the Defense Secretary on the issue.  Secondly, it's clearly timed to either push the Congress into immediate action on passing a cybersecurity bill during the lame duck Congress or provide the President with enough rhetorical cover if he does issue an executive order on cybersecurity.  Finally, although the spin by administration flacks was that Panetta was disclosing new previously classified threats in his speech, the examples he offered -- DDoS attacks on U.S. financial institutions and the Shamoon malware that plagued Aramco and RasGas late this summer -- are all old news in cybersecurity terms, as Wired's Noah Schachtman points out

But why amp up the rhetoric regarding threats that are, by now, extensively known?  And for that matter, why is the Administration turning up the heat on the issue in general?  There is no question that cyberthreats are the 21st century version of nuclear warfare and should be much feared.  But, Republicans and business lobbies oppose anything beyond simple information sharing, and the relatively arcane issue of cybersecurity won't interest or sway many voters, so the Obama Administration stands to gain very little politically by continuing to push the issue. 

The clues to the puzzle of why Obama is pressing cybersecurity so hard are shrouded by the nature of the subject matter itself.  If there were a new threat on the horizon that could derail trains or "contaminate the water supply in major cities, or shut down the power grid across large parts of the country," as Panetta said in his speech, only a handful of people are allowed to know that, just as only a handful of people are allowed to know the launch codes for nuclear weapons. Panetta isn't going to trot out the latest intelligence on a potentially catastrophic cyber weapon during a black tie dinner and we are likely never going to hear what's really going on, or at least not for years.

It's also possible that the Administration plans to ramp up its own military capabilities in the cyber realm and the strong language used by Panetta (and others) helps to provide cover for stepped-up military action.  The U.S., after all, is the creator of the most potent cyber weapon the world has known so far (Stuxnet) and the Administration could be beefing up its military muscles not necessarily to defend against threats but to take the offense against enemies.

Whatever the case may be, the Administration is getting more serious every day about cybersecurity.  And we may never know why.

Shamoon image via SecureList

Rogers: White House “Irresponsible” for Failing to Consult on Cyber Executive Order

House Intelligence Committee Chairman Mike Rogers (R-MI) said today “it’s irresponsible” that the Obama administration failed to consult with the committee while drafting the impending executive order on cybersecurity.  Speaking at a U.S. Chamber of Commerce Cybersecurity Summit, Rogers said “we have been consulted as much as you have been consulted, which is a huge problem. “

“I don’t get it. I don’t understand it. I think it’s irresponsible.  We’re equally as frustrated as you are.” Rogers told the mostly pro-business audience.  The U.S. Chamber of Commerce opposes the President’s cybersecurity order, which mirrors to a large degree Senate cybersecurity legislation that failed to pass in August.  The Chamber also opposed that Democractic-backed bill, arguing that it creates an unnecessary regulatory structure.

Rogers said that the White House has also failed to seek private sector input when drafting the order.  “It’s just odd you would do it this way.  Why you wouldn’t want input from the outside is beyond me and that tells me what kind of product you’re going to get too.”

Cyber security legislation, along the lines of the Cyber Intelligence Sharing and Protection Act (CISPA), still stands a chance of passage during the upcoming lame duck session of Congress, Rogers said.  Rogers was a co-sponsor and proponent of that legislation, which established a voluntary cyber threat information sharing framework.  

Boosting the bill’s chance are recent classified briefings some members of Congress have received on “what appears to be a new level of threat from an unusual source that has some very real consequences,” Rogers said.  When pressed on the nature of this new threat, Rogers was vague – “I look really bad in orange,” he quipped.  But he seemed to indicate that perhaps a new nation-state has emerged as a cyber enemy.  “Our concern is nation-states that are gaining capabilities,” was the closest he came to an explanation of the new threat.

Utilities, Tech Industry Face Culture Clash in the Smart Grid

(Washington, DC)  As the nation’s electric infrastructure struggles to get smarter, a culture clash has emerged between the rapid-pace high-tech industry and the very slow-moving utility industry as they both try to inject intelligence into the grid.  Google-backed Silicon Valley-based Silver Spring Networks has experienced this first-hand as it pitches its 21st Century software, networking and platform solutions to utilities.

“We have to work to the biorhythms of our clients,” Eric Dresselhuys, Silver Spring’s EVP of Global Development said today at GridWeek 2012, held here.  “A utility client said ‘we don’t want you to force us into an upgrade more than every seven years.’ It made me realize the chasm we have to cross.”

“This [technology change] is coming at us in a lot of different directions,” Heather Sanders, Director of Smart Grid Technologies and Strategy, California ISO said.  The biggest challenge, Sanders said, is not technological but regulatory, with heavily rate-regulated utilities constrained by state public utility commissions in terms of how easily they can spend capital to upgrade technology.

“It's not clear that there is a regulatory meeting of the minds on how we're going to pay for this,” Dresselhuys said.  Regarding a recent case of regulatory lag in Illinois, “the absolute amount of money we're talking about here is so small, $1.50 per customer per month.  Nothing's happening and it's stunning.

Not all utilities are foregoing technology upgrades pending regulatory approval.  “We're spending money on projects for which we don't have regulatory approval because we have to move forward,” Lee Krevat, Smart Grid Director San Diego Gas & Electric (SDG&E) said.

Indeed, SDG&E is out ahead of the industry’s vendors, asking for more up-to-date technologies than the vendors’ products offer.  “We have things that we want and they don't exist the way we want them,” Krevat said.  It's the utility wanting to move faster than the suppliers.  It's bizarre.

Twitter Delicious Facebook Digg Stumbleupon Favorites More